Using SAML 2.0

The Security Assertion Markup Language (SAML) version 2.0 provides a standards-based mechanism for Single Sign-On (SSO). The primary reason to use SAML 2.0 is to enable SSO across domains. SAML 2.0 provides other advantages illustrated by the following scenarios:

  • You want to shift the burden of authentication from the system hosting the applications to another system.

    Instead of maintaining many one-to-one trust relationships between each client and each system in your landscape, SAML 2.0 lets you build a star-shaped trust relationship with an identity provider at its center. All service providers trust the identity provider and rely on it to authenticate users before granting access to a resource. User IDs (and passwords) need not be identical between the identity provider and any service provider.

  • You want to protect authentication information with encryption or with opaque IDs.

    SAML 2.0 supports encryption of assertions and name identifiers, protecting authentication information passed between the identity provider, the service provider, and the user agent. With identity federation, the identity provider can also issue opaque IDs, so the service provider never needs to know the user's ID at the identity provider or at any other service provider. SAML 2.0 also provides the artifact binding: the user agent carries only a short reference (the artifact), and the service provider resolves it to the actual message over a back channel to the identity provider. An eavesdropper watching the traffic that passes through the user agent therefore sees the artifact, not the authentication message itself.

  • You want to map user accounts automatically.

    Identity federation with persistent name identifiers enables automatic mapping of user accounts based on attributes passed in SAML messages. You can also let users map their accounts themselves. If there is no existing account to map to, identity federation can create the account in the target system, either automatically from attributes in the SAML message or by letting users register on the system, after which the new account is mapped automatically.

  • You want to provide access to external partners without having to maintain user identities.

    Identity federation with transient name identifiers enables you to grant access to external users. SAML 2.0 enables rule-based mappings for attributes and access rights. Your partner maintains the users and you maintain the mappings.

  • You want users to log off from all systems where they have a session.

    SAML 2.0 enables Single Log-Out (SLO). When a user logs off from one service provider, that service provider notifies the identity provider, which in turn notifies every other service provider where the user has a session.

  • You want to move your system landscape away from proprietary logon mechanisms.

    SAML 2.0 is an XML-based standard developed by the Organization for the Advancement of Structured Information Standards (OASIS).
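The persistent and transient name identifier scenarios above describe two different ways a service provider treats the subject of an assertion. The following Python example, added here and not part of the SAP documentation or of any SAP product, shows the difference on the service-provider side: a persistent (opaque) NameID is mapped to a local account through a federation table and a local account is created if none exists, while a transient NameID is never stored and the user's rights come only from rule-based attribute mapping. The entity IDs, the federation table, the group-to-role rules and the two assertions are all constructed for this example; the namespace and NameID format URIs are those defined by the SAML 2.0 specification. Signature verification and decryption, which a real service provider performs before trusting any assertion, are deliberately left out.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Namespace and NameID format URIs defined by the SAML 2.0 core specification.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Hypothetical entity ID of this service provider, used for the Audience check.
SP_ENTITY_ID = "https://sp.example.com/saml2"
# Hypothetical federation table: (identity provider, opaque NameID) -> local user ID.
FEDERATION_TABLE = {}
# Hypothetical mapping rule for partner users: partner group attribute -> local role.
GROUP_TO_ROLE = {"partner-buyers": "PURCHASING_RO", "partner-admins": "PARTNER_ADMIN"}


@dataclass
class Session:
    local_user: str            # local account (persistent) or per-session principal (transient)
    roles: list = field(default_factory=list)
    persistent: bool = False


def parse_assertion(xml_text: str) -> dict:
    """Extract issuer, NameID value and format, audiences and attributes from an Assertion.
    NOTE: a real SP verifies the XML signature (and decrypts EncryptedAssertion) first."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag == f"{{{NS['saml']}}}Assertion" else root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion element")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("Assertion has no NameID")
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "issuer": assertion.findtext("saml:Issuer", default="", namespaces=NS),
        "name_id": name_id.text.strip(),
        "format": name_id.get("Format", ""),
        "audiences": audiences,
        "attributes": attrs,
    }


def establish_session(xml_text: str, auto_create: bool = True) -> Session:
    """Turn a (trusted) assertion into a local session, handling both NameID formats."""
    a = parse_assertion(xml_text)
    # An assertion addressed to another service provider must not be accepted here.
    if SP_ENTITY_ID not in a["audiences"]:
        raise PermissionError("Assertion not intended for this service provider")
    key = (a["issuer"], a["name_id"])
    if a["format"] == PERSISTENT:
        # Opaque persistent ID: map it to a local account. The IdP-side user ID is never needed.
        local = FEDERATION_TABLE.get(key)
        if local is None:
            if not auto_create:
                raise LookupError("no local account mapped and auto-creation is disabled")
            # Hypothetical naming rule for auto-created accounts: derived from the mail attribute.
            local = "fed_" + a["attributes"].get("mail", ["user"])[0].split("@")[0]
            FEDERATION_TABLE[key] = local
        return Session(local_user=local, roles=["EMPLOYEE"], persistent=True)
    if a["format"] == TRANSIENT:
        # Transient ID: valid for this session only, so nothing is stored.
        # Access rights come purely from the rule-based attribute mapping.
        groups = a["attributes"].get("groups", [])
        roles = sorted({GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE})
        if not roles:
            raise PermissionError("no mapping rule grants this partner user any role")
        return Session(local_user=f"transient:{a['issuer']}:{a['name_id']}", roles=roles)
    raise ValueError(f"unsupported NameID format {a['format']!r}")


def try_session(xml_text: str) -> str:
    """Outcome as a short label, so accepted and rejected assertions can be compared."""
    try:
        return "ok:" + establish_session(xml_text).local_user
    except (PermissionError, LookupError, ValueError) as e:
        return "rejected:" + type(e).__name__


# Constructed sample assertions (not captured traffic); signature elements omitted.
PERSISTENT_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_p1" Version="2.0">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject><saml:NameID Format="{PERSISTENT}">9f3c1b2a-opaque</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>alice@example.org</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

TRANSIENT_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_t1" Version="2.0">
  <saml:Issuer>https://partner-idp.example.net</saml:Issuer>
  <saml:Subject><saml:NameID Format="{TRANSIENT}">_tmp-4472</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>partner-buyers</saml:AttributeValue>
      <saml:AttributeValue>unknown-group</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Same persistent subject, but addressed to a different service provider.
WRONG_AUDIENCE = PERSISTENT_ASSERTION.replace(SP_ENTITY_ID, "https://other-sp.example.com/saml2")

if __name__ == "__main__":
    print(try_session(PERSISTENT_ASSERTION))   # creates and maps a local account
    print(try_session(PERSISTENT_ASSERTION))   # second logon reuses the mapping
    print(try_session(TRANSIENT_ASSERTION))    # partner user, roles from attributes only
    print(try_session(WRONG_AUDIENCE))         # rejected: not addressed to this SP
    print(FEDERATION_TABLE)                    # only the persistent subject is stored
```

Running the script twice with the same persistent NameID exercises both paths of the account-mapping scenario: the first logon auto-creates and maps the account, the second only looks it up. The transient partner user leaves no entry in the federation table, which is exactly what the "external partners without maintaining user identities" scenario asks for.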

You can configure SAP NetWeaver Application Server as a SAML 2.0 service provider. SAP applications can take part in cross-domain SSO. SAP NetWeaver Application Server can also issue logon tickets while operating as a service provider, enabling you to integrate legacy systems in your landscape.