44 Integrating Access Manager with SAP NetWeaver Enterprise Portal

This chapter describes the integration of Access Manager 11.1.2 with SAP NetWeaver Enterprise Portal.

This chapter covers the following topics:

44.1 What is Supported in This Release?

Versions 7.0.x and 7.4.x of SAP NetWeaver Enterprise Portal are supported in this release.

Access Manager supports SAP NetWeaver Enterprise Portal v7.4.x with the following caveats:

  • Apache 2.2.x and 2.0.x (from Apache.org) are supported Web servers with this release.

  • MySAP is not certified.

Access Manager supports SAP NetWeaver Enterprise Portal v6.0 and v7.0.x with the following caveats:

  • Apache 2.0 (from Apache.org) is supported as a Web server with this release.

  • MySAP is not certified.

44.2 Supported Versions and Platforms

Access Manager supports the versions and platforms described on the following site:

http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-certification-100350.html

44.3 Integration Architecture

The following diagram illustrates the integration between Access Manager and SAP NetWeaver Enterprise Portal.

44.3.1 Process Overview: Integration with SAP NetWeaver Enterprise Portal

Here is an overview of the integration process with SAP NetWeaver Enterprise Portal.

  1. A user attempts to access content via the SAP NetWeaver Enterprise Portal.

    For example, the user may enter the following URL to access an HR application through a proxy server:

    https://host:port/irj

  2. The WebGate intercepts the request and queries the Access Server for the security policy that determines if the resource is protected.

    The security policy consists of an authentication scheme, authorization rules, and allowed operations. Based on the authentication and authorization success or failure, specified actions are performed.

    The Access System security policy for the SAP /irj login URL is applicable to all resources accessed using the https://host:port/irj URL.

    Note that the SAP NetWeaver Enterprise Portal has its own authorization system that can be configured to set user access to iViews.

  3. If the resource is protected, the WebGate prompts the user for authentication credentials.

    The credentials that the WebGate requests depend on the authentication scheme configured in the Access System, for example, Basic over LDAP or Form-based authentication.

  4. If the credentials are validated, the Access System authenticates the user and sets an encrypted ObSSOCookie in the user's browser.

  5. After authentication succeeds, the authorization rules defined in the Access System are applied according to the security policy.

    Specific actions are performed based on the authorization rules. If the user is authorized, access to the SAP Portal login (the requested content) is allowed. For SAP Enterprise Portal header variable integration, the Access Server sets the authenticated user ID in a header variable.

    If the user is not authenticated or authorized, he or she is denied access and redirected to another URL, as determined by the administrator. For example, the user may be redirected to an "invalid credentials" page.

  6. For the integration with SAP NetWeaver Enterprise Portal, the proxy Web server forwards the request, which now carries the header variable, to the SAP NetWeaver Enterprise Portal internal Web server.

  7. The SAP NetWeaver Enterprise Portal uses the header variable value to check the mapping of the user ID against the configured data source in the portal.

    Both the Access Manager and SAP NetWeaver Enterprise Portal data source must contain the same user ID value.

    Upon successful mapping, SAP NetWeaver Enterprise Portal allows the user to access the requested resource.

    SAP NetWeaver Enterprise Portal sends a response to the proxy, and the proxy redirects to the client browser.

  8. All interaction with the SAP Enterprise Portal takes place through the proxy server.

44.4 Configuring Oracle Access Management and NetWeaver Enterprise Portal 7.0.x

You can configure Access Manager and SAP NetWeaver Enterprise Portal 7.0.x to work together.

This section contains the following tasks:

44.4.1 Before You Begin Configuring OAM and NetWeaver Enterprise Portal 7.0.x

  • Install SAP NetWeaver Enterprise Portal before completing the steps in this section.

  • Install the Apache HTTP Server by following the installation steps provided by apache.org.

  • Install and configure a WebGate on each Apache HTTP Server instance that supports the proxy connection to the SAP Enterprise Portal instance. See Installing Webgates for Oracle Access Manager for details.

  • Install Access Manager before completing the steps in Configuring Access Manager for SAP Enterprise Portal. See the Installing and Configuring Oracle Identity and Access Management for details.

  • Synchronize the time on all servers where SAP NetWeaver Enterprise Portal and Access Manager components are installed.

  • Ensure that the users exist in the Access Manager LDAP directory as well as on the SAP R3 system database.

    The user ID in Access Manager and the SAP database must be the same or be mapped to each other. Any attribute in a user's profile can be configured as the SAP ID and passed directly to SAP. Alternatively, SAP can be configured to map the SAP ID to any user attribute that it receives from Access Manager.

  • Verify that the Web browser is configured to allow cookies.

Note:

Oracle suggests reviewing the following topics prior to integrating Access Manager with SAP NetWeaver Enterprise Portal.

44.4.2 Configuring the Apache HTTP Server as a Proxy

You can configure a proxy (Apache HTTP Server 2.0.x) to access SAP NetWeaver Enterprise Portal.

To configure Apache HTTP Server 2.0.x

  1. Set up the Apache HTTP Server proxy in non-SSL mode or SSL mode, as described in the Apache documentation.

    If HTTPS communication is used with the SAP NetWeaver Enterprise Portal, use SSL mode.

  2. To enable the proxy to access the SAP NetWeaver Enterprise Portal, enter the following in the httpd.conf configuration file:

    For SAP NetWeaver Enterprise Portal 6:

    ProxyRequests Off
    ProxyPass /irj http://sap_host:port/irj
    ProxyPassReverse /irj http://sap_host:port/irj
    ProxyPreserveHost On
    

    For SAP NetWeaver Enterprise Portal 7:

    ProxyRequests Off
    ProxyPass /webdynpro http://sap_host:port/irj
    ProxyPassReverse /webdynpro http://sap_host:port/irj
    ProxyPreserveHost On
    

    Where sap_host is the name of the machine hosting the SAP NetWeaver Enterprise Portal instance and port is the listen port for the SAP NetWeaver Enterprise Portal instance. This set of directives specifies that all of the requests to this Web server of the form http://apache_host:port/irj or https://apache_host:port/irj are redirected to http://sap_host:port/irj or https://sap_host:port/irj.

  3. Restart the proxy Web server.
  4. Access the following URL:

    Non-SSL: http://apachehost:port/irj

    SSL: https://apachehost:port/irj

    This request should be redirected to the SAP NetWeaver Enterprise Portal login.

  5. Log in using the SAP NetWeaver Enterprise Portal administrator login ID.

    The administrator should be able to perform the available administrative functions.

  6. Log in as a non-administrative user.

    This user should be able to perform non-administrative functions.

44.4.3 Configuring SAP NetWeaver Enterprise Portal for External Authentication

You can enable external authentication in SAP Enterprise Portal using the OB_USER header variable.

For more information about configuring authentication schemes for SAP Enterprise Portal, see the SAP documentation.

To configure the header variable

  1. Stop the SAP J2EE dispatcher and server.

  2. Browse to the following directory:

    SAP_J2EE_engine_install_dir\ume

  3. Back up the file authschemes.xml.bak to another directory.

  4. Rename authschemes.xml.bak to authschemes.xml.

  5. Open authschemes.xml in an editor and change the reference of the default authentication scheme to the authentication scheme header as follows:

    <authscheme-refs>
         <authscheme-ref name="default">
              <authscheme>header</authscheme>
              <authscheme>uidpwdlogon</authscheme>
         </authscheme-ref>
    </authscheme-refs>
    
  6. In the authentication scheme header of authschemes.xml, specify the name of the HTTP header variable where the Access System provides the user ID.

    As described in "Configuring Access Manager for SAP Enterprise Portal", this is the OB_USER header variable. You configure this header variable as follows:

    <authscheme name="header">
         <loginmodule>
              <loginModuleName>
                   com.sap.security.core.logon.imp.HeaderVariableLoginModule
              </loginModuleName>
              <controlFlag>REQUISITE</controlFlag>
              <options>Header=OB_USER</options>
         </loginmodule>
         <priority>5</priority>
         <frontEndType>2</frontEndType>
         <frontEndTarget>com.sap.portal.runtime.logon.header</frontEndTarget>
    </authscheme>


    The control flag value REQUISITE means the login module must succeed. If login succeeds, authentication continues through the list of login modules. If it fails, control immediately returns to the application and authentication does not continue through the list of login modules.

  7. Restart the portal server and J2EE engine.

    The modified authschemes.xml file will be loaded into the Portal Content Directory (PCD). SAP Enterprise Portal will rename it as authschemes.xml.bak.

To Configure Logout

  1. To enable logout from a single sign-on session in both SAP Enterprise Portal and Access Manager, configure a logout URL in SAP Enterprise Portal from the administration interface.

    The URL for the administration interface is as follows:

    http://SAP_host:port/irj/

    Where SAP_host is the name of the machine hosting the SAP Enterprise Portal and port is the listen port for the portal.

  2. From the administration interface, click System Administration, then System Configuration, then UM Configuration, then Direct Editing.
  3. Add the following lines to the end of the configuration file:
    ume.logoff.redirect.url=http(s)://proxy_host:port/logout.html
    ume.logoff.redirect.silent=false
    

    Where http(s) is either http or https, proxy_host is the name of the proxy Web server, and port is the listen port for the proxy.

  4. Save the changes and log out.

44.4.4 Adjusting the Login Module Stacks for using Header Variables

Add the HeaderVariableLoginModule to the appropriate login module stack or template and configure the options.

Table 44-1 Login Module Stacks for using Header Variables

Login Modules              Flag        Options
EvaluateTicketLoginModule  SUFFICIENT  {ume.configuration.active=true}
HeaderVariableLoginModule  OPTIONAL    {ume.configuration.active=true, Header=<header_name>}
CreateTicketLoginModule    SUFFICIENT  {ume.configuration.active=true}
BasicPasswordLoginModule   REQUISITE   {}
CreateTicketLoginModule    OPTIONAL    {ume.configuration.active=true}

To adjust the Login Module Stacks for using Header Variables

  1. Run the Visual Administrator tool, in the following location:

    SAPJ2EEEngine_install_dir\j2ee\admin\go.bat

  2. In the Visual Administrator, choose Security Provider.
  3. Switch to edit mode by choosing the pencil icon.
  4. Choose Policy Configurations, then Authentication.
  5. For each template or application that is to support header variable authentication, add the login module HeaderVariableLoginModule to the login module stack (see Table 44-1).
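The control flag semantics described for REQUISITE above, applied to the whole stack in Table 44-1, are easiest to see by running them. The following is an added example, not Oracle's or SAP's code: a small model of standard JAAS control-flag evaluation over that stack. The behaviour of the four SAP modules is a simplified assumption (a ticket module that succeeds only when a ticket is presented, a header module that succeeds only when the header names an existing portal user, and so on), and the user store is constructed.

```python
"""Added example (not Oracle's or SAP's code): a model of how JAAS control
flags decide the outcome of the login module stack in Table 44-1.

Assumptions (simplified, hypothetical behaviour of the four SAP modules):
  - EvaluateTicketLoginModule succeeds only if a valid SAP logon ticket is presented.
  - HeaderVariableLoginModule succeeds if the configured header (Header=<header_name>)
    carries a user ID that exists in the portal user store, and records that user.
  - CreateTicketLoginModule succeeds only if an earlier module identified a user.
  - BasicPasswordLoginModule succeeds if the submitted user/password pair is correct.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed portal user store: user ID -> password (sample data only).
PORTAL_USERS = {"JDOE": "s3cret", "ADMIN": "adm1n"}


@dataclass
class Context:
    header: Optional[str] = None                 # value of the OB_USER / OAM_REMOTE_USER header
    ticket_user: Optional[str] = None            # user named in an already valid logon ticket
    password: Optional[Tuple[str, str]] = None   # (user, password) from the logon form
    user: Optional[str] = None                   # shared state: the user identified so far
    ticket_issued: bool = False


def evaluate_ticket(ctx: Context) -> bool:
    if ctx.ticket_user is None:
        return False
    ctx.user = ctx.ticket_user
    return True


def header_variable(ctx: Context) -> bool:
    # The user ID in the header must exist in the portal data source (overview, step 7).
    if ctx.header in PORTAL_USERS:
        ctx.user = ctx.header
        return True
    return False


def create_ticket(ctx: Context) -> bool:
    if ctx.user is None:
        return False
    ctx.ticket_issued = True
    return True


def basic_password(ctx: Context) -> bool:
    if ctx.password and PORTAL_USERS.get(ctx.password[0]) == ctx.password[1]:
        ctx.user = ctx.password[0]
        return True
    return False


# The stack from Table 44-1, in order, with its control flags.
STACK: List[Tuple[str, str, Callable[[Context], bool]]] = [
    ("EvaluateTicketLoginModule", "SUFFICIENT", evaluate_ticket),
    ("HeaderVariableLoginModule", "OPTIONAL", header_variable),
    ("CreateTicketLoginModule", "SUFFICIENT", create_ticket),
    ("BasicPasswordLoginModule", "REQUISITE", basic_password),
    ("CreateTicketLoginModule", "OPTIONAL", create_ticket),
]


def run_stack(ctx: Context) -> Tuple[bool, List[str]]:
    """Apply standard JAAS control-flag semantics to STACK.

    Returns (authenticated, names of the modules that were actually invoked).
    """
    invoked: List[str] = []
    required_failed = False
    any_success = False
    for name, flag, module in STACK:
        invoked.append(name)
        ok = module(ctx)
        any_success = any_success or ok
        if flag == "SUFFICIENT" and ok and not required_failed:
            return True, invoked       # short-circuit: the remaining modules never run
        if flag in ("REQUIRED", "REQUISITE") and not ok:
            required_failed = True
            if flag == "REQUISITE":
                return False, invoked  # control returns to the application at once
    return (not required_failed) and any_success, invoked
```

With a valid header for an existing user the stack stops after CreateTicketLoginModule and the password module is never reached; with no header (or a header naming a user absent from the portal store) the REQUISITE BasicPasswordLoginModule decides the result.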

44.4.5 Configuring Access Manager for SAP Enterprise Portal

You can configure the security policy in Access Manager to protect log-ins to SAP NetWeaver Enterprise Portal.

To configure Access Manager for SAP NetWeaver Enterprise Portal

  1. Log in to the Oracle Access Management Console and click Application Security at the top of the window.
  2. In the Launch Pad tab, select Create Application Domain from the Create (+) drop-down menu in the Access Manager section.

    The Create OAM Webgate page opens.

  3. Complete the form to create a WebGate for this integration. For example:

    Name—SAP_AG

    Version—OAM

    Host Identifier—Apache proxy host

    Auto Create Policies—Enabled (checked)

    Public Resource List—Add any public Resources to this list.

    Apply—Click to create the WebGate.

  4. Click the Authorization Policies tab, then click the Create Authorization Policy button to open a fresh page (Managing Policies to Protect Resources and Enable SSO).
  5. Summary Tab: Add your information to the Summary tab.
  6. Click the Resources tab, click Add (+), and define the resources for the policies in this application domain as follows:

    Name: SAP EP Security Policy

    Type: http

    Host identifiers: Enter the proxy host URL prefix: /irj.

    Description: SAP EP Login URL

  7. Add Resources: The Resource must be defined in the Application Domain before you can add the resource to a specific policy.
    • Click the Resources tab on the Authorization Policy page.

    • Click the Add button on the Resources tab.

    • Click the Search button.

    • Click a URL in the Results table, then click Add Selected.

    • Repeat these steps to add more resources.

  8. Click Apply to save changes and close the Confirmation window.
  9. Responses: Add policy Responses, as described in "Adding and Managing Policy Responses for SSO".
  10. Conditions: Add authorization conditions, as described in "Defining Authorization Policy Conditions".
  11. Rules: Add authorization rules, as described in "Defining Authorization Policy Rules".
  12. Close the page when you finish.

44.5 Configuring Oracle Access Management and NetWeaver Enterprise Portal 7.4.x

This section contains the following tasks.

44.5.1 Before You Begin Configuring OAM and NetWeaver Enterprise Portal 7.4.x

  • Install SAP NetWeaver Enterprise Portal version 7.4.x before completing the steps in this section.

  • Install Access Manager as described in the Installing and Configuring Oracle Identity and Access Management.

  • Install Apache HTTP Server 2.0.x or 2.2.x by following the installation steps provided by apache.org.

  • Install and configure an OAM WebGate on each Apache HTTP Server instance that supports the proxy connection to the SAP Enterprise Portal 7.4 instance. See Installing Webgates for Oracle Access Manager for details.

  • Synchronize the time on all servers where SAP NetWeaver Enterprise Portal and Access Manager components are installed.

  • Ensure that the users exist in the Access Manager LDAP directory as well as on the SAP R3 system database.

    The user ID in Access Manager and the SAP database must be the same or be mapped to each other. Any attribute in a user's profile can be configured as the SAP ID and passed directly to SAP. Alternatively, SAP can be configured to map the SAP ID to any user attribute that it receives from Access Manager.

  • Verify that your Web browser is configured to allow cookies.
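The prerequisite that every user exists in both the Access Manager LDAP directory and the SAP user store (stated under "Before You Begin" for both 7.0.x and 7.4.x) can be checked before the integration is switched on. The following is an added example, not from the Oracle documentation: it parses an LDIF export, maps the configured attribute to a SAP ID, and reports users present on only one side. The LDIF data, the SAP user list, and the upper-casing mapping rule are all constructed for the example.

```python
"""Added example (not from the Oracle documentation): reconcile the user IDs
in an Access Manager LDAP export with the SAP user list.

Assumptions: the LDAP side is an LDIF export and the attribute passed to SAP
as the SAP ID is configurable (uid by default); the SAP side is a plain list
of user IDs, one per line. Upper-casing the LDAP value is a constructed
example of a mapping rule, not a fixed convention of either product.
"""
import base64
from typing import Callable, Dict, List

# Constructed LDIF export of the Access Manager directory (sample data only).
LDIF_EXPORT = """\
dn: uid=jdoe,ou=people,dc=example,dc=com
uid: jdoe
cn: Jane Doe
sapid: JDOE

dn: uid=asmith,ou=people,dc=example,dc=com
uid: asmith
cn:: QWxhbiBTbWl0aA==
sapid: ASMITH

dn: uid=svc-portal,ou=people,dc=example,dc=com
uid: svc-portal
cn: Portal ser
 vice account
"""

# Constructed SAP user list (one user ID per line).
SAP_USER_LIST = """\
JDOE
ASMITH
BJONES
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF parser: unfolds continuation lines and decodes base64 ('::') values."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # a folded line continues the previous one
        else:
            unfolded.append(line)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded + [""]:              # the trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.lower(), []).append(value)
    return entries


def reconcile(ldif_text: str, sap_text: str, id_attr: str = "uid",
              to_sap_id: Callable[[str], str] = str.upper) -> Dict[str, List[str]]:
    """Compare the mapped LDAP IDs with the SAP IDs; every user must appear on both sides."""
    ldap_ids = {to_sap_id(v) for entry in parse_ldif(ldif_text)
                for v in entry.get(id_attr.lower(), [])}
    sap_ids = {line.strip() for line in sap_text.splitlines() if line.strip()}
    return {
        "matched": sorted(ldap_ids & sap_ids),
        "only_in_ldap": sorted(ldap_ids - sap_ids),   # would be rejected by the portal
        "only_in_sap": sorted(sap_ids - ldap_ids),    # never authenticated by Access Manager
    }
```

Passing a different id_attr (for example a dedicated sapid attribute) with an identity mapping covers the alternative the text mentions, where any profile attribute is configured as the SAP ID.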

Note:

Oracle suggests reviewing the following topics prior to integrating Access Manager with SAP NetWeaver Enterprise Portal.

44.5.2 Configuring Access Manager for SAP NetWeaver Enterprise Portal 7.4.x

You can configure the Access Manager security policy that protects SAP NetWeaver Enterprise Portal log-ins.

To configure:

  1. Log in to the Oracle Access Management Console and click Application Security at the top of the window.

  2. In the Launch Pad tab, select Create Application Domain from the Create (+) drop-down menu in the Access Manager section.

  3. Complete the form to create a WebGate for this integration. For example:

    Name—Type a meaningful name, for example, SAP_AG. Do not include spaces in the name.

    Version - select OAM from the drop-down menu.

    Access Client Password—Enter a password to be used during the installation of the WebGate.

    Security—Choose the type of communication that should occur between the WebGate and the OAM server.

    Click Apply.

    A confirmation page opens.

  4. At the bottom of the confirmation page, in the Server Lists section, associate the WebGate with a defined Access Server.

    Click Apply.

  5. On the Launch Pad page, go to the Access Manager section and click Host Identifiers.

    Click Search, then click the WebGate in the search results.

    Configure the host identifiers using the fully qualified proxy machine name and port for the Apache proxy.

  6. Click Application Domains and search for the application domain name that you used to create the WebGate (for example, SAP_WG).

    Click the application domain name in the search results to open it.

    1. Click the Resources tab and search for the resource that the WebGates should protect. Select the resource in the search results, then click the Create button.

      Complete the form and click Apply.

      Type - HTTP

      Resource URL - /irj

      Protection Level - Protected

      Authentication Policy - Protected Resource Policy

      Authorization Policy - Protected Resource Policy

    2. Click the Authentication Policies tab, then click Protected Resource Policy.

      Choose the appropriate authentication scheme from the Authentication Scheme drop-down that you want to configure for this particular domain. For example, for a form-based authentication policy (FAAuthScheme), enter the following:

      Name - Protected Resource Policy

      Authentication Scheme - FAAuthScheme

      Note:

      Select either basic-over-LDAP or form-based authentication.

      Oracle recommends that you use a form-based authentication scheme. If you use the basic authentication scheme, also set the Challenge Redirect field to another WebGate to ensure that the ObSSOCookie is set.

      Click Apply to save your changes.

    3. Click the Authorization Policies tab, then click Protected Resource Policy.

      Click the Responses tab and add the following:

      Type - Header

      Name - OAM_REMOTE_USER

      Value - Same account name

      The other tabs in Authorization Policies include conditions and rules:

      Condition - Creates a list of users and puts them in a group.

      Rule - Allows or denies access to the group of users created in the conditions tab.

      Click Apply to save your changes.

  7. If you configured a form-based authentication scheme, ensure that a login.html page is configured in the proxy server document root.

    Also, ensure that a logout.html page is present in the proxy Web server document root. You can create a custom logout page using HTML, a JSP file, or a CGI script.

    The default logout page (logout.html) is located here:

    WebGate_install_dir/webgate/apache/oamsso/logout.html

    Where:

    WebGate_install_dir is the directory where the WebGate is installed. Ensure that the name of the logout page contains the string logout.

  8. Ensure that the user ID that is returned by the OAM_REMOTE_USER header variable exists in the user management data sources for SAP Enterprise 7.4.

  9. On the Launch Pad page, go to the Access Manager section and click Authentication Schemes.

    Choose the authentication scheme to use. This is the scheme that you selected inside the application domain of the WebGate.

44.5.3 Configuring Apache Web Server 2.0.x or 2.2.x

You can configure a proxy to access SAP Enterprise Portal 7.4.

To configure:

  1. Set up the Apache proxy in non-SSL mode or in SSL mode. Refer to the Apache documentation for details.

    If HTTPS communication is used with the SAP Enterprise Portal 7.4, use SSL mode.

  2. To enable the proxy to the SAP Enterprise Portal 7.4, add the following to the httpd.conf file:

    ProxyRequests Off
    ProxyPass / http://sap_host:port/
    ProxyPassReverse / http://sap_host:port/
    ProxyPreserveHost On

    Where:

    sap_host - The name of the machine hosting the SAP Enterprise Portal 7.4 instance

    port - The listening port for the SAP Enterprise Portal 7.4 instance.

    This set of directives specifies that all requests to the Web server that take the form http://apache_host:port/irj or https://apache_host:port/irj are redirected to http://sap_host:port/irj or https://sap_host:port/irj.

  3. Uncomment the following proxy related modules:
    • LoadModule proxy_module modules/mod_proxy.so

    • LoadModule proxy_http_module modules/mod_proxy_http.so

  4. Restart the proxy Web server.
  5. Open a browser and access the following URL:
    • Non-SSL: http://apachehost:port/irj

    • SSL: https://apachehost:port/irj

    This request should be redirected to the SAP Enterprise Portal 7.4 login page.

  6. Log in using the SAP Enterprise Portal 7.4 administrator login ID.

    Verify that you can perform the provided administrative functions when logged in as an administrator.

  7. Log in as a non-administrative user.

    Verify that you can perform the provided non-administrative functions when logged in.

44.5.4 Configuring SAP Enterprise Portal 7.4 for External Authentication

You can enable external authentication in SAP Enterprise Portal 7.4 using the OAM_REMOTE_USER header variable.

See the SAP Enterprise Portal 7.4 Enterprise Portal Security Guide for more information about configuring authentication schemes for SAP Enterprise Portal.

  1. To enable logout from a single sign-on session in both SAP Enterprise Portal 7.4 and Access Manager, use the SAP NetWeaver Administrator interface to configure a logout URL.

    Set the SAP NetWeaver Portal Logoff URL (ume.logoff.redirect.url) to the appropriate logout URL.

  2. Open the config tool by running the configtool.bat file, which is located here:

    SAP_J2EE_engine_install_dir\configtool

    Prepare to edit the configuration by switching to configuration editor mode, and choosing edit mode.

  3. Edit the properties for the following workernode service: com.sap.security.core.ume.service

    Update the ume.logoff.redirect.url property and the ume.logoff.redirect.silent property with the logoff URL configured in step 1.

    ume.logoff.redirect.url=http(s)://proxy_host:port/logout.html

    ume.logoff.redirect.silent=false

    Save your changes and close the config tool.

  4. Stop the SAP J2EE dispatcher and server.

44.5.5 Adjusting the Login Module Stacks for Using Header Variables

You can use the NetWeaver Admin console to add the HeaderVariableLoginModule to the appropriate login module stack or template and configure the options.

In the console, choose Configuration > Authentication and Single Sign-On. Click Login Modules under the Authentication tab. Create the HeaderVariableLoginModule login module, with the display name as HeaderVariableLoginModule and class name as com.sap.security.core.server.jaas.HeaderVariableLoginModule. Choose Component > ticket from the Login Module Use tab, and add the login module HeaderVariableLoginModule to the login module stack for each template or application that is to support header variable authentication.

Table 44-2 Login Module Stacks for using Header Variables

Login Modules              Flag        Options
EvaluateTicketLoginModule  SUFFICIENT  {ume.configuration.active=true}
HeaderVariableLoginModule  OPTIONAL    {ume.configuration.active=true, Header=<header_name>}
CreateTicketLoginModule    SUFFICIENT  {ume.configuration.active=true}
BasicPasswordLoginModule   REQUISITE   {}
CreateTicketLoginModule    OPTIONAL    {ume.configuration.active=true}

44.6 Testing the Integration

You can validate the front-end and back-end integrations using a Web browser.

Front-End Integration Test Procedure

Follow these steps to test the integration using a Web browser.

  1. Open a protected URL. For example: https://host:port/irj

    Access Manager should prompt for authentication (form-based, basic over LDAP, or certificate-mode authentication).

  2. Enter the correct user credentials.

    If the credentials are correct, you will be logged into the SAP NetWeaver Enterprise Portal system.

Back-End Integration Test Procedure

To use these steps, download and install a plug-in for your Web browser that displays the HTTP requests and responses that happen when your browser requests a resource. Live HTTP Headers for Firefox, or ieHTTPHeaders for Internet Explorer are two such plug-ins.

  1. Open the plug-in and type a URL in your browser to request a protected resource, for example: https://host:port/irj

    The plug-in window will be populated with the HTTP requests and responses.

  2. Analyze the requests and responses and make sure that each request returns a response without errors.

    Once the user is authenticated you should see some sessions and cookies set in the HTTP Header logs. The cookies that are set include the following:

    • ObSSOCookie

    • JSESSIONID

    • OAM_ID

    • OAM_REQ

    When the request reaches the SAP NetWeaver Enterprise Portal, you will receive responses from the Enterprise Portal system in the header logs.
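The header log from the back-end test can be checked mechanically rather than by eye. The following is an added example, not from the Oracle documentation: it parses a saved header capture, pairs each request with its response, flags failed requests, and reports which of the cookies listed above were set. The capture format is an assumption (blank-line separated blocks, as a Live HTTP Headers export looks), and the sample log, its URLs and cookie values are constructed placeholders.

```python
"""Added example (not from the Oracle documentation): parse a browser header
capture from the back-end test and check it for the cookies the procedure
lists and for failed requests.

Assumed capture format (constructed to resemble a Live HTTP Headers export):
blocks separated by blank lines, each beginning with a request line
("GET /irj HTTP/1.1") or a status line ("HTTP/1.1 302 Found"), then headers.
"""
import re
from typing import Dict, List, Optional

EXPECTED_COOKIES = ("ObSSOCookie", "JSESSIONID", "OAM_ID", "OAM_REQ")
REQUEST_RE = re.compile(r"^(GET|POST|HEAD) (\S+) HTTP/\d\.\d$")
STATUS_RE = re.compile(r"^HTTP/\d\.\d (\d{3})")

# Constructed sample capture; cookie values and query strings are placeholders.
SAMPLE_LOG = """\
GET /irj HTTP/1.1
Host: apachehost:443

HTTP/1.1 302 Found
Location: https://apachehost:443/oam/server/obrareq.cgi?encquery=PLACEHOLDER
Set-Cookie: OAM_REQ=PLACEHOLDER_REQ; path=/; secure

POST /oam/server/auth_cred_submit HTTP/1.1
Host: apachehost:443

HTTP/1.1 302 Found
Location: https://apachehost:443/irj
Set-Cookie: OAM_ID=PLACEHOLDER_ID; path=/; secure; HttpOnly
Set-Cookie: ObSSOCookie=PLACEHOLDER_SSO; path=/; secure; HttpOnly

GET /irj HTTP/1.1
Host: apachehost:443

HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=PLACEHOLDER_SESSION; Path=/; HttpOnly
Content-Type: text/html
"""


def parse_exchanges(log: str) -> List[Dict]:
    """Pair each request block with the response block that follows it."""
    exchanges: List[Dict] = []
    current: Optional[Dict] = None
    for block in re.split(r"\n[ \t]*\n", log.strip()):
        lines = block.strip().splitlines()
        if not lines:
            continue
        req = REQUEST_RE.match(lines[0])
        if req:
            current = {"method": req.group(1), "path": req.group(2),
                       "status": None, "cookies": [], "location": None}
            exchanges.append(current)
            continue
        status = STATUS_RE.match(lines[0])
        if status and current is not None:
            current["status"] = int(status.group(1))
            for header in lines[1:]:
                name, _, value = header.partition(":")
                if name.lower() == "set-cookie":
                    # keep only the cookie name; the value is a session secret
                    current["cookies"].append(value.strip().split("=", 1)[0])
                elif name.lower() == "location":
                    current["location"] = value.strip()
    return exchanges


def analyze(log: str) -> Dict:
    """Summarise the capture: failed requests, cookies seen, expected cookies missing."""
    exchanges = parse_exchanges(log)
    seen = {name for e in exchanges for name in e["cookies"]}
    errors = [(e["method"], e["path"], e["status"])
              for e in exchanges if e["status"] is None or e["status"] >= 400]
    return {
        "exchanges": len(exchanges),
        "errors": errors,
        "cookies_seen": sorted(seen),
        "missing_cookies": [c for c in EXPECTED_COOKIES if c not in seen],
        "final_status": exchanges[-1]["status"] if exchanges else None,
    }
```

A non-empty errors list on the final /irj request (for example a 404) points at the proxy-to-portal leg rather than at Access Manager, which is the symptom the troubleshooting entry below describes.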

44.7 Troubleshooting the Integration

You can troubleshoot issues with this integration.

Problem: The browser has problems displaying the SAP 7.0.x administration interface through the proxy server. You may receive an "object not found" error and related JavaScript errors.

Solution: See the following SAP document for a list of supported browsers, "SAP NetWeaver 7.0.x Product Availability Matrix."