Show TOC

Protecting Web Services with SAMLLocate this document in the navigation structure


  • You have configured the AS ABAP for the use of SAML.

  • You have configured a trusted STS provider on the WS provider.

    More information: Trusting an Security Token Service.


Once you have set up a trust relationship between a Security Token Service (STS) and an AS ABAP, you can use a policy to configure customer-specific requirements that go beyond the trust relationship. You can then assign a policy of this type to one or more Web services.

With this procedure, you create a template for protecting a large number of different resources with the same policy. In this way, you can change a large number of resources by editing a single policy.


  1. Start SAML configuration (for example, by calling transaction SAML2).

  2. On the Policies tab page, from the Display drop-down list, choose the Web Services Policies option.

  3. You can change an existing SAML policy template, or create a new one.

    • To create a new template, choose the Add button.

    • To change an existing template, select it and choose the Edit button.

  4. Enter or change the required data.




    Policy Name

    Not applicable

    User-defined name of the policy.

    Security Token Service

    Not applicable

    The configured Security Token Services are listed in the input help.

    STS Location URL

    Not applicable

    Configured URL with which the provider accesses the STS. The input help provides the URL associated with the STS provider.

    Metadata Exchange URL (MEX URL)

    Not applicable

    URL for metadata exchange. The consumer configures the connection between the STS and the consumer with the WSDL file that it receives from the STS through the metadata exchange. The system automatically fills the field with the MEX URL associated with the STS Location URL.

    SAML Type

    Possible values:

    • Symmetric key, full message protection

    • Symmetric key, authentication only

    • Asymmetric consumer key, authentication only

    Specify one of the SSO/STS Scenarios:

    SAML Version

    Possible values:

    • SAML 1.1

    • SAML 2.0

    • SAML 1.x

    • SAML 2.0

  5. Consider whether you want to specify an authentication context on a particular WS provider for this Web service. When you configured the trust relationship on the WS provider, you were able to set all authentication contexts that the WS provider needs to contain to authenticate a user that is requesting access to a resource of this provider. For each SAML 2 policy template, you can override the default authentication contexts for a specific WS provider. Use this option if the authentication contexts are too lax for the resources to be protected by the template.

    1. In the policy list, select a policy, and choose the Edit button.

    2. Under authentication contexts, choose Add.

    3. Select any authentication contexts, and choose OK.

  6. Save your entries.


Once you have configured how a resource is protected with SAML, ensure that the STS provider can also fulfill the configured requirements.