
Security Assertion Markup Language


SAP Gateway supports Security Assertion Markup Language (SAML) 2.0 with single sign-on (SSO) through the underlying SAP NetWeaver AS ABAP (version 7.02) infrastructure.

The diagram below shows the SAML 2.0 authentication flow started by the user agent.

Figure 1: SAML authentication flow

The table below shows the processes using the SAML authentication mechanism.


Process Description

Security Measure


The user accesses a Web server behind a reverse proxy in order to get to a Web page.

The page triggers execution of client-side code (JavaScript) in the User Agent. The reverse proxy is used for bypassing Same Origin Policy (SOP) restrictions.


The script initiates a GET request to the SAP Gateway service via the proxy (typically HTTPS). The proxy terminates the original TLS request and makes a new call (HTTPS recommended) to SAP Gateway.

A user application should use an HTTPS-based connection to the proxy, which in turn also uses an HTTPS call to SAP Gateway.

Using SSL/TLS ensures authentication, confidentiality and integrity of the request.


The Identity Provider (IdP) authenticates the user using one of the supported schemas (for example Integrated Windows or basic authentication).

Upon authentication, the User Agent is redirected back to SAP Gateway. The request contains an artifact as the value of SAMLart. The artifact is a reference to a SAML assertion stored in the IdP.


We recommend using SAP NetWeaver single sign-on (SSO) instead of an IdP.

IdP settings on the SAP Gateway side should reference an HTTPS-based endpoint.


The artifact is sent back to the client and redirected to SAP Gateway.



SAP Gateway prepares a synchronous SOAP request for resolving the received artifact and opens a back channel HTTPS communication to the IdP.

On receiving an assertion, SAP Gateway, acting as the service provider (SP), validates it and authenticates or rejects the request.

The IdP verifies that the artifact has not expired and wraps the referenced assertion in a SAMLResponse message bound in a SOAP response.

SAP Gateway should map the user identity in the NameID attribute to its user name.


SAP Gateway forwards the request for the specific data to the SAP ERP back-end system.

A trusted connection using RFC is made to the specific SAP ERP back-end.
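
The artifact step above can be guarded before the back channel is opened. The following is an added example, not SAP code: it checks a received SAMLart value against the standard SAML 2.0 artifact layout (type code 0x0004) and refuses to resolve it unless the SourceID matches the configured IdP and the resolution endpoint is HTTPS. The function names, entityID and URL are hypothetical.

```python
import base64
import binascii
import hashlib
from urllib.parse import urlsplit

TYPE_CODE = b"\x00\x04"      # SAML 2.0 artifact format (type 0x0004)
ARTIFACT_LEN = 44            # 2 type + 2 endpoint index + 20 SourceID + 20 handle


class ArtifactError(ValueError):
    """Raised when a SAMLart value must not be resolved."""


def check_artifact(samlart, idp_entity_id, resolve_url):
    """Validate a received SAMLart; return (endpoint_index, message_handle)."""
    # The back channel to the IdP must be HTTPS, as the table recommends.
    if urlsplit(resolve_url).scheme != "https":
        raise ArtifactError("artifact resolution endpoint is not HTTPS")
    try:
        raw = base64.b64decode(samlart, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ArtifactError("SAMLart is not valid base64") from exc
    if len(raw) != ARTIFACT_LEN:
        raise ArtifactError("unexpected artifact length %d" % len(raw))
    if raw[:2] != TYPE_CODE:
        raise ArtifactError("unsupported artifact type code")
    # SourceID is the SHA-1 hash of the issuing IdP's entityID; only resolve
    # artifacts that name the IdP this service provider is configured to trust.
    expected = hashlib.sha1(idp_entity_id.encode("utf-8")).digest()
    if raw[4:24] != expected:
        raise ArtifactError("artifact was not issued by the configured IdP")
    return int.from_bytes(raw[2:4], "big"), raw[24:44]


def make_sample_artifact(entity_id, handle, index=0):
    """Build a constructed artifact for the demo below (not a real IdP value)."""
    source_id = hashlib.sha1(entity_id.encode("utf-8")).digest()
    return base64.b64encode(TYPE_CODE + index.to_bytes(2, "big") + source_id + handle).decode()


if __name__ == "__main__":
    IDP = "https://idp.example.com/saml2"          # hypothetical entityID
    URL = "https://idp.example.com/saml2/resolve"  # hypothetical endpoint
    art = make_sample_artifact(IDP, bytes(range(20)))
    print(check_artifact(art, IDP, URL))
```

Passing these checks only decides whether the artifact may be resolved; the assertion returned over the back channel still has to be validated as described in the table.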