
SAML 1.x

Use

SAP NetWeaver enables you to use standards-based Security Assertion Markup Language (SAML) assertions for user authentication and Single Sign-On (SSO) in open system environments such as the Internet.

SAML is a standard driven by the Organization for the Advancement of Structured Information Standards (OASIS). You can use SAML as a protocol for encoding security-related information (assertions) into XML and exchanging this information in a request/response fashion.

The figure below illustrates the authentication process when using SAML.

Figure 1: SAML Authentication Process Flow

When using SAML, the authentication of users is performed by a system configured as a SAML Authentication Authority or a SAML Source Web site. SAML authorities produce assertions in response to client requests. An assertion can be either an authentication or an authorization assertion, with the following respective functions:

  • Authentication assertion: a piece of data that represents an act of authentication performed on a subject (user) by the authority

  • Authorization assertion: a piece of data that represents authorization permissions for a subject (user) on a resource

You can use SAML for authentication and authorization requests to SAML assertion accepting systems, or SAML destination sites.

SAP NetWeaver supports only the use of SAML authentication assertions with the Java technology stack. The portal can act as a SAML source site and both the AS Java and the AS ABAP can act as SAML destination sites.

Constraints

The following constraints apply to the use of SAML with SAP NetWeaver:

  • Version 1.0 and 1.1 of the SAML specification are supported.

  • The condition element AudienceRestrictionCondition is accepted by the AS Java, although it is not evaluated. Any other child elements of the Conditions element result in processing errors.

  • Assertions must have exactly one AuthenticationStatement element. The authentication statement must have a NameIdentifier element.

  • If they are present, the elements AuthorizationDecisionStatement and AttributeStatement are ignored.

  • Creating digital signatures for outgoing documents is not supported. Digital signatures present with incoming documents are not verified.
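The constraints listed above can be checked before an assertion is handed to a destination site, for example in a test harness for a source site. The following validator is an added example, not SAP code; it applies the rules as stated on this page (supported versions, tolerated and rejected Conditions children, exactly one AuthenticationStatement with a NameIdentifier, ignored statements, unverified signatures) to a SAML 1.x assertion. The `build_assertion` helper and the issuer, subject and audience values it uses are constructed test data, and the `q`/`validate_assertion` names are this example's own.

```python
"""Structural pre-check of a SAML 1.x assertion against the constraints above.

Added example, not SAP code: the rules are those stated on this page, the sample
assertions are constructed.  For untrusted input in production, parse with a
hardened XML parser (e.g. defusedxml) instead of the plain standard library.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"  # shared by SAML 1.0 and 1.1
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"


def q(local, ns=SAML_NS):
    """Clark-notation qualified name as ElementTree expects it."""
    return "{%s}%s" % (ns, local)


def validate_assertion(xml_text):
    """Return (errors, warnings) for one SAML 1.x <saml:Assertion>.

    errors   -> the destination site would reject the assertion
    warnings -> accepted, but the content is ignored or not checked
    """
    errors, warnings = [], []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc], warnings
    if root.tag != q("Assertion"):
        return ["root element is %s, expected saml:Assertion" % root.tag], warnings

    # Only SAML 1.0 and 1.1 are supported.
    major, minor = root.get("MajorVersion"), root.get("MinorVersion")
    if major != "1" or minor not in ("0", "1"):
        errors.append("unsupported SAML version %s.%s" % (major, minor))

    # Conditions: AudienceRestrictionCondition is accepted but not evaluated;
    # any other child element results in a processing error.
    for cond in root.findall(q("Conditions")):
        for child in cond:
            if child.tag == q("AudienceRestrictionCondition"):
                warnings.append("AudienceRestrictionCondition present but not evaluated")
            else:
                errors.append("unsupported Conditions child: %s" % child.tag)

    # Exactly one AuthenticationStatement, and it must carry a NameIdentifier.
    auth_stmts = root.findall(q("AuthenticationStatement"))
    if len(auth_stmts) != 1:
        errors.append("expected exactly one AuthenticationStatement, found %d" % len(auth_stmts))
    for stmt in auth_stmts:
        if stmt.find("%s/%s" % (q("Subject"), q("NameIdentifier"))) is None:
            errors.append("AuthenticationStatement has no Subject/NameIdentifier")

    # Statements that are accepted but ignored by the destination site.
    for ignored in ("AuthorizationDecisionStatement", "AttributeStatement"):
        if root.find(q(ignored)) is not None:
            warnings.append("%s present but ignored" % ignored)

    # An enveloped XML signature is not verified: transport protection (SSL) is
    # what actually protects the exchange, so flag the signature as unchecked.
    if root.find(q("Signature", DSIG_NS)) is not None:
        warnings.append("ds:Signature present but not verified; rely on SSL/TLS")

    return errors, warnings


# Constructed test data (not a real SAP message).
AUTH_STMT = (
    '<saml:AuthenticationStatement '
    'AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" '
    'AuthenticationInstant="2024-01-01T00:00:00Z">'
    '<saml:Subject><saml:NameIdentifier>jdoe</saml:NameIdentifier></saml:Subject>'
    '</saml:AuthenticationStatement>'
)


def build_assertion(body, conditions="", signed=False, minor="1"):
    """Wrap constructed statement XML in a SAML 1.x Assertion envelope."""
    cond = "<saml:Conditions>%s</saml:Conditions>" % conditions if conditions else ""
    sig = '<ds:Signature xmlns:ds="%s"/>' % DSIG_NS if signed else ""
    return (
        '<saml:Assertion xmlns:saml="%s" MajorVersion="1" MinorVersion="%s" '
        'AssertionID="_constructed-1" Issuer="portal.example" '
        'IssueInstant="2024-01-01T00:00:00Z">%s%s%s</saml:Assertion>'
        % (SAML_NS, minor, cond, body, sig)
    )


if __name__ == "__main__":
    audience = ("<saml:AudienceRestrictionCondition><saml:Audience>"
                "https://portal.example</saml:Audience></saml:AudienceRestrictionCondition>")
    samples = {
        "accepted": build_assertion(AUTH_STMT, conditions=audience),
        "rejected": build_assertion(AUTH_STMT + AUTH_STMT,
                                    conditions="<saml:DoNotCacheCondition/>"),
        "ignored parts": build_assertion(AUTH_STMT + "<saml:AttributeStatement/>",
                                         signed=True),
    }
    for label, doc in samples.items():
        errs, warns = validate_assertion(doc)
        print("%s: errors=%s warnings=%s" % (label, errs, warns))
```

The warnings are as useful as the errors from a defender's point of view: a source site that signs its assertions or restricts their audience gets no protection from either on an AS Java destination, which is why the page makes SSL mandatory for the exchange.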

Security Considerations

SAML is a standard for encoding authentication information; for the message exchange itself it relies on standard security protocols such as SSL and TLS, and on XML signatures. Therefore, to protect the data exchange, SSL is required for the connection between the source and destination sites.

For more information, see Network and Transport Layer Security.

Note

SSL is required by the SAML specification, and therefore its use is enforced by default in the SAML configuration. However, for testing purposes, you can disable the enforcement of SSL for the SAML-based document exchanges. In this case, warnings appear in the log files of your system.

SAML also relies on the exchange of several messages over the network to authenticate access. This can introduce latency that depends on network performance, and can affect the availability of the systems that authenticate access with SAML.

Configuration

For more information about configuring the use of SAML 1 for SAP NetWeaver systems, see Using SAML Assertions.