
Cloud Access Manager 8.1.3 - How to Configure for SSO to SAP NetWeaver using SAML 2.0

User mappings

In the following example Cloud Access Manager is deployed using Active Directory as the user store, and the logon ID of NetWeaver internal users matches the sAMAccountName of Cloud Access Manager users.

NetWeaver configuration (Service Provider Role)

To configure NetWeaver (Service Provider Role)

  1. In the SAP NetWeaver admin interface, navigate to Configuration | Security | Authentication and Single Sign-On. Select the SAML 2.0 tab.

  2. Click Enable SAML 2.0 support.
  3. In the Provider Name field, type NetWeaver and click Next.
  4. Click Browse, located next to the Signing Key Pair field. In the Select Keystore Entry box, click Create. In the Entry Settings window under Entry Name, type test and click Next.
  5. In the Subject Properties window, in the Common Name field type test. Click Finish, and then click OK.
  6. Click Next to advance to Service Provider Settings.
  7. Under Identity Provider Discovery, switch Selection Mode to Automatic.

    NOTE: This hides the NetWeaver home realm discovery interface. It is not needed here since Cloud Access Manager is the only configured identity provider.

  8. Click Finish.
  9. Click Edit then click the Service Provider Settings tab.
  10. Click Add in the Relay State Mappings section and insert the following entry to facilitate IDP-initiated SSO later:

    RelayState = portal

    Path = /irj/portal

  11. Click OK and then Save.

Cloud Access Manager configuration - (Identity Provider Role)

To configure Cloud Access Manager (Identity Provider (IDP) Role)

  1. Log in to the Administration Console using the desktop shortcut Cloud Access Manager Application Portal and select Add New from the Applications section on the home page.
  2. Click Configure Manually. Select Using SAML, and then click Next.
  3. Under Federation Settings, set Recipient value to:

    https://<NetWeaver_server_fqdn>:<port>/saml2/sp/acs

    Where <NetWeaver_server_fqdn> is the fully-qualified domain name of your SAP NetWeaver server and <port> is the port the NetWeaver server listens on, for example https://srvnwce73.demo.sap.corp:50001/.

  4. Set Audience / SP Identity to NetWeaver and click Next.

  5. On the Subject Mapping page, select Derive the username from an attribute, and enter sAMAccountName in the attribute name. Do not add extra claim mappings. Click Next.
  6. Choose whether to proxy the application. Select Proxy this application if you want to expose your NetWeaver application to users on the Internet. If you choose this option, then you must:

    1. Set the value of the application URL to https://<NetWeaver_server_fqdn>:<port>, for example https://srvnwce73.demo.sap.corp:50001, and click Next.
    2. Set the proxy URL to the publicly-accessible proxy URL for the application. Click Next.
  7. Allow a role which includes your sample user to access the application. Click Next.
  8. Name the application SAP NetWeaver. Click Next.
  9. In the Application Portal section, change the title of the first entry to SAP NetWeaver Portal.
  10. Switch the SSO Mode to IDP initiated. In the Relay State (optional) field type portal.
  11. Click Finish. On the Application Created page, click Download Metadata and then Download Certificate. Save both files to a location that can be accessed by the NetWeaver admin browser. Click Close.
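As an added example (not part of this article or of the Cloud Access Manager or NetWeaver products), the following Python checks a SAMLResponse captured from the browser against the values set in the two procedures above: the Recipient must equal the NetWeaver ACS URL, the Audience must be NetWeaver, the NameID must carry the sAMAccountName, and a RelayState is only honoured if it appears in NetWeaver's Relay State Mappings. The sample assertion is constructed; its issuer URL and user name are assumptions, and the host and port are the article's own example values.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Values set in the configuration steps; host and port are the article's example.
EXPECTED_RECIPIENT = "https://srvnwce73.demo.sap.corp:50001/saml2/sp/acs"
EXPECTED_AUDIENCE = "NetWeaver"
RELAY_STATE_MAPPINGS = {"portal": "/irj/portal"}   # NetWeaver Relay State Mappings
# Constructed sample assertion (not a real capture); issuer and user are assumed, signature omitted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
  <saml:Issuer>https://cam.example.com/CloudAccessManager</saml:Issuer>
  <saml:Subject>
    <saml:NameID>jsmith</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://srvnwce73.demo.sap.corp:50001/saml2/sp/acs"
          NotOnOrAfter="2020-01-01T00:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction><saml:Audience>NetWeaver</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_ASSERTION.encode()).decode()  # as sent in the POST form

def decode_saml_response(b64_value):
    """Decode the base64 SAMLResponse form field captured from the browser into XML text."""
    return base64.b64decode(b64_value).decode("utf-8")

def check_assertion(xml_text, recipient=EXPECTED_RECIPIENT, audience=EXPECTED_AUDIENCE):
    """Return a list of mismatches between the assertion and the configured SP settings (empty = OK).
    The XML signature is not validated here; NetWeaver checks it against the uploaded IDP certificate."""
    root = ET.fromstring(xml_text)
    problems = []
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    got_recipient = scd.get("Recipient") if scd is not None else None
    if got_recipient != recipient:
        problems.append(f"Recipient {got_recipient!r} does not match ACS URL {recipient!r}")
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if audience not in audiences:
        problems.append(f"Audience {audiences} does not include SP identity {audience!r}")
    name_id = root.find(".//saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID is empty: the sAMAccountName subject mapping produced no value")
    return problems

def resolve_relay_state(relay_state, mappings=RELAY_STATE_MAPPINGS):
    """Return the landing path for a RelayState, or None if NetWeaver has no mapping for it."""
    return mappings.get(relay_state)
```

A non-empty list from check_assertion points at the setting to revisit (Recipient, Audience / SP Identity, or Subject Mapping); an unmapped RelayState means the Relay State Mappings entry from the NetWeaver procedure is missing.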

NetWeaver configuration

The following sections explain how to configure NetWeaver:
