SAP NetWeaver Application Server Java (AS Java) supports the SP lite implementation of the Security Assertion Markup Language (SAML) version 2.0. The following section describes implementation considerations for the use of AS Java as a SAML 2.0 provider.
Transient users in AS Java are realized as virtual users. AS Java records the creation of these virtual users in the security audit log. The audit log includes the transient name ID and the name of the identity provider that created it. In this way, AS Java supports auditing of transient users. However, the identity provider must also support auditing of transient pseudonym federation to identify the real user behind the transient name ID.
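To illustrate the two-sided audit trail described above, here is an added Python example (not SAP code; the assertion, the record layout and the identity provider's audit mapping are constructed assumptions) that extracts what AS Java records from a transient-NameID assertion and shows that the real user can only be resolved through the identity provider's own federation audit:

```python
"""Correlate a transient SAML 2.0 NameID with the identity provider's audit.

Constructed example: the record layouts are assumptions, not the actual
AS Java security audit log format or any identity provider's log format.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed assertion fragment as the service provider (AS Java) receives it.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/saml2</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_9f3c2e7a</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""


def sp_audit_record(assertion_xml):
    """What the text says AS Java records: the transient name ID and the IdP name."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != TRANSIENT:
        raise ValueError("assertion does not carry a transient name ID")
    return {"transient_id": name_id.text.strip(), "idp": issuer.strip()}


# Constructed IdP-side federation audit: (issuer, transient id) -> real user.
IDP_FEDERATION_AUDIT = {
    ("https://idp.example.com/saml2", "_9f3c2e7a"): "jdoe",
}


def resolve_real_user(sp_record, idp_audit):
    """Join the SP audit record with the IdP's transient pseudonym audit.

    Returns None when the IdP kept no record: the SP log alone names only
    the pseudonym and the issuing IdP, never the person behind it.
    """
    return idp_audit.get((sp_record["idp"], sp_record["transient_id"]))
```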
The AS Java delivers authorizations to protect access to the user interface for the configuration of SAML 2.0. The table below lists the user management engine (UME) actions and the default role assignments for access to the configuration user interface.
| Service/Application | Name | Description | Default Role Assignments |
|---|---|---|---|
| saml2_cfg | editSAML2Cfg | Provides read/write access to the SAML 2 and Key Storage Web Dynpro applications. | |
| saml2_cfg | viewSAML2Cfg | Provides read-only access to the SAML 2 and Key Storage Web Dynpro applications. | |
AS Java delivers the roles listed in the table below as part of its SAML 2.0 implementation.
| Name | Assigned Actions | Description |
|---|---|---|
| SAML2_READONLY | viewSAML2Cfg | Provides read-only access to the SAML 2 and Key Storage Web Dynpro applications. |
| SAML2_SUPERADMIN | editSAML2Cfg | Provides read/write access to the SAML 2 and Key Storage Web Dynpro applications. |
Note: The access that these roles and actions grant to the Key Storage application is not sufficient for general use of that application; it is only the access needed to administer your SAML 2.0 configuration.