You can also use Tivoli Federated Identity Manager with Security Assertion Markup Language (SAML) for single sign-on to SAP NetWeaver Portal.
About this task
In this scenario, Tivoli Federated Identity Manager handles the authentication flow by using SAML. For the SAP integration into WebSphere® Portal, the supported SAML scenario is service-provider initiated single sign-on.
To use this scenario, you need technical expertise in all three participating systems: IBM WebSphere Portal, IBM Tivoli Federated Identity Manager, and SAP NetWeaver Portal.
To use Tivoli Federated Identity Manager for single sign-on to SAP NetWeaver Portal with Integrator for SAP, follow these instructions:
Procedure
- Make sure that your Tivoli Federated Identity Manager is configured correctly for authentication of the participating service providers and the users in a service-provider initiated single sign-on scenario. The service providers are the SAP NetWeaver Portal instance and the WebSphere Portal instance.
- For the navigation integration, you must set up Web Service Single Sign On for the Web Service Client NavigationWS. This Web Service Client is hosted in the enterprise application IntegrationSAP in the WebSphere Integrated Solutions Console.
- For the SAP navigation integration, you must set up Web Single Sign On to the SAP NetWeaver Portal.
- To make Integrator for SAP use Tivoli Federated Identity Manager, do not set any other authentication configuration:
- For the SAP navigation integration, do not set the parameters sap.CredentialSlotId and sap.SSOTokenUrl. Also, do not configure single sign-on for browsers as described under the topic about Configuring basic authentication for single sign-on to SAP NetWeaver Portal.
- Do not add the login or logout filter of the SAP integration to the filter chains.
- To test and verify your environment, use the SAP navigation integration. This test requires that the web service single sign-on is configured.