Configuring Single Sign-On with SAML Token Profiles

Security Assertion Markup Language (SAML) is a standard that defines a language to exchange security information between partners. The SAML standard is driven by the Organization for the Advancement of Structured Information Standards (OASIS). SAML uses assertions that contain statements about a subject, authentication, authorization and attributes.

SAML Token Profile is developed by the OASIS Web Services Security (WS Security) Technical Committee as a standard to integrate and use SAML for Web Services Security.

Prerequisites

  • You have called the report WSS_SETUP once in the WS provider to activate message authentication (that is, SAML authentication, X.509 authentication with XML-signature, UsernameToken).

  • SAML Trust Relationship

    You have set up a SAML 2.0 trust relationship and, in report WSS_SETUP, have selected the option Use SAML 2 Trust Relationship (more information: Preparing the WS Provider AS ABAP for Accepting SAML Token Profiles for Validation with the SAML 2 Infrastructure and Message-Based Authentication with WS-Security).

    Note

    If you use the SAML trust relationship, the system uses the SAML 2 PSE (SAML 2 Personal Security Environment) for signing locally issued tokens.
  • Ticket Trust Relationship

    You have set up a trust relationship between the SAML issuer and the WS consumer. If you have configured your systems for using logon tickets and, in report WSS_SETUP, have selected the option Use Logon Ticket Trust Relationship, this trust relationship has already been set up.

    Note

    By default, the system PSE, which is based on DSA, is used for logon ticket configuration. This means that you cannot use this PSE if you want to send encrypted responses.

    In the AS ABAP, the provider can use a certificate for encryption other than the client's signature certificate (which is based on the system PSE with DSA, the Digital Signature Algorithm).

    If you do not want to configure your systems for the use of logon tickets, set up the required trust relationship between the systems as described in Configuring a Trust Relationship for SAML Token Profiles Without Logon Ticket Configuration.
  • SAP Cryptographic Library 1.555.29 or higher is installed in the WS provider system. You can check the version of the library in the Trust Manager (transaction STRUST): choose Environment > Display SSF Version. The installation package for the SAP Cryptographic Library is available to authorized customers on the SAP Service Marketplace (http://service.sap.com/swdc) under SAP Software Distribution Center > Download > SAP Cryptographic Software.

Features

SAP NetWeaver AS ABAP enables you to use the sender-vouches and holder-of-key subject confirmation methods to confirm a subject with SAML token profile authentication.

If you have selected symmetric signature and encryption for connection security in the AS ABAP, use the holder-of-key method. For all other connection security mechanisms, use sender-vouches.
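The selection rule above can be checked against an incoming message before it reaches the provider's WS-Security runtime. The following Python script is an added example and is not SAP code: it locates the SAML 2.0 assertion inside the wsse:Security header of a SOAP envelope, reads its SubjectConfirmation method, and compares it with the method the connection security setting requires (holder-of-key for symmetric signature and encryption, sender-vouches for everything else). For holder-of-key it additionally requires a ds:KeyInfo in the SubjectConfirmationData, as the SAML 2.0 holder-of-key profile does. The sample messages are constructed inline; the function names and the boolean parameter are the example's own choices. The check is structural only; XML signature verification and proof of key possession remain the job of the AS ABAP.

```python
"""Added example (not SAP code): compare the SubjectConfirmation method of a
SAML 2.0 assertion in a WS-Security header with the method the AS ABAP
connection security requires. Structural check only; signatures and key
possession are verified by the provider's WS-Security runtime."""
from typing import List, Tuple
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"


def required_method(symmetric_signature_and_encryption: bool) -> str:
    """The selection rule from the documentation: holder-of-key only for
    symmetric signature and encryption, sender-vouches otherwise."""
    return HOLDER_OF_KEY if symmetric_signature_and_encryption else SENDER_VOUCHES


def subject_confirmations(soap_xml: str) -> List[ET.Element]:
    """Every SubjectConfirmation of every SAML 2.0 assertion carried in the
    wsse:Security header. Assertions elsewhere in the message are ignored."""
    root = ET.fromstring(soap_xml)
    path = "soap:Header/wsse:Security/saml2:Assertion/saml2:Subject/saml2:SubjectConfirmation"
    return root.findall(path, NS)


def check_assertion(soap_xml: str, symmetric_signature_and_encryption: bool) -> Tuple[bool, str]:
    """Return (ok, reason). ok is True only if every confirmation uses the
    required method and holder-of-key confirmations name a key."""
    expected = required_method(symmetric_signature_and_encryption)
    confirmations = subject_confirmations(soap_xml)
    if not confirmations:
        return False, "no SAML 2.0 assertion with a SubjectConfirmation in wsse:Security"
    for sc in confirmations:
        method = sc.get("Method", "")
        if method != expected:
            return False, f"method {method or '<missing>'} does not match required {expected}"
        if method == HOLDER_OF_KEY:
            # holder-of-key must identify the key the consumer proves possession of
            key_info = sc.find("saml2:SubjectConfirmationData/ds:KeyInfo", NS)
            if key_info is None:
                return False, "holder-of-key confirmation without ds:KeyInfo"
    return True, "subject confirmation method matches connection security"


def sample_message(method: str, key_name: str = "") -> str:
    """Constructed sample: a minimal SOAP envelope with one unsigned SAML 2.0
    assertion (signature omitted because only the structure is checked here)."""
    key_info = ""
    if key_name:
        key_info = (
            "<saml2:SubjectConfirmationData>"
            f'<ds:KeyInfo xmlns:ds="{NS["ds"]}"><ds:KeyName>{key_name}</ds:KeyName></ds:KeyInfo>'
            "</saml2:SubjectConfirmationData>"
        )
    return (
        f'<soap:Envelope xmlns:soap="{NS["soap"]}"><soap:Header>'
        f'<wsse:Security xmlns:wsse="{NS["wsse"]}">'
        f'<saml2:Assertion xmlns:saml2="{NS["saml2"]}" ID="_c1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
        "<saml2:Issuer>https://idp.example.test</saml2:Issuer>"
        "<saml2:Subject><saml2:NameID>alice</saml2:NameID>"
        f'<saml2:SubjectConfirmation Method="{method}">{key_info}</saml2:SubjectConfirmation>'
        "</saml2:Subject></saml2:Assertion></wsse:Security></soap:Header><soap:Body/></soap:Envelope>"
    )


if __name__ == "__main__":
    # sender-vouches over a non-symmetric connection security: accepted
    print(check_assertion(sample_message(SENDER_VOUCHES), symmetric_signature_and_encryption=False))
    # holder-of-key with a named key under symmetric signature and encryption: accepted
    print(check_assertion(sample_message(HOLDER_OF_KEY, "consumer-key"), symmetric_signature_and_encryption=True))
    # holder-of-key without ds:KeyInfo: rejected
    print(check_assertion(sample_message(HOLDER_OF_KEY), symmetric_signature_and_encryption=True))
```

The path restricts the search to assertions under wsse:Security so that an assertion placed elsewhere in the envelope (for instance in the body) is not mistaken for the security token; a mismatch between the configured connection security and the confirmation method is reported with the method actually found, which is the detail needed when diagnosing a rejected call.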