
Configuring SAML for Use in SAP Gateway


The following is an overview of the sequence of tasks for configuring SAML for use in SAP Gateway:

Complete the listed processes in the SAP Gateway host.

  1. Configure the SAP Gateway host as a SAML2 Service Provider.

  2. Configure an Identity Provider (for example, Active Directory Federation Services, SAP Identity Management) for use with SAML2.

  3. Configure the SAP Gateway host (SAML2 service provider) to trust the Identity Provider.

Use this procedure to identify an identity provider for your service provider to trust.


Prerequisite Processes

Before you implement and use SAML2 authentication, make sure that you complete the following on the underlying SAP NetWeaver AS ABAP system for SAML 2.0.

  1. Configure SSL

    The CommonCryptoLib is required for the use of SAML 2.0 to enable SSL and to provide signing and encryption functionality. For more information, see SAP Note 1848999.

    When the user accesses SAP Gateway applications using client browsers, SAML 2.0 authentication must preserve the original HTTP GET method. Thus, the SAML 2.0 Artifact binding must be used instead of the POST binding.

  2. Activate Secure Session Management on each SAP system client in which you want to enable SAML 2.0.

    To activate security session management, start transaction SICF_SESSIONS, and then choose the client and click Activate.

  3. Apply the following SAP Notes to fix SAML 2.0 related issues in SAP NetWeaver AS ABAP 7.02 SP6 to SP8:

    • SAP Note 1607892 fixes an error in the SAML 2.0 UI (trusted provider wizard) that occurs when choosing a previously installed certificate from the Address Book (F4 help button).

    • SAP Note 1590701 provides support for SAML 2.0 authentication when a reverse proxy is used.

      Configure the following settings on the reverse proxy:

      1. Set the ClientProtocol header value to HTTPS if the incoming connection is HTTPS-based:

        • Configure SAP Web Dispatcher as follows: wdisp/add_client_protocol_header=true

        • Add the following in the Apache proxy: RequestHeader set ClientProtocol https

      2. Preserve the Host header value:

        • SAP Web Dispatcher always preserves the Host header.

        • Add the following to the Apache proxy: ProxyPreserveHost on

          With these settings, the proxy tells SAP Gateway with which scheme and port it was originally called.
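
The two Apache settings above, shown in the context of a TLS-terminating reverse proxy virtual host. This is an added example, not SAP's own configuration; the host names, the back-end port and the certificate paths are assumed placeholders.

```apache
# Constructed example: host names, ports and certificate paths are placeholders.
# Requires mod_ssl, mod_proxy, mod_proxy_http and mod_headers to be loaded.
<VirtualHost *:443>
    ServerName gateway.example.com

    # TLS termination for the browser-facing connection
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/gateway.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/gateway.example.com.key

    # Act as a reverse proxy only, never as a forward proxy
    ProxyRequests Off

    # Setting 1: tell the back end that the browser connected over HTTPS.
    # "set" replaces any ClientProtocol value the client may have sent,
    # so the back end only ever sees the value written by the proxy.
    RequestHeader set ClientProtocol https

    # Setting 2: pass the browser's original Host header to the back end
    # instead of the back-end host name used in ProxyPass.
    ProxyPreserveHost On

    # Back-end connection to the SAP Gateway host over TLS
    SSLProxyEngine on
    ProxyPass        / https://sapgw-backend.example.internal:44300/
    ProxyPassReverse / https://sapgw-backend.example.internal:44300/
</VirtualHost>
```

Because the header is written inside the port 443 virtual host, it is only added to requests that actually arrived over HTTPS, which matches the condition stated in step 1.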