
Configuring Front-Channel Communication


Front-channel communication uses HTTP POST or HTTP redirect bindings, routed through the client, between the service provider and the identity provider. Use front-channel bindings when the response time to the client request is more important than ensuring that SAML messages are not exposed to the client or to any malicious third party. Back-channel communication increases the number of messages the service provider and identity provider must exchange to log on.

  • You have determined which front-channel bindings you want to support.





    HTTP POST

    Advantages: Transports SAML messages in the body of the HTTP message. There are no length limitations. See the disadvantages of HTTP redirect below.

    Disadvantages:

    • There may be some clients that do not support HTTP POST.

    • To avoid user interaction when sending the client from one server to the next, clients employ an auto-post function. The auto-post function uses JavaScript. Depending on your situation, the use of JavaScript can represent a security risk.

    HTTP redirect

    Advantages: The client is sent from one server to the next without interaction from the user.

    Disadvantages: Redirect transports the SAML message in the URL. If the URL is too long, the client truncates it. If you use long URLs or include security options such as encryption of message elements, avoid HTTP redirect.

  • SAML 2.0 has been enabled on your SAP NetWeaver Application Server (AS) ABAP.

    For more information, see Enabling the SAML Service Provider.
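The trade-off between the two bindings is easiest to see on the wire. The following Python script is an added example, not code from SAP or from this page: it encodes a constructed AuthnRequest and a constructed signed Response the way the HTTP redirect binding (raw DEFLATE, base64, query parameter) and the HTTP POST binding (base64 in a hidden, JavaScript-submitted form field) do, and compares the resulting URL length against an assumed client limit. The endpoint URLs, the 2048-character limit and the signature and certificate bytes are all constructed for the example.

```python
import base64
import html
import random
import urllib.parse
import zlib

# Endpoint URLs are constructed for this example and belong to no real system.
IDP_SSO_URL = "https://idp.example.com/saml2/sso"
SP_ACS_URL = "https://sp.example.com/sap/saml2/sp/acs"

# Assumed client-side URL limit. The page only says "too long"; 2048 characters is a
# classic conservative browser limit used here as an illustrative threshold.
URL_LIMIT = 2048

# Deterministic stand-in bytes for signature values and certificates, so the sample
# response has the incompressible bulk of a real signed one.
_rng = random.Random(0)


def _fake_b64(n_bytes: int) -> str:
    return base64.b64encode(bytes(_rng.getrandbits(8) for _ in range(n_bytes))).decode("ascii")


def _signature_block() -> str:
    # Shape of an enveloped XML signature: a 256-byte RSA-2048 value plus a ~1.4 KB certificate.
    return (
        '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
        f"<ds:SignatureValue>{_fake_b64(256)}</ds:SignatureValue>"
        f"<ds:KeyInfo><ds:X509Data><ds:X509Certificate>{_fake_b64(1400)}"
        "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>"
    )


# Constructed messages (not real SAP or identity-provider traffic).
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_req-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    f'Destination="{IDP_SSO_URL}">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    "https://sp.example.com/saml2/metadata</saml:Issuer></samlp:AuthnRequest>"
)

# A response signed at both the Response and the Assertion level, as many IdPs send.
SAML_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    f'ID="_resp-1" Version="2.0" IssueInstant="2024-01-01T00:00:01Z" Destination="{SP_ACS_URL}">'
    "<saml:Issuer>https://idp.example.com/saml2</saml:Issuer>"
    + _signature_block()
    + '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '<saml:Assertion ID="_assn-1" Version="2.0" IssueInstant="2024-01-01T00:00:01Z">'
    "<saml:Issuer>https://idp.example.com/saml2</saml:Issuer>"
    + _signature_block()
    + "<saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>"
    "</saml:Assertion></samlp:Response>"
)


def redirect_encode(xml: str) -> str:
    """HTTP redirect binding: raw DEFLATE, then base64 (URL-encoding is done in redirect_url)."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw DEFLATE, no zlib header
    deflated = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    return base64.b64encode(deflated).decode("ascii")


def redirect_decode(value: str) -> str:
    """Inverse of redirect_encode. Anyone who sees the URL can do this: encoding is not protection."""
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")


def redirect_url(endpoint: str, xml: str, param: str = "SAMLRequest") -> str:
    """URL the client is redirected to; the whole SAML message travels in the query string."""
    return f"{endpoint}?{urllib.parse.urlencode({param: redirect_encode(xml)})}"


def fits_redirect(endpoint: str, xml: str, param: str = "SAMLRequest") -> bool:
    return len(redirect_url(endpoint, xml, param)) <= URL_LIMIT


def post_form(endpoint: str, xml: str, param: str = "SAMLResponse") -> str:
    """HTTP POST binding: base64 in a hidden form field, auto-submitted with JavaScript."""
    value = base64.b64encode(xml.encode("utf-8")).decode("ascii")
    return (
        '<html><body onload="document.forms[0].submit()">'
        f'<form method="post" action="{html.escape(endpoint, quote=True)}">'
        f'<input type="hidden" name="{param}" value="{html.escape(value, quote=True)}"/>'
        '<noscript><input type="submit" value="Continue"/></noscript>'
        "</form></body></html>"
    )


if __name__ == "__main__":
    for name, endpoint, xml, param in [
        ("AuthnRequest", IDP_SSO_URL, AUTHN_REQUEST, "SAMLRequest"),
        ("Response with signed assertion", SP_ACS_URL, SAML_RESPONSE, "SAMLResponse"),
    ]:
        url = redirect_url(endpoint, xml, param)
        verdict = "fits" if fits_redirect(endpoint, xml, param) else "exceeds"
        print(f"{name}: {len(xml)} chars of XML -> redirect URL of {len(url)} chars ({verdict} {URL_LIMIT}); "
              f"POST form of {len(post_form(endpoint, xml, param))} chars")
```

Run it and the small AuthnRequest fits comfortably in a redirect URL while the signed response does not, which is why the assertion consumer service below offers only HTTP POST. The form emitted by post_form is the auto-post function the table refers to: the onload handler is the JavaScript dependency, and the noscript button is the fallback for clients that do not run it.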


Disabling Front-Channel Communication

Use this procedure to restrict authentication to back-channel communication.

  1. Start the SAML 2.0 configuration application (transaction SAML2).

  2. On the Local Provider tab, choose the Service Provider Settings tab.

  3. Disable the following bindings:

    • For the assertion consumer service (ACS), deselect the HTTP POST checkbox.


      HTTP redirect is not an option for the ACS, because the assertion is too large to transport as part of the URL.

    • For the Single Log-Out (SLO) service, deselect the HTTP POST and HTTP Redirect checkboxes.

  4. Disable HTTP POST and HTTP redirect bindings from trusted identity providers.

    For more information, see the product documentation for your identity provider.

Enabling Front-Channel Communication

Use this procedure to accept front-channel communication and configure the other front-channel parameters.

1. Determining Which Services Accept Front-Channel Communication

  1. Start the SAML 2.0 configuration application (transaction SAML2).

  2. On the Local Provider tab, choose the Service Provider Settings tab.

  3. Determine for which services you want to accept front-channel communication from identity providers.

    • For Single Sign-On (SSO), select the HTTP POST checkbox under Assertion Consumer Service.

    • For Single Log-Out (SLO), select the HTTP POST or HTTP Redirect checkbox under Single Log-Out.

2. Configuring the Endpoints for the Trusted Identity Provider

With this procedure you configure the outgoing connection to the identity provider. This procedure assumes that you have already trusted an identity provider.

For more information about trusting an identity provider, see Trusting an Identity Provider.

  1. On the Trusted Providers tab, select an identity provider and choose the Edit pushbutton.

  2. Choose the Endpoints tab.

  3. Configure the Single Sign-On Endpoints and Single Log-Out Endpoints to use HTTP POST and HTTP redirect bindings as required.

    1. Add any HTTP POST and HTTP redirect bindings.

    2. Enter the endpoint URLs for the services on the identity provider.

  4. Determine if you want to configure any authentication requirements for the authentication request to the identity provider.

    The authentication requirements enable you to override the configuration settings made for the individual resources of the service provider. You can configure the following:

    • The authentication context

    • Whether the identity provider returns the assertion to the ACS or directly to the application.

    • Whether to require the identity provider to use the default binding, HTTP POST, or HTTP artifact to return the assertion.

    To force the identity provider to return the assertion over the front channel, enter HTTP POST in the Binding field.


    If you choose to send the authentication response to the application URL and require the HTTP POST binding, you expose the application URL to potential eavesdroppers of the user agent.

  5. Save your entries.
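The authentication requirements in step 4 end up as attributes of the AuthnRequest that the service provider sends through the user agent. The following Python script is an added example, not SAP code and not from this page: it builds such a request with the three overrides (authentication context, assertion returned directly to an application URL, HTTP POST binding forced), encodes it for the HTTP POST binding, and then decodes the form field the way any observer of the browser traffic could, which is the exposure the note above describes. The assumption, labelled in the code, is that SAP's "Binding" field and "return to the application" setting map to the standard SAML 2.0 ProtocolBinding and AssertionConsumerServiceURL attributes; the entity IDs and URLs are constructed.

```python
import base64
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
PASSWORD_PROTECTED_TRANSPORT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed values; none of these identifiers or URLs belong to a real system.
SP_ENTITY_ID = "https://sp.example.com/saml2/metadata"
IDP_SSO_URL = "https://idp.example.com/saml2/sso"
APPLICATION_URL = "https://sp.example.com/sap/bc/ui5_ui5/my-app/start"


def build_authn_request(issuer, destination, acs_url=None, binding=None, authn_context=None,
                        request_id="_constructed-request-1", issue_instant="2024-01-01T00:00:00Z"):
    """Build an AuthnRequest; acs_url, binding and authn_context are the per-provider overrides.
    Assumption: SAP's override settings correspond to these standard SAML 2.0 attributes."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0", "IssueInstant": issue_instant, "Destination": destination,
    })
    if acs_url:
        # "Return the assertion directly to the application" instead of the default ACS.
        req.set("AssertionConsumerServiceURL", acs_url)
    if binding:
        # The "Binding field": force HTTP POST (front channel) or HTTP artifact (back channel).
        req.set("ProtocolBinding", binding)
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer  # Issuer must precede the other children
    if authn_context:
        ctx = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": "exact"})
        ET.SubElement(ctx, f"{{{SAML}}}AuthnContextClassRef").text = authn_context
    return ET.tostring(req, encoding="unicode")


def post_binding_value(xml: str) -> str:
    """Value of the hidden SAMLRequest form field under the HTTP POST binding."""
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def overrides_visible_to_user_agent(form_value: str) -> dict:
    """Decode the form field exactly as any observer of the user agent can and return the
    override attributes. Base64 is an encoding, not confidentiality: the application URL is readable."""
    root = ET.fromstring(base64.b64decode(form_value))
    return {
        "AssertionConsumerServiceURL": root.get("AssertionConsumerServiceURL"),
        "ProtocolBinding": root.get("ProtocolBinding"),
        "AuthnContextClassRef": next((e.text for e in root.iter(f"{{{SAML}}}AuthnContextClassRef")), None),
    }


if __name__ == "__main__":
    default = build_authn_request(SP_ENTITY_ID, IDP_SSO_URL)
    forced = build_authn_request(SP_ENTITY_ID, IDP_SSO_URL, acs_url=APPLICATION_URL,
                                 binding=HTTP_POST, authn_context=PASSWORD_PROTECTED_TRANSPORT)
    for label, xml in (("default settings", default), ("HTTP POST forced, assertion to application URL", forced)):
        print(label, "->", overrides_visible_to_user_agent(post_binding_value(xml)))
```

With the default settings both override attributes are absent and the identity provider falls back to the ACS and binding from the service provider's metadata; with the overrides set, the application URL appears in cleartext inside the request that passes through the browser, so only set it for applications whose URL may be disclosed to the user agent and anything between it and the identity provider.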

3. Configuring the Identity Provider

  1. Check that the identity provider endpoints are configured to accept HTTP POST or HTTP redirect from the service provider.

  2. Check that the identity provider is configured to use HTTP POST or HTTP redirect to connect to the endpoints of the service provider.

  3. Consider disabling back-channel communication bindings for the identity provider endpoints.

    If the identity provider only accepts front-channel communications, there is no reason to expose the endpoint to back-channel bindings.
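The checks in steps 1 to 3 can be made against the identity provider's SAML metadata rather than by clicking through its console. The following Python script is an added example, not SAP code and not from this page: it lists every endpoint and binding the metadata advertises, answers whether a given service supports a given front-channel binding, and reports endpoints that still advertise a back-channel binding (SOAP, HTTP artifact) as candidates to disable. The metadata document, entity ID and URLs are constructed for the example.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
BINDINGS = "urn:oasis:names:tc:SAML:2.0:bindings:"
FRONT_CHANNEL = {BINDINGS + "HTTP-POST": "HTTP POST", BINDINGS + "HTTP-Redirect": "HTTP redirect"}
BACK_CHANNEL = {BINDINGS + "SOAP": "SOAP", BINDINGS + "HTTP-Artifact": "HTTP artifact"}

# Constructed identity-provider metadata; the entity ID and locations are placeholders.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://idp.example.com/saml2">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:ArtifactResolutionService Binding="{BINDINGS}SOAP" Location="https://idp.example.com/saml2/ars" index="0"/>
    <md:SingleLogoutService Binding="{BINDINGS}SOAP" Location="https://idp.example.com/saml2/slo/soap"/>
    <md:SingleLogoutService Binding="{BINDINGS}HTTP-POST" Location="https://idp.example.com/saml2/slo/post"/>
    <md:SingleSignOnService Binding="{BINDINGS}HTTP-Redirect" Location="https://idp.example.com/saml2/sso/redirect"/>
    <md:SingleSignOnService Binding="{BINDINGS}HTTP-POST" Location="https://idp.example.com/saml2/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def endpoints(metadata_xml: str):
    """Yield (service, binding URI, location) for every endpoint element in the metadata."""
    root = ET.fromstring(metadata_xml)
    for el in root.iter():
        # Endpoint elements are the metadata-namespace elements carrying Binding and Location.
        if el.tag.startswith("{" + MD + "}") and el.get("Binding") and el.get("Location"):
            yield el.tag[len(MD) + 2:], el.get("Binding"), el.get("Location")


def supports(metadata_xml: str, service: str, binding_uri: str) -> bool:
    """Does the named service (e.g. SingleSignOnService) advertise the given binding?"""
    return any(s == service and b == binding_uri for s, b, _ in endpoints(metadata_xml))


def front_channel_summary(metadata_xml: str) -> dict:
    """Per service, the human-readable front-channel bindings it accepts (steps 1 and 2)."""
    summary = {}
    for service, binding, _ in endpoints(metadata_xml):
        if binding in FRONT_CHANNEL:
            summary.setdefault(service, []).append(FRONT_CHANNEL[binding])
    return summary


def back_channel_findings(metadata_xml: str) -> list:
    """Endpoints still advertising a back-channel binding (step 3): if only front-channel
    communication is used, these are candidates to disable on the identity provider."""
    return [f"{s} via {BACK_CHANNEL[b]} at {loc}"
            for s, b, loc in endpoints(metadata_xml) if b in BACK_CHANNEL]


if __name__ == "__main__":
    print("front-channel bindings per service:", front_channel_summary(IDP_METADATA))
    print("SSO accepts HTTP POST:", supports(IDP_METADATA, "SingleSignOnService", BINDINGS + "HTTP-POST"))
    for finding in back_channel_findings(IDP_METADATA):
        print("back-channel endpoint still exposed:", finding)
```

The artifact resolution service is listed as a back-channel finding deliberately: it only exists to serve the HTTP artifact binding, so with front-channel-only communication it has no legitimate caller.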

For more information about how to configure the identity provider, see the documentation of your identity provider.