You can use SAML for Single Sign-On in a scenario where a user is authenticated on an authentication system that acts as an SAML authority. Based on this authentication, the user receives an SAML assertion (upon request) that he or she can use to access a resource on a different system without having to authenticate again.
You can use SSO with SAML assertions with all usage types of SAP NetWeaver. In this case, the underlying AS Java or AS ABAP supports the configuration and execution of the SSO and the SAP NetWeaver system acts as a SAML destination site. In addition, the portal can act as a SAML authority, or a SAML source site, to issue SAML assertions.
There are some limitations of the SAML implementation on the AS Java. The following constraints apply:
To protect the data exchange, SSL is required for the connection between the source and destination sites. For more information, see Using SSL and SNC for Transport Layer Security .
SSL is required by the SAML specification, therefore its use is enforced by default in the SAML configuration. However, for testing purposes, you can disable the enforcement of SSL for the SAML-based document exchanges. In this case, you receive warnings in the log files.
There are several components involved in the SAML Single Sign-On scenario:
The artifact receiver is a component defined by the SAML specification. However, in SAP NetWeaver, any resource can accept assertion artifacts in the request URL.
The figure below shows in detail a server landscape with AS Java as a SAML destination site:
The figure also shows the process flow when the user accesses the AS Java applications using authentication with a SAML assertion.
The requested resource may also be the assertion receiver. In this case, the user is allowed access directly and no redirect is necessary. This is the case for applications in SAP NetWeaver. See (3') in the graphic above.
SAP NetWeaver enables you to use SAML for SSO with both the AS ABAP and AS Java. You can configure the portal (which runs on an AS Java) to be a SAML source site that issues SAML Browser Artifacts. These can then be used to access the AS ABAP, the AS Java or the portal as destination sites in the SAML-enabled SSO environment.
For more information about the available configuration options, see SAML Parameters .
For the case where users have different user IDs in the different systems, you have to configure the use of user mapping. For a scenario where you use an AS ABAP as a UME data source for the AS Java, you can use the user mapping features of the AS ABAP. For more information, see Mapping SAML Principals to SAP NetWeaver User IDs .
For the case of AS Java standalone installations with local database user store, the source site must include the user name in the assertion.
Configuration
For more information about configuring the use of SAML on the AS ABAP and AS Java, see the following sections:
Monitoring
For the AS Java, SAML authentication functions record log data to the category /System/Security/SAML . You can view the data using the AS Java log viewer tools in the server's log system_security_log .
By default, the log file used is <instance_dir>\j2ee\cluster\server<n>\log\system\security.<x>.log .
In the AS ABAP, errors during the SAML protocol are reported in the system log (message numbers SM0 and SM1) as well as in the developer trace of the work process.