Configuring a Grant Type Extension with an OAuth 2.0 SAML Bearer Assertion

Before you can authenticate and get an access token to access resources using an OAuth 2.0 client, you must configure OAuth 2.0 to use a SAML 2.0 bearer grant type.

Prerequisites

Before you can configure OAuth 2.0 with a SAML 2.0 bearer grant type, you must fulfill the following prerequisites:

SSL must be set up in the AS ABAP (for details, see Configuring the AS ABAP for Supporting SSL).
A trusted SAML identity provider must be available in the network (see Configuring a Trusted Identity Provider for OAuth 2.0). This identity provider issues the SAML 2.0 assertion that the OAuth 2.0 client sends to the OAuth 2.0 token endpoint.
You have configured a trusted relationship to this identity provider.
In the AS ABAP, there is a user with the type System for each OAuth 2.0 client. For more information on how to set up users of this type, see User Administration Functions.

Procedure

Start OAuth 2.0 Administration (transaction SOAUTH2).
In the subsection Resource Owner Authentication, use Grant Type SAML 2.0 Bearer Active.

Note It is also possible to use several resource owner authentication methods, for example SAML 2.0 bearer assertion and authorization code.
Go to the Trusted OAuth 2.0 IdP field and select the trusted identity provider using the input help.
(Optional) To provide an additional level of security in the SAML assertion, mark the checkbox Requires Attribute "client_id".
Go to the OAuth 2.0 Scope ID column in subsection Scope Assignment.
Use the input help to select the OAuth 2.0 scopes you want to access.

Note For example, SAP NetWeaver Gateway provides the scopes. For more information, see OAuth 2.0 Scopes and SAP NetWeaver Gateway SAP NetWeaver Gateway Cookbooks .
Save your changes.