In such a scenario, Tivoli Federated Identity Manager with SAML is responsible for handling the authentication flow by using Security Assertion Markup Language. For the SAP integration into WebSphere® Portal, the supported SAML scenario is named Service Provider initiated single sign-on. To use such a scenario, you need technical expertise for all three participating systems: IBM WebSphere Portal, IBM Tivoli Federated Identity Manager and SAP NetWeaver Portal.
To use Tivoli Federated Identity Manager (TFIM) for single sign-on to SAP NetWeaver Portal with WebSphere Portal Integrator for SAP, follow these instructions:
- Make sure that your Tivoli Federated Identity Manager is configured correctly for authentication of the participating service providers and the users in a service-provider initiated single sign-on scenario. The service providers are the SAP NetWeaver Portal instance and the WebSphere Portal instance.
- For the navigation integration you need to set up a Web Service Single Sign On for the Web Service Client NavigationWS. This Web Service Client is hosted in the enterprise application IntegrationSAP in the WebSphere Integrated Solutions Console.
- For both the SAP navigation integration and the SAP integrator portlet, you need to set up Web Single Sign On to the SAP NetWeaver Portal.
- To make the Integrator for SAP use TFIM, do not set any other authentication configuration:
  - For the SAP navigation integration, do not set the parameters sap.CredentialSlotId and sap.SSOTokenUrl. Also do not configure single sign-on for browsers as described under the topic about Configuring basic authentication for single sign-on to SAP NetWeaver Portal.
  - For the SAP integrator portlet, do not select a Credential Vault slot and do not set an SSO domain.
  - Do not add the login or logout filter of the SAP integration to the filter chains.
- To test and verify your environment, proceed in small steps, because the complete environment with WebSphere Portal Integrator for SAP is complex to monitor when it is tested all at once. For example, you can proceed in the following steps:
  - Start by testing web single sign-on. For example, you can do this by using Web Clipping.
  - To verify the configuration of the WebSphere Portal Integrator for SAP using SAML, test the SAP integrator portlet.
  - As a final test, test the SAP navigation integration. This test requires the steps that you verified before, and additionally the Web Service Single Sign On.
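For the first test step (web single sign-on), it helps to confirm that the redirect captured from the browser really is a service-provider initiated request aimed at the identity provider. The following check is an added example, not part of the product documentation: it assumes the service provider uses the SAML 2.0 HTTP-Redirect binding, and all host names, URLs and function names in it are constructed placeholders.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
MAX_XML = 64 * 1024  # refuse to inflate more than this many bytes


def decode_authn_request(redirect_url):
    """Return issuer, destination and RelayState of the AuthnRequest in a redirect URL."""
    query = parse_qs(urlsplit(redirect_url).query)
    if "SAMLRequest" not in query:
        raise ValueError("no SAMLRequest parameter: not an SP-initiated redirect")
    inflater = zlib.decompressobj(-15)  # HTTP-Redirect binding uses raw DEFLATE
    xml = inflater.decompress(base64.b64decode(query["SAMLRequest"][0]), MAX_XML)
    if inflater.unconsumed_tail or b"<!DOCTYPE" in xml:
        raise ValueError("oversized message or DTD present, refusing to parse")
    root = ET.fromstring(xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"unexpected SAML message: {root.tag}")
    return {"issuer": root.findtext(f"{{{SAML}}}Issuer", default="").strip(),
            "destination": root.get("Destination"),
            "relay_state": query.get("RelayState", [None])[0]}


def check_sp_initiated(redirect_url, expected_issuer, idp_sso_url):
    """List mismatches between the captured redirect and the configured federation."""
    fields = decode_authn_request(redirect_url)
    expected = (("issuer", expected_issuer), ("destination", idp_sso_url))
    return [f"{name} is {fields[name]!r}, expected {want!r}"
            for name, want in expected if fields[name] != want]


def build_sample_redirect(issuer, idp_sso_url, relay_state="/portal"):
    """Build a constructed redirect URL so the check can run offline."""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
           f'ID="_constructed1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
           f'Destination="{idp_sso_url}"><saml:Issuer>{issuer}</saml:Issuer>'
           f'</samlp:AuthnRequest>')
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
    packed = deflater.compress(xml.encode()) + deflater.flush()
    params = {"SAMLRequest": base64.b64encode(packed).decode(), "RelayState": relay_state}
    return idp_sso_url + "?" + urlencode(params)


if __name__ == "__main__":
    url = build_sample_redirect("https://sap.example.com/sp", "https://idp.example.com/sso")
    print(check_sp_initiated(url, "https://sap.example.com/sp", "https://idp.example.com/sso"))
```

An empty list means the request was issued by the expected service provider and addressed to the expected identity provider endpoint; any entry names the field that does not match.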