Setting up the SAML authentication

The connector and the SAP Application Server ABAP communicate through SOAP web services. The communication requests are authenticated and authorized by using the industry-standard SAML. The authentication process requires that both the connector and the application server store the ABAP SAML trust certificate.

About this task

You export certificates from one application server and import them into the other.

Procedure

Avoid the SAML clock-skew restriction. The system clocks of the Solution Manager/Service Desk server and the Rational® Connector server must be within 90 seconds of each other in Coordinated Universal Time (UTC), or the communication can fail. The synchronized-clock requirement protects against replay attacks, because SAML headers carry embedded time stamps. You can use any of the following solutions to satisfy this restriction.

  1. Manually change the clocks on the two systems so that they are within 90 seconds of one another, adjusting for the time zone.
  2. On AIX®, UNIX, and Linux systems, the TZ environment variable determines the difference between local time and UTC. It is generally set to the local time zone together with an offset value; for example, EST+5 means Eastern Standard Time, 5 hours behind UTC.
  3. Use NTP (Network Time Protocol) servers to synchronize the clocks of the two servers.
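To show why the 90-second rule matters, the following added example (not part of the original documentation, and not the connector's or SAP's own validation code) checks the Conditions of a constructed SAML 1.1 assertion against a receiver clock with a skew allowance. The assertion, the issuer name and the choice to apply the 90-second tolerance to NotBefore/NotOnOrAfter are assumptions for illustration.

```python
"""Validate a SAML assertion's time window with a clock-skew allowance (example only)."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
MAX_SKEW = timedelta(seconds=90)  # assumed tolerance, matching the 90-second rule above

# Constructed sample assertion; the issuer name is hypothetical.
SAMPLE_ASSERTION = f"""<Assertion xmlns="{SAML1_NS}" AssertionID="_example"
    IssueInstant="2024-01-01T12:00:00Z" Issuer="rational-connector-1">
  <Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
</Assertion>"""

def parse_utc(ts):
    """Parse an xsd:dateTime in UTC ('Z' suffix); local-time values are rejected."""
    if not ts.endswith("Z"):
        raise ValueError("SAML time stamps must be in UTC and end with 'Z'")
    body = ts[:-1].split(".")[0]  # drop fractional seconds if present
    return datetime.strptime(body, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def check_conditions(assertion_xml, receiver_now, max_skew=MAX_SKEW):
    """Return (accepted, reason) for the assertion's Conditions at receiver_now."""
    root = ET.fromstring(assertion_xml)
    cond = root.find(f"{{{SAML1_NS}}}Conditions")
    if cond is None:
        return False, "no Conditions element"
    not_before = parse_utc(cond.get("NotBefore"))
    not_on_or_after = parse_utc(cond.get("NotOnOrAfter"))
    # The window is widened by the skew allowance on both sides; a receiver whose
    # clock drifts further than that rejects an otherwise valid assertion.
    if receiver_now < not_before - max_skew:
        return False, "not yet valid: receiver clock is behind the issuer by more than the allowance"
    if receiver_now >= not_on_or_after + max_skew:
        return False, "expired: assertion too old (stale or replayed, or receiver clock ahead)"
    return True, "within validity window"

def skew_demo():
    """Same assertion, accepted with a 60 s skew and rejected with a 120 s skew."""
    issuer_now = parse_utc("2024-01-01T12:00:00Z")
    return {
        "synchronized": check_conditions(SAMPLE_ASSERTION, issuer_now)[0],
        "receiver 60s behind": check_conditions(SAMPLE_ASSERTION, issuer_now - timedelta(seconds=60))[0],
        "receiver 120s behind": check_conditions(SAMPLE_ASSERTION, issuer_now - timedelta(seconds=120))[0],
    }

if __name__ == "__main__":
    for case, ok in skew_demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```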

Export the certificate from the connector

  1. Update the SAML Issuer Name to something that is unique to the connector you are configuring and identifiable later when you import the certificate.

    Solution Manager instances can have multiple Rational Connectors attached to them, so the issuer name must identify a particular connector.

  2. Export the Connector Trust Certificate.
    1. Click the Generate Self Signed Certificate tab, enter values for each of the fields, and click Submit.
    2. Write down the location of the downloaded file because you need this information when you import the certificate to Solution Manager.
    Tip: Consider using the Generate Certificate Signing Request and Import CSR Response Certificate tabs to get a certificate authority signed SAML certificate instead of generating a self-signed certificate.

Import the certificate to Solution Manager

  1. Import the certificate from the connector:
    1. Enter the transaction code SAML2. Log in to the browser that opens.
    2. Go to the Trusted Providers tab and change the view to Security Token Services.
    3. Click Add > Manually.
    4. Enter the Provider Name, and click Next.
    5. In Step 2 Signature and Encryption, upload the Signing Certificate, and click Next.
    6. In Step 3 Endpoints, click Finish.
    7. Select the provider that you just added, and click Edit.
    8. Ensure that Supported SAML Versions has SAML 1.1 selected.
    9. On the Identity Federation tab, click Supported NameID Formats, and click Add.
    10. Click Unspecified and click OK.
    11. Click Save; then click Enable.
  2. Export the certificate to the connector:
    1. Use the transaction code STRUST.
    2. Select SSF SAML2 Service Provider -S.
    3. From Own Certificate, double-click the self-signed certificate.
    4. From Certificate, click Export Certificate.
    5. Ensure that the file format is Binary and select a file path. Write down this location because you need it when you import the certificate into the connector.
    6. Select the check box.

Import the certificate from SAP to the connector

  1. Go to Manage SAML Certificates > Import SAP Trust Certificate.
  2. Locate the file that you saved when you exported the certificate from Solution Manager.
  3. Click Upload.
  4. Restart the connector.