Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.

Getting started with SAML2.0 for ABAP

Former Member
0 Kudos

Hello

I am attempting to set up SAML authentication for our ERP system as a Service Provider.  My end goal is SSO for delivering HR ESS/MSS via ABAP Web Dynpro (i.e. no portal involved).  I have read a few notes/blogs/wikis, but might be getting lost along the way.  I don't have deep expertise in this area, so I'm hoping for some assistance to point me in the right direction.

Our Identity Provider is Microsoft Active Directory Federated Services (ADFS).

I've run the wizard configuration on the ABAP system and imported the metadata XML from ADFS.

- using Front Channel HTTP POST approach

In addition to any general guidance you can offer, I have two questions

1. I did not see any steps where you have to make changes on the Identity Provider side - is this normal?

2. I'm attempting to do a test and am using the 'ping' service (host:port/sap/bc/ping)  --- when I access the URL it simply prompts for the id/password as it always has.  Wondering if I need to figure out how to get SAML to be higher up on the logon procedure list?!

Any advice?

1 ACCEPTED SOLUTION

Former Member
0 Kudos

See 's excellent document on how to setup SAML in AS ABAP together with ADFS. The context is SAP Fiori but it is applicable to other scenarios too.

6 REPLIES

mvoros
Active Contributor
0 Kudos

1. Not sure about this. It could work out of the box but there might be some config required. Unfortunately, Microsoft does not have a special document for SAP, but I would have a look at the documentation for other products (Microsoft Documentation).

2. I believe that by default SAML is not active. So you have to activate it in SICF (SAP documentation).

Cheers

Former Member
0 Kudos

Hello Martin

Thanks for replying! 

I was mostly interested there was not a step in the SAP documentation to say "at this point you need to perform configuration on the IdP side."

I have subsequently realized that when I went through the wizard process I missed a step to save the NameID setting (to use email) so the SAML configuration was not active!  I'll blame the UI of course

My next roadblock is that I am attempting to provide the SAP Service Provider metadata export so that the ADFS folks can import it into the SAML configuration on the IdP side.  After activating the service /sap/bc/public/sec/saml2 I am able to click "download metadata" in the second screenshot below.

When I do that, a new browser window launches to the URL below but then immediately goes away (the HTTP response code is 200).

https://host:44300/sap/saml2/sp/metadata?sap-client=100&exclude_asp_descriptor=X&exclude_sts_descrip...

Thanks for any advice!!!

mvoros
Active Contributor
0 Kudos

Maybe a stupid question. Doesn't your browser block the popup window? You can use Developer tools (in IE; other browsers have similar tools) to track what is happening on the network.

Former Member
0 Kudos

No stupid questions!  Turns out the URL in the application was somehow incorrect.

Instead of

/sap/saml2/sp/metadata?sap-client=100

it was using

/saml2/sp/metadata?sap-client=100

...and there is no alias in SICF for that.  I manually browsed to that and was able to download the file.

I have provided the metadata.xml file to the ADFS folks....fingers crossed it works out-of-the-box.

I'll post new forum topics if I encounter problems, but I was curious if you can provide general advice: how would you recommend learning SAML2 at a slightly lower level of detail?   The high-level PowerPoint description becomes somewhat useless once you get into the myriad of options that are available.  The SAP documentation is nice, but for the most part I am just accepting defaults without understanding what they mean!  I suppose if it works, I won't need to dig into it, but given that it is security/authentication I would prefer knowing a bit more.
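One practical way to understand what the SP defaults mean is to read the metadata.xml you just exported before handing it to the ADFS team: the entityID, the AssertionConsumerService bindings, the NameID formats and the signing certificate are all in there. The script below is an added example and not code from the thread or from SAP; it parses a constructed metadata document shaped like what an AS ABAP system serves at /sap/saml2/sp/metadata (the entityID, hostname, ACS paths and certificate blob are hypothetical) and flags the settings a reviewer would look at: assertions not required to be signed, no HTTP-POST ACS, a non-HTTPS ACS location, and the emailAddress NameID format (the one the original poster chose) missing.

```python
"""Sanity-check a SAML 2.0 Service Provider metadata document.

Added example, not from the original thread. SAMPLE_METADATA is constructed to
resemble AS ABAP SP metadata; entityID, host, ACS paths and the certificate
bytes are placeholders, not values from any real system.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample; the certificate is a short base64 stub, not a real X.509 cert.
SAMPLE_METADATA = b"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://erp.example.test/saml2/sp">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIBkTCB+wIJAKHBfpegAAAA</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://erp.example.test:44300/sap/saml2/sp/acs/100" index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://erp.example.test:44300/sap/saml2/sp/acs/100" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_bytes):
    """Extract the security-relevant fields from an SP EntityDescriptor.

    The metadata here is your own SP's export, so the stdlib parser is fine;
    for metadata received from a third party prefer defusedxml.
    """
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    spsso = root.find("md:SPSSODescriptor", NS)
    if spsso is None:
        raise ValueError("no SPSSODescriptor: this is not Service Provider metadata")

    certs = []
    for kd in spsso.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):  # skip encryption-only keys
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append("".join((c.text or "").split()))  # drop embedded whitespace

    acs = []
    for a in spsso.findall("md:AssertionConsumerService", NS):
        acs.append({
            "binding": a.get("Binding"),
            "location": a.get("Location", ""),
            "index": int(a.get("index", "0")),
            "default": a.get("isDefault") == "true",
        })

    return {
        "entity_id": root.get("entityID"),
        "authn_requests_signed": spsso.get("AuthnRequestsSigned") == "true",
        "want_assertions_signed": spsso.get("WantAssertionsSigned") == "true",
        "name_id_formats": [n.text.strip() for n in spsso.findall("md:NameIDFormat", NS)],
        "acs": acs,
        "signing_certs": certs,
    }


def review_sp_metadata(info):
    """Return a list of findings (empty list means nothing to raise with the IdP team)."""
    findings = []
    if not info["want_assertions_signed"]:
        findings.append("WantAssertionsSigned is not true: SP will accept unsigned assertions")
    if not info["authn_requests_signed"]:
        findings.append("AuthnRequestsSigned is not true: IdP cannot verify request origin")
    if EMAIL_NAMEID not in info["name_id_formats"]:
        findings.append("emailAddress NameIDFormat not advertised; IdP must issue a matching NameID")
    if not any(a["binding"] == POST_BINDING for a in info["acs"]):
        findings.append("no HTTP-POST AssertionConsumerService (front-channel POST flow needs one)")
    for a in info["acs"]:
        if not a["location"].startswith("https://"):
            findings.append("ACS index %d is not HTTPS: %s" % (a["index"], a["location"]))
    if not info["signing_certs"]:
        findings.append("no signing certificate in metadata")
    for cert in info["signing_certs"]:
        der = base64.b64decode(cert, validate=True)
        if der[:1] != b"\x30":  # DER certificates start with a SEQUENCE tag
            findings.append("X509Certificate does not decode to DER")
    return findings


if __name__ == "__main__":
    details = parse_sp_metadata(SAMPLE_METADATA)
    print("entityID:", details["entity_id"])
    for acs in details["acs"]:
        print("ACS", acs["index"], acs["binding"].rsplit(":", 1)[-1], acs["location"])
    for finding in review_sp_metadata(details) or ["no findings"]:
        print("-", finding)
```

Run it against the real export (replace SAMPLE_METADATA with the file contents) before sending it to the ADFS administrators; the entityID and the HTTP-POST ACS location are exactly the values they will see as the Relying Party identifier and endpoint, and an ACS published with the wrong host or port is the usual reason an otherwise correct federation fails at the first redirect.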

mvoros
Active Contributor
0 Kudos

Hi,

I don't know. Reading specs of SAML is not the best way but you can find everything there.

Honestly, I wouldn't be worried too much about defaults. SAML is a complex protocol, and complexity in security is not a good thing. So sticking to default values provided by some smart people is a good idea. Fiddling with settings without deep understanding can have severe consequences. Crypto is an exceptionally good example.

Cheers
