SAML Identity Provider

Hi all,
As WAS6.0 acts as a Service Provider only for SAML, what are the free Identity Providers that I can use to implement Single Sign-On in WAS? From where can I get these free external products/servers?

As of SAP IdM 7.20 (which runs as a component on the SAP Java Application Server) SAML 2.0 as identity provider is supported.
So it is not just any SAP J2EE system (e.g. EP) and also not all releases.
I was also disappointed by this
Cheers,
Julius

Similar Messages

  • Can J2EE act as SAML identity provider?

    Hi all,
    I've been going through the various documents and help files and found contradicting and confusing info. So can anyone tell me: do I have to use a 3rd party component to enable SSO to EP based on SAML or to enable server-to-server authentication from EP to another IIS based site?
    Are the following components enough?
    1. Active directory (any version required)
    2. EP (any version required)
    3. IIS/MOS (any version required)
    Thanks,
    Eric

    As of SAP IdM 7.20 (which runs as a component on the SAP Java Application Server) SAML 2.0 as identity provider is supported.
    So it is not just any SAP J2EE system (e.g. EP) and also not all releases.
    I was also disappointed by this
    Cheers,
    Julius

  • Third-Party SAML (1.1 or 2.0) as Identity Provider

    From documentation, it appears that in theory you should be able to use SAML 1.1 or SAML 2.0 using a third-party Identity Provider... however I cannot seem to find any examples or collection of documentation on how this can be done.
    When trying to follow through some of the examples out there, it won't let me configure/enable the Service Provider, complaining that I haven't setup an Identity Provider... but I don't want to use WebLogic as the Identity Provider... but instead a third-party solution that allows for flexible PKI usage...
    Has anyone else setup WebLogic with a Third-party SAML solution?

    well that might be a bit harsh, but anyway this is
    reported as Oracle Bug No. 4450233 and possibly fixed
    in 10.1.2.99
    pstrachan,
    You can ask support for a patch for this fix.
    10.1.2 passed CTS 1.3 and is J2EE 1.3 compliant. Please note that CTS does not cover all possible testcases in J2EE 1.3
    -Debu

  • SAML assertion Identity provider - SSO for ALL users

    Hi,
    If we have a Corp AD configured on Windows 7/Windows 8
    but SAP-EP-UME is hooked up to the Corp AD (read only).
    Can we consider the Active Directory system (Windows) to be the IDENTITY PROVIDER
    and configure the SAP-EP (portal) to be the SERVICE PROVIDER for SSO?
    Edited by: Franklin Jayasim on Aug 7, 2010 12:47 AM

    Hi,
    I don't have any experience with AD as IdP but you can find on the net that AD can be a SAML 2.0 identity provider. The question is if it's part of the standard installation or there is an extra cost. SAP supports only a subset of the standard but I assume that it covers all basic scenarios so it should be possible.
    But if you want to play then have a look at the Shibboleth project (http://shibboleth.internet2.edu/). It's an open source project and it supports Active Directory as identity store. I want to test it myself with CE7.2 but I don't know when I'll have time.
    Cheers

  • HANA XS SAML Configuration - Error when saving Identity Provider

    Dear experts,
    I'm currently using a SAP HANA SP8 environment from my AWS account. During the creation of the Identity Provider, the following error message is being displayed:
    Error: PreparedStatement.setInteger: expected int for second argument, but got: string
    The error is triggered in file http://<host>:8000/sap/hana/xs/admin/logic/idp.xsjs
    The error is very easy to reproduce. Just follow the steps below:
    1. Log into http://<host>:8000/sap/hana/xs/admin/
    2. Go to SAML Configuration > Identity Provider
    3. Click on the button on the left side of the shell to add a new Identity Provider
    4. Paste the IDP Metadata extracted from your IDP on the Metadata field and click on the Parser button
    5. Add a name to your IDP Config
    6. Click on the Create button. The error will be displayed.
    Has anyone faced this problem and knows how to fix it?
    Regards,
    Gustavo

    Hi Gustavo,
    I also had this error when adding IDP and I found a workaround for this. The error is due to the port in the "Base URL" field. So, before you click "Save", just remove the port number. For example, if the base URL is parsed into https://ids-test.wdf.sap.corp:443, just remove the port number which means https://ids-test.wdf.sap.corp. Save it first, then you choose this IDP and edit it, just add the port number and save it again.
    Best regards,
    Wenjun

