The easiest way to trust a SAML 2.0 service provider is to import its metadata XML file. The metadata XML file includes the following:
The address and name of the service provider
The list of endpoint configurations the service provider supports
The public-key certificates for decryption and for checking the service provider's digital signature
This procedure explains how to access the metadata XML file of the service provider of the SAP NetWeaver Application Server (AS) ABAP.
The SAML service provider is enabled.
You have configured the endpoints for Single Sign-On (SSO), Single Log-Out (SLO), artifacts, and SOAP you want to support. Any endpoints you configure later require you to manually reconfigure your identity provider or reimport the metadata XML file.
You have determined how you want to access the metadata XML file.
Caution
The hostname and protocol generated for the service provider endpoints in the metadata XML file are the same as the hostname and protocol you use to access the metadata XML file. Use the same hostname and protocol you expect the identity provider to use when it accesses the service provider endpoints. If you use a hostname that the identity provider cannot resolve, or a protocol that the identity provider cannot use, connections from the identity provider fail.
You have the following options for accessing the metadata XML file:
Download the metadata XML file from the AS ABAP.
Access the URL of the metadata XML file on the AS ABAP.
You have determined whether metadata must be digitally signed or not.
A digital signature enables other systems that trust the service provider to check that the metadata XML really comes from that service provider.
To access the metadata XML, you can either download the metadata XML file or access the URL of the metadata XML file. The first option is preferable.
Start the SAML 2.0 configuration application (transaction SAML2).
On the Local Provider tab, choose the Download Metadata pushbutton.
Save the XML file.
When configuring the service providers you want your SAML identity provider to trust, enter the following URL for the AS ABAP host system:
<protocol>://<host>:<port>/saml2/sp/metadata?sap-client=<client>
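As an added example (not part of this SAP documentation), the following Python script inspects a service provider metadata file of the shape described above: it lists the entity ID, endpoints and key descriptors, reports whether the metadata carries a signature, and flags any endpoint whose protocol or hostname differs from the origin the identity provider is expected to use, which is the check the caution above calls for. The hostnames, client number and certificate values in the embedded sample are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample in the shape of an AS ABAP SP metadata file (hypothetical hosts and certificates).
# The ACS endpoint deliberately carries an internal hostname and plain HTTP to trigger the check.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://abap.example.com/saml2/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      AuthnRequestsSigned="true" WantAssertionsSigned="true">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIB...signing</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIB...encryption</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://abap.example.com/saml2/sp/slo/100"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://abap.internal/saml2/sp/acs/100" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def inspect_sp_metadata(xml_text, expected_origin):
    """Summarise SP metadata and flag endpoints whose scheme or host differ from
    expected_origin (e.g. "https://abap.example.com"), the origin the IdP will use."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    exp = urlsplit(expected_origin)
    endpoints, mismatched = [], []
    for tag in ("SingleLogoutService", "AssertionConsumerService", "ArtifactResolutionService"):
        for ep in sp.findall(f"md:{tag}", NS):
            loc = ep.get("Location")
            endpoints.append((tag, ep.get("Binding").rsplit(":", 1)[-1], loc))
            u = urlsplit(loc)
            if (u.scheme, u.netloc) != (exp.scheme, exp.netloc):
                mismatched.append(loc)  # IdP would connect to the wrong host or protocol
    # KeyDescriptor without a "use" attribute applies to both signing and encryption.
    certs = {kd.get("use", "both"): kd.findtext(".//ds:X509Certificate", namespaces=NS).strip()
             for kd in sp.findall("md:KeyDescriptor", NS)}
    return {
        "entity_id": root.get("entityID"),
        "signed": root.find("ds:Signature", NS) is not None,  # enveloped metadata signature present?
        "wants_signed_assertions": sp.get("WantAssertionsSigned") == "true",
        "endpoints": endpoints,
        "mismatched_endpoints": mismatched,
        "cert_uses": sorted(certs),
    }


if __name__ == "__main__":
    for key, value in inspect_sp_metadata(SAMPLE_METADATA, "https://abap.example.com").items():
        print(f"{key}: {value}")
```

Run it against a downloaded metadata file by replacing SAMPLE_METADATA with the file's contents; a non-empty mismatched_endpoints list means the metadata was generated over a hostname or protocol the identity provider will not be able to use.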