 Accessing an Application that Accepts SAML Assertions

Use

There are two different methods you can use to access the application using SAML assertions:

  • Directly

    In this case, you have to pass the SAML assertion to the application in the URL.

  • Using the SAML receiver on the AS Java

    The AS Java provides a generic SAML receiver that you can use as a single entry point to access all applications that accept SAML assertions. The SAML receiver then redirects the user to the desired application.

    Note

    If you are using a portal as your SAML source site and users access the application through the portal, the portal automatically generates the correct URL for the application (direct access).

Prerequisites
  • The target application is configured to accept SAML assertions.

    For applications on the AS Java:

    • The login module stacks for the applications contain the SAMLLoginModule.
      Note

      Even if you use the SAML receiver, the login module stack for the target application has to contain the SAMLLoginModule.

    • The name of the parameter to use for the SAML artifact is specified in the ParameterNameArtifact parameter (default: SAMLart).

    For applications on the AS ABAP:

    • SAML authentication is in the list of authentication methods for the application.
    • The name of the URL parameter containing the assertion artifact must be SAMLart.
      Note

      When you test the connection between the AS ABAP and the AS Java, if the AS Java has a different setting for this parameter, it is reported as a warning because the two stacks are not configured consistently. This also has implications if requests are sent to the artifact receiver servlet on the AS Java. The receiver servlet redirects the requests to the AS ABAP with the same SAMLart name as in the incoming requests. If the URL parameter names are different, the AS ABAP will not recognize the parameter.

  • If you are using the SAML receiver, the parameter to use for the target application is specified in the PartnerNameTarget parameter (default: TARGET).
    Note

    For more information about the configuration parameters, see SAML Parameters.

  • The SAML Service is running on all of the AS Java server instances.
Procedure

Accessing an Application Directly

You can access the Web application directly and transfer the SAML artifact as a URL parameter.

Tip

Example:

https://myHost/myResource?SAMLart=3f6zdlU7...

Accessing an Application Using the SAML Receiver

Alternatively, you can access the application using the SAML receiver. The SAML receiver on the AS Java is the sap.com/tc~sec~saml~app application. Access it using the path /saml/receiver in the URL. Include the parameters for the target application and the SAML artifact in the URL.

Tip

Example URL:

https://.../saml/receiver?TARGET=http%3A%2F%2FmyHost...&SAMLart=3f...

Note that the target URL must be URL-encoded when it is passed in the TARGET parameter.

Note

The SAML receiver does not return the requested data itself but sends an HTTP redirect command to the target application, which then analyzes the SAML artifact using the SAMLLoginModule for the AS Java or in the Internet Connection Framework for the AS ABAP.

Result

If the SAML artifact can be successfully verified, then access to the target resource is allowed.
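
The following added example (not SAP code) builds a receiver URL with the encoding described above and models the redirect the receiver is described as sending, to show the parameter-name mismatch from the AS ABAP prerequisite note. Host names and the artifact value are constructed, the function names are hypothetical, and comparing parameter names exactly is an assumption of this sketch.

```python
from urllib.parse import parse_qsl, quote, urlencode, urlsplit, urlunsplit

ABAP_ARTIFACT_PARAM = "SAMLart"  # name the AS ABAP requires, per the prerequisites


def build_receiver_url(receiver_base, target_url, artifact,
                       target_param="TARGET", artifact_param="SAMLart"):
    """Build the /saml/receiver URL with both values percent-encoded.

    safe="" also encodes '+', '/' and '=' in the base64 artifact, so a '+'
    is not decoded as a space on the receiving side.
    """
    query = urlencode({target_param: target_url, artifact_param: artifact},
                      quote_via=quote, safe="")
    return f"{receiver_base.rstrip('/')}/saml/receiver?{query}"


def model_receiver_redirect(receiver_url, target_param="TARGET",
                            artifact_param="SAMLart"):
    """Model of the redirect: the artifact is forwarded to the target under
    the same parameter name it had in the incoming request."""
    params = dict(parse_qsl(urlsplit(receiver_url).query))
    if target_param not in params or artifact_param not in params:
        raise ValueError("receiver URL lacks the target or artifact parameter")
    target = urlsplit(params[target_param])
    extra = urlencode({artifact_param: params[artifact_param]},
                      quote_via=quote, safe="")
    query = f"{target.query}&{extra}" if target.query else extra
    return urlunsplit((target.scheme, target.netloc, target.path,
                       query, target.fragment))


def abap_recognizes(redirect_url):
    """True if the redirect carries the artifact under the name AS ABAP expects
    (exact-match comparison is an assumption of this sketch)."""
    names = [name for name, _ in parse_qsl(urlsplit(redirect_url).query)]
    return ABAP_ARTIFACT_PARAM in names


if __name__ == "__main__":
    # Constructed sample values: AS Java configured with a non-default
    # ParameterNameArtifact ("artifact") in front of an AS ABAP target.
    url = build_receiver_url("https://java.example", "http://abap.example/app",
                             "AAQ+b/c=", artifact_param="artifact")
    redirect = model_receiver_redirect(url, artifact_param="artifact")
    print(url)
    print(redirect, "-> recognized by AS ABAP:", abap_recognizes(redirect))
```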