Single Sign-On Configuration
This page details the setup of SAML 2.0 authentication against systems like SAP and Oracle E-Business Suite. The Clear platform authenticates against your existing identity provider, such as Active Directory, and retrieves any special attributes needed by the legacy system. Below is a flow diagram depicting SAML 2.0 integration with Clear and an SAP system:
You can attempt this step on your own, but it is recommended that your Clear contact help you with it, as a mistake could lock your users out of a Clear server:
Configuring an Authentication Service
You will need to configure a Relying Party Trust on your identity provider for each of your Clear instances. The following instructions are for Microsoft Active Directory. All identity providers that support SAML are supported by Clear, but you will need to configure non-Microsoft services on your own:
Every SAP server in your landscape that needs to communicate with Clear over SSO needs to follow these configuration steps:
Troubleshooting the SAP Connection
After following all of the configuration steps on this page, if you still cannot establish an SNC connection to your SAP system, try the following:
- Check your version of sapgenpse and sapcrypto by going to transaction SE38 and running program RSBDCOS0. Once inside, run the command sapgenpse to see the versions. They need to be at least version 8 (SAP CommonCryptolib). If they are not, download the latest libraries from SAP and upload them to the /usr/sap/yourSapSystemId/DVEBMGS00/sec/ directory.
- Enable SNC tracing on your SAP server by setting the logging level to 4 in your sectrace.ini file. Typically this file can be found in /usr/sap/yourSapSystemId/DVEBMGS00/sec/. If it’s not there, download this sample and upload it to that directory. You will then be able to see a full trace of security issues in your /usr/sap/yourSapSystemId/DVEBMGS00/work/ directory. The trace files will have the naming convention sec-someNumber.trc.
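One way to confirm that the tracing step above took effect, as an added example (not part of the original page or of Clear's own tooling): the script checks that sectrace.ini sets level 4 and reports the newest sec-*.trc file in the work directory. It assumes the file sets the level with a line of the form "level = 4"; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: verify the SNC tracing setup described on this page.
# Assumption: sectrace.ini sets the level with a "level = N" line.

# Print the trace level configured in a sectrace.ini file (empty if none).
# Commented-out lines are ignored; the last setting wins.
snc_trace_level() {
    sed -n 's/^[[:space:]]*level[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*$/\1/p' "$1" | tail -n 1
}

# Print the newest sec-*.trc file in a work directory (empty if none).
snc_latest_trace() {
    ls -t "$1"/sec-*.trc 2>/dev/null | head -n 1
}

# Check one instance directory, e.g. /usr/sap/yourSapSystemId/DVEBMGS00.
# Returns 0 when tracing is at level 4 and a trace file exists,
# 1 if sectrace.ini is missing, 2 on a wrong level, 3 if no trace yet.
snc_trace_check() {
    ini="$1/sec/sectrace.ini"
    if [ ! -f "$ini" ]; then
        echo "missing: $ini"; return 1
    fi
    level=$(snc_trace_level "$ini")
    if [ "${level:-0}" -ne 4 ]; then
        echo "trace level is '${level:-unset}', expected 4 in $ini"; return 2
    fi
    latest=$(snc_latest_trace "$1/work")
    if [ -z "$latest" ]; then
        echo "level 4 set, but no sec-*.trc in $1/work yet"; return 3
    fi
    echo "latest trace: $latest"
    # The page calls these a full trace of security issues,
    # so list any trace file that every local user can read.
    find "$1/work" -name 'sec-*.trc' -perm -004 -exec echo "world-readable:" {} \;
    return 0
}

# Run against an instance directory when one is given on the command line.
if [ "$#" -gt 0 ]; then
    snc_trace_check "$1"
fi
```

Run it on the SAP server with the instance directory as the only argument; a non-zero exit status tells you which of the three preconditions failed.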