We have a mixed setup of IIS webservers and SAP systems that our users need to access through a browser. We would like to give our desktop users a single sign-on experience so that they do not have to log on to SAP systems when they access them through the browser, as they are already accustomed to this on the Microsoft side through the setup of Kerberos. We have found that the best way to implement this scenario is to use the SAP logon ticket as the logon mechanism on the SAP side. Basically the users should click on a link which points to the redirect application from SAP note 1250795, which should allow them to log on, and once they have logged on once, should issue an SAP logon ticket.
The part mentioned above works flawlessly. We then thought we could give the users an even better experience by allowing them to get authenticated to the system that issues the SAP logon ticket by setting up SAML and using ADFS as an Identity Provider. This can be achieved in various ways, but with a lot of help from Desislava Petkova's guide here we managed to set it up, so that it also works very well. The end result is that the users click on a link, which points to the SAP logon ticket issuing server, which refers to ADFS for authentication and, once authenticated, issues an SAP logon ticket and redirects to the actual link on the requested SAP server. A lot of redirecting takes place behind the scenes, but since the IIS on the ADFS server is set up to use integrated authentication, the Kerberos ticket that the users already have is automatically translated to a SAML assertion, which is accepted on the SAP logon ticket issuing system.
For desktop users this works fine. We do however also have a number of users that access SAP from a thin client where the desktop is started with an AD user that has no match in the SAP systems. We would like to have a setup that will make ADFS decide that these particular users will need to use forms login. This does not seem to be trivial to setup, so I would like to know if any of you have a similar use case?
Researching a bit with Google, it looks like ADFS may be customized to use an incoming parameter in the HTTP request to decide which type of authentication can be used. I found the following two articles that may support this idea on the ADFS side. The first is this one and the second is this one. Assuming some development could solve the problem on the ADFS side, the only question that remains is whether it is possible by configuration on the SAP side to send a parameter, an authentication context or something similar that could cause ADFS to behave differently for certain users. Would any of you have any suggestions?
Very best regards,
Anders
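As an added illustration (not part of Anders' post, nor SAP or ADFS code), the "authentication context" the question refers to corresponds in SAML 2.0 to the RequestedAuthnContext element of an AuthnRequest; the block below builds such a request and shows how the receiving side can check that the AuthnContextClassRef in the returned assertion is the one it asked for. The issuer URL and the sample response are constructed, and whether a given IdP honours the requested class is a configuration question this example does not settle.

```python
# Added example (not from the original post): a SAML 2.0 RequestedAuthnContext
# in an AuthnRequest, and a relying-party check that the AuthnContextClassRef
# the IdP returns is the one that was requested.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
KERBEROS = "urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos"


def build_authn_request(issuer, context_class, comparison="exact"):
    """Build a minimal AuthnRequest asking the IdP for one authentication class."""
    ET.register_namespace("samlp", NS["samlp"])
    ET.register_namespace("saml", NS["saml"])
    req = ET.Element(f"{{{NS['samlp']}}}AuthnRequest", {"ID": "_req1", "Version": "2.0"})
    ET.SubElement(req, f"{{{NS['saml']}}}Issuer").text = issuer
    rac = ET.SubElement(req, f"{{{NS['samlp']}}}RequestedAuthnContext", {"Comparison": comparison})
    ET.SubElement(rac, f"{{{NS['saml']}}}AuthnContextClassRef").text = context_class
    return ET.tostring(req, encoding="unicode")


def requested_context(authn_request_xml):
    root = ET.fromstring(authn_request_xml)
    return root.findtext("samlp:RequestedAuthnContext/saml:AuthnContextClassRef", namespaces=NS)


def returned_context(response_xml):
    root = ET.fromstring(response_xml)
    path = "saml:Assertion/saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    return root.findtext(path, namespaces=NS)


def context_matches(authn_request_xml, response_xml):
    """Reject an assertion whose authentication method differs from the one requested."""
    return requested_context(authn_request_xml) == returned_context(response_xml)


# Constructed sample response (not real ADFS output): the IdP reports Kerberos.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:AuthnStatement AuthnInstant="2013-01-01T00:00:00Z">
      <saml:AuthnContext><saml:AuthnContextClassRef>{KERBEROS}</saml:AuthnContextClassRef></saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""
```

A user who should have been sent to forms login but arrives with a Kerberos class would fail the check, which is the condition the relying party wants to detect.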