The following is an overview of the sequence of tasks for configuring SAML 2.0 for use in SAP Gateway:
Complete the prerequisite processes listed below on the SAP Gateway host.
Configure the SAP Gateway host as a SAML 2.0 service provider.
Configure an identity provider (for example, Active Directory Federation Services or SAP Identity Management) for use with SAML 2.0.
Configure the SAP Gateway host (the SAML 2.0 service provider) to trust the identity provider.
Use the procedure for this last task to identify the identity provider that your service provider trusts.
Prerequisite Processes
Before you implement and use SAML 2.0 authentication, make sure that you complete the following on the underlying SAP NetWeaver AS for ABAP system.
Configure SSL/TLS so that SAP Gateway is reachable over HTTPS.
The CommonCryptoLib is required for the use of SAML 2.0: it enables SSL/TLS and provides the signing and encryption functionality for SAML messages and assertions. For more information, see SAP Note 1848999.
When users access SAP Gateway applications from client browsers, SAML 2.0 authentication must preserve the original HTTP GET request of the OData call. With the HTTP POST binding, the identity provider returns the user to the service provider with a POST, so the original GET would be lost; with the HTTP Artifact binding, the user is returned with a GET that carries only an artifact, which the service provider then resolves over a back channel to the identity provider. Therefore use the SAML 2.0 Artifact binding instead of the POST binding, and make sure the SAP Gateway host can reach the identity provider's artifact resolution service over the network.
Activate Secure Session Management on each SAP system client in which you want to enable SAML 2.0.
To activate Secure Session Management, start transaction SICF_SESSIONS, choose the client, and click Activate.
Apply the following SAP Notes to fix SAML 2.0 related issues in SAP NetWeaver AS for ABAP 7.02 SP6 to SP8:
SAP Note 1607892 fixes an error in the SAML 2.0 UI (trusted provider wizard) when choosing a previously installed certificate from the Address Book using the F4 help button.
SAP Note 1590701 provides support for SAML 2.0 authentication when a reverse proxy is used.
If a reverse proxy is placed in front of SAP Gateway, configure the following settings on the proxy so that SAP Gateway learns the scheme and host name with which the client originally called it (SAP Gateway uses these values to build the SAML 2.0 endpoint URLs it sends to the identity provider):
Set the ClientProtocol header value to HTTPS when the incoming client connection is HTTPS-based:
SAP Web Dispatcher: set the profile parameter wdisp/add_client_protocol_header = true
Apache HTTP Server: add RequestHeader set ClientProtocol https (inside the HTTPS virtual host only)
Preserve the Host header value:
SAP Web Dispatcher always preserves the Host header; no setting is needed.
Apache HTTP Server: add ProxyPreserveHost on
With these settings the proxy tells SAP Gateway which scheme, host and port it was originally called with, instead of the scheme and port of the proxy-to-backend connection.
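The following Apache HTTP Server virtual host shows where the two reverse-proxy settings above belong. It is an added example and not part of the SAP documentation or of SAP Note 1590701; the host names, ports, certificate paths, module paths and the plain-HTTP backend connection are assumptions for illustration.

```apache
# Added example (not from the SAP documentation): a minimal Apache httpd
# reverse proxy in front of an SAP Gateway host. All host names, ports and
# file paths below are assumed values.
LoadModule headers_module    modules/mod_headers.so
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule ssl_module        modules/mod_ssl.so

<VirtualHost *:443>
    ServerName gateway.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/gateway.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/gateway.example.com.key

    # 1. Keep the Host header the browser sent, so SAP Gateway builds its
    #    SAML 2.0 endpoint URLs with the externally visible host name.
    ProxyPreserveHost On

    # 2. Tell SAP Gateway that the client leg was HTTPS. Set this only in the
    #    HTTPS virtual host; an HTTP virtual host must not claim https, or the
    #    service provider would advertise HTTPS endpoints that do not exist.
    RequestHeader set ClientProtocol https

    # Forward to the ICM HTTP port of the SAP Gateway host (assumed host/port).
    ProxyPass        / http://gwhost.internal:8000/
    ProxyPassReverse / http://gwhost.internal:8000/
</VirtualHost>
```

Because TLS is terminated at the proxy in this example, the proxy-to-backend leg is plain HTTP; either keep that leg on a trusted network segment or switch it to the ICM HTTPS port with SSLProxyEngine on and an https:// backend URL, so the SAML assertion is never carried in clear text.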