SAP NetWeaver Integration Kit

SAP J2EE setup for NetWeaver 7.0

About this task

  • To allow for deep linking for SP-initiated SSO, the login module appends the target-resource URL to the ssoUrl property. This feature is supported only for NetWeaver portals; for other applications the target resource is not appended and the user will go to the Default URL configured in PingFederate. For more information, see Configuring default URLs in the PingFederate documentation.

  • The login module JAR file (PFLoginModuleJAR.jar), along with supporting JARS included with this distribution, can be used to create a custom SDA for the NetWeaver platform. For more information see the SAP Help.

Steps

  1. Deploy the login module included with this distribution (PFLoginModuleLibrary.sda) to NetWeaver using the Software Deployment Manager (SDM).

    For information on how to deploy a login module, please refer to SAP Help.

  2. Add a reference to the Classloader through the Config Tool, using this value for the library PingIdentity-PFLoginModuleLibrary.

    For information on how to add a reference, see Adding a Reference to the Classloader of the Security Provider in the SAP Help Portal.

  3. Configure the login module through the Visual Administrator, using the class name com.pingidentity.adapters.netweaver.sp.PFLoginModuleClass and the following options:

    Option Description

    agentPropertiesFileName

    Filename with full path to the location of OpenToken properties file. For example, C:\agent-config.txt.

    pfBaseUrl

    Base URL to the PingFederate SP instance.

    enableSPSSO

    If true, PFLoginModule redirects to the ssoUrl (below) if OpenToken is not found in the request. This enables SP-initiated SSO functionality for NetWeaver.

    The default value is false.

    ssoUrl

    URL for redirect if SP-initiated SSO, required only if is enabled (above). The value required is PingFederate’s application endpoint to start the SSO: http[s]://<PF_host>:<port>/SP/startSSO.ping ?PartnerIdpId=<connection_id>

    For more information, see Developer Notes below.

    excludeUrI

    List of excluded resource URIs using regular expressions. For example: /webdynpro.

    enableSSOCookie

    If true and enableSPSSO is set to true, PFLoginModule redirects only if a cookie (an SSO Cookie, defined below) is found in the request. The SP sets an SSO Cookie in the user’s browser during an initial IdP-initiated SSO event. When the user arrives at the NetWeaver SP in the future, with the SSO Cookie, the user is redirected to the ssoUrl.

    If false and enableSPSSO is set to true, the PFLoginModule redirects any user to the ssoUrl, regardless of any SSO Cookie.

    The default value is false

    ssoCookieName

    The name of the SSO cookie to set in the user’s browser, required only if enableSSOCookie is set to true.

    For information on how to configure a login module, please refer to the SAP Help.

  4. Configure an application to use the login module. A sample configuration, which allows for both SSO and direct authentication, is shown below:

    Login Module Flag

    EvaluateTicketLoginModule

    SUFFICIENT

    PFLoginModule

    REQUISITE

    BasicPasswordLoginModule

    REQUISITE

    CreateTicketLoginModule

    OPTIONAL

    For information on how to configure an application, see Configuring an Application to Use the Login Module in the SAP Help Portal.