Daniel

Reputation: 23

Single-Sign-On SAML + OpenID auth in heterogeneous landscape with web/SAP/cloud/on-premise apps

What is the best way to achieve SSO authentication between SAP web-apps with SAML and web-applications with OpenID Connect authentication?

Can Microsoft ADFS be used to issue a SAML token for the SAP web-app user and then reissue the token, e.g. as a JSON Web Token, when the user switches to a non-SAP web-app, without a second login?

Thank you!

Upvotes: 2

Views: 623

Answers (1)

andresm53

Reputation: 2083

Yes, ADFS can be used for this. Make sure to use ADFS in Windows Server 2016 [ADFS 2016], which supports OIDC (ADFS in Windows 2012 R2 doesn't support OIDC).

So assuming your users are stored in Active Directory on premises, you can install ADFS and configure several applications in it, with different protocols (SAML, WS-Federation, OIDC, OAuth).

In the case of web applications, when a user opens the browser and accesses the web application URL, they will be redirected to ADFS for authentication. Typically, if the user is in the internal network, the authentication will be IWA [Integrated Windows Authentication - Kerberos], and if the user is in the external network, the ADFS Web Application Proxy [WAP] will present an FBA [Forms Based Authentication] form; in either case the user will be validated against Active Directory. After authentication, the user will be redirected back to the web application. If the user then opens another web application, they will already be authenticated against ADFS, so there is no need to authenticate again.

A couple of additional comments:

  • ADFS 2016 can also authenticate users via LDAP
  • If you are using Azure Active Directory [AAD] and you have synchronized the on-premises users to the cloud, then this SSO scenario can be achieved with AAD as well.

Upvotes: 1
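The setup the answer above describes, as an added example that is not part of the original answer: one ADFS 2016 server fronting the same Active Directory for a SAML 2.0 relying party (the SAP web app) and an OpenID Connect application group (the non-SAP web app), with Kerberos/IWA on the intranet and forms authentication through the WAP on the extranet. Every hostname, identifier, application name and claim rule here is a hypothetical placeholder chosen for illustration; the cmdlets are the standard ADFS module cmdlets shipped with Windows Server 2016. Note that ADFS does not turn the SAML assertion into a JWT; the second app gets its own OIDC id_token because the browser already holds an ADFS sign-in session from the first app.

```powershell
# Added example, not from the original answer. Run in an elevated PowerShell
# session on the ADFS 2016 server. All names, URLs and identifiers are
# hypothetical placeholders; replace them with the real SP / client values.
Import-Module ADFS

# --- 1. Authentication policy: Kerberos/IWA inside, forms (via WAP) outside
Set-AdfsGlobalAuthenticationPolicy `
    -PrimaryIntranetAuthenticationProvider 'WindowsAuthentication' `
    -PrimaryExtranetAuthenticationProvider 'FormsAuthentication'

# Shared "permit everyone" authorization rule used by both applications.
$permitAll = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# --- 2. SAML 2.0 relying party trust for the SAP web application
# Claim rule: look up the AD user and emit sAMAccountName as the SAML NameID.
$sapRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "AD user to NameID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";sAMAccountName;{0}", param = c.Value);
'@

# Assertion Consumer Service endpoint of the SAP SP (hypothetical URL).
$acs = New-AdfsSamlEndpoint -Binding 'POST' -Protocol 'SAMLAssertionConsumer' `
    -Uri 'https://sap.example.com/sap/saml2/sp/acs/100' -Index 0 -IsDefault $true

Add-AdfsRelyingPartyTrust -Name 'SAP Web App (SAML)' `
    -Identifier 'https://sap.example.com/saml2/sp' `
    -SamlEndpoint $acs `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' `
    -IssuanceTransformRules $sapRules `
    -IssuanceAuthorizationRules $permitAll

# --- 3. OIDC application group for the non-SAP web application
$clientId = [guid]::NewGuid().Guid
Add-AdfsApplicationGroup -Name 'Non-SAP Web App (OIDC)' -ApplicationGroupIdentifier 'nonsap-webapp'

# Confidential (server-side) client; the redirect URI must match the app exactly.
$client = Add-AdfsServerApplication -Name 'Non-SAP Web App - client' `
    -ApplicationGroupIdentifier 'nonsap-webapp' `
    -Identifier $clientId `
    -RedirectUri 'https://app.example.com/signin-oidc' `
    -GenerateClientSecret

# Resource the client requests tokens for; these rules decide what lands in the JWT.
$apiRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "AD user to upn"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);
'@
Add-AdfsWebApiApplication -Name 'Non-SAP Web App - API' `
    -ApplicationGroupIdentifier 'nonsap-webapp' `
    -Identifier 'https://app.example.com' `
    -IssuanceTransformRules $apiRules `
    -IssuanceAuthorizationRules $permitAll

# Allow the client to ask for an id_token (openid) with profile claims for that resource.
Grant-AdfsApplicationPermission -ClientRoleIdentifier $clientId `
    -ServerRoleIdentifier 'https://app.example.com' `
    -ScopeNames 'openid', 'profile'

# The secret is shown once; put it in the app's secret store, never in source.
Write-Host "OIDC client_id : $clientId"
Write-Host "OIDC secret    : $($client.ClientSecret)"

# --- 4. Checks a practitioner should run afterwards
Get-AdfsRelyingPartyTrust -Name 'SAP Web App (SAML)' | Select-Object Name, Identifier, SignatureAlgorithm
Get-AdfsApplicationGroup -ApplicationGroupIdentifier 'nonsap-webapp' | Select-Object Name, Applications
Get-AdfsGlobalAuthenticationPolicy | Select-Object PrimaryIntranetAuthenticationProvider, PrimaryExtranetAuthenticationProvider
# Browser SSO session lifetime (minutes) that lets the second app skip the login:
(Get-AdfsProperties).SsoLifetime
# IWA is only attempted for user agents in this list; non-Microsoft browsers
# fall back to forms unless added with Set-AdfsProperties -WIASupportedUserAgents.
(Get-AdfsProperties).WIASupportedUserAgents
```

If the SAP SP publishes metadata, `Add-AdfsRelyingPartyTrust -MetadataUrl` can replace the manual endpoint, identifier and signing settings. The non-SAP app then performs a normal OIDC authorization-code flow against `https://<adfs-host>/adfs/oauth2/authorize` with the client_id above and must validate the returned JWT's signature (from the ADFS JWKS), issuer and audience itself; ADFS's contribution to the "no double login" requirement is solely the existing sign-in session cookie, which is why the `SsoLifetime` value is worth checking.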
