Single Sign-On Configuration
This page details the setup of SAML 2.0 authentication against systems such as SAP and Oracle E-Business Suite. The Clear platform authenticates against your existing identity provider, such as Active Directory, and retrieves any special attributes needed by the legacy system. Below is a flow diagram depicting SAML 2.0 integration between Clear and an SAP system.
You can attempt this step on your own, but it is recommended that your Clear contact help you with it, as a mistake could lock your users out of a Clear server:
Configuring an Authentication Service
You will need to configure a Relying Party Trust on your identity provider for each of your Clear instances. The following instructions are for Active Directory Federation Services (AD FS), which provides SAML for Microsoft Active Directory. Any identity provider that supports SAML 2.0 is supported by Clear, but you will need to configure non-Microsoft services on your own:
Every SAP server in your landscape that needs to communicate with Clear over SSO must follow these configuration steps:
Troubleshooting the SAP Connection
After following all of the configuration steps on this page, if you still cannot establish an SNC connection to your SAP system, try the following:
- Check your versions of sapgenpse and the SAP crypto library: go to transaction SE38, run program RSBDCOS0 (it executes operating-system commands on the application server as the <sid>adm user, so access to it should be restricted to administrators), and run the command sapgenpse to display the version. Both need to be at least version 8 (CommonCryptoLib; the older SAPCRYPTOLIB 5.x releases are not sufficient). If they are not, download the latest libraries from SAP, upload them to the /usr/sap/yourSapSystemId/DVEBMGS00/sec/ directory, and make sure the snc/gssapi_lib profile parameter points to the new library.
- Enable SNC tracing on your SAP server by setting the trace level to 4 in your sectrace.ini file. Typically this file is found in /usr/sap/yourSapSystemId/DVEBMGS00/sec/; if it is not there, create it in that directory. You will then see a full trace of the SNC handshake and its errors in your /usr/sap/yourSapSystemId/DVEBMGS00/work/ directory, in files named sec-someNumber.trc. Level 4 is verbose and the trace files can contain sensitive details of the handshake, so lower the level or remove the file again once the problem is found.
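The two checks above can be scripted. The following is an added example, not code from the original page or from Clear: it parses the version banner that sapgenpse prints, reports environment variables the PSE is loaded from, and writes a level-4 sectrace.ini. The SECUDIR and SNC_LIB variable names, the [Global]/Level/File layout of sectrace.ini and the sample banner text are assumptions or constructed input; compare them against the files on your own system before relying on them.

```shell
#!/bin/sh
# Added example, not code from the original page or from Clear. Run on the SAP
# application server as the <sid>adm user (or on the Clear host for the PSE
# environment check). Variable names, file layout and the sample banner are
# assumptions; verify them against your own system.
set -u

# Return 0 when the sapgenpse banner text in $1 reports major version >= 8
# (CommonCryptoLib), 1 otherwise. Takes the text as an argument so it can be
# checked without calling the real binary.
cryptolib_major_ok() {
    major=$(printf '%s\n' "$1" \
        | sed -n 's/.*Version[[:space:]]*\([0-9][0-9]*\)\..*/\1/p' | head -n 1)
    if [ -n "$major" ] && [ "$major" -ge 8 ]; then
        return 0
    fi
    return 1
}

# Report environment variables the SNC layer needs to find the PSE and the
# crypto library. Assumed names: SECUDIR (PSE directory) and SNC_LIB (path to
# libsapcrypto.so). Exit status is the number of problems found.
check_pse_env() {
    problems=0
    for var in SECUDIR SNC_LIB; do
        eval "val=\${$var:-}"
        if [ -z "$val" ]; then
            echo "MISSING: $var is not set"
            problems=$((problems + 1))
        elif [ ! -e "$val" ]; then
            echo "BAD PATH: $var=$val does not exist"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Write a sectrace.ini that enables level-4 tracing into $1 (the sec directory),
# sending trace files to $2 (the work directory). %p is expanded by the library
# to the process ID, giving the sec-<number>.trc names mentioned above.
# The [Global]/Level/File layout is an assumption; compare with SAP's own sample.
write_sectrace_ini() {
    secdir=$1
    workdir=$2
    cat > "$secdir/sectrace.ini" <<EOF
[Global]
Level = 4
File = $workdir/sec-%p.trc
EOF
    echo "wrote $secdir/sectrace.ini (remove it or set Level = 0 when done)"
}

# Constructed sample banner in the shape sapgenpse prints; real output differs
# in detail but carries a "Version X.Y.Z" token.
SAMPLE_BANNER='CommonCryptoLib (SAPCRYPTOLIB) Version 8.5.25 pl38'

# Stand-alone use: "sh snc_preflight.sh --live" checks the real sapgenpse and
# the current environment; without the flag only the constructed sample is used.
if [ "${1:-}" = "--live" ]; then
    banner=$(sapgenpse 2>&1 || true)
else
    banner=$SAMPLE_BANNER
fi
if cryptolib_major_ok "$banner"; then
    echo "crypto library version OK"
else
    echo "crypto library too old or not found: install CommonCryptoLib 8.x"
fi
check_pse_env || echo "fix the PSE environment before retrying the SNC connection"
```

Keep the sectrace.ini out of version control and delete it when the investigation is over; a forgotten level-4 trace fills the work directory and leaves handshake details on disk.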
RFC COMMUNICATION ERROR: RFC connection open failed / 1 / RFC_COMMUNICATION_FAILURE / LOCATION CPIC (TCP/IP) on local host with Unicode ERROR no conversation found with id XXXXXXXX
This means that your server (the RFC client) cannot read its security configuration and so cannot load its personal security environment (PSE). Check the environment variables of the process that opens the connection, typically SECUDIR for the PSE directory and SNC_LIB for the crypto library, to make sure the PSE loads correctly.
RFC COMMUNICATION ERROR: RFC connection open failed / 1 / RFC_COMMUNICATION_FAILURE / LOCATION CPIC (TCP/IP) with Unicode ERROR GSS-API(maj): Miscellaneous failure GSS-API(min): A2210223: Server does not trust my certificate path target.
This means the SAP server has not loaded your server's certificate into STRUST, so it does not trust the certificate your server presents. Repeat the SAP configuration steps above.
RFC COMMUNICATION ERROR: RFC connection open failed / 1 / RFC_COMMUNICATION_FAILURE / LOCATION CPIC (TCP/IP) with Unicode ERROR GSS-API(maj): Miscellaneous failure GSS-API(min): A2200223:Peer certificate path not trusted
This means your server's PSE does not contain the SAP server's root certificate, issuing certificate, or system certificate, so it cannot validate the certificate chain the SAP server presents. Import the missing certificates into your server's PSE.
RFC COMMUNICATION ERROR: RFC connection open failed / 2 / RFC_LOGON_FAILURE / SNC name of the partner system not in ACL system.
This can mean one of two things: either there is no entry for the partner's SNC name in SNC0, or an old entry is still held in system memory and needs to be cleared.
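The four messages above can be triaged mechanically from a log or a pasted error. The following is an added example, not code from the original page or from Clear: it pulls the GSS-API minor status code out of each RFC error line and maps the line to the cause this page gives for it. The sample log lines are constructed; the codes (A2210223, A2200223) and the ACL wording are taken from the messages listed above, and anything else is reported as unknown rather than guessed.

```shell
#!/bin/sh
# Added example, not code from the original page or from Clear. Triage the RFC
# error lines described above from a log file or a pasted message. The sample
# lines below are constructed; the minor codes and ACL wording come from the
# messages listed on this page. Anything unrecognised is reported as unknown.
set -u

# Extract the eight-character GSS-API minor status code (e.g. A2200223) from a
# line, printing nothing if the line has none.
gss_minor_code() {
    printf '%s\n' "$1" | sed -n 's/.*GSS-API(min): *\([A-F0-9]\{8\}\).*/\1/p'
}

# Map one error line to a short cause tag and the fix this page gives for it.
classify_snc_error() {
    case $1 in
        *"no conversation found with id"*)
            echo "pse-not-loaded: the client cannot load its PSE; check its environment (PSE directory and crypto library path)" ;;
        *A2210223*|*"Server does not trust my certificate path"*)
            echo "client-cert-not-in-strust: import the client certificate on the SAP side (STRUST) and redo the SAP configuration" ;;
        *A2200223*|*"Peer certificate path not trusted"*)
            echo "sap-chain-missing-on-client: add the SAP server's root, issuing and system certificates to the client PSE" ;;
        *"not in ACL"*)
            echo "snc-acl: add the partner's SNC name in SNC0, or clear a stale cached entry" ;;
        *RFC_COMMUNICATION_FAILURE*|*RFC_LOGON_FAILURE*)
            echo "unknown-rfc-failure: not one of the documented cases; enable level-4 sectrace and retry" ;;
        *)
            echo "unknown" ;;
    esac
}

# Read lines on stdin, keep only RFC error lines, and print "<code or n/a> TAB cause".
triage_log() {
    while IFS= read -r line; do
        case $line in
            *"RFC COMMUNICATION ERROR"*) ;;
            *) continue ;;
        esac
        code=$(gss_minor_code "$line")
        printf '%s\t%s\n' "${code:-n/a}" "$(classify_snc_error "$line")"
    done
}

# Constructed sample log: the four message shapes above plus an unrelated line.
sample_log() {
    cat <<'EOF'
2024-01-01 10:00:00 connector started
RFC COMMUNICATION ERROR: RFC connection open failed / 1 / RFC_COMMUNICATION_FAILURE / LOCATION CPIC (TCP/IP) on local host with Unicode ERROR no conversation found with id 12345678
RFC COMMUNICATION ERROR: RFC connection open failed / 1 / RFC_COMMUNICATION_FAILURE / LOCATION CPIC (TCP/IP) with Unicode ERROR GSS-API(maj): Miscellaneous failure GSS-API(min): A2210223: Server does not trust my certificate path target.
RFC COMMUNICATION ERROR: RFC connection open failed / 1 / RFC_COMMUNICATION_FAILURE / LOCATION CPIC (TCP/IP) with Unicode ERROR GSS-API(maj): Miscellaneous failure GSS-API(min): A2200223:Peer certificate path not trusted
RFC COMMUNICATION ERROR: RFC connection open failed / 2 / RFC_LOGON_FAILURE / SNC name of the partner system not in ACL system.
EOF
}

# Stand-alone use: "sh snc_triage.sh dev_rfc.trc" triages a real log file;
# with no argument the constructed sample is triaged instead.
if [ -n "${1:-}" ]; then
    triage_log < "$1"
else
    sample_log | triage_log
fi
```

The two GSS-API codes differ in which side distrusts the other: A2210223 is the SAP server rejecting the client's chain (fix in STRUST), A2200223 is the client rejecting the SAP server's chain (fix in the client PSE), so the first column of the triage output tells you which system to log on to.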