
RSA SecurID Access SAML Configuration for SAP NetWeaver

Last Modified: January 18, 2016

SAP NetWeaver is the primary technology computing platform of the software company SAP SE, and
the technical foundation for many SAP applications. It is a solution stack of SAP's technology products.
The SAP Web Application Server (sometimes referred to as WebAS) is the runtime environment for the
SAP applications, and all of the mySAP Business Suite solutions (SRM, CRM, SCM, PLM, ERP) run on
SAP WebAS.

Before You Begin


• Acquire an administrator account to both RSA SecurID Access and SAP NetWeaver.
• Acquire an SAP account with SAP_SAML2_CFG_ADM and SAP_SAML_CFG_DISPLAY roles
assigned.
• Verify SAP Cryptographic Library is installed.
• Verify AS ABAP is configured to support SSL.

Procedure
1. Add the Application in RSA SecurID Access
2. Configure SAP NetWeaver to Use RSA SecurID Access as an Identity Provider

Add the Application in RSA SecurID Access


Procedure
1. In the RSA SecurID Access Administration Console, click Applications > Application Catalog.
2. From the list of applications, locate SAP NetWeaver and click +Add.

1 Copyright © 2016 EMC Corporation. All Rights Reserved.


3. On the Basic Information page, specify the application name and click Next Step.
4. On the Connection Profile page, set the Connection URL to your SAP application’s logon page
URL, choose SP-Initiated and set the Binding Method for SAML Request to POST.

5. If this is an SP-initiated configuration, choose the SAML request method: select either SAML
request on redirect binding or SAML request via post.
6. Scroll down to SAML Identity Provider (Issuer) section.

a. In the Identity Provider URL field, copy the URL. It is needed later to configure the
Service Provider.
b. Take note of the Issuer Entity ID.
c. Select Choose File to locate and upload the private key that signs the SAML assertion.
The private key must correspond to the public signing certificate loaded in the SP
application. If a private/public key pair is not readily available, you can click
Generate Certificate Bundle.



7. Scroll down to the Service Provider section.

a. In the Assertion Consumer Service (ACS) URL field, enter the ACS URL to match the
configured value from the Service Provider.
b. In the Audience (Service Provider Entity ID) field, enter the Entity ID to match the
configured value from the Service Provider.
8. Scroll down to the User Identity section. Verify the settings are correct for your environment.

9. Click Next Step.


10. On the User Access page, select the desired user policy from the drop-down list.

11. Click Next Step.



12. On the Portal Display page, select Display in Portal.
13. Click Save and Finish.
14. Click Publish Changes. Your application is now enabled for SSO.

Next Steps
Configure SAP NetWeaver to Use RSA SecurID Access as an Identity Provider



Configure SAP NetWeaver to Use RSA SecurID Access as an Identity Provider
Procedure
1. Start the SAML 2.0 configuration application (transaction SAML2).
2. Click Enable SAML 2.0 Support.

3. Enter the Provider Name and click Next.

Note: The Provider Name must match the Audience (Service Provider Entity ID) as
configured in the RSA SecurID Access console.

4. Set the Clock Skew Tolerance and click Next.



5. Set the Identity Provider Discovery Selection Mode to Automatic, mark the checkbox for
Assertion Consumer Service HTTP POST binding and click Finish.

Note: None of the other Assertion Consumer Service or Single Logout Service bindings
are currently supported in RSA SecurID Access.

6. Open the Trusted Providers tab and click Add > Manually.

7. Enter a Name for the new trusted identity provider and click Next.

Note: The Name must match the Issuer Entity ID as configured in the RSA SecurID
Access Console.



8. Browse to and upload the Primary Signing Certificate and click Next.

Note: The primary signing certificate must match the certificate uploaded to the RSA
SecurID Access console.

9. Click Add to add a single sign-on endpoint.



10. Select HTTP POST from the Binding drop-down menu, enter the Location URL and click OK.

Note: The Location URL must match the Identity Provider URL as configured in the RSA
SecurID Access Console.

11. Click Next.

12. Click Next.



13. Click Next.

14. Click Finish.

15. Click Edit, then Add to add a NameID format.



16. Choose a NameID format and click OK.

Note: The NameID format must match the Identifier Type as configured in the User Identity
section of the RSA SecurID Access console.

17. Click Save and then Enable > OK.
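
The notes in this procedure require several values to match on both sides (Issuer Entity ID, Audience, NameID format) and step 4 sets a Clock Skew Tolerance. The following is an added example, not RSA or SAP tooling, that checks a decoded assertion against those settings. All entity IDs, names and timestamps are constructed, and it does not verify the signature, so it is a troubleshooting aid rather than a replacement for the service provider's validation.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed values standing in for what the two consoles show.
SP_CONFIG = {
    "issuer": "https://idp.example.test/entity",  # trusted provider Name (step 7)
    "audience": "SAP_NW_EXAMPLE",                 # Provider Name (step 3)
    "nameid_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "clock_skew": timedelta(seconds=120),         # Clock Skew Tolerance (step 4)
}

# Constructed assertion; its NameID format deliberately differs from SP_CONFIG.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Issuer>https://idp.example.test/entity</saml:Issuer>
 <saml:Subject><saml:NameID
   Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
   >jdoe@example.test</saml:NameID></saml:Subject>
 <saml:Conditions NotBefore="2016-01-18T10:00:00Z" NotOnOrAfter="2016-01-18T10:05:00Z">
  <saml:AudienceRestriction><saml:Audience>SAP_NW_EXAMPLE</saml:Audience></saml:AudienceRestriction>
 </saml:Conditions>
</saml:Assertion>"""

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, cfg, now):
    """List mismatches between a decoded assertion and the SP settings."""
    root = ET.fromstring(xml_text)
    problems = []
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != cfg["issuer"]:
        problems.append(f"Issuer {issuer!r} is not the trusted provider name")
    audiences = [a.text for a in root.iterfind(".//saml:Audience", NS)]
    if cfg["audience"] not in audiences:
        problems.append(f"Audience {audiences!r} lacks the provider name")
    nameid = root.find(".//saml:NameID", NS)
    fmt = None if nameid is None else nameid.get("Format")
    if fmt != cfg["nameid_format"]:
        problems.append(f"NameID Format {fmt!r} is not the configured format")
    cond = root.find("saml:Conditions", NS)
    nb = None if cond is None else cond.get("NotBefore")
    na = None if cond is None else cond.get("NotOnOrAfter")
    # The validity window is widened by the skew tolerance on both ends.
    if nb and now + cfg["clock_skew"] < _ts(nb):
        problems.append("Conditions: not yet valid, even with skew")
    if na and now - cfg["clock_skew"] >= _ts(na):
        problems.append("Conditions: expired, even with skew")
    return problems
```

With the sample above and a clock 90 seconds past NotOnOrAfter, the only finding is the NameID format mismatch; setting the skew to zero adds an expiry finding.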
