
How to generate a SAML assertion by Using SAP Cloud Identity Services (IAS)

anna_xu2
Associate
0 Kudos

Hi,

Could anyone please share details on how to generate a SAML assertion response through an API for SAC (SAP Analytics Cloud Embedded Lite) by using SAP Cloud Identity Services (IAS)?

We are trying to figure out how IAS could provide a SAML assertion response by API so that our application could call it for live connection at SAC.

I know that there is a Tiger demo application which used to provide the SAML Assertion for SAC; however, our security expert suggests that we call the IAS API to generate the SAML response directly.

I would need to know the detailed steps to generate SAML assertions by using IDP (SAP IAS) API.

Thank you,

Anna

Accepted Solutions (0)

Answers (2)

adityawsharma
Explorer
0 Kudos

Hi @anna_xu2, not sure if you found the answer to this. You can use the method described in OSS note 3429585 - How to generate SAML assertion for SuccessFactors using IAS - SAP for Me, which can help with the steps in IAS. You can skip the steps within SuccessFactors mentioned in this note. Hope this helps.

Thanks,

Aditya

Emileh
Explorer
This note has been removed....
anna_xu2
Associate
0 Kudos

Hi gregorw,

Our scenario is to use SAC Embedded Lite to consume the calculation views exposed by the CAP service. The CAP service exposes the analytic cube (the calculation view) to SAC by live connection through the InA protocol. Below is the analytic cube defined in the CAP service.

anna_xu2_0-1728540705866.png

In SAC, we defined a live connection of type "SAP Cloud Application Live Connection". In the live connection configuration, we entered our CAP service route URL as the host and chose SAML Single Sign On as the Authentication Method, as shown in the screenshot below:

anna_xu2_1-1728540748799.png

Below is the architecture of our service.

anna_xu2_2-1728540776075.png

RGM-PL Service TAM Diagram

We have an iframe in our UI; the SAC story will be shown within the iframe. In order to get some information from SAC Embedded Lite, we need to send the SAML Assertion Response to SAC for authentication. (SAC in this scenario needs to get the SAML Assertion Response, not another authentication approach.)

The SAC Embedded Lite team provided a demo solution for us to generate a SAML Assertion Response for the authentication between our application services and SAC Embedded Lite. The demo service is named Tiger: https://github.wdf.sap.corp/ies/Tiger/blob/master/README.md

However, our security expert has concerns about Tiger's approach. He thinks that handling the certificate and generating the SAML assertion response in our own code, as Tiger does, is not secure enough. According to the threat modeling detail Excel, we should not use our own code to do the authentication; we should use a mature framework. He suggested that we investigate whether IAS (SAP Cloud Identity Services) could provide the SAML Assertion Response directly for us. If yes, we could fetch the SAML Assertion Response and return it to SAC when it asks for the SAML Assertion Response as the authentication.

So basically, our expectation is to get the SAML Assertion Response from IAS, as shown in the RGM-PL Service TAM Diagram.

We would like to ask if we can achieve that according to the architecture of RGM-PL Service TAM Diagram?

Thanks

BTW, the SAC Embedded Lite team provided a wiki regarding the authentication solution: https://wiki.one.int.sap/wiki/pages/viewpage.action?pageId=3742275407. In this solution, they used a backend app as the "IdP" to generate the SAML Assertion for a tech user. We want to find out if there is any approach to replace the method of "using a backend app as the IdP to generate the SAML Assertion for a tech user". We are wondering if IAS provides this approach. If yes, the backend app does not need to implement this in its own code, which is what the threat modeling methodology suggests (use the platform or framework instead of implementing the authentication in your own code).

anna_xu2_0-1728549473724.png