This blog describes how to implement single sign-on with SAML between Active Directory Federation Services (ADFS) and SAP Netweaver AS ABAP.
The configuration described in this document was carried out on the following platform versions:
- Microsoft ADFS (Windows Server 2012 R2) as Identity Provider
- SAP Netweaver AS ABAP 7.50 SP10 as Service Provider
1. HTTPS configuration on ABAP system
Before starting the configuration, make sure HTTPS is enabled for your gateway system and that its certificates are signed.
2. Activation of SICF
Activate secure session management to enable SAML 2.0 on the client server.
To activate the security session management, perform the following steps:
- Go to transaction SICF_SESSIONS
- Choose the corresponding client
- Select Activate
Make sure the following services are activated in transaction SICF:
/default_host/sap/bc/webdynpro/sap/saml2
3. Download ADFS server metadata
From ADFS, you can export the metadata file used to build a secure trust with the relying party.
Download the metadata file from your ADFS server using the following URL:
https://<hostname FQDN>/FederationMetadata/2007-06/FederationMetadata.xml
4. Configuring SAP Netweaver AS ABAP
To configure SAML 2.0 for a specific client, perform the following steps:
- Go to transaction SAML2 and select Enable SAML 2.0 support
- Add the provider name and click Next
- Continue with the default option in the General settings screen
- In Service Provider settings, choose Automatic for Selection Mode
- Select Finish
- Select Edit ---> Include Certificate in Signature to establish the connection between SAP Netweaver AS ABAP and Microsoft ADFS
- Select Metadata to export the metadata
- Save a copy of the metadata to share this information with the identity provider
- In the Service Provider settings tab, you can view the configuration details
5. Importing metadata file of identity provider
To import the metadata file of the identity provider, perform the following steps:
- Select the Trusted Providers tab and select Identity Providers under Show
- Select Add ---> Upload Metadata File
- On the Metadata verification screen, select upload from file
- Select Next
- On the Provider name screen, the Name field is pre-filled; select Next
- On Signature and Encryption screen, under Artifact profile, select Require Signature Never
- Select Next
- On Single Sign-On Endpoints screen, select Next
- On Single Logout Endpoints screen, select Next
- On Artifact Endpoints screen, select Next
- Select Binding as HTTP Post and select Finish
- Under List of Trusted Providers, select Edit
- Select Identity Federation tab and select Add to Name ID
- Select Save
- To enable the Trusted provider, select Enable
6. Configuring ADFS
This section provides information on how to configure SAML on Microsoft Active Directory Federation Services (ADFS).
Prerequisite - ADFS is successfully installed and configured
Add a Relying Party Trust
Open ADFS Management Tool, navigate to Trusted Relationship ---> Relying Party Trusts ---> Add Relying Party Trust
Click Start
Select Import Data about the relying party from a file and select Browse to navigate to ABAP metadata file
Click on Next
Click Ok
Provide Name
Select Next
Select Permit all users to access the relying party and select Next
Select Next and go with the default screen
Select Close
Select Add Rule
Click Next
On the Configure Rule screen, perform the following steps
- In the Claim rule name field, enter Claim Rule name
- Under Attribute store, select Active Directory
- In Mapping of LDAP attribute to outgoing claim types
Under LDAP Attribute, select SAM-Account-Name
Under Outgoing Claim Types, select Name ID
- Select Finish
- Click Apply and Ok
Select Relying Party Trust ---> Properties
Go to the Advanced tab and change Secure Hash Algorithm to SHA-1
Note – Match this with what you selected on your ABAP system
Exporting ADFS Token Signing Certificate
Open ADFS Management tool
Navigate to Service ---> Certificates
On the right-hand panel, under the Token-signing, double click on the Certificate.
On the Certificate window, select Details tab.
Select Copy to File and Select Next
Select Base-64 encoded X.509 (.CER).
Subsequently select Next to export the certificate.
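Before the metadata from step 3 is uploaded in transaction SAML2, it can be checked against the token-signing certificate exported above. The following Python sketch is an added example, not part of the original procedure; the host name, the sample metadata and the certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed stand-in for DER certificate bytes; not a real certificate.
SAMPLE_DER = b"constructed-der-bytes-for-illustration-only"
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
# Constructed, trimmed FederationMetadata.xml; the host name is a placeholder.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>{SAMPLE_B64}</X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""
# Constructed Base-64 encoded X.509 (.CER) export wrapping the same bytes.
SAMPLE_CER = f"-----BEGIN CERTIFICATE-----\n{SAMPLE_B64}\n-----END CERTIFICATE-----\n"

def der_fingerprint(b64_text: str) -> str:
    """SHA-256 fingerprint of the DER bytes behind a base64 certificate body."""
    return hashlib.sha256(base64.b64decode("".join(b64_text.split()))).hexdigest()

def pem_fingerprint(pem_text: str) -> str:
    """Fingerprint of a Base-64 (.CER) file, ignoring the BEGIN/END lines."""
    body = [ln for ln in pem_text.splitlines() if ln and not ln.startswith("-----")]
    return der_fingerprint("".join(body))

def summarize_idp_metadata(xml_text: str) -> dict:
    """Pull the values worth reviewing before the file is uploaded in SAML2."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor element: not identity provider metadata")
    certs = idp.findall(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {
        "entity_id": root.get("entityID"),
        "sso_endpoints": {e.get("Binding"): e.get("Location")
                          for e in idp.findall("md:SingleSignOnService", NS)},
        "signing_fingerprints": [der_fingerprint(c.text or "") for c in certs],
    }

def cer_matches_metadata(xml_text: str, pem_text: str) -> bool:
    """True when the exported token-signing certificate is one the metadata lists."""
    return pem_fingerprint(pem_text) in summarize_idp_metadata(xml_text)["signing_fingerprints"]
```

A mismatch between the exported certificate and the metadata means the file did not come from the ADFS instance you exported from, or the token-signing certificate has been rolled over since the download.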
7. Enabling SAP Netweaver AS ABAP server to perform User Authentication using SAML
This section provides information on how to enable SAML on one of the services.
To enable the SAP Netweaver server to perform user authentication using SAML, perform the following steps:
- Go to Transaction SICF
- Navigate to sap/opu/odata/iwfnd/catalogservice service and Edit
- Select Logon Data tab and perform the following sub-steps
a. Set Procedure field to Alternative Logon Procedure.
b. Set Security Requirement to SSL.
- Once the “Alternative Logon Procedure” has been set, scroll down within the Logon Data tab area to see the list of Logon Procedures. By default, SAML Logon is item 7 in the list.
- To change this order, overwrite the number in the left-hand No column with 1 (or 2). The list is automatically sorted according to the new order, but Logon Through HTTP Fields will always be item one.
- Save your changes.
- Go to Transaction SAML2, on the Trusted Provider tab, select Disable and Enable it again.
8. Verification
When the Gateway service is executed, the client is redirected to the logon screen of the external SAML 2.0 IdP server.
Note: To test the service, edit the following link with your server details:
https://<FQDN>:<port>/sap/opu/odata/iwfnd/catalogservice/?sap-client=<client no>&$format=xml
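If the test logon fails, the SAMLResponse form field that ADFS posts back (HTTP POST binding) can be decoded and compared with the settings made in sections 4 and 6. The following Python sketch is an added example, not part of the original post; the response, user name and provider name are constructed, and it assumes the Audience equals the provider name entered in step 4.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Signature method URI expected for each Secure Hash Algorithm choice in ADFS.
SIG_URI = {"SHA-1": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
           "SHA-256": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"}

# Constructed response (signature value omitted); all names are placeholders.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <saml:Assertion>
    <ds:Signature><ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    </ds:SignedInfo></ds:Signature>
    <saml:Subject><saml:NameID>JDOE</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>SAPGW100</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_POST_VALUE = base64.b64encode(SAMPLE_XML.encode()).decode()

def inspect_response(post_value: str) -> dict:
    """Decode the SAMLResponse form field (HTTP POST binding) and list key values.
    Inspection only: the signature is NOT verified here; the ABAP system does that."""
    root = ET.fromstring(base64.b64decode(post_value))
    def text(path):
        node = root.find(path, NS)
        return node.text.strip() if node is not None and node.text else None
    sig = root.find(".//ds:SignatureMethod", NS)
    return {"issuer": text("saml:Issuer"), "name_id": text(".//saml:Subject/saml:NameID"),
            "audience": text(".//saml:Audience"),
            "signature_method": sig.get("Algorithm") if sig is not None else None}

def config_mismatches(found: dict, sap_user: str, sp_name: str, adfs_hash: str) -> list:
    """Compare the response with what sections 4 and 6 configured."""
    problems = []
    if found["name_id"] != sap_user:
        problems.append("NameID is not the expected SAM-Account-Name")
    if found["audience"] != sp_name:
        problems.append("Audience is not the ABAP provider name")
    if found["signature_method"] != SIG_URI[adfs_hash]:
        problems.append("signature method does not match the Secure Hash Algorithm setting")
    return problems
```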
Learn More:
https://blogs.sap.com/2018/02/28/saml-integration-between-microsoft-azure-portal-and-sap-analytics-c...
https://blogs.sap.com/2017/12/19/sap-analytics-cloud-saml-sso-using-adfs-active-directory-federation...
https://blogs.sap.com/2018/02/22/adfs-with-sap-business-intelligence-platform/
https://blogs.sap.com/2018/03/01/saml-integration-between-microsoft-azure-portal-and-sap-business-in...