on 2024 Feb 20 5:27 PM
Hey there, fiends of the well-groomed SSO world!
So, here I am, fancying myself quite the expert on the subject, but hey, who says there's no room for a little community chitchat, right? This time it's about SAML and its implications on an SAP system. All of this in connection with those scenarios that are not in the sense of "user opens the launchpad".
Had a classic case at a client's place today. Just after introducing SAML, bam! Developers screaming bloody murder, their test scripts getting served up a delicious 401 error from the development environment.
We're talking about accesses from specific user groups on the system who:
...and whatever else you can think of!
Question: So, how do you folks tackle configuring your ICF services or defining exceptions for these situations?
Give the info below a quick read, and let's dish out some helpful, tried-and-true advice. Oh, and a lively exchange of ideas wouldn't hurt either, if that's still a thing around here!
Here's the backstory
All SAP systems (ABAP, essentially meaning S/4HANA, possibly residing on ECS) at CUSTOMER have been configured to utilize SAML. This configuration is applied system-wide (and per client) and impacts every ICF service. This setup achieves Single Sign-On for HTTP access. Authentication is no longer handled by the S/4HANA system itself (Basic Password Authentication), but instead, it is forwarded via SAML to SAP Cloud Identity Services (IAS), which delegates authentication to the Entra ID at CUSTOMER.
This facilitates seamless and secure access to web-based applications such as SAP Fiori Launchpad, WEBGUI, SOAMANAGER, NWBC, and others, without users needing their SAP password anymore. Instead, employees simply authenticate with their CUSTOMER account, and their identity is federated to the user in the SAP system (SU01 email address) via their email address.
There are also other scenarios, such as developers accessing specific services with hardcoded user credentials, using test scripts, or other cases where an exception is needed. In such instances, SAML can be selectively disabled to no longer delegate authentication to the Identity Provider via HTTP redirect/post for that specific service.
To address these requirements, the following measures can be implemented:
Oh, and if you're eager for more bedtime stories, check out these links:
https://community.sap.com/t5/technology-q-a/ui5-app-in-scp-how-to-disable-saml/qaq-p/12301269
https://me.sap.com/notes/0002577263
I stumbled upon this one yesterday: The requirement is that all web-based logins should be compelled to use SAML, and anyone attempting to use 'saml2=disabled' should be denied or How to enforce all web-based logins to use SAML2 in an ABAP system: https://me.sap.com/notes/0003280746
Thx & Cheers
Carsten
Request clarification before answering.
User | Count |
---|---|
47 | |
6 | |
6 | |
5 | |
5 | |
4 | |
4 | |
3 | |
3 | |
3 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.