Single Sign-On Configuration

2019-01-05T13:04:19-04:00

This page details the setup of SAML 2.0 authentication against systems such as SAP and Oracle E-Business Suite. The Clear platform authenticates against your existing identity provider, such as Active Directory, and retrieves any special attributes needed by the legacy system. Below is a flow diagram depicting SAML 2.0 integration between Clear and an SAP system:

SAML Flow

Configuring Clear

You can attempt this configuration on your own, but it is recommended that your Clear contact help you with it, as a mistake could lock your users out of a Clear server:

Step 1

The single attribute that determines whether a user logs in using SSO is the Authentication System field in the Tools > Subdomain page of ClearWork. If this field is blank, users are directed to a Clear login page, where their username and password are passed through to authenticate directly against your business software. If it is not blank, users are redirected to the federated login page detailed in the next step:

ClearWork Single Sign-On Step 1

Step 2

In the Tools > Systems page of ClearWork, you will need to have your identity provider and SAP system configured as individual systems. The details on their Data Source names are in Steps 3 and 4:

ClearWork Single Sign-On Step 2

Step 3

The connection to your SAP system should be configured as follows if you are connecting to a specific application server:

{
  "lang": "EN",
  "ashost": "10.0.0.1",
  "extidtype": "UN",
  "snc_mode": "8",
  "snc_partnername": "p:CN=DEV, DC=CLEAR, DC=COM",
  "sysnr": "00",
  "client": "100",
  "snc_myname": "p:CN=dev.clearui.com, OU=IT, O=CSW, C=US",
  "snc_lib": "/home/ubuntu/sec/libsapcrypto.so",
  "sap_cert_attribute": "http://schemas.microsoft.com/2012/12/certificatecontext/field/x509version"
}

The connection to your SAP system should be configured as follows if you are using a load-balanced connection:

{
  "lang": "EN",
  "r3name": "DEV",
  "extidtype": "UN",
  "group": "CLEAR",
  "snc_mode": "1",
  "mshost": "10.0.0.1",
  "msserv": "3950",
  "snc_partnername": "p:CN=DEV, DC=CLEAR, DC=COM",
  "client": "300",
  "snc_myname": "p:CN=dev.clearui.com, OU=IT, O=CSW, C=US",
  "snc_lib": "/home/ubuntu/sec/libsapcrypto.so",
  "sap_cert_attribute": "http://schemas.microsoft.com/2012/12/certificatecontext/field/x509version"
}

Step 4

The connection to your identity provider should be configured as follows:

{
  "singleLogoutService": {
    "url": "https://yourIdentityProviderUrl/adfs/ls/",
    "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
  },
  "ArtifactResolutionService": {
    "url": "https://yourIdentityProviderUrl/adfs/ls/",
    "binding": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
  },
  "saml_username_path": "/*Response/*Assertion/*Subject/*NameID",
  "singleSignOnService": {
    "url": "https://yourIdentityProviderUrl/adfs/ls/",
    "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
  },
  "sls": "https://yourIdentityProviderUrl/adfs/ls/idpinitiatedsignon.aspx",
  "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
  "saml_username_is_email": false,
  "entityId": "https://yourIdentityProviderUrl/adfs/services/trust/",
  "x509cert": "THE CERTIFICATE OF YOUR IDENTITY PROVIDER'S SERVER IN BASE64 FORMAT",
  "sap_cert_attribute": "http://schemas.microsoft.com/2012/12/certificatecontext/field/x509version"
}
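The saml_username_path value above is the only thing that turns a SAML Response into a Clear username, so it is worth seeing what resolving it involves. The following Python is an added example, not Clear's code: it assumes each "*Name" step in the path matches an element with that local name in any XML namespace (the page does not define the syntax), refuses ambiguous or missing matches instead of taking the first one, and checks the returned NameID against the NameIDFormat and saml_username_is_email settings. It runs after signature verification against x509cert, which it does not perform.

```python
import json
import xml.etree.ElementTree as ET

# Subset of the Step 4 identity-provider config above (page values, no secrets).
IDP_CONFIG = json.loads("""{
  "saml_username_path": "/*Response/*Assertion/*Subject/*NameID",
  "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
  "saml_username_is_email": false
}""")

def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]

def resolve_saml_path(root, path):
    """Walk a path like /*Response/*Assertion/*Subject/*NameID. Assumed meaning of a
    '*Name' step: an element with local name 'Name' in any namespace. Fails closed
    if a step is missing or matches several children instead of taking the first."""
    steps = [s.lstrip("*") for s in path.strip("/").split("/")]
    if _local(root.tag) != steps[0]:
        raise ValueError(f"root is <{_local(root.tag)}>, expected <{steps[0]}>")
    node = root
    for name in steps[1:]:
        matches = [c for c in node if _local(c.tag) == name]
        if len(matches) != 1:
            raise ValueError(f"{len(matches)} <{name}> elements under <{_local(node.tag)}>")
        node = matches[0]
    return node

def extract_username(response_xml, config=IDP_CONFIG):
    """Return the login name from an already signature-verified SAML Response."""
    node = resolve_saml_path(ET.fromstring(response_xml), config["saml_username_path"])
    username = (node.text or "").strip()
    if not username:
        raise ValueError("empty NameID")
    # SAML 2.0: a missing Format attribute means 'unspecified'.
    fmt = node.get("Format", "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified")
    if fmt != config["NameIDFormat"]:
        raise ValueError(f"NameID Format {fmt} does not match configured NameIDFormat")
    if config["saml_username_is_email"] and "@" not in username:
        raise ValueError("saml_username_is_email is set but the NameID is not an address")
    return username

# Constructed sample response (not captured from a real identity provider).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0"><saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml:NameID>
  </saml:Subject></saml:Assertion>
</samlp:Response>"""
```

Calling extract_username(SAMPLE_RESPONSE) returns jdoe@example.com; a response carrying a second Assertion, or a NameID in a different Format than NameIDFormat, is rejected with a ValueError.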

Configuring an Authentication Service

You will need to configure a Relying Party Trust on your identity provider for each of your Clear instances. The following instructions are for Microsoft Active Directory. All identity providers that support SAML are supported by Clear, but you will need to configure non-Microsoft services on your own:

Step 1

Log in to Active Directory and open the ADFS Management tool. Expand Trust Relationships, right-click on Relying Party Trusts, then select the Add Relying Party Trust option. In the wizard that displays, select the radio button to enter the data manually:

Active Directory Step 1

Step 2

It is not shown here, but you will need to enter a Display Name, choose your ADFS profile, and then click the New button in the Configure Certificate step. You will then come to the Configure URL screen. Select the second checkbox and enter the Clear server’s URL with /acs appended at the end (e.g. https://yourCompanyName-dev.clearui.com/acs):

Active Directory Step 2

Step 3

It is not shown here, but in the Configure Identifiers screen, set the Relying Party Trust Identifier to the URL entered in the previous step. Then, in the Configure Multi-factor Authentication Now? screen, check the following and click Next:

Active Directory Step 3

Step 4

In the Choose Issuance Authorization Rules screen, select the following option and click Next:

Active Directory Step 4

Step 5

Click Next until the wizard is done. The Add Transforms window will pop up. In the Claim Rule Template field, select Send LDAP Attributes as Claims and click Next:

Active Directory Step 5

Step 6

The Edit Rules pop-up will display. Enter the following in each of the fields and then click the Apply button:

Active Directory Step 6

Step 7

Now right-click on the new Relying Party Trust and select Properties. Click on the Endpoints tab and click the Add SAML button:

Active Directory Step 7

Step 8

Create an endpoint for each Clear server:

Active Directory Step 8

Step 9

Back on the Properties screen, click on the Advanced tab and select SHA-256 as the Secure Hash Algorithm:

Active Directory Step 9

Configuring SAP

Every SAP server in your landscape that needs to communicate with Clear over SSO needs to follow these configuration steps:

Step 1

Log in to SAP and go to transaction STRUST. Expand the SNC SAPCryptolib folder and double-click on the green icon:

Configuring SAP Step 1

Step 2

Double-click on the Owner hyperlink, then double-click on each of the issuer certificates:

Configuring SAP Step 2

Step 3

For each of the issuer certificates, go to the second section and click the Export Certificate button:

Configuring SAP Step 3

Step 4

For each of the issuer certificates, in the pop-up window, type yourCompanyName-yourSapSystemID.csr, check the Base64 radio button, and pick a download directory on your computer before pressing Enter. You then need to send these certificates to your contact at Clear:

Configuring SAP Step 4

Step 5

In that same section click the Import Certificate button:

Configuring SAP Step 5

Step 6

From your Clear contact, request the root and server certificates, then upload them to the SAP server:

Configuring SAP Step 6

Step 7

Click the Add to Certificate list button.

Configuring SAP Step 7

Step 8

Finally click Save. Your SAP server will need to be restarted before this certificate is recognized, but wait to reboot until you have completed Step 9:

Configuring SAP Step 8

Step 9

Go to transaction SNC0 and create the following entries for the certificate you just imported, then click Save. Your SAP server will need to be restarted before these entries are recognized:

Configuring SAP Step 9

Troubleshooting the SAP Connection

After following all of the configuration steps on this page, if you still cannot establish an SNC connection to your SAP system, try the following:

  • Check your version of sapgenpse and sapcrypto by going to transaction SE38 and running program RSBDCOS0. Once inside, run the command sapgenpse to see the versions. They need to be at least version 8 (SAP CommonCryptolib). If they are not, download the latest libraries from SAP and upload them to the /usr/sap/yourSapSystemId/DVEBMGS00/sec/ directory.
  • Enable SNC tracing on your SAP server by setting the logging level to 4 in your sectrace.ini file. Typically this file can be found in /usr/sap/yourSapSystemId/DVEBMGS00/sec/. If it’s not there, download this sample and upload it to that directory. You will then be able to see a full trace of security issues in your /usr/sap/yourSapSystemId/DVEBMGS00/work/ directory. The trace files will have the naming convention sec-someNumber.trc.