SAP NetWeaver

Before You Begin

Introduction

This document describes how to configure Oracle Identity Cloud Service to provide Single Sign-On (SSO) for SAP NetWeaver using SAML.

About SAP NetWeaver

SAP NetWeaver is an open technology platform that offers a comprehensive set of technologies for running mission-critical business applications and integrating people, processes, and information.

After integrating the SAP NetWeaver App with Oracle Identity Cloud Service:

  • Users can access SAP NetWeaver using their Oracle Identity Cloud Service login credentials.
  • Users can start SAP NetWeaver using the Oracle Identity Cloud Service My Apps console.
  • Admins can assign and revoke user access to the SAP NetWeaver app using the Oracle Identity Cloud Service administration console.

What Do You Need?

  • An Oracle Identity Cloud Service account with authorization rights to manage applications and users (Identity Domain Administrator or Application Administrator).
  • Make sure that the email ID of each user in SAP NetWeaver matches the primary email ID of the Oracle Identity Cloud Service account.

Configuring the SAP NetWeaver App in Oracle Identity Cloud Service

Use this section to register and activate the SAP NetWeaver SaaS App, and then assign users to the application.

Prerequisite Step

You need to contact the SAP admin team to help you configure and register the SAP NetWeaver app.

Registering and Activating the SAP NetWeaver App

  1. Access the Oracle Identity Cloud Service administration console, select Applications, and then click Add.

  2. Click App Catalog.

  3. Search for SAP NetWeaver, and then click Add.

  4. In the App Details section, enter the Host, Port, and SAP Client ID fields, and then click Next.

    Tip: You can get values for the Host, Port, and SAP Client ID fields from the SAP admin team.

  5. Click Download IDCS Metadata.

    Tip: This file is used later during the SAP NetWeaver configuration in the "Configuring SSO for SAP NetWeaver" section.

  6. Click Finish. Oracle Identity Cloud Service displays a confirmation message.

  7. Click Activate, and then click Activate Application. Oracle Identity Cloud Service displays a confirmation message.

Assigning Users to the SAP NetWeaver App

  1. On the SAP NetWeaver App page in Oracle Identity Cloud Service, select the Users tab, and then click Assign. The Assign Users window appears.

  2. Select the users that you want to assign to SAP NetWeaver, and then click OK. Oracle Identity Cloud Service displays a confirmation message stating that the SAP NetWeaver application is assigned to the users that you selected.

Configuring SSO for SAP NetWeaver

To configure SSO for SAP NetWeaver, you must share the IDCS metadata file that you downloaded with the SAP admin team.

Verifying the Integration

Use this section to verify that SSO initiated from both Oracle Identity Cloud Service (IdP Initiated SSO) and SAP NetWeaver (SP Initiated SSO) works.

Verifying Identity Provider Initiated SSO from Oracle Identity Cloud Service

  1. Access the Oracle Identity Cloud Service My Profile console: https://<IDCS-Service-Instance>.identity.oraclecloud.com/ui/v1/myconsole.

  2. Log in using credentials for a user that is assigned to the SAP NetWeaver App. Oracle Identity Cloud Service displays a shortcut to SAP NetWeaver under My Apps.

  3. Click SAP NetWeaver. The SAP NetWeaver home page appears.

  4. On the SAP NetWeaver home page, confirm that the user that is logged in is the same for both SAP NetWeaver and Oracle Identity Cloud Service.

    This confirms that SSO that is initiated from Oracle Identity Cloud Service works.

Verifying Service Provider Initiated SSO from SAP NetWeaver

  1. Access the SAP NetWeaver login URL: https://<Host>:<Port>/sap/bc/gui/sap/its/webgui?sap-client=<SAP_Client_ID>.

    You are redirected to the Oracle Identity Cloud Service login page.

  2. Log in using credentials for a user that is assigned to the SAP NetWeaver App. The SAP NetWeaver home page appears.

  3. On the SAP NetWeaver home page, confirm that the user that is logged in is the same for both SAP NetWeaver and Oracle Identity Cloud Service.

    This confirms that SSO that is initiated from SAP NetWeaver works.

Verifying Single Log-Out (SLO)

  1. On the SAP NetWeaver home page, click Log off on the right side of the menu bar.

  2. Access the Oracle Identity Cloud Service My Profile console, and then confirm that the login page appears.

    This confirms that SLO works and that the user is no longer logged in to SAP NetWeaver and Oracle Identity Cloud Service.

Troubleshooting

Use this section to locate solutions to common integration issues.

Known Issues

SAP NetWeaver displays the login screen during SSO.

Cause: The email attribute sent by Oracle Identity Cloud Service during SSO doesn't match any existing user in SAP NetWeaver.

Solution: Ensure that the user that is signed in has an account in both Oracle Identity Cloud Service and SAP NetWeaver with the same email address.
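The email match can be checked for all users ahead of rollout rather than one failed login at a time. The following is an added example, not Oracle or SAP tooling: the CSV exports, their column names (`userName`, `primaryEmail`, `user`, `email`), and the sample rows are hypothetical and constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports; column names are assumptions, not a vendor format.
IDCS_EXPORT = """\
userName,primaryEmail
alice,alice@example.com
bob,Bob@Example.com
carol,carol@example.com
dave,dave@example.com
"""
SAP_EXPORT = """\
user,email
ALICE,alice@example.com
BOB,bob@example.com
DAVE,dave@example.com
DAVE_ADM,dave@example.com
"""

def reconcile(idcs_csv, sap_csv):
    """Classify each IDCS primary email by how it maps onto SAP users."""
    sap_exact = defaultdict(list)   # email exactly as stored -> SAP users
    sap_folded = defaultdict(list)  # trimmed, case-folded email -> SAP users
    for row in csv.DictReader(io.StringIO(sap_csv)):
        sap_exact[row["email"]].append(row["user"])
        sap_folded[row["email"].strip().casefold()].append(row["user"])

    report = {"ok": [], "missing": [], "differs_by_case_or_space": [], "ambiguous": []}
    for row in csv.DictReader(io.StringIO(idcs_csv)):
        email = row["primaryEmail"]
        folded = email.strip().casefold()
        if len(sap_folded.get(folded, [])) > 1:
            # One asserted email could resolve to several SAP accounts.
            report["ambiguous"].append(email)
        elif email in sap_exact:
            report["ok"].append(email)
        elif folded in sap_folded:
            # Whether this still matches depends on the SAP-side comparison.
            report["differs_by_case_or_space"].append(email)
        else:
            report["missing"].append(email)
    return report
```

Entries under `missing` reproduce the login-screen symptom above; entries under `ambiguous` should be resolved with the SAP admin team before SSO is enabled, because one email address then corresponds to more than one SAP account.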

SAP NetWeaver displays the message "There is a problem with your account. Please contact Support." during SSO.

Cause 1: The SAML 2.0 integration between the Oracle Identity Cloud Service SAP NetWeaver App and SAP NetWeaver is deactivated.

Solution 1:

  • Access the Oracle Identity Cloud Service administration console, select Applications, and then select SAP NetWeaver.
  • Click Activate, and then click Activate Application. Oracle Identity Cloud Service displays a confirmation message.

Cause 2: The error occurs when the administrator revokes access for the user at the same time that the user is trying to access the SAP NetWeaver SaaS Application using Oracle Identity Cloud Service.

Solution 2: Access the Oracle Identity Cloud Service administration console, select Applications, SAP NetWeaver, Users, and then click Assign to re-assign the user.

SLO does not work when logging out from SAP NetWeaver.

Cause: Limitations from the SAP end.

Solution: Currently there is no solution available.

Unknown Issues

For unknown issues, contact Oracle Support:

  1. Go to https://support.oracle.com.

  2. Select Cloud Support, and then sign in with your support credentials.

  3. In the Cloud Dashboard, confirm that there are no planned outages in Oracle Identity Cloud Service, and then click Create Service Request.

  4. Select Oracle Identity Cloud Service as the service type.

  5. Complete your service request.