SAML CONFIGURATION (SINGLE SIGN-ON, SSO) IN HYBRIS 6.7
This guide enables Single Sign-On (SSO) on the SAP Commerce side, so that a user who has already authenticated at the identity provider is logged into the storefront without entering a username and password again.
Single sign-on is implemented with the Security Assertion Markup Language (SAML). SAML is an XML-based open standard for exchanging authentication and authorization data between a SAML authority and a SAML consumer.
The SAML authority is the identity provider (IdP) and the SAML consumer is the service provider (SP); here SAP Commerce is the service provider.
Install the B2C accelerator by running the b2c_acc_plus recipe in your hybris 6.7 suite.
Add the SAML extension to the localextensions.xml file under the config folder:
<extension name='samlsinglesignon' />
Restart the hybris server.
The samlsinglesignon extension connects SAP Commerce to an external identity provider (IdP).
Here I am using SAP NetWeaver as the identity provider; any other SAML 2.0 IdP can be used to establish the trust relationship in the same way.
Procedure to generate the certificate, the IdP PFX file (the key pair used for signing and encryption) and the IdP metadata on SAP NetWeaver or Fiori:
1. Configure SAP NetWeaver as a SAML 2.0 identity provider, and generate a key pair for encryption and signing on behalf of the identity provider.
2. Export the certificate and metadata of the IdP; the service providers need them to trust the IdP.
3. On the IdP, configure a trust relationship with SAP CRM as the service provider.
4. Configure SAP CRM as a SAML service provider.
5. Establish a trust relationship between SAP CRM and SAP NetWeaver as the IdP.
Note: For More on
See the image below for the generated files.
IdP: a signed certificate was generated with a high-grade key size; it is used for signing and for the communication between your service provider and the IdP. It is exported in PFX (PKCS#12) format, which bundles the private key with the certificate.
Establishing Trust between SAP Commerce (Hybris) and the Identity Provider:
After installing the b2c_acc_plus recipe, the samlKeystore.jks file is located at the extension path given below.
Now import the generated PFX file (which contains the certificate together with its private key) into your samlKeystore.jks.
Go to the Java bin directory and run the following command:
keytool -importkeystore -srckeystore E:\SAML\sap_idp_private.pfx -srcstoretype pkcs12 -destkeystore E:\SAML\samlKeystore.jks -deststoretype JKS
Note: adjust the paths of the PFX file and of samlKeystore.jks in the above command to your environment.
When prompted for the destination keystore password, enter changeit. This is the keystore password the samlsinglesignon extension is configured with by default in spring-security-config.xml; if you choose a different one, update it there as well, and do not leave a well-known default on a production keystore.
When prompted for the source keystore password, enter the password that was set when the PFX file was exported from the IdP. Note that keytool protects the imported private key with the source password unless you pass -destkeypass; whichever password the key entry ends up with is the one the keystore configuration in spring-security-config.xml must carry for that alias.
When the command succeeds, samlKeystore.jks is written to the given path and keytool prints the alias of the imported entry ("Entry for alias ... successfully imported"). Note this alias; it is needed later in spring-security-config.xml.
Copy the generated samlKeystore.jks over the one shipped with the SAML single sign-on extension at: <HYBRIS_HOME>/hybris/bin/ext-integration/samlsinglesignon/web/webroot/WEB-INF/security/
This keystore now holds the service provider's private key: keep it out of version control and readable only by the account the server runs as.
Configure the IdP's metadata and certificate so that your service provider (Hybris) and the identity provider can communicate.
Copy the IdP's metadata.xml file to the <HYBRIS_HOME>/hybris/bin/ext-integration/samlsinglesignon/web/webroot/WEB-INF/security/ folder.
Note: if you do not have the IdP's signing certificate as a separate file, take it from the IdP's metadata.xml: it is the Base64 text between the <ds:X509Certificate> tags of the KeyDescriptor with use="signing" (a KeyDescriptor without a use attribute serves both signing and encryption; do not use an encryption-only one).
Copy that text into a file named sso_circle_cert.cer, wrapped in -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, so that it looks like the example below.
Run the following command from the Java bin directory with administrator rights:
keytool -importcert -alias ssoIDPCert -file E:\SAML\sso_circle_cert.cer -keystore E:\Hybris67Saml\hybris\bin\ext-integration\samlsinglesignon\web\webroot\WEB-INF\security\samlKeystore.jks
When prompted, enter the keystore password: changeit
keytool then prints the certificate's owner, issuer, validity and fingerprints and asks whether you trust it. Compare the fingerprint with the one the IdP administrator gives you (or with one computed from metadata you received over a trusted channel) before answering yes; importing an unverified certificate means trusting whoever holds its private key to sign logins for your storefront.
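The extraction and the trust prompt above can be checked programmatically. The following is an added example written for this page, not code from SAP Commerce or the samlsinglesignon extension: it pulls every signing certificate out of an IdP metadata.xml, writes it as the PEM file keytool -importcert accepts, and returns the SHA-256 fingerprint in the layout keytool shows before you answer yes. The sample metadata, the entity ID idp.example.com and the "certificate" bytes inside it are constructed placeholders, not a real X.509 certificate.

```python
"""Extract the IdP signing certificate from SAML metadata and fingerprint it.

Added example for this page; not code from SAP Commerce or the
samlsinglesignon extension. Assumes standard SAML 2.0 metadata. The sample
metadata and the "certificate" bytes inside it are constructed placeholders.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def extract_signing_certs(metadata_xml: str) -> list:
    """Return the DER bytes of each certificate the IdP publishes for signing.

    A KeyDescriptor with no 'use' attribute is valid for both signing and
    encryption, so it is kept; use="encryption" keys are skipped because
    they must never be trusted to verify assertion signatures.
    """
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") == "encryption":
            continue
        for node in kd.iterfind(".//ds:X509Certificate", NS):
            # The Base64 text is normally line-wrapped and indented: strip
            # all whitespace before decoding, and reject anything else.
            b64 = "".join((node.text or "").split())
            certs.append(base64.b64decode(b64, validate=True))
    return certs


def to_pem(der: bytes) -> str:
    """Wrap DER bytes in the PEM armour that keytool -importcert accepts."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated upper-case hex digest, as keytool prints it
    before asking 'Trust this certificate?'."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def write_idp_cert(metadata_xml: str, path: str) -> str:
    """Write the single signing cert as PEM and return its SHA-256 fingerprint."""
    certs = extract_signing_certs(metadata_xml)
    if len(certs) != 1:
        raise ValueError(f"expected one IdP signing certificate, found {len(certs)}")
    with open(path, "w", encoding="ascii") as fh:
        fh.write(to_pem(certs[0]))
    return fingerprint(certs[0])


# Constructed sample input (placeholder DER blobs, not real certificates).
FAKE_SIGNING_DER = b"\x30\x82constructed-placeholder-signing-cert"
FAKE_ENCRYPTION_DER = b"\x30\x82constructed-placeholder-encryption-cert"


def _wrapped_b64(der: bytes) -> str:
    """Line-wrap Base64 the way IdPs usually emit it in metadata."""
    body = base64.b64encode(der).decode("ascii")
    return "\n        ".join(body[i:i + 40] for i in range(0, len(body), 40))


SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/saml2/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {_wrapped_b64(FAKE_SIGNING_DER)}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {_wrapped_b64(FAKE_ENCRYPTION_DER)}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml2/idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    # Writes sso_circle_cert.cer next to the script and prints the fingerprint
    print("SHA256:", write_idp_cert(SAMPLE_IDP_METADATA, "sso_circle_cert.cer"))
```

Run it against the real metadata.xml (read the file into a string and pass it to write_idp_cert) and compare the printed value with the SHA256 line keytool shows at the trust prompt; if the IdP publishes more than one signing certificate (for example during a key rollover), the function refuses to guess and you import each one under its own alias. The standard-library parser is used because the metadata comes from your own IdP; for metadata from an untrusted source, parse it with defusedxml instead.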
After configuring the metadata and installing the IdP certificate, reflect these settings in spring-security-config.xml.
Path: <HYBRIS_HOME>/hybris/bin/ext-integration/samlsinglesignon/web/webroot/WEB-INF/security/spring-security-config.xml
Replace both occurrences of the default key alias (hybris) in the keystore configuration with the alias of the imported entry, here tp-d5aa6ee3-c837-4144-b87c-2f6fe3999961.
Update the metadataGeneratorFilter bean in spring-security-config.xml so that the entityId parameter is unique, for example urn:ssoextension:hybris:de. The IdP identifies your service provider by this value.
Here I used samltraining; if possible use your project name, or leave it as hybris.
Add the properties below to the local.properties file under the config folder. For the full list, see the project.properties file in the samlsinglesignon extension.
Note: in sso.redirect.url provide your external URL rather than localhost or an IP address; the user's browser is sent to this URL after the SAML login completes, so it must be reachable from outside.
Now run ant build and restart the server. A message that the metadata was loaded successfully appears in the hybris console log.
Download the service provider metadata (Hybris):
To obtain the service provider metadata, request the following URL: http://localhost:9001/samlsinglesignon/saml/metadata
This downloads an XML file containing all the information about your service provider that the identity provider needs.
Please see the below screenshot for metadata file.
The file describes the service provider (Hybris): its entityID, its certificate and the endpoints the IdP must send assertions to.
Note: download the metadata through the external URL, not localhost. The endpoint URLs written into the generated file are taken from the URL the request arrives on, so a file downloaded from localhost would tell the IdP to send assertions to localhost.
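Before uploading, it is worth checking the downloaded file for the two mistakes this section warns about (localhost endpoints and a non-unique entityId), plus the signing flags. The following is an added example for this page, not code from SAP Commerce or the samlsinglesignon extension; the host shop.example.com, the entity IDs and the endpoint paths in its sample metadata are constructed values, and DEFAULT_ENTITY_ID reflects the shipped default hybris mentioned above.

```python
"""Sanity-check Hybris service-provider metadata before uploading it to the IdP.

Added example for this page; not code from SAP Commerce or the
samlsinglesignon extension. Assumes standard SAML 2.0 SP metadata. The
expected host, the entity IDs and the endpoint paths in the samples below
are constructed values.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
DEFAULT_ENTITY_ID = "hybris"  # the extension's shipped entityId, per the text above


def check_sp_metadata(metadata_xml: str, expected_host: str) -> list:
    """Return a list of problems; an empty list means the file is safe to upload."""
    root = ET.fromstring(metadata_xml)
    problems = []
    entity_id = root.get("entityID", "")
    if not entity_id or entity_id == DEFAULT_ENTITY_ID:
        problems.append(f"entityID {entity_id!r} is missing or still the default; make it unique")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        problems.append("no SPSSODescriptor: this is not service-provider metadata")
        return problems
    # Both flags should be true: the IdP must sign assertions, and signed
    # AuthnRequests let the IdP reject requests forged by a third party.
    for flag in ("AuthnRequestsSigned", "WantAssertionsSigned"):
        if sp.get(flag, "false").lower() != "true":
            problems.append(f"{flag} is not true")
    # The IdP sends the browser (and the signed assertion) to these endpoints.
    # They are generated from the URL the metadata was downloaded on, so a
    # download over http://localhost bakes localhost into what the IdP trusts.
    endpoints = list(sp.iterfind("md:AssertionConsumerService", NS))
    endpoints += list(sp.iterfind("md:SingleLogoutService", NS))
    if not endpoints:
        problems.append("no AssertionConsumerService endpoint")
    for ep in endpoints:
        tag = ep.tag.split("}")[-1]
        loc = ep.get("Location", "")
        url = urlparse(loc)
        if url.scheme != "https":
            problems.append(f"{tag} {loc} is not https")
        if url.hostname != expected_host:
            problems.append(f"{tag} {loc} does not point at {expected_host}")
    return problems


# Constructed sample: what a download over http://localhost:9001 would produce.
LOCALHOST_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="hybris">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://localhost:9001/samlsinglesignon/saml/SSO" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed sample: downloaded over the external https URL with a unique entityId.
EXTERNAL_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="urn:ssoextension:samltraining:de">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://shop.example.com/samlsinglesignon/saml/SingleLogout"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://shop.example.com/samlsinglesignon/saml/SSO" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    for name, xml in (("localhost", LOCALHOST_SP_METADATA), ("external", EXTERNAL_SP_METADATA)):
        print(name, check_sp_metadata(xml, "shop.example.com") or "OK")
```

Read the downloaded metadata file into a string and call check_sp_metadata with the public hostname of the storefront; only upload it to the IdP when the returned list is empty. The localhost sample produces four findings (default entityID, WantAssertionsSigned not true, a non-https endpoint and a wrong host), the external sample none.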
Upload the service provider metadata to the identity provider (SAP NetWeaver, Fiori, etc.).
Once the service provider metadata is uploaded, a user who signs in at NetWeaver or Fiori and is redirected to the storefront automatically receives a hybris Commerce login session, without being asked for credentials again.