
Scenario

You want to enable SAML Single Sign On for SAPGui windows.

You have these components in place: IdP, SAPGui windows, Internet Explorer and SAP NetWeaver AS ABAP 7.02 or higher.

SAPGui does not offer native support for SAML. To make this happen, we combine the legacy support feature of the ABAP SAML service provider with the SAPGui shortcut SSO using the MYSAPSSO2 cookie.


Solution components

  1. Enable SAML authentication on the ABAP system using transaction SAML2 and exchanging the metadata with your IdP.
    http://help.sap.com/saphelp_nw70ehp2/helpdata/en/4a/b6df333fec6d83e10000000a42189c/content.htm
    The important setting in this case is to set “Legacy Systems Support (Issue Logon Ticket)” to “On” in the SAML Local Provider Configuration.

  2. Build a BSP application that will establish the SAML SSO with the IdP. This BSP application takes the cookie from the browser and puts it in a SAPGui shortcut. More information about SAPGui shortcut SSO can be found in the SAP Library section “Single Sign-On for SAP Shortcuts – User Authentication and Single Sign-On”.

BSP application:

    • Start page launchGui.htm: grabs the cookie and navigates to the BSP page creating the shortcut file.


(source code attached in launchGui.txt.zip)

    • Page createSapGuiShortcut.htm parses the cookie and creates a SAPGui shortcut file containing the MYSAPSSO2 logon ticket.


(source code attached in createSapGuiShortcut_OnRequest.txt.zip )

Put this BSP application in the “Default Application Path” of the “Assertion Consumer Service” setting of the SAML Service provider.


Now start an IdP-initiated request. After successful authentication against the IdP, the BSP application takes the MYSAPSSO2 cookie from the browser session and puts it in the SAP shortcut file. Opening the SAP shortcut file initiates a logon ticket SSO to SAPGui. Depending on a registry setting in Windows, the user will either get a popup to open the shortcut file or the SAPGui will start immediately. More details about this setting and how to influence it can be found in this SAP note: http://service.sap.com/sap/support/notes/604324.
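The shortcut file the BSP page hands to the browser, as an added Python example that is not part of the post: it writes the same [System]/[User]/[Function]/[Options] sections with CRLF line endings, parses them back so an administrator can check what a generated file actually carries, and rejects ticket values that would break the quoted at= line. The ticket value is a constructed placeholder, not a real MYSAPSSO2 ticket.

```python
import re

CRLF = "\r\n"
SAMPLE_TICKET = "PLACEHOLDER-MYSAPSSO2-TICKET-VALUE"  # constructed, not a real ticket

def ticket_is_well_formed(ticket: str) -> bool:
    """The ticket is embedded as at="MYSAPSSO2=<ticket>", so quotes, whitespace or
    line breaks inside it would corrupt the INI layout SAP GUI parses."""
    return bool(ticket) and re.search(r'["\s]', ticket) is None

def build_sap_shortcut(sysid: str, client: str, user: str, ticket: str,
                       command: str = "SMEN", reuse: int = 0) -> str:
    """Return the text of a SAP GUI shortcut that logs on with a logon ticket.
    Same sections and CRLF line endings as the BSP page described in the post."""
    if not ticket_is_well_formed(ticket):
        raise ValueError("logon ticket must be a single unquoted token")
    if not re.fullmatch(r"[0-9]{3}", client):
        raise ValueError("ABAP client must be a three-digit string")
    lines = [
        "[System]", f"Name={sysid}", f"Client={client}",
        "[User]", f"Name={user}", f'at="MYSAPSSO2={ticket}"',
        "[Function]", f"Command={command}",
        "[Options]", f"Reuse={reuse}",
    ]
    return CRLF.join(lines) + CRLF

def parse_sap_shortcut(text: str) -> dict[str, dict[str, str]]:
    """Parse shortcut text into {section: {key: value}}, stripping value quotes."""
    sections: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip().strip('"')
    return sections

def uses_logon_ticket(text: str) -> bool:
    """True when [User] authenticates with a MYSAPSSO2 ticket and carries no password."""
    user = parse_sap_shortcut(text).get("User", {})
    return user.get("at", "").startswith("MYSAPSSO2=") and "Password" not in user

if __name__ == "__main__":
    print(build_sap_shortcut("ECD", "100", "JDOE", SAMPLE_TICKET), end="")
```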

User mapping

In a typical scenario, the user names of the ABAP system will not be identical to the ones on the IdP. To handle this, you can use the user mapping described in the SAP Library section “Mapping SAML Principals to AS ABAP User IDs – User Authentication and Single Sign-On”.

To enable this mapping, set the “Supported NameID Formats” in the trusted provider in the SAML configuration to “unspecified” and then, in the details of “NameID Format”, specify the source “Mapping in USREXTID table”. Then go to “Name ID Management”, select the user you want to map, select the Name ID Format “Unspecified” and add the user there. This will generate an entry in the table VUSREXTID. Alternatively, you can also populate that table directly as described in note http://service.sap.com/sap/support/notes/1362866


14 Comments


  1. Vikas Bansal

    Hi Koen,

    We are implementing your scenario.  We have a non-sap vendor Identity Provider and that is connecting to our ABAP system which has been configured as you specified to act as a Service Provider.  Then on the ABAP system, we deployed the BSP application with the source code you had provided.  Now, when we enter the bsp application URL via the internet explorer browser, we see that it is redirecting to the identity provider where we provide our user credentials, then it comes back to our ABAP system domain and immediately we get the pop-up to launch the SAPgui shortcut.  When we open the shortcut, instead of automatically logging us into the system, we are having to type in our ABAP user ID and password.  Can you let us know what we might be missing?  Here is a workflow of what we are doing with screenshots:

    1) Initiate test by entering to URL of BSP application in browser:


    2) URL is directed to Identity provider domain for authentication where we enter AD user credentials of the Identity provider:

    3) After Identity provider authenticates, URL is now redirected back to Service Provider domain and BSP application is launched, which creates the sapgui shortcut pop-up:


    4) After opening the pop-up, get this prompt and say allow:


    5) Then, here is where we have the issue.  Instead of automatically logging into the SAP ABAP System, it is prompting for our ABAP User that is defined through SU01 (we have kept it same as Identity Provider AD account user).  So, I am forced to enter the abap user password:


    6) After entering the password, it asks for it another time.  Not sure why this is happening either.  Please advise on this as well:


    7) After entering it, now it finally logs into the system. Can you please advise where we are missing something?  Why does it prompt for ABAP user password?


    8) I have attached screenshots of how we defined the BSP application via SE80 as per downloading your source code:


    Does this mean SAML is not working?  Or is it a problem with the BSP application that you have given us?  Thanks for any feedback or help!

    1. Koen Van Loocke Post author

      Hi Vikas,

      most probably the issue is that you do not have a mySAPSSO2 logon cookie.

      check these settings:

      1. The parameters as described here: Activating HTTP Security Session Management on AS ABAP – User Authentication and Single Sign-On – SAP Library
      2. on the ABAP system in transaction strustsso2, make sure that your system is added to the ACL for logon ticket.
      3. In the configuration of the SP (transaction SAML2), make sure the flag “Legacy Systems support” is set to “on”

      hope it helps

      Koen

      1. Vikas Bansal

        Hi Koen,

        Yes, I suspect the mySAPSSO2 cookie being an issue as well, but I have already done all the settings you had mentioned and still SSO doesn’t seem to work.

        1. Here are our http security session settings which show it is active.  Parameters are correct as well as per Activating HTTP Security Session Management on AS ABAP – User Authentication and Single Sign-On – SAP Library


        2.  In strustsso2, the SSF SAML2 Service Provider – E and SSF SAML2 Service Provider – S both have the ABAP system (ECD) defined in the ACL.


        3.  The SAML2 config settings for the service provider have already been turned on for legacy support so that it can issue logon tickets:


        As you can see all our settings match with the requirements of an SSO setup, yet still having issues.  Can you please advise?  Thanks!

        1. Koen Van Loocke Post author

          Hi Vikas,

          all settings seem to be correct.

          can you test whether you get the SSO ticket when you execute the function module CREATE_RFC_REENTRANCE_TICKET in SE37?

          koen

  2. Wenscelao Lacaze

    Hi,
    I'm implementing SSO with Google for Work. The SAML part is working well; I tried to implement the solution that you propose in your blog but it is not working.
    The system doesn't take the cookie from the launchgui.htm to the createsapguishortcut page; I see the MYSAPSSO2 cookie on the launchgui.htm.
    Do you have any advice?
    thanks

  3. Diego I. Yaryura

    Hi all,

    I had the same issue with the cookie not being passed to the shortcut. Instead of getting the cookie from the browser I used the FM CREATE_RFC_REENTRANCE_TICKET mentioned by Koen to get the MYSAPSSO2 token directly from the ABAP application into the var “mysapsso2” and it worked for me.
    Wondering if this is working only in my scenario due to some config or it also works for you…

    Thanks
    Diego I. Yaryura

    1. Koen Van Loocke Post author

      Hi Diego,

      thanks for the response. That is actually how I have implemented it now too. Getting the cookie from the browser is often problematic, since reading the cookie from the browser is typically blocked for security reasons.

      koen

    1. Koen Van Loocke Post author

      sure,

      put this code in the onCreate event of the bsp page.

        DATA:
          shortcut_file    TYPE string,
          x_shortcut_file  TYPE xstring,
          mysapsso2_cookie TYPE string,
          exceptioncx_bcs  TYPE REF TO cx_bcs.

        " Ask the kernel for a logon ticket (MYSAPSSO2) for the user of the current
        " SAML-authenticated session. Needs "Legacy Systems Support" = On in SAML2
        " and the system in the STRUSTSSO2 logon ticket ACL.
        CALL FUNCTION 'CREATE_RFC_REENTRANCE_TICKET'
          IMPORTING
            ticket                 = mysapsso2_cookie
          EXCEPTIONS
            ticket_logon_disabled  = 1
            ticket_creation_failed = 2
            kernel_too_old         = 3
            OTHERS                 = 4.
        IF sy-subrc <> 0 OR mysapsso2_cookie IS INITIAL.
          " Without a ticket the shortcut would only prompt for a password, so stop here.
          RETURN.
        ENDIF.

        " Build the SAP GUI shortcut file: CRLF-terminated INI sections, the ticket
        " goes into the quoted at= value of the [User] section.
        CONCATENATE               '[System]'                             cl_abap_char_utilities=>cr_lf INTO shortcut_file. "#EC NOTEXT
        CONCATENATE shortcut_file 'Name='          sy-sysid              cl_abap_char_utilities=>cr_lf INTO shortcut_file. "#EC NOTEXT
        CONCATENATE shortcut_file 'Client='        sy-mandt              cl_abap_char_utilities=>cr_lf INTO shortcut_file. "#EC NOTEXT
        CONCATENATE shortcut_file '[User]'                               cl_abap_char_utilities=>cr_lf INTO shortcut_file. "#EC NOTEXT
        CONCATENATE shortcut_file 'Name='          sy-uname              cl_abap_char_utilities=>cr_lf INTO shortcut_file. "#EC NOTEXT
        CONCATENATE shortcut_file 'at="MYSAPSSO2=' mysapsso2_cookie  '"' cl_abap_char_utilities=>cr_lf INTO shortcut_file. "#EC NOTEXT
        CONCATENATE shortcut_file '[Function]'                           cl_abap_char_utilities=>cr_lf INTO shortcut_file. "#EC NOTEXT
        CONCATENATE shortcut_file 'Command=SMEN'                         cl_abap_char_utilities=>cr_lf INTO shortcut_file. "#EC NOTEXT
        CONCATENATE shortcut_file '[Options]'                            cl_abap_char_utilities=>cr_lf INTO shortcut_file. "#EC NOTEXT
        CONCATENATE shortcut_file 'Reuse=0'                              cl_abap_char_utilities=>cr_lf INTO shortcut_file. "#EC NOTEXT

        " Convert to a byte string for the download; fail silently if conversion fails.
        TRY.
            x_shortcut_file = cl_bcs_convert=>string_to_xstring( iv_string = shortcut_file ).
          CATCH cx_bcs INTO exceptioncx_bcs.
            " Shortcut file creation failed while converting to xstring.
            RETURN.
        ENDTRY.

        " Send the file to the browser; the content type makes Windows open it with SAP GUI.
        cl_bsp_utility=>download(
            object_s     = x_shortcut_file
            content_type = 'application/x-sapshortcut'
            response     = runtime->server->response
            navigation   = _m_navigation ).


  4. Deb Nugent

    Koen Van Loocke,

    The code attachments for the BSP application appear to still be missing. Would it be possible to re-attach them or provide a way for us to see them?

    We are trying to enable SAML2 authentication for use with the SAPGui for accessing the ABAP systems and this blog appears to be exactly what we need.

    Any assistance would be greatly appreciated.

    Thank-you in advance,

    Deb Nugent.


  5. Ronnie Lau

    Koen Van Loocke,


    We are trying to install the BSP application. Would you mind letting us know where I can download the source zip files?

    Thanks

    Ronnie Lau

