
Trusting a Security Token Service

Prerequisites

  • You have configured an STS in your network.

  • You have activated SAML configuration in your system.

    More information: Enabling the SAML Service Provider.

  • If you want to add the STS manually, that is, without an XML metadata file, you have imported the public key certificates of the STS that are used for encryption and for the digital signature of SAML messages. Import these certificates in the Trust Manager of the SAP NetWeaver Application Server (AS) ABAP. More information: Trust Manager.

  • If you want to add the STS from a metadata file, you can access the provider's metadata from a secure source. If you upload the metadata from a file, we assume that you received the file from a trusted source: the AS ABAP accepts unsigned metadata as it is. If the metadata is signed by the STS, however, the WS provider checks whether the AS ABAP trusts the certificate issuer of the signer. If the AS ABAP does not trust the issuer, the WS provider rejects the metadata.

Context

With this procedure, you specify a Security Token Service (STS) that the WS provider AS ABAP can trust. The WS provider requests identity information from the trusted STS for the applications that it protects.

Procedure

  1. Start SAML configuration (for example, by calling transaction SAML2).
  2. On the Trusted Providers tab page, from the Display drop-down list, choose the STS option.
  3. Start the configuration assistant by choosing Add, and choose one of the following options:
    • Manual

    • Upload Metadata File

      Specify the path of the XML metadata file for the STS. If the XML metadata file is signed, you also need to specify where the public key certificate with which the AS ABAP checks the signature is stored. You can select the following storage locations:

      • The address book of the Trust Manager

      • The file system

  4. If you chose Manual, enter the required data in the steps of the assistant: name, signature certificate, and endpoints.

    The XML metadata file provides the bindings supported by the STS. If you add bindings beyond those in the metadata, you must also configure the STS to support them.

  5. Choose Finish.
  6. Specify the Name ID formats for the account link.
  7. Select the row for your STS, and activate it by choosing Activate.
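
Before uploading the metadata file in step 3 (or typing the values in by hand in step 4), it helps to know what the file actually contains: whether it is signed and by which certificate, which certificates the STS uses for signing and encryption, and which endpoints it advertises. The following script is an added example, not SAP code and not part of this procedure; it parses a SAML 2.0 metadata file with the Python standard library and prints SHA-256 fingerprints that you can compare against the certificates already imported in the Trust Manager. It also flags endpoints that are not reachable over HTTPS. The sample metadata, the stub certificate bodies and the use of an IDPSSODescriptor as the STS role descriptor are all constructed assumptions for the demo; the parser itself does not depend on the role descriptor. It does not verify the XML signature or the issuer chain; that check is done by the AS ABAP on upload, as described in the prerequisites.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def fingerprint(b64_cert):
    """SHA-256 fingerprint of a base64-encoded DER certificate, colon-separated."""
    der = base64.b64decode("".join(b64_cert.split()))  # tolerate PEM-style line wrapping
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def inspect_metadata(xml_text):
    """Collect the facts an administrator needs before trusting the STS in SAML2."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("expected a SAML 2.0 md:EntityDescriptor")
    report = {"entity_id": root.get("entityID"), "signed": False, "signer_fingerprint": None,
              "signing": [], "encryption": [], "endpoints": [], "warnings": []}

    # A signature directly under the EntityDescriptor covers the whole document.
    sig = root.find("ds:Signature", NS)
    if sig is not None:
        report["signed"] = True
        cert = sig.find(".//ds:X509Certificate", NS)
        if cert is not None and cert.text:
            report["signer_fingerprint"] = fingerprint(cert.text)
        else:
            report["warnings"].append("signature carries no X509Certificate; "
                                      "the AS ABAP must resolve the signer from the Trust Manager")

    # KeyDescriptors inside the role descriptor hold the STS's own certificates.
    for kd in root.iter("{%s}KeyDescriptor" % NS["md"]):
        cert = kd.find(".//ds:X509Certificate", NS)
        if cert is None or not cert.text:
            report["warnings"].append("KeyDescriptor without an X509Certificate")
            continue
        fp = fingerprint(cert.text)
        use = kd.get("use")  # no 'use' attribute means the key serves both purposes
        if use in (None, "signing"):
            report["signing"].append(fp)
        if use in (None, "encryption"):
            report["encryption"].append(fp)

    # Any element with Binding and Location is an endpoint the WS provider would call.
    for el in root.iter():
        binding, location = el.get("Binding"), el.get("Location")
        if binding and location:
            report["endpoints"].append((el.tag.split("}")[-1], binding, location))
            if not location.lower().startswith("https://"):
                report["warnings"].append("plain-http endpoint: %s" % location)

    if not report["signing"]:
        report["warnings"].append("no signing certificate: messages from this STS cannot be verified")
    if not report["encryption"]:
        report["warnings"].append("no encryption certificate: messages to this STS cannot be encrypted")
    return report


def stub_cert(label):
    # Constructed placeholder; real metadata carries a DER certificate here.
    return base64.b64encode(("constructed stub, not a certificate: " + label).encode()).decode()


def sample_metadata(signed=True):
    """Constructed STS metadata for the demo (role descriptor is an assumption)."""
    signature = ""
    if signed:
        signature = ("<ds:Signature><ds:SignedInfo/><ds:SignatureValue>c3R1Yg==</ds:SignatureValue>"
                     "<ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate>"
                     "</ds:X509Data></ds:KeyInfo></ds:Signature>" % stub_cert("metadata signer"))
    return (
        '<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s" entityID="https://sts.example.com/sts">%s'
        '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s'
        "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
        '<md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s'
        "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
        '<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        'Location="https://sts.example.com/sso"/>'
        '<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" '
        'Location="http://sts.example.com/sso"/>'
        "</md:IDPSSODescriptor></md:EntityDescriptor>"
    ) % (NS["md"], NS["ds"], signature, stub_cert("STS signing key"), stub_cert("STS encryption key"))


if __name__ == "__main__":
    for signed in (True, False):
        rep = inspect_metadata(sample_metadata(signed))
        print("entity:", rep["entity_id"], "signed:", rep["signed"], "signer:", rep["signer_fingerprint"])
        print("signing certs:", rep["signing"])
        print("encryption certs:", rep["encryption"])
        for endpoint in rep["endpoints"]:
            print("endpoint:", endpoint)
        for warning in rep["warnings"]:
            print("WARNING:", warning)
```

To use it on a real file, replace the constructed sample with `inspect_metadata(open("sts-metadata.xml").read())`. When the file is signed, the signer fingerprint tells you which issuer chain must already be in the Trust Manager, or the WS provider rejects the upload; when it is unsigned, remember that the AS ABAP accepts it as it is, so the fingerprints of the signing and encryption certificates are what you should confirm out of band with the STS operator before choosing Finish.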