Hi,
I have gone through all the links that you included from the beginning, but it's not clear how SSO based on SAML works in an MS domain environment. I understand the connection and trust relationship between the service provider (SAP Application Server) and the identity provider (NW IDM Federation). However, the connection to the authentication server, in this case Microsoft Active Directory, is not clear or explained in the links I read on the SAP Help Portal. The questions that remain are:
- According to your feedback, the SAP Application Server is required to be in a Microsoft domain. But suppose, for example, that the SAP Application Server is in domain A, while the users' computers are in domain B (and are thus authenticated by the domain B domain controller). Will a trust relationship between domain A and domain B then be needed if a SAML-based solution is used?
- As far as I understand, the Identity Provider (and maybe the STS) can issue SAML assertions to authenticate the users. But in order to verify the user credentials, the Identity Provider needs to contact the authentication server (Microsoft Active Directory). How this is done is still unclear to me. I know that there is a mapping procedure for the Windows qualified domain name of the users, but before this can happen, is there any configuration needed for Active Directory and the Identity Provider to "know" each other?
Regards,
Duy