Skip to Content

SAML2 Web Single Sign-on updates too many services.

We have just gone through the process of setting up Microsoft ADFS to be our Identity Provider for SAML2.  This allows our users to access web content in SAP based on their windows PC logon. 

After going through the process of using the SAML2 transaction to establish the trust relationship, we find that SAML2 web single sign-on is now enabled for way more than we ever intended.  Two examples of where this is a problem include: 1) OData web services (/default_host/sap/opu/odata/sap) and 2) the Netweaver Business Client (/sap/bc/nwbc).

What is the best process for selectively enabling SAML2 web single sign-on?  It seems that we could go into SICF and switch individual service nodes to using the 'Alternate Logon Procedure' and then remove 'SAML Logon' from the Logon Procedure list.  However, this requires us to touch way too many nodes.  This process is, in effect, selectively disabling SAML2 web single sign-on.  We are looking for a process where we can selectively enable SAML2 web single sign-on for the few places where we want it to be enabled (e.g. /default_host/sap/bc/webdynpro/sap).

Thank you in advance for your help.

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

1 Answer

  • Oct 06, 2014 at 10:02 PM


    SICF uses inheritance. So children inherits logon procedure unless you specify otherwise. Hence it's not that much work. You can go to top one - disable SAML and then enable SAML for nodes that you wish for.


    Add comment
    10|10000 characters needed characters exceeded