This section contains the following tasks.
Install SAP NetWeaver Enterprise Portal version 7.4.x before completing the steps in this section.
Install Access Manager as described in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.
Install Apache HTTP Server 2.0.x or 2.2.x by following the installation steps provided by apache.org.
Install and configure an 11g WebGate on each Apache HTTP Server instance that supports the proxy connection to the SAP Enterprise Portal 7.4 instance. See Installing Webgates for Oracle Access Manager for details.
Synchronize the time on all servers where SAP NetWeaver Enterprise Portal and Access Manager components are installed.
Ensure that the users exist in the Access Manager LDAP directory as well as on the SAP R3 system database.
The user ID in Access Manager and the SAP database must be the same or be mapped to each other. Any attribute in a user's profile can be configured as the SAP ID and passed directly to SAP. Alternatively, SAP can be configured to map the SAP ID to any user attribute that it receives from Access Manager.
Verify that your Web browser is configured to allow cookies.
Oracle suggests reviewing the following topics prior to integrating Access Manager with SAP NetWeaver Enterprise Portal.
Managing Data Sources to understand how to add and configure data sources in Access Manager.
Managing Authentication and Shared Policy Components to understand how to configure Form and Basic mode authentication in Access Manager.
Configuring Cert Mode Communication for Access Manager to understand how to configure Cert mode for Access Manager.
You can configure the Access Manager security policy that protects SAP NetWeaver Enterprise Portal log-ins.
In the Oracle Access Management Console, click Application Security at the top of the window.
In the Launch Pad tab, go to the Access Manager section and open the Create (+) drop-down menu, then choose the option to register a new WebGate (SSO Agent). Registering the WebGate also creates an application domain with the same name, which you configure in the steps that follow.
Complete the form to register the WebGate for this integration. For example:
Name - Type a meaningful name, for example, SAP_WG. Do not include spaces in the name.
Version - Select 11g from the drop-down menu, to match the 11g WebGate installed on the Apache proxy.
Access Client Password - Enter a password. You will need it again when you install the WebGate on the Apache proxy.
Security - Choose the mode of communication between the WebGate and the OAM server. Open mode sends this traffic unencrypted; Simple or Cert mode protects it (see Configuring Cert Mode Communication for Access Manager).
A confirmation page opens.
At the bottom of the confirmation page, in the Server Lists section, associate the WebGate with a defined Access Server.
On the Launch Pad page, go to the Access Manager section and click Host Identifiers.
Click Search, then click the host identifier that was created with the WebGate (it carries the WebGate's name) in the search results.
Add the fully qualified host name and port of the Apache proxy to the host identifier. The WebGate matches requests against the host and port that the browser uses, so the entry must be the proxy's public name, not the SAP host.
Click Application Domains and search for the application domain that was created with the WebGate (for example, SAP_WG).
Click the application domain name in the search results to open it.
Click the Resources tab, then click Create (+) to add the resource that the WebGate should protect.
Complete the form and click Apply:
Type - HTTP
Resource URL -
Protection Level - Protected
Authentication Policy - Protected Resource Policy
Authorization Policy - Protected Resource Policy
Click the Authentication Policies tab, then click Protected Resource Policy.
From the Authentication Scheme drop-down, choose the scheme to use for this domain. For example, for form-based authentication (FAAuthScheme), enter the following:
Name - Protected Resource Policy
Authentication Scheme - FAAuthScheme
Select either basic-over-LDAP or form-based authentication. Oracle recommends a form-based authentication scheme. If you use the basic authentication scheme, also set the Challenge Redirect field to another WebGate to ensure that the ObSSOCookie is set.
Click Apply to save your changes.
Click the Authorization Policies tab, then click Protected Resource Policy.
Click the Responses tab and add a response that passes the authenticated user's identity to SAP as an HTTP header:
Type - Header
Name - OAM_REMOTE_USER
Value - The attribute of the authenticated user that holds the SAP account name (for example, $user.userid when the Access Manager login ID and the SAP user ID are the same; otherwise the mapped attribute).
The other tabs in Authorization Policies are Conditions and Rules:
Conditions - Define who the policy applies to, for example a set of users or groups (identity conditions) or other criteria such as an IP address range or a time window.
Rules - Allow or deny access to the resource based on which conditions are met.
Click Apply to save your changes.
If you configured a form-based authentication scheme, ensure that a login.html page is configured in the proxy server document root.
Also, ensure that a logout.html page is present in the proxy Web server document root. You can create a custom logout page using HTML, a JSP file, or a CGI program.
The default logout page (logout.html) is located here:
WebGate_install_dir is the directory where the WebGate is installed. Ensure that the name of the logout page contains the string
Ensure that the user ID that is returned in the OAM_REMOTE_USER header variable exists in the user management data sources for SAP Enterprise Portal 7.4.
On the Launch Pad page, go to the Access Manager section and click Authentication Schemes.
Choose the authentication scheme to use. This is the scheme that you selected inside the application domain of the WebGate.
You can configure a proxy to access SAP Enterprise Portal 7.4.
Load the Apache proxy modules:
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
If HTTPS communication is used with the SAP Enterprise Portal 7.4, use SSL mode.
Add the reverse-proxy directives, for example:
ProxyPassReverse / http://sap_host:port/
sap_host - The name of the machine hosting the SAP Enterprise Portal 7.4 instance.
port - The listening port for the SAP Enterprise Portal 7.4 instance.
This set of directives specifies that all requests to the Web server that take the form https://apache_host:port/irj are forwarded to the SAP Enterprise Portal 7.4 instance at sap_host:port.
To test the proxy, request https://apache_host:port/irj in a browser. This request should be redirected to the SAP Enterprise Portal 7.4 login page.
Verify that you can perform the provided administrative functions when logged in as an administrator.
Verify that you can perform the provided non-administrative functions when logged in.
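The following Apache HTTP Server 2.2.x configuration is an added example; it is not taken from the Oracle or SAP documentation. It puts the LoadModule and proxy directives described above into one virtual host and adds the checks a practitioner would want: the server is a reverse proxy only, browser traffic is terminated over HTTPS on the proxy, and any OAM_REMOTE_USER header supplied by the client is discarded before the WebGate sets its own. The names apache_host and sap_host, the port placeholder, the certificate paths and the WebGate include path are placeholders or assumptions to replace for your environment.

```apache
# Added example (not from the Oracle or SAP documentation): Apache 2.2.x
# reverse proxy in front of SAP NetWeaver Enterprise Portal 7.4 with the
# 11g WebGate loaded on the same instance. apache_host, sap_host, port and
# the certificate paths are placeholders.

LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule headers_module    modules/mod_headers.so
LoadModule ssl_module        modules/mod_ssl.so

# Reverse proxy only: never relay arbitrary client requests as a forward proxy.
ProxyRequests Off

<VirtualHost *:443>
    ServerName apache_host

    # Browser-facing HTTPS is terminated here.
    SSLEngine on
    SSLCertificateFile    /path/to/apache_host.crt
    SSLCertificateKeyFile /path/to/apache_host.key

    # Keep the browser's Host header so the portal builds its links with
    # apache_host, the host identifier registered in Access Manager.
    ProxyPreserveHost On

    # Discard any OAM_REMOTE_USER the client sent. "early" applies this
    # before the WebGate's authentication hook runs, so only the value the
    # WebGate sets after a successful login reaches SAP. (Assumption: this
    # is defence in depth on top of the WebGate's own header handling.)
    RequestHeader unset OAM_REMOTE_USER early

    # Forward /irj to the portal and rewrite Location headers in its
    # responses back into the proxy's URL space.
    ProxyPass        /irj http://sap_host:port/irj
    ProxyPassReverse /irj http://sap_host:port/irj

    # If the portal itself listens on HTTPS, proxy over SSL instead:
    #   SSLProxyEngine On
    #   ProxyPass        /irj https://sap_host:port/irj
    #   ProxyPassReverse /irj https://sap_host:port/irj

    # WebGate directives generated by the WebGate installer; the path is an
    # assumption. The WebGate must protect /irj on this virtual host.
    Include conf/webgate.conf
</VirtualHost>
```

Mapping only /irj, rather than the whole site, leaves login.html and logout.html in the proxy document root to be served by Apache itself instead of being forwarded to SAP. Run `apachectl configtest` after editing, then restart. Because HeaderVariableLoginModule trusts whatever OAM_REMOTE_USER value it receives, also confirm that sap_host:port is reachable only from the proxy (host firewall or network ACL); a client that can connect to the portal directly would bypass the WebGate entirely.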
You can enable external authentication in SAP Enterprise Portal 7.4 using the OAM_REMOTE_USER header variable. With this scheme the portal trusts the header value as the authenticated user, so the portal must accept requests only through the WebGate-protected proxy.
See the SAP Enterprise Portal 7.4 Enterprise Portal Security Guide for more information about configuring authentication schemes for SAP Enterprise Portal.
Set the SAP NetWeaver Portal Logoff URL (ume.logoff.redirect.url) to the appropriate logout URL, so that logging off from the portal also runs the WebGate logout and clears the Access Manager session.
Open the configtool.bat file, which is located here:
Prepare to edit the configuration by switching to configuration editor mode, and choosing edit mode.
Set the ume.logoff.redirect.url property to the logoff URL from the first step, and set the ume.logoff.redirect.silent property to true so that the portal redirects to that URL without displaying its own logoff page.
Save your changes and close the config tool.
You can use the NetWeaver Administrator console to add the HeaderVariableLoginModule to the appropriate login module stack or template and configure its options.
In the console, choose Configuration > Authentication and Single Sign-On. Click Login Modules under the Authentication tab. Create the HeaderVariableLoginModule login module with the display name HeaderVariableLoginModule and the class name com.sap.security.core.server.jaas.HeaderVariableLoginModule. In its options, set Header to OAM_REMOTE_USER (the header name configured in the Access Manager response) and ume.configuration.active to true. On the Login Module Use tab, choose Component > ticket, and add HeaderVariableLoginModule to the login module stack for each template or application that is to support header variable authentication.
Table 62-2 Login Module Stacks for using Header Variables