
Setting SAML 2.0 Policies for Authentication


SAML 2.0 policies enable you to override the authentication contexts of the authentication requirements you defined for an identity provider while configuring the trust relationship. The authentication requirements you defined apply wherever you use the SAML2LoginModule. With a SAML 2.0 policy, you can override those settings by using the policy as a login module option. Combined with the policy configurations for authentication stacks, this lets you define policies that apply to specific applications or groups of applications that have different requirements.


  1. Start SAP NetWeaver Administrator with the quick link /nwa/auth.

  2. Choose SAML 2.0 > Policies.

  3. Add a new policy or edit an existing policy.

  4. Determine whether you want to set an authentication type.

    • To force an identity provider to always reauthenticate the user, even if the user already has an active session, enter Forced Re-Authentication.

      Use this option to protect particularly sensitive applications, by ensuring the user is who he or she claims to be.

    • To require the identity provider to only use authentication methods that do not require user interaction, such as certificate logon, enter Passive Authentication.

      Use this option if the process of logging on would disorient or worry the user.

    • Otherwise, enter None.

  5. On the Trusted Identity Providers tab, select an identity provider.

  6. Configure the list of authentication contexts as required.

    For more information about configuring custom authentication contexts, see Adding Custom Authentication Contexts.

  7. Save your entries.

  8. Add the policy as an option of SAML2LoginModule in policy configurations where it is part of the authentication stack.

    For more information, see Protecting Resources with SAML.
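
To illustrate what a policy's authentication type and context list mean at the protocol level, the following added example (not SAP code) checks an identity provider's AuthnStatement against a policy: the authentication context must be in the policy's list, and under forced re-authentication the logon must be newer than the request. It assumes that Forced Re-Authentication corresponds to the SAML 2.0 ForceAuthn request attribute and that the assertion has already passed signature validation; the function names and sample assertions are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

def parse_instant(value):
    # SAML instants are UTC xs:dateTime values such as 2024-05-01T10:00:05Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_authn_statement(assertion_xml, allowed_contexts, forced, request_sent,
                          skew=timedelta(seconds=60)):
    """Return the policy violations found in an assertion's AuthnStatement."""
    stmt = ET.fromstring(assertion_xml).find(".//saml:AuthnStatement", NS)
    if stmt is None:
        return ["assertion has no AuthnStatement"]
    problems = []
    ref = stmt.findtext("saml:AuthnContext/saml:AuthnContextClassRef",
                        default="", namespaces=NS).strip()
    if ref not in allowed_contexts:
        problems.append(f"authentication context not in policy: {ref or '(missing)'}")
    if forced:
        # Forced re-authentication: the logon must be newer than our request.
        instant = stmt.get("AuthnInstant")
        if instant is None:
            problems.append("AuthnStatement has no AuthnInstant")
        elif parse_instant(instant) < request_sent - skew:
            problems.append(f"stale AuthnInstant {instant}: existing session was reused")
    return problems

def sample_assertion(context, instant):
    # Constructed sample data, reduced to the elements the check reads.
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}">'
            f'<saml:AuthnStatement AuthnInstant="{instant}"><saml:AuthnContext>'
            f'<saml:AuthnContextClassRef>{AC}{context}</saml:AuthnContextClassRef>'
            f'</saml:AuthnContext></saml:AuthnStatement></saml:Assertion>')

if __name__ == "__main__":
    sent = parse_instant("2024-05-01T10:00:00Z")   # when the request was issued
    policy = {AC + "X509"}                         # contexts the policy allows
    reused = sample_assertion("PasswordProtectedTransport", "2024-05-01T08:30:00Z")
    fresh = sample_assertion("X509", "2024-05-01T10:00:05Z")
    print(check_authn_statement(reused, policy, True, sent))
    print(check_authn_statement(fresh, policy, True, sent))
```
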