SAP Gateway Host as the SAML2 Service Provider

Configure SAML 2.0 authentication in the SAP Gateway host as follows:

  1. In your SAP Gateway host, start transaction SAML2.

  2. Create a local provider of type SAML2 Service Provider.

    1. Click Enable SAML2 Support. A wizard displays. It prompts you for a name for the SAML2 entity.

      For example, you can specify a URI or just a simple string that is descriptive enough, such as SAP Gateway.

      Note that this provider is created for, and is functional only in, the specific client in which you run the transaction.

    2. Click Next to complete with the default settings.

    3. Open the tab, Service Provider Settings, and verify that Automatic is the selected value for Selection Mode.

    4. Click Finish.

      The option Sign Metadata can be disabled; the option Include Certificate in Signature is enabled.

  3. Export the metadata of SAML2 Configuration of ABAP System (for import into the Identity Provider system).

    For the metadata export, access the SAML2 Configuration of the ABAP system through the reverse proxy's host and port (rather than directly), because the endpoint URLs in the exported metadata are derived from the host used to access it.

    Click the link Metadata in the SAML2.0 UI and save the file in a target file location.

    Alternatively, export SP metadata through the following URL: https://<proxy host>:<proxy port>/saml2/sp/metadata?sap-client=<ABAP_CLIENT>

  4. Go to your Identity Provider system and configure it as per the documentation of the supplier.

    Afterwards, continue the configuration in the SAP Gateway host by adding the Identity Provider as a trusted provider.

    For more information, go to Configuring AS ABAP as a Service Provider at:

  5. Add IdP to the Trusted Providers list:

    1. In SAML2 Configuration of ABAP system, select the tab, Trusted Provider, and click Add.

    2. Once you have the trusted metadata from your Identity Provider system, click Add and then choose Upload from file. A new Trusted Provider wizard is started.

    3. Select the metadata from the file system and upload it.

      If the metadata is signed, you need the proper X.509 certificate to verify the signature.

      You can either upload the certificate from the file system or get it from the Address Book of the SAP Gateway system if the certificate was already uploaded there.

      After successful signature verification, the name of the trusted provider is shown. A more descriptive alias can be set.

    4. Click Next.

      The following are the signature and encryption requirements for the different messages. Because the artifact binding will be used, look at the “Artifact Profile” area.

      1. Change the default setting of Require Signature to Never. This means that SAP Gateway will not require the Identity Provider to sign SAML 2.0 artifact messages exchanged over the HTTPS back channel.

      2. Click Next. Continue by using the default values.

      3. In Authentication Response, change the setting, Binding to HTTP Artifact and click Finish. After the trusted provider has been added, specify the NameID format.

    5. Click Edit, and click the tab, Identity Federation.

    6. Click Add and select which NameID format you want to use.

    7. Save the changes to the trusted provider and click Enable to activate it. Select it as the default.

      For artifact binding, SAP Gateway initiates an artifact resolution via a back-channel communication.

      This is done via SOAP over HTTPS. This call requires the SSL server certificate of the Identity Provider to be available on the SAP Gateway host under SSL Client Standard PSE using transaction STRUST.
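As an added check that is not part of the SAP documentation or SAP's own tooling: before handing the exported SP metadata (step 3) to the Identity Provider, it is worth verifying that its endpoints embed the reverse proxy host rather than the internal Gateway host, that a signing certificate is included, and that an AssertionConsumerService with the HTTP-Artifact binding exists, since the artifact binding is what the trusted-provider step configures. The metadata document, host names and paths below are constructed sample values.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"

# Constructed sample SP metadata (trimmed). One endpoint deliberately points at
# the internal host to show what an export made without the proxy looks like.
SAMPLE_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="SAP Gateway">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIB...constructed...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://proxy.example.com:443/sap/saml2/sp/acs/100"/>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://gwhost.internal:44300/sap/saml2/sp/acs/100"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def check_sp_metadata(xml_text, proxy_host):
    """Parse SP metadata and return findings relevant to the setup above."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    # Signing certificate that the IdP will use to verify SP signatures.
    certs = sp.findall(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    has_artifact = False
    wrong_host = []  # endpoints the IdP could not reach or that leak internal hosts
    for acs in sp.findall("md:AssertionConsumerService", NS):
        if acs.get("Binding") == ARTIFACT:
            has_artifact = True
        if urlparse(acs.get("Location", "")).hostname != proxy_host:
            wrong_host.append(acs.get("Location"))
    return {
        "entity_id": root.get("entityID"),
        "has_signing_cert": any((c.text or "").strip() for c in certs),
        "has_artifact_acs": has_artifact,
        "wrong_host_endpoints": wrong_host,
    }
```

Run it against a real export by reading the saved metadata file into `check_sp_metadata` with your proxy host; any entry in `wrong_host_endpoints` means the export was taken without going through the reverse proxy.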