SAML 2.0 SSO for SAPGui windows
This scenario is based on logon tickets, which are no longer recommended: http://service.sap.com/sap/support/notes/2117110
– SAP Moderator
You want to enable SAML Single Sign-On for SAPGui for Windows.
You have these components in place: an IdP, SAPGui for Windows, Internet Explorer and SAP NetWeaver AS ABAP 7.02 or higher.
SAPGui does not offer native support for SAML. To make this work, we combine the legacy support feature of the ABAP SAML service provider (which issues a logon ticket after a successful SAML authentication) with SAPGui shortcut SSO, which accepts that MYSAPSSO2 logon ticket from a shortcut file.
- Enable SAML authentication on the ABAP system using transaction SAML2 and exchange metadata with your IdP.
The important setting in this case is to set “Legacy Systems Support (Issue Logon Ticket)” to “On” in the SAML Local Provider Configuration; without it, no MYSAPSSO2 cookie is issued after the SAML logon.
- Build a BSP application that completes the SAML SSO with the IdP. This BSP application takes the MYSAPSSO2 cookie from the browser and puts it into a SAPGui shortcut. More information on SAPGui shortcut SSO can be found in the SAP Library topic “Single Sign-On for SAP Shortcuts” (User Authentication and Single Sign-On).
- Start page launchGui.htm: grabs the cookie and navigates to the BSP page that creates the shortcut file.
(source code attached in launchGui.txt.zip)
- Page createSapGuiShortcut.htm: parses the cookie and creates a SAPGui shortcut file containing the MYSAPSSO2 logon ticket.
(source code attached in createSapGuiShortcut_OnRequest.txt.zip)
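The cookie-to-shortcut step that createSapGuiShortcut.htm performs, as an added Python example that is not the attached BSP code: it extracts the MYSAPSSO2 ticket from a raw Cookie header and produces the shortcut file text. The at="MYSAPSSO2=<ticket>" key in the [User] section is the form SAP documents for shortcut SSO with logon tickets; the system, client, user and transaction values are placeholders.

```python
"""Constructed example: MYSAPSSO2 cookie -> SAPGui shortcut (.sap) content.
System name, client and user below are placeholders, not values from the post.
"""
from http.cookies import SimpleCookie
from typing import Optional


def extract_logon_ticket(cookie_header: str) -> Optional[str]:
    """Return the MYSAPSSO2 logon ticket from a raw Cookie header, or None.

    The ticket is base64-like and may contain '=' padding, '/' and '!',
    so the header is parsed with a real cookie parser instead of a naive
    split on '='. None means the SAML logon produced no logon ticket
    (typically Legacy Systems Support is still Off).
    """
    jar = SimpleCookie()
    jar.load(cookie_header)
    if "MYSAPSSO2" not in jar:
        return None
    return jar["MYSAPSSO2"].value


def build_shortcut(ticket: str, system: str, client: str, user: str,
                   transaction: str = "SESSION_MANAGER",
                   language: str = "EN") -> str:
    """Build the shortcut file text.

    at="MYSAPSSO2=<ticket>" in [User] is the documented shortcut SSO form;
    the other sections follow the standard SAP shortcut layout.
    """
    lines = [
        "[System]",
        f"Name={system}",
        f"Client={client}",
        "[User]",
        f"Name={user}",
        f"Language={language}",
        f'at="MYSAPSSO2={ticket}"',   # the logon ticket, a bearer credential
        "[Function]",
        f"Command={transaction}",
        "Type=Transaction",
        "[Options]",
        "Reuse=1",                    # reuse an already running SAPGui session
    ]
    return "\r\n".join(lines) + "\r\n"
```

The ticket stays valid until its expiry wherever the file ends up, so the shortcut file should be handled like a password file and deleted once SAPGui has started.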
Enter this BSP application as the “Default Application Path” of the “Assertion Consumer Service” setting of the SAML service provider.
Now start an IdP-initiated request. After successful authentication against the IdP, the BSP application takes the MYSAPSSO2 cookie from the browser session and puts it into the SAP shortcut file. Opening the SAP shortcut file initiates a SAP logon ticket SSO into SAPGui. Depending on a registry setting in Windows, the user either gets a popup asking to open the shortcut file or SAPGui starts immediately. More details about this setting and how to influence it can be found in SAP note http://service.sap.com/sap/support/notes/604324.
In a typical scenario, the user names of the ABAP system will not be identical to the ones on the IdP. To handle this, you can use the user mapping described in the SAP Library topic “Mapping SAML Principals to AS ABAP User IDs” (User Authentication and Single Sign-On).
To enable this mapping, set “Supported NameID Formats” in the trusted provider in the SAML configuration to “unspecified”, and then in the details of “NameID Format” specify the source “Mapping in USREXTID table”. Then go to “Name ID Management”, select the user you want to map, select the Name ID Format “Unspecified” and add the user there. This generates an entry in the table VUSREXTID. Alternatively, you can populate that table directly as described in note http://service.sap.com/sap/support/notes/1362866.