Show TOC

Configuring SSO/STS Scenario SAML Holder-of-key in the WS Provider AS ABAPLocate this document in the navigation structure


  • If you are using one of the following SSO/STS scenarios, the following prerequisites must be fulfilled.

    • STS Scenario with Symmetric Key for Endorsing Signature (Authentication Only)

    • STS Scenario with Asymmetirc Consumer Key for Endorsing Signature (Authentication Only)

    Messages between the WS consumer and WS provider are secured, either at transport level with the Secure Sockets Layer protocol (HTTPS) or at message level (symmetric message encryption/signature). With symmetric message encryption, you need to import the encryption certificate of the provider (which is in the Trust Manager in the PSE WS Security Keys, under Own Certificate) into the consumer.

  • Keep in mind the following when assigning users:

    If the element saml:Assertion/saml:Subject/saml:NameIdentifier contains the SAP user name, you can use the program RSUSREXT (for example, with transaction SE38) to assign all users, or a subgroup of users.


    If the SAP user name is not in the saml:Assertion/saml:Subject/saml:NameIdentifier element, refer to SAP Note 1254821 Information published on SAP site.

  • SAP Cryptographic Library 1.555.28 or higher is installed in the WS provider system.

    You can check the version of the library in the Trust Manager (transaction STRUST). To do this, choose Start of the navigation path Environment Next navigation step Display SSF Version End of the navigation path.

    The installation package for the SAP Cryptographic Library is available to authorized customers on the SAP Service Marketplace ( published on SAP site) under Start of the navigation path SAP Software Distribution Center Next navigation step Download Next navigation step SAP Cryptographic Software End of the navigation path.

  • You have called the program WSS_SETUP once in the WS provider to activate message authentication (that is, SAML authentication, X.509 authentication with XML-signature, UsernameToken).

    More information about WSS_SETUP: Message-Based Authentication with WS-Security.

  • The external Security Token Service (STS) has been configured in your system landscape and you have its data and signature certificate.

  • You have decided which SSO/STS Scenario to use.


This procedure provides a detailed sequence of all of the necessary steps that you need to perform in the AS ABAP WS provider. This example uses the SOA Manager individual configuration.


  1. Make the external Security Token Service known to the WS provider. To do this, use the SAML configuration (transaction SAML2) to set up the following:
    1. A trust relationship to an STS, which you also activate.

      More information: Trusting a Security Token Service.

    2. A Web Service policy that is based on the STS from the previous step.

      More information: Protecting Web Services with SAML.

  2. In the SOA Manager of the provider, on the Business Administration tab page, choose the Single Service Administration link.
    1. Find the service that the WS consumer is to access using the SAML token profile and for which you now want to define an end point.

    2. Select the service in the list of search results and choose Apply Selection.

    3. On the Configurations tab page, choose the Create Service button.

    4. In the dialog box, specify the name of the new service, its description, and the name of the end point (binding name, such as SYM_SC_SAML), and choose Copy settings.

    5. Scroll down, to specify the options for security at transport and message levels on the Provider Security tab page:

      • Depending on your system landscape, under Transport Guarantee under Connection Security, choose either the Symmetric Message Signature/Encryption radio button, or HTTPS (Security at Transport Level).

      • Under Authentication Method under Authentication at Message Level, check the Single Sign-On Using SAML checkbox.

      • Under Security Token Service Settings, use the input help to specify the Security Token Service (STS) and the Web Service policy defined in step 1 of this procedure.

    6. Save your entries.

    7. Determine the WSDL URL of the end point that you have just created to configure the WS consumer with it. To do this, perform the following steps:

      1. On the Overview tab page, use the input help to select the end point defined above. Choose the link Display WSDL URL for Selected Binding.

      2. Enter the name and password of the user that has access authorization for the WSDL document.