
How to configure an ABAP system as an Identity Provider

Feb 28, 2017 at 10:55 AM



Hello :)

As the title says: How to configure an ABAP system as an Identity Provider?

On this SAP Page underneath "Securely Integrate with On-Premises Identity Infrastructure" is a picture where an ABAP-System is used as a User Store/Identity Provider, connected with a SAP Cloud Identity Service.

I want to do this too. In the end, I want to be able to log in to my HCP apps using my ABAP system login credentials "hidden" by the Cloud Identity Service.

Or if possible without the Cloud Identity Service.

Many documents use an AS Java between the ABAP system and the HCP/Cloud Identity Service, but I would like to not have to use this constellation.

But I don't know how to use my ABAP system as an identity provider with SAML 2.0.

Is this even possible? And if yes, how?

Thanks in advance :)


I know there is a transaction SAML2, where you can set up the ABAP system as a Service Provider. There is a field named "Operation Mode", which indicates that there could be an option to switch from Service Provider (gray, unchangeable default) to Identity Provider.

In this question, a component is mentioned for Java systems. Is there something for ABAP?


2 Answers

Best Answer
Christopher Leonard
Mar 15, 2017 at 02:30 PM

Hello Tim,
As Matt said, this isn't an IdM question; however, from general knowledge, the ABAP system cannot directly act as an IDP but rather just as a Service Provider. Probably what the documentation you saw refers to is that the source of users for user federation in terms of SAML could be taken from the ABAP system (typically the IDP works off either an LDAP server (e.g. ADS) or some other source like UME in the SAP IDP AS Java server). Most likely, once you authenticate against the on-premise system, the IDP then issues a SAML token which then allows access to other service providers. Probably the SAP Cloud Identity colleagues can further confirm, however.

Hope this clarifies.

@Matt guess this is not an IdM issue here


Hi Christopher,

As you say, the documents use ABAP as the source of users, but not as the SAML IdP.

But my problem is that the documents (like this) do not say "Java-only" or "non-ABAP" (maybe my English isn't good enough). It is just like "We describe for Java", "with Java you can do this and that", but it does not sound like you have to use Java or you just can use Java. Example: "As an identity provider, SAP NetWeaver Application Server (SAP NetWeaver AS) Java can provide cross-domain SSO(...)"

The Product Availability Matrix isn't really helpful either. The requirement (for SAP NW IDM 7.2) is just kind of "SAP NETWEAVER x.x", not Java only. Some of the product instances are commented with "Java 2 Enterprise Edition" and seem to be "Java-only", but I'm not 100% sure about this.

So the SAP NW IDM does not seem to be Java-only, but the component "Identity Federation" (containing the IdP part) seems to be Java-only(?).

This is why I thought it could be an IDM issue.

And I thought it could be a Cloud Identity issue too, because the picture mentioned is part of the cloud platform/identity homepage.

Matt Pollicove
Mar 15, 2017 at 11:49 AM

Hi Tim,

I don't think this is necessarily a question about using SAP IDM as an Identity Provider or using Cloud Identity. Please confirm so I can move it to the correct forum.


Matt (Moderator)


Since I noticed that IDM seems to be for Java only, I can confirm. Thanks.