Using SAML with the AS ABAP

Purpose

With SAP NetWeaver, you can use SAML to access applications both on the AS ABAP and the AS Java. In both cases the SAML service of the AS Java performs the SAML protocol execution with the source site.

In Using SAML Browser Artifacts for Single Sign-On you saw an example of what happens in the system when a client tries to access a protected resource on AS Java. This section describes how SAML is used for SSO access to a protected resource on AS ABAP.

Note

On the AS ABAP, you can use SAML to access any resource that is registered in the Internet Communication Framework (ICF) of the AS ABAP and that can therefore be accessed with HTTP or HTTPS.

Process

The figure below shows a server landscape with a source site (for example a portal), an AS ABAP as destination site, and a SAML service running on the AS Java.

The figure illustrates the system events that occur when a user tries to access a resource on the AS ABAP using SAML:

  1. The user authenticates himself or herself at the source site, for example, using user ID and password.
  2. He or she requests a resource at the destination site (via the source site), for example, a BSP service on an AS ABAP.

    The resource on the AS ABAP can be any service that is registered in the Internet Communication Framework (ICF) of the AS ABAP.

  3. The source site then sends the target URL for the requested resource and an assertion artifact to the ICF of the AS ABAP.
  4. The ICF checks that the requested resource accepts SAML as an authentication method. If yes, it looks up the SAML configuration for the requested resource, where it finds the RFC destination to the AS Java that provides the SAML service for the AS ABAP.
  5. The ICF sends the request to the SAML service on the appropriate AS Java.
  6. The SAML service requests the user's authentication assertions from the source site's responder. This request occurs using the SOAP over HTTP binding of the SAML protocol.
  7. The source site's responder service sends the user's assertions back to the SAML service on the AS Java.
  8. The SAML service sends the user's assertions to the ICF.
  9. The ICF analyzes the assertions and authenticates the user. If necessary, the mapped internal user ID is obtained from the USREXTID table if a mapping entry is available.
  10. The resource is sent to the user.

Activities
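The ten steps above, as an added Python simulation that is not SAP code and not part of this documentation. The class names SourceSite, SamlService and IcfGateway, the USREXTID dictionary, the credentials, URLs and the 60-second artifact lifetime are all constructed assumptions. The simulation shows what the flow relies on for security: the browser carries only an opaque artifact (step 3), the assertion itself travels over the back channel between the SAML service and the source site's responder (steps 6 and 7), an artifact resolves exactly once, and the ICF admits only principals that have a USREXTID mapping (step 9).

```python
import secrets
from dataclasses import dataclass

ARTIFACT_TTL = 60.0  # seconds an unresolved artifact stays valid (constructed value)


@dataclass
class Assertion:
    """Minimal stand-in for a SAML 1.x authentication assertion."""
    subject: str           # external user ID at the source site (the SAML principal)
    issuer: str            # source site name
    audience: str          # destination site the assertion is meant for
    not_before: float
    not_on_or_after: float


class SourceSite:
    """Hypothetical portal: authenticates the user (step 1), hands out an artifact
    (steps 2-3) and answers artifact resolution via its responder (steps 6-7)."""

    def __init__(self, name, users):
        self.name = name
        self._users = users            # constructed credential store
        self._pending = {}             # artifact -> (assertion, issued_at)

    def login_and_request(self, user_id, password, target_url, audience, now):
        if self._users.get(user_id) != password:
            raise PermissionError("source-site authentication failed")
        assertion = Assertion(user_id, self.name, audience, now, now + ARTIFACT_TTL)
        artifact = secrets.token_urlsafe(20)    # opaque: carries no user data itself
        self._pending[artifact] = (assertion, now)
        return target_url, artifact             # this is all the browser carries

    def responder(self, artifact, now):
        """Back-channel responder. Artifacts are single-use: pop, never get."""
        entry = self._pending.pop(artifact, None)
        if entry is None:
            return None                         # unknown or already resolved
        assertion, issued_at = entry
        if now - issued_at > ARTIFACT_TTL:
            return None                         # stale artifact
        return assertion


class SamlService:
    """AS Java SAML service: resolves artifacts with the source site's responder
    on behalf of the ICF (steps 5-8)."""

    def __init__(self, responders):
        self._responders = responders           # source site name -> responder callable

    def resolve(self, source_name, artifact, now):
        responder = self._responders.get(source_name)
        return responder(artifact, now) if responder else None


class IcfGateway:
    """AS ABAP ICF: checks the service's allowed auth methods (step 4), calls the
    SAML service (step 5), validates the assertion and maps the user (step 9)."""

    def __init__(self, site_name, services, saml_service, usrextid):
        self.site_name = site_name
        self._services = services               # url -> {"auth": {...}, "resource": str}
        self._saml = saml_service
        self._usrextid = usrextid               # (issuer, external id) -> ABAP user

    def handle(self, target_url, source_name, artifact, now):
        svc = self._services.get(target_url)
        if svc is None or "SAML" not in svc["auth"]:
            return ("DENIED", "SAML not allowed for resource")
        assertion = self._saml.resolve(source_name, artifact, now)
        if assertion is None:
            return ("DENIED", "artifact could not be resolved")
        in_window = assertion.not_before <= now < assertion.not_on_or_after
        if assertion.audience != self.site_name or not in_window:
            return ("DENIED", "assertion not valid for this site or expired")
        abap_user = self._usrextid.get((assertion.issuer, assertion.subject))
        if abap_user is None:
            return ("DENIED", "no USREXTID mapping for principal")
        return ("OK", abap_user, svc["resource"])    # step 10


def run_scenarios():
    """Constructed walk-through; returns the outcome of each scenario."""
    portal = SourceSite("portal", {"alice": "pw-a", "bob": "pw-b"})
    saml = SamlService({"portal": portal.responder})
    icf = IcfGateway(
        "abap01",
        {"/sap/bc/bsp/demo": {"auth": {"SAML", "BASIC"}, "resource": "BSP page"},
         "/sap/bc/legacy": {"auth": {"BASIC"}, "resource": "legacy page"}},
        saml,
        {("portal", "alice"): "ALICE"},         # bob deliberately has no mapping
    )
    now = 1_000.0
    url, art = portal.login_and_request("alice", "pw-a", "/sap/bc/bsp/demo", "abap01", now)
    out = {"alice": icf.handle(url, "portal", art, now + 1)}
    out["replay"] = icf.handle(url, "portal", art, now + 2)      # same artifact again
    url, art = portal.login_and_request("bob", "pw-b", "/sap/bc/bsp/demo", "abap01", now)
    out["bob"] = icf.handle(url, "portal", art, now + 1)
    url, art = portal.login_and_request("alice", "pw-a", "/sap/bc/legacy", "abap01", now)
    out["legacy"] = icf.handle(url, "portal", art, now + 1)
    url, art = portal.login_and_request("alice", "pw-a", "/sap/bc/bsp/demo", "abap01", now)
    out["stale"] = icf.handle(url, "portal", art, now + ARTIFACT_TTL + 5)
    return out
```

Running `run_scenarios()` admits alice as ABAP user ALICE, rejects the replayed artifact, rejects bob because the USREXTID table has no entry for him even though his ID would otherwise match, refuses SAML for the service that does not list it as an authentication method, and rejects an artifact presented after its lifetime has passed. The responder's `pop` is the detail worth copying: an artifact that can be resolved twice would let a second request reuse a login.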

The figure below illustrates the configuration steps required so that you can use SAML to access resources on AS ABAP. The numbers in the figure correspond to the numbers in the figure above. The letters define the configuration steps and are described below.

From the figure, you can see that the following configuration steps are required to set up SAML with a resource on AS ABAP:

A    Make sure that the SAML service on the AS Java is running.

B    Make sure that a connection is established between the AS ABAP and the AS Java (only necessary if you are accessing resources on AS ABAP with SAML). This requires an

  • RFC destination on the AS Java
  • RFC destination on the AS ABAP

C    Configure the SAML source site. If you are using a portal as a source site, this requires creating a set of PartnersOutbound parameters. See Configuring a Portal as a SAML Source Site.

D    Configure the AS Java as a destination site. This requires creating a destination to the source site's responder and defining a set of PartnersInbound parameters.

E    Activate SAML for resources in the AS ABAP (only necessary if you are accessing resources on AS ABAP with SAML). Here you define the name of the RFC destination to the SAML service on the AS Java and you define that SAML is an allowed authentication method for the resource.

F    You must map the external user IDs on the source site (SAML principal) to the user IDs in the AS ABAP even if the external ID and AS ABAP ID are identical (only necessary if you are accessing resources on AS ABAP with SAML).