Show TOC

 Activating SAML for Resources in the AS ABAPLocate this document in the navigation structure


When a user tries to access a resource on the AS ABAP, the Internet Connection Framework (ICF) determines which authentication mechanisms are allowed for the resource and which RFC destination should be used to access the AS Java that provides the SAML service. You must configure these settings in the service maintenance of the ICF beforehand as described in this section.

You can use these settings to enable and disable SAML authentication.


The connection between the AS ABAP and the AS Java is established. See Authentication and Single Sign-On → Integration in Single Sign-On (SSO) Environments → Single Sign-On for Web-Based Access → Using SAML Browser Artifacts → Using SAML with the AS ABAP → Establishing a Connection Between AS ABAP and AS Java.

  1. On the AS ABAP, start transaction SICF (Maintain Services).
  2. Choose Execute (F8) to display the full list of services.
  3. Select the service or node you want to configure.

    If you configure data for a node and do not overwrite these settings on a subordinate node, you can apply the same configuration to multiple services.

  4. Choose Display/Change Service .
  5. Choose Change .
  6. From the Logon Data tab, configure the authentication methods.

If you choose Standard , the settings of the parent node are applied. If there is no other setting than Standard until the root node is reached, SAML authentication is possible because SAML authentication is part of the default list of logon methods.

  • If you choose Alternative Logon Procedure , you can manually change the order in which SAML SSO is attempted or remove SAML from the list of offered authentication methods.
  1. If you choose SAML Configuration , a dialog appears prompting you to enter SAML-specific data for the node.

    The configuration settings for SAML authentication are as follows:

    • If you select Use Configuration Data from Superordinate Node , you apply the parent node's SAML configuration data to the current node.
    • If you do not select Use Configuration Data from Superordinate Node , you must configure the following settings:
      • In RFC Destination , enter the RFC destination of the AS Java on which the SAML service is running and that is to be used for executing the SAML protocol. See Establishing a Connection Between AS ABAP and AS Java.

        Choose Test Connection to verify that the AS Java can be reached and that the SAML service on the AS Java is running and has the proper version.

      • Under Permitted Logon Procedure , you can specify which authentication methods the source site may specify in the AuthenticationMethod attribute of the SAML assertion it creates.

        By restricting the allowed authentication methods, you impose stronger security constraints onto the user authentication to the source site. For example you can specify that only users that authenticated themselves to the source site using client certificates can access a resource on the AS ABAP with SAML.

  2. Save your changes.