Skip to Content
Author's profile photo Nico Luhr

SAML Webservice Authentication in Portal 7.3

System Landscape

SAP Netweaver Portal 7.3 SPS 7

SAP HR 604  SP 0061

EA HR 605 SP 0038

General Recommendations

SAML requires Single Sign On with a 2048 Bit certificate.

Enable trust between Backend and Portal using 2048 bit certs

Logon to http://host:port/nwa

Navigate to Configuration > Security > Certificates and Keys > Ticket Keystore

Delete entry SAPLogonTicketKeypair and SAPLogonTicketKeypair-cert

Click on Create to create a new SAPLogonTicketKeypair:

create LogonTicketKeyPair1.png

In the popup name the new entry SAPLogonTicketKeypair, be sure that the algorithm is DSA and the checkbox Store Certificate is checked

create LogonTicketKeyPair2.png

In the next step fill the form according to your company needs and click Finish:

create LogonTicketKeyPair3.png

Now export the newly created TicketKeypair and import it to your backend system (according to the release you have to import in client 000 or the production client (check for messages when opening TA strustsso2))

Also do this the other way round:

Export the backend certificate and import it into your portal.

Preparing the backend for SAML Authentication

In your backend system you have to run the report WSS_SETUP

Go to transaction SA38 and run WSS_SETUP, the program creates a user DELAY_LOGON, this user is used for any Webservice using Message Based Authentication for example SAML Authentication. The ICF Framework cannot acces SOAP Messages, that’s why you first get logged in with the Delay Logon user and afterwards it switches to the user maintained in table USREXTID.

Maintain users for table usrextid:

Goto transaction SM30 and maintain table rsusrextid:



Add new entries:


The external ID has to be set as follows Issuer:ExtUserID, in the field user the mapped backend user has to be maintained.

Sample Entry in Table usrextid

the following Screenshot shows a sample entry of the user mapping table usrextid


Set the SAML Issuer

Logon to http://host:port/nwa

Navigate to Configuration > Security > Trusted Systems > Web Service Security SAML > Local SAML Attesters


Confifure the Services

In the backend system call Transaction soamanager to maintain your webservice, you have to select the checkbox single sign on with saml


On the portal side we implemented consumer proxies to consume the webservices provided by the backend system. To maintain the consumer proxis logon to http://host:port/nwa and navigate to SOA > Application and Scenario Communication > Single Service Administration > Consumer Proxies


Assigned Tags

      Be the first to leave a comment
      You must be Logged on to comment or reply to a post.