Show TOC

Configuring Trusted Partners and Attesters for SAMLLocate this document in the navigation structure


You can use the Web services security SAML configuration functions in the SAP NetWeaver Administrator (NWA) to configure system trust between the systems involved in the SAML Token Profile SSO process.

You can use the following configuration options to support the SAML sender-vouches subject confirmation scenario.

  • Trusted Partners - allows you to set up trust relationships to SAML-assertion-issuing systems.

  • Local SAML Isser of Assertion - enables you to configure local attesters used to vouch for users who logged on to the SAML attesting system.

  1. In SAP NetWeaver Administrator, start Start of the navigation path Configuration Management Next navigation step  Security  Next navigation step  Trusted Systems  End of the navigation path.

  2. Choose the Web Service Security SAML. tab page.

1. Configuring the Attesters (Consumer)

In every AS Java, there is a default attester saml_default_attester. You can also create additional attesters using the following procedure:

  1. Choose the Local SAML Issuers of Assertion tab page, and switch to edit mode.

  2. Choose Add to add a new local SAML attester.

  3. In the Attester Name field, enter the name of the attester.

  4. In the Keystore View field, enter the keystore that contains the private key.

  5. in the Private Key field, choose a private key with which the attester can confirm the SAML assertion.

  6. In the Issuer Name field, enter the name of the issuer for which the attester vouches.

  7. Save your entries.

2. Configuring the Trusted Partners (Provider)

  1. Choose the Trusted Partners tab page and switch to change mode.

  2. In the Trusted SAML Issuer field, enter the issuers, as they are listed in the SAML assertion.

    • If the issuing system is an AS Java, the issuer name is shown in the consumer under Start of the navigation path Configuration Management  Next navigation step  Security  Next navigation step  Trusted Systems End of the navigation path on the Local SAML Issuer of Assertion tab page, in the row of the local attester, in the field Issuer Name .

    • If the issuing system is an AS ABAP system, the issuer has the following format <SID>/<client> , such as XYZ/000.

    In the following example assertion, the system ID (SID) is XYZ, the client is 000, and the user name of the user in the SAML-issuing system for whom an assertion was generated is BAUERK. The issuer name in the example is XYZ/000.

                         <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="saml-0018FE864EEE1DEDA4F3C40551F831D5" 
    " IssueInstant="2008-10-06T11:58:48Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
    <saml:Conditions NotBefore="2008-10-06T11:58:48Z" NotOnOrAfter="2008-10-06T12:03:48Z"/>
    <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified" AuthenticationInstant="2008-10-06T11:58:48Z">
     NameQualifier="" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
  3. Save your entries.