Configure Single Sign-On (SSO)

The EdgeReady platform supports Single Sign-On(SSO) with multiple authentication mechanisms.  The SSO can be configured in the EdgeReady platform, if the Authentication system generates the token and the connecting system is configured to consume the token. The EdgeReady platform provides the following Authentication methods :

• Password Authentication – The EdgeReady platform provides a user management engine with password authentication. This is the default authentication mechanism available out of the box and this authentication method does not support SSO.
• SAP Logon Tickets – The EdgeReady platform supports SAP NetWeaver Authentication using the EdgeReady Plugin component of the platform. The EdgeReady Plugin is installed on the SAP NetWeaver for authentication. This authentication mechanism can be used for SSO configuration.
• LDAP/ADFS – The EdgeReady platform provides integration with LDAP or ADFS to provide authentication. This authentication mechanism can be used for SSO configuration.
• Custom IDP – The EdgeReady platform also supports other off-the-shelf or custom / homegrown Identity Providers (IDP) using its platform extension capabilities i.e., the EdgeReady platform can integrate with any off-the-shelf or custom IDP leveraging SAML 2.0 / ECP and OAuth to provide authentication. This authentication mechanism can also be used to configure SSO.

The following sections elaborate on the configuration of SSO specifically for SAP implementations.

Single Sign-On using SAP Logon Tickets

The following procedure explains how to set up Single Sign-On using SAP Logon Tickets for the EdgeReady Apps:

A. Export Certificate from JAVA Server

The following steps explain how to export certificates from a JAVA server:

1. Go to Net weaver Admin and select the Configuration Management tab.
2. Select the security sub-tab and click on the Certificates and Keys link.
3. Under the Key Storage tab content select TicketKeystore.
4. You can view the details in the lower pane. Select SAPLogonTicketKeypair-cert.
5. Click Export Entry and select the export format : Binary X.509
6. Download the certificate file to the local computer.

B. Export Certificate from ABAP Server

The following steps explain how to export certificates from an ABAP server:

1. Login into ABAP server.
2. Go to Transaction STRUSTSSO2 and select the certificate you want to export.
3. Click Export certificate.
4. Save the certificate to the local drive.

B. Import Certificate to JAVA Server

The following procedure explains how to Import a certificate to a JAVA server:

1. Log into the Net-weaver Admin and select the Configuration Management tab.
2. Select Security > Trusted Systems.
3. From Add Trusted System, choose By Uploading Certificate Manually.
4. Enter System ID , Client and in Certificate File - choose an ABAP certificate to import.
5. Confirm and click Finish to import the certificate.

Import Certificate on ABAP System

The following procedure explains how to Import a certificate to a ABAP server.

1. Go to Transaction STRUSTSSO2 and click Import certificate.
2. Select the Java certificate you want to import.
3. Once Certificate is imported, click Add to certificate List.
4. Click Add to ACL and give the SID of the Java system and client. (Most cases it is 000)

The RFC destination defined here will be used during EdgeReady platform configuration, such that the destination value of each SAP system specified in the platform remains synchronized with that of EdgeReady Plugin.

When there is a data request from the EdgeReady platform, the EdgeReady Plugin will establish connection with the specific SAP system based on RFC Destination configuration.