Configuring AS ABAP as a Service Provider


  • You are using the SAP Cryptographic Library.

    For more information, see SAP Note 1848999.


    The service provider can still function without SAP Cryptographic Library, but at the risk of not being interoperable with SAML providers that require RSA signatures and encryption.

  • The user must have a role that allows him or her to create aliases in the Internet Communication Framework (ICF). This role must include the authorization object S_ICF_ADM.

  • You have been assigned the role SAP_SAML2_CFG_ADM.

    This role enables you to make changes in the SAML 2.0 configuration user interface. There is also a read-only role, SAP_SAML2_CFG_DISPLAY.

  • You have configured the AS ABAP to use HTTP security sessions.

    For more information, see Activating HTTP Security Session Management on AS ABAP.

  • There is a SAML 2.0 identity provider in your SAML network.

    The identity provider can be in the same local area network or in another domain.


This procedure provides an overview of the steps required to configure SAP NetWeaver Application Server (AS) ABAP as a Security Assertion Markup Language (SAML) 2.0 service provider. As a service provider, the AS ABAP enables you to offload the authentication of users to an identity provider. The identity provider enables you to federate identities across domains for single sign-on (SSO). Once users are logged on, SAML 2.0 also enables single logout (SLO).


  1. Enable SAML 2.0 support.

    For more information, see Enabling the SAML Service Provider.


    If you decide to replace the signing and encryption key pairs, you can do so using the Trust Manager. The names of the Secure Store and Forward (SSF) applications that correspond to the signing and encryption Personal Security Environments (PSEs) are SAML2 Service Provider - Encryption and SAML2 Service Provider - Signature.

    For more information about managing PSEs on AS ABAP, see:

  2. Determine how your service provider communicates with identity providers.

    For more information, see the following:

  3. Trust an identity provider.

    For more information, see Trusting an Identity Provider.

  4. Determine how to federate the identities on the identity provider and service provider.

    For more information, see the following:

  5. Configure the applications you want to protect with SAML.

    Applications use either the default application contexts and policies defined for the identity provider or custom application contexts and policies defined in a Web application policy.

    • For more information about enabling SAML for an application, including the option to select a Web application policy, see Logon via SAML.

    • For more information about how to define Web application policies, see Protecting Resources with SAML.