Technology Blogs by SAP
This blog describes how to implement single sign-on (SSO) with SAML 2.0 between Microsoft Active Directory Federation Services (ADFS) and SAP Netweaver AS ABAP.

The configuration described in this document was carried out on the following platform versions:

  • Microsoft ADFS (Windows Server 2012 R2) as Identity Provider

  • SAP Netweaver AS ABAP 7.50 SP10 as Service Provider

1. HTTPS configuration on ABAP system

Before starting the configuration, make sure that HTTPS is enabled on your gateway system and that the server certificates are signed.

2. Activation of SICF

Secure session management must be activated for the client before SAML 2.0 can be enabled.

To activate secure session management, perform the following steps:

  1. Go to transaction SICF_SESSIONS

  2. Select the corresponding client

  3. Select Activate

Ensure that the following services are active in transaction SICF:


3. Download ADFS server metadata

From ADFS, you can export the metadata file that is used to build a trust with the relying party.

Download the metadata file from your ADFS server using the following URL:

https://<hostname FQDN>/FederationMetadata/2007-06/FederationMetadata.xml

4. Configuring SAP Netweaver AS ABAP

To configure SAML 2.0 for a specific client, perform the following steps:

Go to transaction SAML2 and select Enable SAML 2.0 Support

Add provider name and click next

Continue with default option in General settings screen

In Service Provider settings choose Automatic for Selection Mode

Select Finish

Select Edit ---> Include Certificate in Signature to establish the connection between SAP Netweaver AS ABAP and Microsoft ADFS

Select Metadata to export the service provider metadata

Save a copy of the metadata file; it is uploaded to the identity provider when the relying party trust is created in ADFS

In the Service Provider settings tab, you can view the configuration details

5. Importing metadata file of identity provider

To import the metadata file of the identity provider, perform the following steps:

  1. Select the Trusted Providers tab and choose Identity Providers in the Show field

  2. Select Add ---> Upload Metadata File

  3. On the Metadata Verification screen, select Upload from File

  4. Select Next

  5. On the Provider Name screen, the Name field is pre-filled; select Next

  6. On the Signature and Encryption screen, under Artifact Profile, set Require Signature to Never

  7. Select Next

  8. On Single Sign-On Endpoints screen, select Next

  9. On Single Logout Endpoints screen, select Next

  10. On Artifact Endpoints screen, select Next

  11. Select Binding as HTTP Post and select Finish

  12. Under List of Trusted Providers, select Edit

  13. Select the Identity Federation tab and select Add under Name ID

  14. Select Save

  15. To enable the Trusted provider, select Enable

6. Configuring ADFS

This section provides information on how to configure SAML on Microsoft Active Directory Federation Services (ADFS).

Prerequisite: ADFS is installed and configured

Add a Relying Party Trust

Open the ADFS Management tool and navigate to Trust Relationships ---> Relying Party Trusts ---> Add Relying Party Trust

Click Start

Select Import data about the relying party from a file and select Browse to choose the ABAP metadata file

Click on Next

Click Ok

Provide Name

Select Next

Select Permit all users to access the relying party and select Next

Accept the defaults on the remaining screens and select Next

Select Close

Select Add Rule

Click Next

On the Configure Rule screen, perform the following steps

  1. In the Claim rule name field, enter a name for the claim rule

  2. Under Attribute store, select Active Directory

  3. In Mapping of LDAP attributes to outgoing claim types:

    Under LDAP Attribute, select SAM-Account-Name

    Under Outgoing Claim Type, select Name ID

  4. Select Finish

  5. Click Apply and Ok

Select Relying Party Trust ---> Properties

Goto Advanced tab and change Secure Hash Algorithm to SHA-1

Note – Match this with what you selected on your ABAP system

Exporting ADFS Token Signing Certificate

Open ADFS Management tool

Navigate to Service ---> Certificates

On the right-hand panel, under the Token-signing, double click on the Certificate.

On the Certificate window, select Details tab.

Select Copy to File and select Next

Select Base-64 encoded X.509 (.CER).

Subsequently select Next to export the certificate.

7. Enabling SAP Netweaver AS ABAP server to perform User Authentication using SAML

This section provides information on how to enable SAML logon for one of the services.

To enable the SAP Netweaver server to perform user authentication using SAML, perform the following steps:

  1. Go to Transaction SICF

  2. Navigate to the sap/opu/odata/iwfnd/catalogservice service and select Edit

  3. Select the Logon Data tab and perform the following sub-steps
    a. Set the Procedure field to Alternative Logon Procedure.
    b. Set Security Requirement to SSL.

  Once the Alternative Logon Procedure has been set, scroll down within the Logon Data tab area and you will see a list of Logon Procedures. By default, SAML Logon is item 7 in the list.

  4. To change this order, in the left-hand No column, overwrite the number with 1 (or 2). The list is automatically sorted according to the new order, but Logon Through HTTP Fields will always be item one.

  5. Save your changes.

  6. Go to transaction SAML2 and, on the Trusted Providers tab, disable the trusted provider and enable it again.

8. Verification

On calling the Gateway service, the client is redirected to the logon screen of the external SAML 2.0 IdP.

Note: To test the service, replace the placeholders in the following URL with your server details:

https://<FQDN>:<port>/sap/opu/odata/iwfnd/catalogservice/?sap-client=<client no>&$format=xml
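The following Python script, added here and not part of the original post, interprets the gateway's response to that test URL the way a browser would: it recognises either the redirect (HTTP-Redirect binding) or the auto-submitting form (HTTP-POST binding) that carries the AuthnRequest to ADFS, decodes the request and reports its Issuer, Destination and AssertionConsumerServiceURL. It also recognises a plain Basic authentication challenge, which is what you get when the SAML logon procedure has not been moved ahead of the other procedures in SICF as described in section 7. All responses, URLs and identifiers are constructed placeholders; the ADFS endpoint is assumed to be the SingleSignOnService Location from its metadata.

```python
"""Interpret the gateway's answer to the SAML test URL without a browser."""
import base64
import re
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Assumed ADFS endpoint (the SingleSignOnService Location from its metadata); placeholder host.
IDP_SSO_URL = "https://adfs.example.test/adfs/ls/"

# Constructed AuthnRequest of the kind the ABAP service provider issues; ID and URLs are placeholders.
AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="S_constructed_1" Version="2.0" '
    f'IssueInstant="2024-01-01T00:00:00Z" Destination="{IDP_SSO_URL}" '
    'AssertionConsumerServiceURL="https://abap.example.test:44300/sap/saml2/sp/acs/100" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
    "<saml:Issuer>ABAP_SP_100</saml:Issuer></samlp:AuthnRequest>"
).encode()


def encode_redirect(xml_bytes: bytes) -> str:
    """HTTP-Redirect binding: raw DEFLATE, then base64 (the caller URL-encodes the result)."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(co.compress(xml_bytes) + co.flush()).decode()


def decode_saml_request(value: str, binding: str) -> ET.Element:
    """Reverse the encoding: HTTP-POST is plain base64, HTTP-Redirect is base64 over raw DEFLATE."""
    raw = base64.b64decode(value)
    if binding == "redirect":
        raw = zlib.decompress(raw, -15)
    return ET.fromstring(raw)


def summarize(req: ET.Element) -> dict:
    """Pull the fields worth checking out of an AuthnRequest element."""
    if req.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"not an AuthnRequest: {req.tag}")
    issuer = req.find(f"{{{SAML}}}Issuer")
    return {
        "id": req.get("ID"),
        "issuer": issuer.text if issuer is not None else None,
        "destination": req.get("Destination"),
        "acs": req.get("AssertionConsumerServiceURL"),
    }


def classify_response(status: int, headers: dict, body: str, expected_idp: str) -> dict:
    """Map one HTTP response from the catalogservice URL to a verdict."""
    h = {k.lower(): v for k, v in headers.items()}
    if status in (302, 303, 307) and "location" in h:
        url = urlsplit(h["location"])
        base = f"{url.scheme}://{url.netloc}{url.path}"
        params = parse_qs(url.query)
        if base != expected_idp:
            return {"verdict": "redirect-not-to-idp", "location": h["location"]}
        if "SAMLRequest" not in params:
            return {"verdict": "idp-redirect-without-samlrequest"}
        req = summarize(decode_saml_request(params["SAMLRequest"][0], "redirect"))
        return {"verdict": "saml-redirect", **req}
    if status == 200:
        form = re.search(r'<form[^>]*action="([^"]+)"', body)
        field = re.search(r'name="SAMLRequest"\s+value="([^"]+)"', body)
        if form and field and form.group(1) == expected_idp:
            req = summarize(decode_saml_request(field.group(1), "post"))
            return {"verdict": "saml-post", **req}
        return {"verdict": "served-without-saml"}
    if status == 401:
        return {"verdict": "basic-auth-challenge", "www_authenticate": h.get("www-authenticate")}
    return {"verdict": f"unexpected-{status}"}


# Three constructed responses: the first two are what a correctly configured gateway returns for
# the HTTP-Redirect and HTTP-POST bindings; the third is what you see when SAML Logon is not
# ordered ahead of the other logon procedures in SICF.
SAMPLE_REDIRECT = (302, {"Location": f"{IDP_SSO_URL}?SAMLRequest="
                         f"{quote(encode_redirect(AUTHN_REQUEST), safe='')}&RelayState=catalog"}, "")
SAMPLE_POST = (200, {"Content-Type": "text/html"},
               f'<html><body onload="document.forms[0].submit()"><form method="post" action="{IDP_SSO_URL}">'
               f'<input type="hidden" name="SAMLRequest" value="{base64.b64encode(AUTHN_REQUEST).decode()}"/>'
               "</form></body></html>")
SAMPLE_BASIC = (401, {"WWW-Authenticate": 'Basic realm="SAP NetWeaver Application Server"'}, "")

if __name__ == "__main__":
    for name, sample in [("redirect", SAMPLE_REDIRECT), ("post", SAMPLE_POST), ("basic", SAMPLE_BASIC)]:
        print(name, classify_response(*sample, IDP_SSO_URL))
```

When you point the script at a live system (for example by feeding it the status, headers and body returned by an HTTP client that does not follow redirects), the Destination in the decoded request should equal the ADFS SingleSignOnService Location, the Issuer should be the service provider name entered in transaction SAML2, and the AssertionConsumerServiceURL should be the HTTPS address of the ABAP system from section 1; a Basic challenge instead of a redirect points back to the logon procedure order in section 7.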
