Application Development Blog Posts
Learn and share on deeper, cross technology development topics such as integration and connectivity, automation, cloud extensibility, developing at scale, and security.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SAML 2.0 SSO for SAPGui windows

Koen_VL
Participant
‎2015 Jan 29 6:19 PM
36,461
NOTE:

This scenario is based on logon tickets, which are no longer recommended: http://service.sap.com/sap/support/notes/2117110

- SAP Moderator

Scenario


You want to enable SAML Single Sign On for SAPGui windows.

You have these components in place: IdP, SAPGui windows, Internet Explorer and SAP NetWeaver AS ABAP 7.02 or higher.

SAPGui does not offer native support for SAML. To make this happen, we combine the legacy support feature of the ABAP SAML service provider with the SAPGui shortcut SSO using the MYSAPSSO2 cookie.


Solution components



  1. Enable SAML authentication on the ABAP system using transaction SAML2 and exchanging the metadata with your IdP.
    http://help.sap.com/saphelp_nw70ehp2/helpdata/en/4a/b6df333fec6d83e10000000a42189c/content.htm
    The important setting in this case is to set the value of "Legacy Systems Support (Issue Logon Ticket) to "On" in the SAML Local Provider Configuration.

  2. Build a BSP application that will establish the SAML SSO with the IdP. This BSP application takes the cookie from the browser and puts it in a SAPGui shortcut. More information around SAPGui shortcut SSO can be found here Single Sign-On for SAP Shortcuts - User Authentication and Single Sign-On - SAP Library


BSP application:






    • Start page launchGui.htm: grabs the cookie and navigates to the BSP page creating the shortcut file.





(source code attached in launchGui.txt.zip)






    • Page createSapGuiShortcut.htm parses the cookie and creates a SAPGui shortcut file containing the MYSAPSSO2 logon ticket.





(source code attached in createSapGuiShortcut_OnRequest.txt.zip )


Put this BSP application in the "Default Application Path" of the "Assertion Consumer Service" setting of the SAML Service provider.



Now start an IDP initiated request. After successful authentication against the IdP, the BSP application takes the MYSAPSSO2 cookie from the browser session and puts it in the SAP shortcutfile. Opening the SAP shortcut file will initiate a SAP logon ticket SSO to SAPGui. Depending on a registry setting in windows, the user will get a popup to open the shortcut file or start the SAPGui immediately. More details about this setting and how to influence it can be found in this SAP note: http://service.sap.com/sap/support/notes/604324.



User mapping


In a typical scenario, the user names of the ABAP system will not be identical to the ones on the IdP. To facilitate this, you can use the user mapping as described here Mapping SAML Principals to AS ABAP User IDs - User Authentication and Single Sign-On - SAP Library


To enable this mapping, set the "Supported NameID Formats" in the trusted provider in the SAML configuration to "unspecified" and then in the details of "NameID Format" specify the source "Mapping in USREXTID table". Then go to "Name ID Management", select the user you want to map and select the Name ID Format "Unspecified" and add the user there. This will generate an entry in the table VUSREXTID. Alternatively, you can also populate that table directly as described in note http://service.sap.com/sap/support/notes/1362866

30 Comments
Labels in this area
Popular Blog Posts