Configuring SSO with SAML Token Profiles

Use

Security Assertion Markup Language (SAML) is a standard that defines a language for exchanging security information between partners. The SAML standard is driven by the Organization for the Advancement of Structured Information Standards (OASIS). SAML uses assertions that contain statements about a subject, authentication, authorizations, and attributes.

The SAML Token Profile was developed by the OASIS Web Services Security (WS-Security) Technical Committee as a standard for integrating and using SAML assertions in Web Services Security.

Note

Although both the SAML token profile and the SAML browser artifact use the SAML standard for transferring security information, they are used for different authentication purposes, as described below:

        SAML browser artifacts are used for authenticating Web-based access from a Web browser. More information about using SAML browser artifacts in SAP NetWeaver: Using SAML Browser Artifacts.

        SAML token profiles are used for WS access authentication at the SOAP message level.

Prerequisites

You have set up a trust relationship between the WS provider system and the WS consumer system. If you have configured your systems for Using Logon Tickets, this relationship has already been set up.

Note

By default, the system PSE, which is based on DSA, is used for logon ticket configuration. This means that you cannot use this PSE if you want to send encrypted responses.

Note the following:

       In the AS Java, you can use a certificate other than the client’s signature certificate (which is based on the system PSE with DSA) for encryption by the provider.

If you do not want to configure your systems to use logon tickets, set up the required trust relationship between the systems as described in Configuring a Trust Relationship for SAML Token Profiles Without Logon Ticket Configuration.

Features

SAP NetWeaver enables you to use the sender-vouches subject confirmation method to confirm a subject with SAML token profile authentication. For this subject confirmation method, the intermediary WS system also acts as a SAML assertion issuer. The Web Service intermediary (1) authenticates the client and (2) forwards the authentication information for the WS consumer to the back-end WS provider with a SAML token profile. The WS provider, in turn, authenticates access based on its trust relationship with the intermediary system.

The subject confirmation method enables SSO for Web Services by forwarding authentication information of a previous login using SAML assertions. More information: Subject Confirmation Methods for SAML Token Profiles.
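The following is an added example, not SAP's code: it shows the checks a WS provider applies to a sender-vouches assertion carried in the wsse:Security header before it accepts the forwarded identity. The system ID "CONSUMER-J2E", the user "alice" and the timestamps are constructed; the verification of the message signature against the intermediary's certificate (the trust relationship from the logon ticket or explicit trust setup) is represented only by the signer_verified flag.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespaces used by the WS-Security SAML Token Profile (SAML 1.1 assertions).
NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion"}
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"

# Constructed sample: the intermediary (made-up system ID "CONSUMER-J2E") vouches for
# user "alice", whom it already authenticated, and forwards the assertion to the provider.
SAMPLE_REQUEST = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1"
 AssertionID="_a1" Issuer="CONSUMER-J2E" IssueInstant="2024-05-01T10:00:00Z">
<saml:Conditions NotBefore="2024-05-01T10:00:00Z" NotOnOrAfter="2024-05-01T10:05:00Z"/>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
 AuthenticationInstant="2024-05-01T09:59:00Z"><saml:Subject>
<saml:NameIdentifier>alice</saml:NameIdentifier><saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
</saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement></saml:Assertion>
</wsse:Security></soap:Header><soap:Body><Ping xmlns="urn:example"/></soap:Body></soap:Envelope>"""

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def accept_sender_vouches(soap_xml, trusted_issuers, now, signer_verified):
    """Provider-side checks; returns (user, None) on success or (None, reason).
    signer_verified is the outcome of verifying the message signature against the
    intermediary's certificate (the trust relationship set up via logon tickets or
    the explicit trust configuration); that XML-signature check is not done here."""
    if not signer_verified:
        return None, "message not signed by a trusted intermediary"
    assertion = ET.fromstring(soap_xml).find("soap:Header/wsse:Security/saml:Assertion", NS)
    if assertion is None:
        return None, "no SAML assertion in wsse:Security header"
    # With sender-vouches the issuer is the party vouching, so it must be a trusted partner.
    if assertion.get("Issuer") not in trusted_issuers:
        return None, "issuer %r is not a trusted partner" % assertion.get("Issuer")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        return None, "assertion outside its validity window"
    subj = assertion.find("saml:AuthenticationStatement/saml:Subject", NS)
    method = subj.findtext("saml:SubjectConfirmation/saml:ConfirmationMethod", namespaces=NS) if subj is not None else None
    if method != SENDER_VOUCHES:
        return None, "unsupported confirmation method %r" % method
    return subj.findtext("saml:NameIdentifier", namespaces=NS), None
```

Without the signature binding, the issuer and subject fields are just text the sender chose, which is why the flag is checked before anything in the assertion is trusted.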

Activities

      Preparing the SAML-Token-Profile-Issuing WS Consumer AS Java  

      Setting the WS Provider AS Java to Accept SAML Token Profiles  

      Configuring Trusted Partners and Attesters for SAML 
