Protecting Web Services with SAML

Prerequisites

You have configured the AS ABAP for the use of SAML.
You have configured a trusted STS provider on the WS provider.

More information: Trusting an Security Token Service.

Context

Once you have set up a trust relationship between a Security Token Service (STS) and an AS ABAP, you can use a policy to configure customer-specific requirements that go beyond the trust relationship. You can then assign a policy of this type to one or more Web services.

With this procedure, you create a template for protecting a large number of different resources with the same policy. In this way, you can change a large number of resources by editing a single policy.

Procedure

Start SAML configuration (for example, by calling transaction SAML2).
On the Policies tab page, from the Display drop-down list, choose the Web Services Policies option.
You can change an existing SAML policy template, or create a new one.
- To create a new template, choose the Add button.
- To change an existing template, select it and choose the Edit button.

Enter or change the required data.

Entry	Value	Description
Policy Name	Not applicable	User-defined name of the policy.
Security Token Service	Not applicable	The configured Security Token Services are listed in the input help.
STS Location URL	Not applicable	Configured URL with which the provider accesses the STS. The input help provides the URL associated with the STS provider.
Metadata Exchange URL (MEX URL)	Not applicable	URL for metadata exchange. The consumer configures the connection between the STS and the consumer with the WSDL file that it receives from the STS through the metadata exchange. The system automatically fills the field with the MEX URL associated with the STS Location URL.
SAML Type	Possible values: Symmetric key, full message protection Symmetric key, authentication only Asymmetric consumer key, authentication only	Specify one of the SSO/STS Scenarios: STS Scenario with Symmetric Key for Message Protection (Signature, Encryption, and Authentication) STS Scenario with Symmetric Key for Endorsing Signature (Authentication Only) STS scenario with asymmetric consumer key for confirming signature (authentication only)
SAML Version	Possible values: SAML 1.1 SAML 2.0	SAML 1.x SAML 2.0

Consider whether you want to specify an authentication context on a particular WS provider for this Web service. When you configured the trust relationship on the WS provider, you were able to set all authentication contexts that the WS provider needs to contain to authenticate a user that is requesting access to a resource of this provider. For each SAML 2 policy template, you can override the default authentication contexts for a specific WS provider. Use this option if the authentication contexts are too lax for the resources to be protected by the template.
1. In the policy list, select a policy, and choose the Edit button.
2. Under authentication contexts, choose Add.
3. Select any authentication contexts, and choose OK.
Save your entries.

Results

Once you have configured how a resource is protected with SAML, ensure that the STS provider can also fulfill the configured requirements.