Configure SAML for SAP AS Abap with multiple end points
If you have multiple end points i.e more than one ABAP application server in your environment, you will come across below error when you configure ICF services for SAML authentication.
Error
No RelayState mapping found for RelayState value
We resolved this issue by using a F5 load balancer
High level steps
1. Create a SSL server standard PSE in strustsso2.
2. Use a system wide DN instead of using instance-specific DN because we don’t want to hit these application servers directly but want to reach them via load balancer
3. Create a certificate request.in AS Abap and get it signed by any trusted CA.
4. Import the certificate response in AS Abap.
5. Import the key file (private key) and certificate in load balancer.
6. Test the SSL connection with load balancer
7. Setup SAML in AS Abap,
8. Make sure Metadata.xml to be imported in ADFS is generated using load balancer URL. This will enable single end point for all the requests.
Hi Ujval,
Can you please explain a little bit about point 2 - "Use a system wide DN instead of using instance specific DN"
We are using load balancer from netscaler. Do we need to put the load balancer url in system wide DN?
Thanks,
Abhi Thandra.
I have a similar situation. I have configured SAML SSO with AS ABAP, downloaded the XML from the WD URL, but the SSO only works when it hits a particular application server, it doesn't work for the other 2. Do I need some relay states here? I'm also guessing no as I have set up SP initiated SSO,
Should the end points be downloaded in the XML from SAML2? I'm thinking yes, but not entirely sure as they don't appear in the XML itself, anyone any ideas?
Michael Healey did you ever have any luck with this using F5 or without F5 with multiple end points? I am in the same situation where i have multiple servers.
Are there instructions i could get for using F5? Ujval Razdan
My issue was that the SAML priority had to be increased on the list to a higher priority. Didn’t use f5 sorry.