SAML 2.0 Configurations at SAP NetWeaver AS ABAP and Microsoft ADFS

Applies to: SAP Gateway 2.0

Summary
This guide describes how to install and configure SAML 2.0 on a Microsoft ADFS server and an SAP NetWeaver AS ABAP server.

Author(s): Navin Sahadev
Company: SAP Labs India
Created on: 23 July 2014

Author Bio
Navin Sahadev works in SAP Gateway for the Customer Product Success organization and the Infrastructure team at SAP Labs India. He has also worked on Duet and Duet Enterprise. He has more than 9 years of experience in SAP technology.
Table of Contents

3.2.2 Installing Microsoft ADFS
3.2.4 ADFS – Add a Relying Party Trust
3.2.5 Configuring Single Sign-On Authentication for IIS
5.1 Mapping Domain user to an ABAP user
5.2 Mapping Domain user to SAP NetWeaver AS ABAP user from a Table View
5.3 User Mapping for the Same User
This document provides information on how to configure:
ADFS on Windows Server 2008 R2 (with Basic Authentication)
SAML 2.0 on SAP NetWeaver AS ABAP 7.02 SP08
1.1 Target Audience

This document aims to assist SAP and Microsoft consultants and system architects who are interested in understanding both the functional and operational modes of SAML 2.0 on the network (intranet).
2. Introduction
Using the underlying SAP NetWeaver AS ABAP 7.02 infrastructure, SAP Gateway 2.0 supports the exchange of user authentication and authorization data via SAML 2.0.
Security Assertion Markup Language (SAML) 2.0 is an XML-based standard for exchanging authentication and authorization data between an Identity Provider (IdP), the producer of SAML assertions, and a Service Provider (SP), the consumer of assertions.
An assertion is a package of information that supplies zero or more statements made by a SAML authority. For delivering assertions, SAML 2.0 includes the following authentication response bindings:
HTTP POST: a push model in which the SAML assertion is delivered to the Service Provider through the browser acting as intermediary;
HTTP Artifact: a pull model in which the SP retrieves the SAML assertion directly from the IdP using a reference (the artifact, generated by the IdP and passed through the browser).
Along with web-based authentication and authorization, SAML 2.0 also enables cross-domain Single Sign-On (SSO), which helps reduce the administrative overhead of distributing multiple authentication tokens to the user.
The interactions between a user and SAP Gateway during the SAML 2.0 service provider-initiated flow are depicted in the following figure:
During the SAML 2.0 service provider-initiated flow, the following interactions are observed on the user agent side:
1. The user requests a resource (for example, an OData service) from SAP Gateway.
2. On receiving the request, SAP Gateway redirects the user to the Identity Provider.
3. The user is redirected to the Identity Provider (ADFS).
4. The Identity Provider responds with a 401 (Integrated Windows Authentication or Basic Authentication).
5. The user provides the authentication information.
6. The Identity Provider redirects the user to the Assertion Consumer Service (ACS) endpoint, where your service provider receives assertions.
7. The user calls the ACS in SAP Gateway with the SAML artifact.
8. The ACS validates the SAML artifact information with the Identity Provider (ADFS).
Note: Steps 7 and 8 execute in the background.
9. The ACS redirects the user to the requested SAP Gateway resource.
10. The user requests SAP Gateway resources with the SAML cookie.
11. SAP Gateway responds with a secure SAML cookie. Using this cookie, the user can communicate with SAP Gateway to access resources until the cookie expires.
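The SP-initiated exchange above, as an added example that is not part of the original guide and is not SAP Gateway code: a Python model of the two SP-side steps, building the AuthnRequest redirect (step 2) and validating the returned Response at the ACS (steps 6 to 9). All URLs and entity IDs are constructed placeholders, the IdP Response is a constructed unsigned stand-in built by make_idp_response, and XML signature verification is deliberately left out (the real system delegates it to the crypto library). The checks shown, InResponseTo against a remembered one-shot request ID, Destination, RelayState, status, issuer, validity window and audience, are the ones an ACS performs before it trusts the NameID.

```python
import base64
import secrets
import urllib.parse
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed endpoints for this example (placeholders, not values from the guide).
SP_ENTITY_ID = "https://gateway.example.corp/sap/saml2/sp"
ACS_URL = "https://gateway.example.corp/sap/saml2/sp/acs/100"
IDP_SSO_URL = "https://adfs.example.corp/adfs/ls/"
IDP_ENTITY_ID = "http://adfs.example.corp/adfs/services/trust"

def ts(d):
    return d.strftime("%Y-%m-%dT%H:%M:%SZ")

def parse_ts(s):
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in s else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)

def build_redirect(requested_url, pending, now):
    """Step 2: the SP answers the resource request with a redirect to the IdP.
    HTTP-Redirect binding: raw DEFLATE, base64, URL-encode. RelayState carries the
    originally requested URL so the GET can be replayed after login; the request ID
    is remembered in `pending` so the Response can later be tied back to it."""
    req_id = "_" + secrets.token_hex(16)
    authn = (
        f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="{req_id}" Version="2.0" IssueInstant="{ts(now)}" Destination="{IDP_SSO_URL}" '
        f'AssertionConsumerServiceURL="{ACS_URL}" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>'
    )
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    deflated = comp.compress(authn.encode()) + comp.flush()
    pending[req_id] = (requested_url, now + timedelta(minutes=5))
    query = {"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": requested_url}
    return req_id, IDP_SSO_URL + "?" + urllib.parse.urlencode(query)

def decode_redirect(url):
    """IdP side of the binding (inverse of build_redirect); used to check the encoding."""
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    raw = base64.b64decode(qs["SAMLRequest"][0])
    return ET.fromstring(zlib.decompress(raw, -15)), qs["RelayState"][0]

def make_idp_response(in_response_to, name_id, now, audience=SP_ENTITY_ID):
    """Constructed, unsigned stand-in for the IdP's HTTP-POST Response (test data only)."""
    xml = (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="_{secrets.token_hex(8)}" Version="2.0" IssueInstant="{ts(now)}" '
        f'Destination="{ACS_URL}" InResponseTo="{in_response_to}">'
        f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
        f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
        f'<saml:Assertion ID="_{secrets.token_hex(8)}" Version="2.0" IssueInstant="{ts(now)}">'
        f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
        f'<saml:Subject><saml:NameID Format="{UNSPECIFIED}">{name_id}</saml:NameID></saml:Subject>'
        f'<saml:Conditions NotBefore="{ts(now - timedelta(minutes=1))}" '
        f'NotOnOrAfter="{ts(now + timedelta(minutes=5))}">'
        f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
        f'</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>'
    )
    return base64.b64encode(xml.encode()).decode()

def consume_response(saml_response_b64, relay_state, pending, now):
    """Steps 6 to 9: the ACS checks the POSTed Response and returns (NameID, format,
    URL to redirect the user to). Signature verification is out of scope here."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f'{{{NS["samlp"]}}}Response':
        raise ValueError("not a samlp:Response")
    if root.get("InResponseTo") not in pending:
        raise ValueError("unsolicited or replayed Response: unknown InResponseTo")
    requested_url, deadline = pending.pop(root.get("InResponseTo"))  # one-shot: no replay
    if now > deadline:
        raise ValueError("AuthnRequest expired before the Response arrived")
    if root.get("Destination") != ACS_URL:
        raise ValueError("Destination is not our ACS endpoint")
    if relay_state != requested_url:
        raise ValueError("RelayState does not match the pending request")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None or assertion.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("assertion missing or from an untrusted issuer")
    cond = assertion.find("saml:Conditions", NS)
    if not (parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion not addressed to this SP")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    return name_id.text, name_id.get("Format"), requested_url
```

The pending-request table is popped on first use, so a second POST of the same Response is rejected as a replay, and RelayState is compared with the URL stored at redirect time rather than trusted from the browser.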
Note: This document describes configuring the SAML HTTP POST binding. However, you can also configure the SAML Artifact binding. SAML Artifact handling is simpler because no CSRF token is involved, and therefore no handling of 403 Forbidden errors is required.
Before you start using SAML 2.0, we recommend installing the latest SAP Cryptographic Library (SAPCRYPTOLIB) to enable SSL and to provide signing and encryption functionality.
Note: Different versions of SAPCRYPTOLIB exist for different operating systems. When Gateway applications are accessed from a client browser, it is essential that SAML 2.0 authentication preserves the original HTTP GET method; thus the SAML 2.0 Artifact binding must be used instead of POST. ICM must be able to load the crypto functionality in order to establish the SSL connection for back-channel system-to-system communication with the IdP.
If you have the latest version of the kernel, you can skip importing the crypto library.
To check the installed version, in Transaction STRUST select Environment > Display SSF Version.
Note: If you are using Integrated Windows Authentication, skip this section.
To configure SSO for IIS, perform the following steps:
1. Navigate to Sites > Default Web Site > adfs, right-click ls and select Explore.
2. Open the web.config file in Notepad.
3. In localAuthenticationTypes, comment out the following lines:
    <add name="Integrated" page="auth/integrated/" />
    <add name="Forms" page="FormsSignIn.aspx" />
    <add name="TlsClient" page="auth/sslclient/" />
Note: By commenting out the above lines, the ADFS application will authenticate the login page before
8. Subsequently select Next to export the certificate.
3.2.8 Exporting the ADFS Server Metadata

From the ADFS server, you can export the metadata file used to build the trust with the relying party from the following URL: https://<hostname FQDN>/FederationMetadata/2007-06/FederationMetadata.xml
This section provides information on how to configure SAML 2.0 on SAP NetWeaver AS ABAP server.
3.3.1 Importing Certificates and Clearing Cache
Before you proceed to configure SAML 2.0 on the SAP NetWeaver AS ABAP server, import the downloaded IIS certificate and clear the cache by performing the following steps:
1. Import the ADFS IIS certificate into the SAP NetWeaver AS ABAP server. To import an IIS certificate, go to Transaction STRUST and select SSL Client SSL Client (Standard).
2. Once the certificates are imported, go to Transaction SMICM.
3. Select Administration > ICM > Exit Soft > Local.
3.3.2 Configuring SAML 2.0 for a Specific Client

To configure SAML 2.0 for a specific SAP NetWeaver AS ABAP client, perform the following steps:
1. Go to Transaction SAML2 and select Enable SAML 2.0 Support.
This section describes how to map a domain user to an ABAP user on the SAP NetWeaver AS ABAP server. We use the Unspecified Name ID format with the source "Mapping in USREXTID Table" (mapping in table view VUSREXTID).
5.1 Mapping Domain user to an ABAP user
To map a domain user to an ABAP user through Transaction SAML2, perform the following steps:
1. Select the Name ID Management tab and search for the ABAP user.
2. Select the NAME ID Format as Unspecified and select Go.
3. Under the list of Trusted Providers, select a Provider name.
4. Select Add to map Windows users to the SAP user.
Note: Be sure to check with your Exchange server administrator whether the user name is case sensitive (uppercase or lowercase).
5.2 Mapping Domain user to SAP NetWeaver AS ABAP user from a Table View
Alternatively, you can map the user from the table view in SAP NetWeaver AS ABAP. To do this, perform the following steps:
1. Go to Transaction SM30 and enter the table/view VUSREXTID.
2. Select Maintain.
3. In Determine Work Area pop-up, set External ID type to SA.
4. Select Continue.
You will find entries already present in the table. If entries are missing, you can add new ones by selecting New Entries.
5.3 User Mapping for the Same User

User mapping maps a user ID on the domain server to the user ID on the SAP NetWeaver AS ABAP server for the same user.
1. If the saml:Assertion/saml:Subject/saml:NameIdentifier element contains the SAP user ID, go to Transaction SA38.
2. On the Program Execution screen, enter RSUSREXTID in the Program field.
Using this program, you can create mappings for all users or for a subset of users. For more information, see
Note: You can get the Identity Provider name from SAML2 transaction screen.
Once you have mapped the user IDs, run a check by selecting Test Mode. After you have verified the user mapping entries in the table view for correctness, make sure to uncheck Test Mode.
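The mapping described in sections 5.1 to 5.3, as an added example that is not part of the original guide and is not SAP code: a Python model of the VUSREXTID lookup for external ID type SA with the Unspecified NameID format, including the case-sensitivity failure the note in 5.1 warns about, and a test-mode bulk generation in the spirit of what the guide describes for RSUSREXTID. The key layout (type, issuer, external ID) and the function names are assumptions of this example; the real view's key composition is not shown in the guide.

```python
from dataclasses import dataclass, field

UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
EXT_TYPE_SA = "SA"  # external ID type the guide uses for SAML mappings

@dataclass
class ExternalIdTable:
    """Stand-in for the VUSREXTID view. The key layout (type, issuer, external id)
    is an assumption of this example, not the real view's definition."""
    rows: dict = field(default_factory=dict)

    def add(self, issuer, ext_id, bname, ext_type=EXT_TYPE_SA):
        self.rows[(ext_type, issuer, ext_id)] = bname

    def lookup(self, issuer, ext_id, ext_type=EXT_TYPE_SA):
        return self.rows.get((ext_type, issuer, ext_id))

def resolve_abap_user(table, issuer, name_id, name_id_format):
    """SP-side step after the assertion has been accepted: translate the asserted
    NameID into the ABAP user (BNAME) that gets logged on. The match is exact and
    case-sensitive; a near miss is reported rather than silently mapped."""
    if name_id_format != UNSPECIFIED:
        raise LookupError(f"mapping is configured for the Unspecified format only, got {name_id_format}")
    bname = table.lookup(issuer, name_id)
    if bname is not None:
        return bname
    # Diagnose the failure the guide's note warns about: a row differing only in case.
    near = [e for (t, i, e) in table.rows
            if t == EXT_TYPE_SA and i == issuer and e.casefold() == name_id.casefold()]
    if near:
        raise LookupError(f"no exact row for {name_id!r}; {near!r} differ only in letter case, "
                          "align the domain's case convention with the table")
    raise LookupError(f"no {EXT_TYPE_SA} row for {name_id!r} from issuer {issuer}")

def generate_same_user_rows(table, issuer, abap_users, test_mode=True):
    """Same-user mapping: when the NameID carries the SAP user ID itself, one SA row
    per user is needed. With test_mode=True the rows are only reported, mirroring the
    Test Mode check the guide recommends before writing anything."""
    planned = [(issuer, u, u) for u in abap_users if table.lookup(issuer, u) is None]
    if not test_mode:
        for row_issuer, ext_id, bname in planned:
            table.add(row_issuer, ext_id, bname)
    return planned
```

Running the generation once in test mode, inspecting the planned rows, and only then running it with test_mode=False reproduces the check-then-uncheck sequence described in 5.3 for the real program.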
6. Troubleshooting

The following section provides information on how to troubleshoot issues encountered while configuring SAML 2.0.
To debug SAML at SAP NetWeaver AS ABAP, see the following links:
a. Troubleshooting SAML 2.0 Scenarios
b. Common Problems encountered when configuring SAML 2.0 for AS ABAP
c. Single Sign on With SAML 2.0
d. http://wiki.scn.sap.com/wiki/display/BSP/Using+Proxies
To debug the SAML flow, activate the service below at SAP NetWeaver AS ABAP. Refer to the link Diagnosing SAML 2.0 Problems with the Security Diagnostic Tool for ABAP, and also ensure that the SEC_DIAG_TOOL_VIEWER role is assigned to your user so that you can view traces at the following link:
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE. The information contained herein may be changed without prior notice.
Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary.
These materials are provided by SAP SE and its affiliated companies ("SAP SE Group") for informational purposes only, without representation or warranty of any kind, and SAP SE Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
SAP SE and other SAP SE products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE in Germany and other countries.