HowTo: Configuring SAML 2.0 GAM Authentication type using SAP

Official Content

This document explains the steps to follow in SAP Cloud Platform to configure GeneXus Access Manager (GAM) to authenticate through the SAML 2.0 Authentication type, with SAP acting as the Identity Provider.

SAP Cloud Platform Identity Authentication configuration

  1. Contract the SAP Cloud Platform Identity Authentication service.
  2. Create the certificates needed to connect to SAP as a SAML 2.0 Identity Provider.
    Get the Response certificates from the SAP Cloud Platform Identity Authentication console: go through Applications & Resources -> Tenant Settings -> SAML 2.0 Configuration and click "download metadata".

    Generate a Response certificate for SAP (keystore). It is used to complete the Response Credentials section of the GAM SAML 2.0 Authentication type configuration. For detailed information, see HowTo: Generating certificates for authenticating using SAML 2.0 GAM Authentication.
  3. Create an application in SAP Cloud Platform Identity Authentication. Go through Applications & Resources->Applications, and click "Add".
  4. Assign a name to the application just created and save.
  5. To configure the application, go through the Trust option and configure the Authentication type (by default, it is SAML 2.0).
  6. Select SAML 2.0 Configuration.

    Then configure:
    1. Name: the external identifier to be assigned to the application (the same value configured as the Service Provider Entity ID in the Login General tab of the GAM SAML 2.0 Authentication type configuration).
       
    2. Assertion Consumer Service Endpoint: the URL of the Service Provider (the GeneXus application) that receives responses from the Identity Provider (e.g.: https://gxexample/KBExample/saml/gam/signin).
       
       Important: The format of the URL must be https://<domain>/<url_base>/saml/gam/signin

       
    3. Single Logout Endpoint: the URL of the single logout endpoint of the Service Provider (e.g.: https://gxexample/KBExample/saml/gam/signout)
       
       Important: The format of the URL must be https://<domain>/<url_base>/saml/gam/signout

       
    4. Signing Certificate: the Service Provider's signing certificate (its public key), which the Identity Provider uses to verify the requests signed by the Service Provider (the certificate.pem created previously).
       
    5. Algorithm: the algorithm for signing the response messages.
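The two endpoint formats required above (https://<domain>/<url_base>/saml/gam/signin and https://<domain>/<url_base>/saml/gam/signout) are easy to mistype, and a wrong value only shows up as a failed login at the Identity Provider. The following Python check is an added example, not part of GAM or of the SAP console; the function names and the rule that both endpoints must share the same domain and url_base are this example's own assumptions, derived from the formats stated above.

```python
from urllib.parse import urlparse

# Path suffixes the page requires for the two Service Provider endpoints.
ACS_SUFFIX = "/saml/gam/signin"
SLO_SUFFIX = "/saml/gam/signout"


def _split_gam_url(url, suffix):
    """Return (problems, domain, url_base) for a URL expected to end in `suffix`."""
    problems = []
    parts = urlparse(url)
    if parts.scheme != "https":
        problems.append(f"{url}: scheme must be https")
    if not parts.netloc:
        problems.append(f"{url}: missing <domain>")
    if parts.query or parts.fragment:
        problems.append(f"{url}: query string or fragment not allowed")
    url_base = None
    if parts.path.endswith(suffix):
        # Everything between the domain and the fixed suffix is <url_base>.
        url_base = parts.path[: -len(suffix)].strip("/")
        if not url_base:
            problems.append(f"{url}: missing <url_base> before {suffix}")
    else:
        problems.append(f"{url}: path must end with {suffix}")
    return problems, parts.netloc, url_base


def check_sp_endpoints(entity_id, acs_url, slo_url):
    """Validate the Name/Entity ID and both endpoint URLs; return a list of problems (empty = OK)."""
    problems = []
    if not entity_id or entity_id != entity_id.strip():
        problems.append("Name / Service Provider Entity ID must be non-empty, without surrounding whitespace")
    acs_problems, acs_host, acs_base = _split_gam_url(acs_url, ACS_SUFFIX)
    slo_problems, slo_host, slo_base = _split_gam_url(slo_url, SLO_SUFFIX)
    problems += acs_problems + slo_problems
    # Assumption of this example: signin and signout belong to the same GeneXus application,
    # so domain and url_base must match between the two URLs.
    if acs_base and slo_base and (acs_host, acs_base) != (slo_host, slo_base):
        problems.append("Assertion Consumer Service and Single Logout endpoints differ in <domain>/<url_base>")
    return problems


if __name__ == "__main__":
    # Values from the page's own example (constructed hostnames).
    for p in check_sp_endpoints("KBExample",
                                "https://gxexample/KBExample/saml/gam/signin",
                                "https://gxexample/KBExample/saml/gam/signout"):
        print("problem:", p)
```

Run it against the values you are about to paste into the SAP application configuration; an empty result means the three fields are consistent with the formats required above.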

In the GAM backend, the SAML 2.0 Authentication type configuration screen holds the counterpart of these values.

The Saml Endpoint Location to be configured in the GAM backend is taken from the SAP configuration (Single Sign On Endpoint). Likewise, the Single Logout Endpoint value to be configured in the backend is taken from the Single Logout Endpoint in SAP.

Getting user information

By default, SAP returns the following information: first name, last name, and email, all of which are included in the assertion. These attributes must be mapped in the GAM SAML 2.0 Authentication type configuration under the User Information tab, as follows:

  • User First Name tag: first_name
  • User Last Name tag: last_name
  • User E-mail tag: mail

If desired, further information may be added. First go through the "Assertion Attributes"->Add option in the SAP Cloud Platform and select the attribute you wish to add. Then specify the tag in the User Information tab configuration of the GAM SAML 2.0 Authentication type.
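To make the tag mapping concrete, here is an added Python example (not GAM's own code, which performs this mapping internally) that reads the AttributeStatement of a SAML 2.0 assertion and resolves the tags configured in the User Information tab, including an extra attribute added through Assertion Attributes. The sample assertion, its issuer URL and the attribute values are constructed for this example; signature and audience validation are assumed to have happened before this step, as the mapping must only ever run on a verified assertion.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion fragment, modelled on the default SAP attributes
# (first_name, last_name, mail) plus one extra attribute ("department") added
# via Assertion Attributes. Issuer and values are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id" Version="2.0" IssueInstant="2018-11-12T19:02:57Z">
  <saml:Issuer>https://idp.example.invalid</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="first_name"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="last_name"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>ada@example.invalid</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="department"><saml:AttributeValue>Research</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# GAM User Information field -> tag name in the assertion (the three defaults from the page).
DEFAULT_TAGS = {"first_name": "first_name", "last_name": "last_name", "email": "mail"}


def assertion_attributes(assertion_xml):
    """Collect every Attribute in the AttributeStatement as {Name: [values...]}."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values
    return attrs


def map_user_info(assertion_xml, tag_mapping=DEFAULT_TAGS):
    """Resolve the configured tags to user fields; a tag absent from the assertion yields None."""
    attrs = assertion_attributes(assertion_xml)
    user = {}
    for field, tag in tag_mapping.items():
        values = attrs.get(tag, [])
        # Multi-valued attributes keep only their first value here.
        user[field] = values[0] if values else None
    return user


if __name__ == "__main__":
    print(map_user_info(SAMPLE_ASSERTION))
    print(map_user_info(SAMPLE_ASSERTION, {"department": "department", "phone": "telephone"}))
```

A tag that is configured in GAM but never sent by SAP resolves to None rather than an empty string, which makes a misspelt tag name (or an attribute not yet added under Assertion Attributes) visible at the first test login instead of silently creating users with blank fields.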


See also

HowTo: Generating certificates for authenticating using SAML 2.0 GAM Authentication