This article describes how to configure SAP NetWeaver as an Service Provider for Cloud Access Service (CAS).

Configure CAS

Perform these steps to configure CAS as an IDP for SAP NetWeaver.  

Procedure

1. Sign in to RSA Cloud Administration Console, and navigate to Applications > Application Catalog.
2. Click Create From Template and select SAML Direct.

2. Choose Cloud on the Basic Information page.

3. Enter the Name for the application, and click Next Step.

4. On the Connection Profile page, navigate to Initiate SAML Workflow section and choose IdP-initiated.

5. In the Data Import method section, enter the following values:
   1. ACS URL: https://SAP Netweaver domainname/sap/bc/gui/sap/its/webgui
   2. Service Provider Entity ID: The name must match the Issuer Entity ID as configured in the SAP NetWeaver.

6. Navigate to the Identity Provider section. Make a note of the Identity Provider URL, as it will be needed for the SAP NETWEAVER configuration.

7. In the Message Protection section, for SAML Response Protection:
   • Choose IdP signs assertion with response.

8.  Scroll down to the User Identity section, and select the following information:
   1. Identifier Type > emailAddress
   2. Property > mail

9. Click Next Step and select Allow All Authenticated Users
10.  From the dropdown list select the policy for this application.

11.  On the Portal Display page, select Display in Portal.
12. Click Next step.

13. Navigate to Fulfilment section, enter the following values: 

14. Click Publish Changes. After publishing, your application is now enabled for SSO.

The Configuration is complete. 

SAP NetWeaver Configuration

Perform these steps to configure SAP NetWeaver Configuration.  

Procedure

1. Sign in to SAP NetWeaver with admin login, start the SAML 2.0 configuration application (transaction SAML2).
2. Click Enable SAML 2.0 Support.

3. Enter the Provider Name and click Next.

Note: The Provider Name must match the Audience (Service Provider Entity ID) as configured in the RSA ID Plus console.

4. Set the Clock Skew Tolerance and click Next.

5. Set the Identity Provider Discovery Selection Mode to Automatic, mark the checkbox for Assertion Consumer Service HTTP POST binding and click Finish.

Note: None of the other Assertion Consumer Service or Single Logout Service bindings are currently supported in RSA ID Plus.

6. Open the Trusted Providers tab and click Add > Manually.

7. Enter a Name for the new trusted identity provider and click Next.

Note: The Name must match the Issuer Entity ID as configured in the RSA ID Plus Console.

8. In the Primary Signing Certificate section, click Browse and upload the Primary Signing Certificate.
9. Click Next.

Note: The primary signing certificate must match the certificate uploaded to the RSA ID Plus console.

10. Click Add to add a single sign-on endpoint.

11. Select HTTP POST from the Binding dropdown menu, enter the Location URL and click OK.

Note: The Location URL must match the Identity Provider URL as configured in the RSA ID Plus Console.

12. Click Next.

13. Click Next.

14. Click Next.

15. Click Finish.

16. Click Edit, then Add to add a NameID format.

17. Choose a NameID format and click OK.

Note: The NameID format must match the Identifier Type as configured in User Identity section of the RSA ID Plus console.

18. Click Save. 
19. Click  Enable > OK.

The Configuration is complete.