  • SAML 2.0 Identity Provider Weblogic

    Morning, I have setup my weblogic server to run with only the admin server. I am following the links to run an instance of an identity provider http://docs.oracle.com/cd/E14571_01/web.1111/e13707/saml.htm#i1107127 but I am unable to connect to the site published, any ideas. When my service provider sends a request to the http post or http redirect link I get a failure message like the following:
    Error 400--Bad Request
    From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
    10.4.1 400 Bad Request
    The request could not be understood by the server due to malformed syntax. The client SHOULD NOT repeat the request without modifications.
    I cannot see anything in the logs to indicate that my identity provider is up and running and do not see any output when attempting to hit the url http://read-auto-01-rv:7001/saml2/idp/sso/post any ideas?
    My issue is that I cannot use the identity provider, I've setup the credential mappings, enabled the identity provider and setup a service provider partner, I'm double checking my metadata but believe the issue is on the configuration end in weblogic.
    Edited by: Philip O on 10-Jan-2013 01:17

    found the answer: SAML2 -> Local Provider -> Service Provider Settings -> Selection Mode -> Automatic

  • I need to CHANGE my SAML Claims Identity Provider from Siteminder to Okta

    I went ahead and got specific on the title .... but, the question is a general question actually.
    I currently have SAML-provider-A. I need to move my SharePoint Claims Web application from SAML-A over to SAML-provider-B. I THINK that I should be able to simply remove SAML-A TIP and add SAML-B TIP and as long as I retain the same TIP-NAME - I think that my profiles should not have to be migrated etc. etc.
    When I DELETE the connection for UPA - and reCREATE the connection to AD via the TIP.
    My fear is that there is something that will cause the UPA to duplicate the profiles. But, I don't THINK that'll happen.
    Does anybody know?
    if my post is helpful - please click on the green arrow. (please excuse, in advance, any perceived sarcasm/humor - as I often forget it does not translate through text) :)

    Hi,
    According to your description, my understanding is that you need to change your SAML Claims Identity Provider from Siteminder to Okta.
    For achieving your demand, you can refer to the steps as the guide:
    https://support.okta.com/entries/55886993-Microsoft-SharePoint-On-Premises-Deployment-Guide#setup
    And you need to associate your existing web application with the Okta identity provider and perform IIS Reset:
    http://technet.microsoft.com/en-us/library/hh305235(v=office.15).aspx#CreateWebApp
    Thanks,
    Eric
    Eric Tao
    TechNet Community Support

  • Can PeopleSoft act as an Identity Provider for Federation?

    Hi All,
    We would like to know about a trust federation (SSO) with PeopleSoft and following is my question:
    Can we use PeopleSoft as an Identity Provider for Federation scenarios? We would like to onboard PeopleSoft as an Identity Provider for Microsoft ADFS v2. In this regard we want to know whether PeopleSoft exposes a FederationMetadata.XML to any Federation Service providers that are there in the existing market...?
    ADFS : Active Directory Federation Services
    Thanks & Regards,
    VDeevi.

  • FedAuth cookie not generated in SP2013 with SiteMinder as Trusted Identity Provider

    Hello,
    We have configured Site Minder (with SAML 1.1) as trusted identity provider in SP2013. We have mapped Email Address as claim type. But we found in Fiddler that FedAuth cookie is not getting generated so users are not able to access the site and redirects to sign in page again.
    Any help provided here much appreciated.
    Thanks
    Shital

    Hi Shital,
    The default expiration time of the FedAuth cookie is 10 hours, you could change the expiration time of the FedAuth cookie per the link below:
    http://dotnetfollower.com/wordpress/2013/07/sharepoint-how-to-change-the-expiration-time-of-the-fedauth-cookie/ 
    In Fiddler you will not be able to see these cookies as they are generated client side.
    http://blogs.msdn.com/b/mcsnoiwb/archive/2012/06/10/lost-authentication-cookies-in-sharepoint.aspx
    If you are using load balancing solution, don’t forget affinity:
    http://blogs.technet.com/b/speschka/archive/2011/10/28/make-sure-you-know-this-about-sharepoint-2010-claims-authentication-sticky-sessions-are-required.aspx
    For more information:
    http://fredericloud.com/2011/01/11/connecting-to-sharepoint-with-claims-authentication/
    Regards,
    Rebecca Tu
    TechNet Community Support

  • SharePoint Workflow doesn't send notifications to External Email address when Trusted Identity Provider enabled.

    SharePoint Workflow sends the notification to an external email address fine but does not work when the Trusted Identity Provider/SSO feature is checked. Please advise!

    Hi,
    I am trying to involve someone familiar with this topic to further look at this issue.
    Regards,
    Rebecca
    Rebecca Tu
    TechNet Community Support

  • Need help in customizing an identity provider using SPI

    We are customizing the sample identity provider in note 1194815.1 . We were able to assign tasks to users but the problem is whenever we assign a task to a group, the task does not appear in group members job basket.
    No exceptions or errors thrown.

