SSO for SAP NetWeaver Portal

by SAP

Add Modern SSO to SAP NetWeaver Portal Without BASIS Changes

Why SAP NetWeaver Portal Needs Modern SSO

SAP NetWeaver Portal (Enterprise Portal) is the central access point for SAP and non-SAP applications in thousands of enterprise deployments. It aggregates iViews, Web Dynpro applications, BEx reports, and knowledge management content into a unified portal experience. Despite SAP's push toward SAP Fiori and SAP BTP, many organizations still depend on NetWeaver Portal for role-based dashboards, ESS/MSS scenarios, and custom portal content built over many years. The portal's authentication model relies on SAP's User Management Engine (UME), which can connect to LDAP, SAP backend systems, or a local database, but lacks native support for modern SAML 2.0 SP or OIDC relying party flows without SAP Identity Authentication Service or SAP Single Sign-On 3.0 licensing.

OnePAM solves this by placing an identity-aware reverse proxy in front of the SAP NetWeaver Portal's Java-based web container. Users authenticate through your corporate IdP, and OnePAM injects a trusted session via SAP Logon Ticket (MYSAPSSO2) or header-based authentication. All portal content (iViews, Web Dynpro, BEx, KM) gains SSO without UME reconfiguration or Java stack modifications.

Authentication Challenges with SAP NetWeaver Portal

These are the security and operational challenges organizations face when SAP NetWeaver Portal relies on its native authentication model.

UME Configuration Complexity

SAP's User Management Engine supports multiple data sources (LDAP, SAP, database) but configuring federation with modern IdPs requires SAP SSO 3.0 or custom UME modules.

SAP SSO Licensing

Enabling SAML on NetWeaver Portal natively requires SAP Single Sign-On 3.0 or SAP Identity Authentication — both adding licensing cost and infrastructure.

Java Stack Maintenance

NetWeaver Portal runs on a Java stack (SAP NetWeaver AS Java) that is separate from ABAP systems, requiring specialized administration for security changes.

Portal Content Dependencies

Hundreds of iViews, Web Dynpro applications, and KM repositories rely on portal session authentication, making auth changes high-risk.

Multi-System SSO Gap

Portal content often calls backend ABAP systems. Achieving end-to-end SSO from IdP through the portal to SAP ECC requires complex ticket trust chains.

Aging Infrastructure

Many NetWeaver Portal deployments run on older NetWeaver 7.x versions that are difficult to upgrade and lack modern security features.

How OnePAM Adds SSO to SAP NetWeaver Portal

A step-by-step guide to deploying modern SSO for SAP NetWeaver Portal using OnePAM's identity-aware reverse proxy.

1. Deploy OnePAM Gateway

Install OnePAM as a reverse proxy in front of SAP NetWeaver Portal's web dispatcher or ICM component.

OnePAM deploys as a container or VM and handles TLS termination. It intercepts all HTTP/HTTPS requests to the portal before they reach the NetWeaver Java stack.

2. Configure IdP Federation

Connect OnePAM to your corporate IdP (Okta, Azure AD, Google Workspace, ADFS, or any SAML/OIDC provider).

OnePAM handles the full SAML/OIDC handshake: metadata exchange, assertion validation, MFA enforcement, and token lifecycle management. SP-initiated and IdP-initiated flows are supported.

3. Map IdP Users to Portal Users

Define how IdP user attributes map to SAP NetWeaver Portal UME user accounts.

OnePAM maps IdP assertions to UME user IDs using email, employee ID, or custom attribute matching. Support for UME's multiple data sources (LDAP, SAP, database) is included.

4. Enable SAP Logon Ticket Injection

OnePAM creates trusted SAP sessions via MYSAPSSO2 logon ticket or HTTP header authentication.

After IdP authentication, OnePAM generates a valid SAP Logon Ticket (MYSAPSSO2 cookie) that the NetWeaver Portal Java stack accepts. The user lands on their portal desktop without a second login.

5. Activate Policies & Monitoring

Define access policies per portal role, iView, and content area. Enable audit logging and session recording.

Every portal access event is logged with full IdP context: user, MFA method, device, location, and portal content accessed. Session recording captures the full portal session for compliance.
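
An added illustration of steps 3 and 4 in the header-based mode, not OnePAM's code or configuration: verified assertion attributes are mapped to exactly one UME user ID, failing closed on no match or an ambiguous match, and any identity header sent by the client is discarded before the proxy sets its own. The header name X-Portal-User, the attribute names, and the sample directory are assumptions constructed for the example.

```python
# Added illustration, not OnePAM code. Names below are assumptions.
IDENTITY_HEADER = "X-Portal-User"        # hypothetical header the portal trusts
MATCH_ORDER = ("employee_id", "email")   # attribute precedence for matching

# Constructed sample directory: UME user ID -> attributes
UME_USERS = {
    "JDOE":   {"email": "jane.doe@example.com", "employee_id": "10042"},
    "JSMITH": {"email": "j.smith@example.com",  "employee_id": "10077"},
    "SVC_JS": {"email": "j.smith@example.com",  "employee_id": ""},
}

class MappingError(Exception):
    """Raised when an assertion does not map to exactly one UME user."""

def resolve_ume_user(assertion, directory=UME_USERS):
    """Return the single UME user ID matching the assertion, or fail closed."""
    for attr in MATCH_ORDER:
        value = (assertion.get(attr) or "").strip().lower()
        if not value:
            continue  # attribute absent from the assertion: try the next one
        hits = [uid for uid, rec in directory.items()
                if rec.get(attr, "").strip().lower() == value]
        if len(hits) == 1:
            return hits[0]
        if len(hits) > 1:
            # Two accounts share the value: refuse rather than pick one.
            raise MappingError(f"ambiguous {attr}: matches {sorted(hits)}")
    raise MappingError("no UME user matches the assertion")

def _canonical(name):
    """Compare header names case-insensitively, treating '_' and '-' alike."""
    return name.lower().replace("_", "-")

def build_upstream_headers(client_headers, assertion, directory=UME_USERS):
    """Drop any client-supplied identity header, then set the verified one."""
    user = resolve_ume_user(assertion, directory)  # raises before forwarding
    upstream = {name: value for name, value in client_headers.items()
                if _canonical(name) != _canonical(IDENTITY_HEADER)}
    upstream[IDENTITY_HEADER] = user
    return upstream
```

A MappingError should end the request with a denial and an audit log entry rather than a fallback account.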

Benefits of SSO for SAP NetWeaver Portal

Measurable business outcomes from deploying OnePAM SSO in front of SAP NetWeaver Portal.

End UME Password Management

Users log in with their corporate credentials — no separate NetWeaver Portal password to maintain, expire, or reset.

90% fewer portal password tickets

Enforce MFA for Portal Access

Apply your IdP's MFA policies to all portal content — push notifications, FIDO2 keys, or biometrics — without Java stack changes.

100% MFA-protected portal access

Instant Deprovisioning

Disable a user in your IdP and their portal access stops immediately. No UME account cleanup, no orphan sessions.

Real-time access revocation

No SAP SSO Licensing

OnePAM replaces SAP Single Sign-On 3.0 and SAP Identity Authentication for portal SSO — significant licensing savings.

Save on SAP SSO licenses

Unified Compliance

Portal access events appear alongside all other application access in a single audit trail with IdP context and device information.

Audit-ready in minutes

No Java Stack Changes

No UME module development, no NWA configuration changes, no portal application redeployment. OnePAM works at the HTTP layer.

Zero stack changes

SAP NetWeaver Portal SSO Capabilities

Every feature needed to provide enterprise-grade SSO for SAP NetWeaver Portal.

SAML 2.0 & OIDC SSO for SAP NetWeaver Portal
SAP Logon Ticket (MYSAPSSO2) injection
iView and Web Dynpro SSO pass-through
BEx and Business Intelligence content SSO
Knowledge Management SSO coverage
ESS/MSS scenario support
UME user-to-IdP attribute mapping
Session recording for portal interactions

Security Features

Enterprise-grade security controls protecting the SSO integration layer.

End-to-end TLS between user, OnePAM, and NetWeaver Portal
Signed SAP Logon Tickets with certificate pinning
Portal role-based access policies from IdP groups
IP allow-listing and geo-restriction per portal area
Device compliance verification before portal access
Automatic session invalidation on IdP sign-out

SAP NetWeaver Portal SSO Use Cases

Common scenarios where organizations deploy OnePAM SSO for SAP NetWeaver Portal.

1. HR departments accessing ESS/MSS iViews on NetWeaver Portal with corporate SSO
2. Finance teams using BEx analyzer via the portal with MFA enforcement
3. Executives accessing role-based dashboards with device-trust verification
4. External contractors given time-limited, recorded portal access
5. Multi-subsidiary organizations unifying portal access across IdPs during mergers
6. Organizations planning SAP Fiori migration needing SSO now for NetWeaver Portal

SAP NetWeaver Portal SSO FAQ

Common questions about deploying OnePAM SSO for SAP NetWeaver Portal.

Does OnePAM require changes to the SAP NetWeaver Portal Java stack?

No. OnePAM operates as a reverse proxy in front of the portal's web dispatcher or ICM. It handles authentication at the HTTP layer via SAP Logon Ticket injection. No UME changes, no NWA configuration, no Java stack modifications.

Which NetWeaver Portal versions are supported?

OnePAM supports SAP NetWeaver Portal 7.0, 7.01, 7.02, 7.3, 7.31, 7.4, and 7.5. Any version running on SAP NetWeaver Application Server Java is compatible.

Does SSO extend to backend ABAP systems called by portal iViews?

Yes. OnePAM generates SAP Logon Tickets that can be trusted by backend ABAP systems (ECC, BW, CRM). This enables end-to-end SSO from your IdP through the portal to backend SAP systems.

How does OnePAM handle portal roles and permissions?

OnePAM maps IdP groups to portal roles. When a user authenticates, their IdP group memberships can be used to assign portal roles, enabling centralized role management from your IdP.

Can we use OnePAM alongside SAP Identity Management (IdM)?

Yes. OnePAM handles authentication (SSO/MFA) while SAP IdM manages provisioning and role assignments. The two systems are complementary.

What about SAP Fiori running on the same NetWeaver stack?

If SAP Fiori is deployed on the same NetWeaver instance, it automatically gains SSO through OnePAM. The SAP Logon Ticket is valid for both portal and Fiori content.

Ready to Add SSO to SAP NetWeaver Portal?

Deploy OnePAM in hours — not months. No SAP NetWeaver Portal code changes required. Start your free 14-day trial today.