Show TOC

 Configuring the Portal as a SAML Source SiteLocate this document in the navigation structure


You can use this topic to configure the Portal usage type of SAP NetWeaver for a SAML source site.


The source site functionality of SAP NetWeaver is implemented in the portal. An AS ABAP or a AS Java without the portal cannot act as a source site (with the exception of the SAML test application in the AS Java).

For the SAML source site, you define a set of parameters for each SAML destination site that requests SAML assertions from the source site. These parameters include the URL of the artifact receiver on the destination site and the user with which the destination site accesses the responder on the source site.

When you use a portal for a SAML source site, you configure Partners Outbound parametersfor each destination with the SAML management functions of the SAP NetWeaver Administrator (NWA).

  • The SAML service is started.
  • For the callback from the destination site to the source site you must have a user in the source site portal that is assigned to a role with the action "SAML_RESPONDER".
  • You have the required parameters for the destination site. These include:
    • The URL of the artifact receiver on the destination site. For SAP applications, you do not need to specify this parameter.
    • The source ID.

      The source ID is a 20-byte sequence that the source site uses to identify itself uniquely in the assertion artifact. It can either be specified in hexadecimal format or in base 64 encoded format.

    • You have communicated the URL for the responder service to the administrator of the destination site.

      When you use a portal for the source site, the responder can be found at<http_port>/saml/responder


If you have a cluster installation, you only have to perform the following configuration for a single server. The configuration applies to all of the servers.

  1. In the NWA, go to Configuration Management Security Management Trusted Systems SAML Browser Artifact.
  2. Switch to Edit mode.
  3. Choose the Partners Outbound tab to maintain the parameters that apply to the partner site.
    1. To add a new outbound SAML partner choose Add.

      The Enter Partner Key dialog appears.

    2. Enter a unique name for the destination site in the Partner field and choose Continue.

      The system creates a new entry for a destination site Partner and displays input fields for entering additional Details for the Selected Partner .

    3. Enter values for the required parameters. For more information, see Outbound Partner Parameters .
      1. Enter parameters to identify the AS Java as a SAML assertion source site in the Issuer Name field. For example, you can enter the URL of the AS Java or the portal.
      2. Enter the Source ID. From the dropdown list choose whether you enter the Source ID in hexadecimal or in base 64 format. You can let the system generate a Source ID that is derived from the content of the "Issuer name" field.
      3. Choose values for the Validity before issue and Validity after issue parameters.
      4. Choose the SAML version to use for the created assertion.
      5. Choose the URL parameter for artifact .

        The URL parameter for artifact option configures the name of the URL parameter into which the artifact will be transferred. Change the default value SAMLart only if your communication partner explicitly deviates from the standard name.

      6. Choose the access type for the destination site partner.

        For the case when the destination site uses a SAML receiver, enter the required Receiver URL and URL parameter for target . Change the default value "TARGET" only if your communication partner explicitly deviates from the standard name. For more information, see Accessing an Application that Accept SAML Assertions .

      7. Use the dropdown list Responder Access if you want to restrict access to assertions created for this partner in the responder service to a fixed user ID.

        You can configure this parameter to ensure that only the destination site for which the assertion was issued can retrieve it. For such a scenario only the destination site can supply the correct logon data for the fixed user.


The portal is configured to issue SAML authentication assertions for authentication to external systems.