    Hi, I managed to find the refresh cached option. However there is still one thing which I need some clarification on.
    The problem for me is to quantize the image into 2 bits per pixel per channel. I understand from the previous post that I need to use posterize and set it to 4. My questions are as follows.
    1) Why must the value be 4? If the value is 4 then there should be 8 bits, but my question requires a total of 6 bits only
    2) After saving my quantized image, the properties of the image still show me the bit depth being 24, thus is there anywhere I can check that each color pixel is exactly represented by 2 pixels?
    Hope you can advise. Tks

  • Getting Internal Error 500 on redirect from the Identity Provider(Google)

    Hi All,
    The issue happens when my web application is trying to obtain access token from the ACS using Google as Identity Provider.
    The redirect to the Google authentication page works. It is possible to authenticate a user. However, after getting an authentication, accounts.google.com redirects the GET request to the redirect URL specified in the authentication request (mycompany.accesscontrol.windows.net/v2/openid).
    And this request fails with HTTP status 500. The error details in the response body do not point to the reason for the problem:
    An error occurred while processing your request.
    HTTP Error Code:       500                 
    Trace ID:              a1de23aa-b142-49e1-8e83-ee737ab61984                 
    Timestamp:       2015-04-02 06:26:48Z
    Could you please advise?
    Thank you,

    Hi Oleksiy,
    Thanks for posting here!
    I hope you are not using Open ID 2.0; as you might be aware of Google moving to OpenID Connect, there is a requirement that you explicitly register your ACS Namespace as an application with Google.
    Token request failures that return HTTP 500-series error codes typically respond to retries. In some scenarios, the client is an application or service that makes automated requests to ACS. In other scenarios, such as web-based federation that uses the WS-Federation protocol, the client is a web browser and the end-user must retry the operation manually.
    For more information see this link:
    https://msdn.microsoft.com/en-us/library/azure/jj878112.aspx
    Also you might want to refer this link:
    https://msdn.microsoft.com/en-us/library/azure/gg185976.aspx
    Hope this helps!
    Regards,
    Sadiqh

  • 11g Forms and SSO Third-party / custom identity provider

    For 11g Forms, we currently use database accounts to authenticate users.
    With a custom written identity provider, I was wondering if anyone knew the high-level of how a user could be SSO authenticated with a Forms session.
    Here are some questions:
    Do you need other Oracle products (OAM or OID) to use Weblogic / Forms SSO authentication with a third-party identity provider?
    If you continue to use unique database accounts, don’t you need OID to bridge the link between an SSO account and an oracle database user account?
    If you don’t use unique database accounts (i.e. only use schema name for all users), what products are needed to allow Webgate / Forms to use a third-party identity provider to launch a forms database session? i.e. would the SSO name be passed to the database layer for user auditing?
    I would appreciate if anyone had concepts of what products/techniques are needed.

  • Portal Java as SAML2 Identity Provider

    Hi all,
    I'm trying to configure Netweaver Portal 7.4 SP3 as Identity Provider to issue SAML2 assertion tickets to establish trust connections between SAPUI5 apps and SAP NW Gateway.
    Does anyone have a how-to, useful links or a tutorial to configure all components?
    We've configured SAP Portal as IdP and SAP NW GW to trust SAML2 tickets but a GW logon screen appears when SAPUI5 apps access GW services.
    Thanks in advance,
    Kind regards

    Hi Angel
    Thanks for your reply,
    Did you achieve it using the Netweaver SSO?
    Let me just explain our scenario. We want our Fiori application to be available to users over mobile devices, and we want them to use LDAP password to login but not Gateway. So to achieve this single password/login mechanism, we want to launch Fiori through a Portal iview which is integrated with our corporate LDAP, and the user uses the respective LDAP password, then it generates a SAP Logon ticket which can be cascaded to gateway and ERP (since Trust is established between Gateway and ERP), so please let me know how we can achieve this without actually buying a new product i.e., NW SSO.
    Regards
    Khaja

  • Is OAM server a SAML security provider?

    Hi Guys,
    Thanks for opening this thread. Now I have a question about OAM as below:
    I have a system acting as SP which supports SAML, and we use OAM as our SSO server acting as IDP. Do we regard OAM as a SAML security provider? If the answer is yes, how can I configure it to integrate my system with OAM for implementing SSO?
    Highly appreciated for your suggestion!
    Regards
    Mervin

    For SAML support OIF is there... OAM can act as authenticator or Service provider integrator for authorization of protected pages... you need to use WebLogic or OIF for SAML request/response and then the request can be forwarded to OAM to authorize the user...
    I hope this answered your question... please let me know if you have any query
    Harpreet
