Application Development Discussions

SAML2 Web Single Sign-on updates too many services.

former_member186439
Participant
0 Kudos

We have just gone through the process of setting up Microsoft ADFS to be our Identity Provider for SAML2.  This allows our users to access web content in SAP based on their windows PC logon. 

After going through the process of using the SAML2 transaction to establish the trust relationship, we find that SAML2 web single sign-on is now enabled for way more than we ever intended.  Two examples of where this is a problem include: 1) OData web services (/default_host/sap/opu/odata/sap) and 2) the Netweaver Business Client (/sap/bc/nwbc).

What is the best process for selectively enabling SAML2 web single sign-on?  It seems that we could go into SICF and switch individual service nodes to using the 'Alternate Logon Procedure' and then remove 'SAML Logon' from the Logon Procedure list.  However, this requires us to touch way too many nodes.  This process is, in effect, selectively disabling SAML2 web single sign-on.  We are looking for a process where we can selectively enable SAML2 web single sign-on for the few places where we want it to be enabled (e.g. /default_host/sap/bc/webdynpro/sap).

Thank you in advance for your help.

1 REPLY

martin_voros
Active Contributor
0 Kudos

Hi,

SICF uses inheritance. So children inherit the logon procedure unless you specify otherwise. Hence it's not that much work. You can go to the top node, disable SAML there, and then enable SAML only for the nodes that you wish.

Cheers
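As an added illustration of the inheritance rule described in the reply (this is an editor's model, not SAP code and not anything posted in the thread), the script below represents the SICF service tree as nodes that either inherit their logon procedure list from the nearest ancestor or carry an explicit list of their own. It then replays the scenario from the question: SAML is enabled at the top node after the trust setup, so every service picks it up; switching the top node (/sap, standing in for the default_host root) to an explicit list without "SAML Logon" and re-enabling it only on /sap/bc/webdynpro/sap leaves OData and NWBC without SAML. The procedure names and the set of paths are assumptions chosen to match the thread; the resolution logic is the "nearest explicit ancestor wins" rule the reply states, nothing more.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Logon procedure names are illustrative strings modelled on the thread,
# not values read from a real SICF configuration.
SAML = "SAML Logon"
STANDARD = ["Logon Through SSO Ticket", "Basic Authentication"]  # assumed defaults


@dataclass
class Node:
    name: str
    # None means "inherit from parent" (the SICF default for a child node);
    # a list means an explicit ("alternate") logon procedure list on this node.
    procedures: Optional[List[str]] = None
    children: Dict[str, "Node"] = field(default_factory=dict)


class ServiceTree:
    """Minimal model of SICF logon-procedure inheritance (editor's example)."""

    def __init__(self, root_procedures: List[str]):
        # The root stands in for the default_host node and always has an
        # explicit list, so every path resolves to something.
        self.root = Node("", list(root_procedures))

    @staticmethod
    def _parts(path: str) -> List[str]:
        return [p for p in path.strip("/").split("/") if p]

    def add(self, path: str) -> Node:
        """Create the node (and any missing ancestors) as inheriting nodes."""
        node = self.root
        for part in self._parts(path):
            node = node.children.setdefault(part, Node(part))
        return node

    def set_procedures(self, path: str, procedures: List[str]) -> None:
        """Switch one node to an explicit logon procedure list."""
        self.add(path).procedures = list(procedures)

    def effective(self, path: str) -> List[str]:
        """Walk root -> leaf; the nearest node with an explicit list wins."""
        node = self.root
        current = node.procedures
        for part in self._parts(path):
            node = node.children.get(part)
            if node is None:
                raise KeyError(f"unknown service node: {path}")
            if node.procedures is not None:
                current = node.procedures
        return list(current)

    def saml_enabled(self, path: str) -> bool:
        return SAML in self.effective(path)

    def all_paths(self) -> List[str]:
        out: List[str] = []

        def walk(node: Node, prefix: str) -> None:
            for name, child in node.children.items():
                full = f"{prefix}/{name}"
                out.append(full)
                walk(child, full)

        walk(self.root, "")
        return out


def thread_scenario():
    """Replay the question: SAML everywhere after setup, then the reply's fix."""
    # After the SAML2 trust setup: SAML added at the top, inherited by all nodes.
    tree = ServiceTree(STANDARD + [SAML])
    for p in ["/sap/opu/odata/sap", "/sap/bc/nwbc",
              "/sap/bc/webdynpro/sap", "/sap/public/bc"]:  # constructed sample tree
        tree.add(p)
    before = {p: tree.saml_enabled(p) for p in tree.all_paths()}

    # The reply's approach: disable SAML at the top node, re-enable it only
    # where it is wanted. Nodes in between keep inheriting the top setting.
    tree.set_procedures("/sap", STANDARD)
    tree.set_procedures("/sap/bc/webdynpro/sap", STANDARD + [SAML])
    after = {p: tree.saml_enabled(p) for p in tree.all_paths()}
    return before, after


if __name__ == "__main__":
    before, after = thread_scenario()
    for path in sorted(after):
        print(f"{path:28s} SAML before={before[path]!s:5s} after={after[path]}")
```

Two edits on the real system map onto the two `set_procedures` calls above; every other node needs no change because it inherits, which is the point of the reply. Note that a node that was already switched to an explicit list earlier (for any reason) will not follow the top-level change, so after disabling SAML at the top it is worth scanning for nodes that still carry "SAML Logon" explicitly.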