Gov Totawar

WS_AAE Adapter – SAML

In this blog we will see how to configure the WS_AAE adapter (sender side) for SAML.

The WS_AAE adapter supports SAML 1.1 with the Sender Vouches confirmation method.

For more information, refer to the links below to get your head around SAML (old, but good):

http://www.sdn.sap.com/irj/sdn/go/portal/prtroot/com.sap.nw.wpc.runtime.docs/media/streamingmedia/events/teched/sap-tech…

Single Sign on for Web Services – Security and Identity Management – SCN Wiki

There are three role players in a Web Services SSO with SAML scenario:

  • WS Consumer – authenticates the user at the token issuer (STS) and requests a SAML token using the WS-Trust protocol. It then uses its own private key to create a signature over the SAML token and the message body.
  • STS (Token Issuer) – authenticates the user and issues a SAML token to the WS Consumer in the WS-Trust response.
  • WS Provider – verifies the signature to confirm the WS Consumer's identity and compares the identity information in the SAML token with that of the WS Consumer's public-key certificate. With sender-vouches the provider trusts the consumer to vouch for the user, so the signing certificate must be one the provider explicitly trusts, and the signature must cover both the token and the body; otherwise the token could be detached and reused with a different body.

Figure: Sender Vouches

Source: SIM 207 (link)

In this scenario we configure SoapUI to play the WS Consumer and STS roles, and SAP PO plays the WS Provider role.

Figure: Scenario

https://www.soapui.org/soapui-projects/ws-security.html#3-Outgoing-WS-Security-configurations

Follow the steps below to establish a trust relationship between the WS Consumer (SoapUI) and the WS Provider (PO):

  • Generate a key pair for SoapUI (SoapUI uses the JKS keystore format; any key generation tool will do, e.g. KeyStore Explorer)
  • Export the public-key certificate
  • Import the public-key certificate into NWA – Configuration – Certificates and Keys – WebServiceSecurity (Key Storage view). This is the keystore the sender channel consults to decide which signers it trusts; the private key stays in SoapUI and is only used to sign.

Setting up SoapUI to generate the SAML token (STS role) and sign the SAML token and message (WS Consumer role)

  • Create a SoapUI project
  • Create a WS-Security configuration
    • Select your project, right-click, and choose "Show Project View" from the context menu
    • Select the "WS-Security Configurations" tab
      • Import the keystore (.jks) file containing the key pair (you need to enter the keystore password).

      Figure: Keystore-soapui

      • Select the "Outgoing WS-Security Configurations" tab and click "+"

      Figure: Outgoing WS-Configuration

      • Enter a unique name

      Figure: Outgoing WS Config Name

      Figure: Outgoing WS Config Name2

      • Click "+" and add the following sequence of configuration entries, in this order, so that the signature entry comes last and covers the timestamp and the SAML token:

        1. Timestamp (optional)
        2. SAML
        3. Signature

      Figures: Timestamp, SAML, Signature

      • Configure authorization for the project (select the outgoing WS-Security configuration as "Outgoing WSS" in the request's Auth tab)

      Figures: Auth, Auth2, Auth3

      Done with the SoapUI configuration.

  • Create a PO scenario with WS_AAE sender adapter
      • Configure sender communication channel

      Figure: sender communication channel

      Figure: WS_AAE2

Once you are done with the ICO configuration, you are ready to test.

Endpoint for SoapUI: https://<host name>:<port>/WSAdapter/<Custom Endpoint Address>

Use the HTTPS port: the sender channel rejects a message that does not arrive over a secure channel. The custom endpoint address is entered in the channel without a leading "/" (for example testwrms, not /testwrms).
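To make the role model above and the SoapUI Timestamp → SAML → Signature sequence concrete, here is an added example (not code from the blog, SoapUI or SAP PO) that builds the sender-vouches envelope the consumer sends and then applies the checks the provider side must make before it logs the request in as the token's subject. It uses only the Python standard library; the function names, the user "soapuiuser", the issuer "soapui-sts" and the certificate string are all constructed for the example, and DigestValue/SignatureValue are placeholders, so the cryptographic XML-Signature verification itself is assumed to be done by a real WSS stack. What the code does check is the part people get wrong: that the signature covers both the Body and the assertion (a SAML 1.1 assertion has no wsu:Id, so it is referenced through a SecurityTokenReference with the STR-Transform), that the signer is a certificate in the trusted keystore, that the message came over TLS, and that the subject maps to a known user.

```python
"""SAML 1.1 sender-vouches over WS-Security: the envelope the WS Consumer (SoapUI)
sends and the checks the WS Provider (the WS_AAE sender channel) applies. Added
example for this page, not code from the blog, SoapUI or SAP PO. Standard library
only; DigestValue/SignatureValue are placeholders (a real WSS stack computes them)."""
import datetime as dt
import uuid
import xml.etree.ElementTree as ET

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"
SAML_ID = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID"
STR_TRANSFORM = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform"
WSU_ID, STR_TAG = f"{{{NS['wsu']}}}Id", f"{{{NS['wsse']}}}SecurityTokenReference"
FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_envelope(user, issuer, signer_cert_b64, body_xml, now=None, ttl=300, sign_assertion=True):
    """Consumer side: what SoapUI's Timestamp -> SAML -> Signature steps emit. A SAML 1.1
    assertion has no wsu:Id, so it is signed via a SecurityTokenReference + STR-Transform.
    sign_assertion=False omits that reference: the flaw the provider must reject."""
    now = now or dt.datetime.now(dt.timezone.utc)
    created, expires = now.strftime(FMT), (now + dt.timedelta(seconds=ttl)).strftime(FMT)
    aid = "_" + uuid.uuid4().hex  # constructed assertion ID

    def ref(uri, transforms=""):
        return (f'<ds:Reference URI="{uri}">{transforms}<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>'
                '<ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>')
    saml_ref = ref("#str-saml", f'<ds:Transforms><ds:Transform Algorithm="{STR_TRANSFORM}"/></ds:Transforms>') if sign_assertion else ""
    return f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}">
<soap:Header><wsse:Security soap:mustUnderstand="1">
<wsu:Timestamp wsu:Id="ts"><wsu:Created>{created}</wsu:Created><wsu:Expires>{expires}</wsu:Expires></wsu:Timestamp>
<wsse:BinarySecurityToken wsu:Id="cert">{signer_cert_b64}</wsse:BinarySecurityToken>
<saml:Assertion xmlns:saml="{NS['saml']}" AssertionID="{aid}" MajorVersion="1" MinorVersion="1" Issuer="{issuer}" IssueInstant="{created}">
<saml:Conditions NotBefore="{created}" NotOnOrAfter="{expires}"/>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="{created}">
<saml:Subject><saml:NameIdentifier>{user}</saml:NameIdentifier>
<saml:SubjectConfirmation><saml:ConfirmationMethod>{SENDER_VOUCHES}</saml:ConfirmationMethod></saml:SubjectConfirmation>
</saml:Subject></saml:AuthenticationStatement></saml:Assertion>
<wsse:SecurityTokenReference wsu:Id="str-saml"><wsse:KeyIdentifier ValueType="{SAML_ID}">{aid}</wsse:KeyIdentifier></wsse:SecurityTokenReference>
<ds:Signature xmlns:ds="{NS['ds']}"><ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
{ref('#ts')}{ref('#body')}{saml_ref}
</ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
<ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#cert"/></wsse:SecurityTokenReference></ds:KeyInfo>
</ds:Signature></wsse:Security></soap:Header>
<soap:Body wsu:Id="body">{body_xml}</soap:Body></soap:Envelope>"""


def _utc(s):
    return dt.datetime.strptime(s, FMT).replace(tzinfo=dt.timezone.utc)


def provider_checks(envelope_xml, trusted_certs, known_users, via_https, now=None):
    """Provider side. trusted_certs models the NWA WebServiceSecurity keystore view,
    known_users the provider's user store. Returns policy failures; [] means accept."""
    now = now or dt.datetime.now(dt.timezone.utc)
    failures = [] if via_https else ["Message was not received via secure channel"]
    root = ET.fromstring(envelope_xml)
    ids = {el.get(WSU_ID): el for el in root.iter() if el.get(WSU_ID)}
    assertion, sig = root.find(".//saml:Assertion", NS), root.find(".//ds:Signature", NS)
    if assertion is None or sig is None:
        return failures + ["missing SAML assertion or signature"]
    # 1. Confirmation method and validity window of the assertion.
    if assertion.findtext(".//saml:ConfirmationMethod", default="", namespaces=NS) != SENDER_VOUCHES:
        failures.append("confirmation method is not sender-vouches")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (_utc(cond.get("NotBefore")) <= now < _utc(cond.get("NotOnOrAfter"))):
        failures.append("assertion outside its validity window")
    # 2. Timestamp freshness (replay window).
    expires = root.findtext(".//wsu:Timestamp/wsu:Expires", namespaces=NS)
    if expires is None or _utc(expires) <= now:
        failures.append("timestamp missing or expired")
    # 3. What the signature covers: resolve each ds:Reference URI, following a
    #    SecurityTokenReference/KeyIdentifier to the assertion it designates.
    signed = set()
    for r in sig.findall("ds:SignedInfo/ds:Reference", NS):
        target = ids.get(r.get("URI", "")[1:])
        if target is not None and target.tag == STR_TAG:
            kid = target.findtext("wsse:KeyIdentifier", default="", namespaces=NS)
            target = assertion if assertion.get("AssertionID") == kid else None
        if target is not None:
            signed.add(id(target))
    if id(root.find("soap:Body", NS)) not in signed:
        failures.append("Body is not covered by the signature")
    if id(assertion) not in signed:
        failures.append("assertion is not covered by the signature (subject could be swapped)")
    # 4. The signing certificate must be one imported into WebServiceSecurity.
    cert_ref = sig.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
    cert = ids.get(cert_ref.get("URI", "")[1:]) if cert_ref is not None else None
    if cert is None or (cert.text or "").strip() not in trusted_certs:
        failures.append("signer certificate not trusted (import it into WebServiceSecurity)")
    # 5. The vouched-for subject must map to a provider user.
    user = assertion.findtext(".//saml:NameIdentifier", default="", namespaces=NS)
    if user not in known_users:
        failures.append(f"no provider user for subject {user!r}")
    return failures
```

Calling `provider_checks(build_envelope("soapuiuser", "soapui-sts", cert, "<ping/>"), {cert}, {"soapuiuser"}, via_https=True)` returns an empty list; the same envelope sent over plain HTTP, or signed by a certificate that was never imported into WebServiceSecurity, is refused, and an envelope built with `sign_assertion=False` is refused because the assertion is not bound to the message. That last case is the reason the SoapUI entries are ordered Timestamp, SAML, Signature: the signature entry must come after the SAML entry so that it can cover the token.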


Configuring the Sender WS Adapter – Advanced Adapter Engine – SAP Library


Comments

Former Member

      Revelatory and very informative blog 🙂

Emre Torun

      Nice blog, it's good to know that PI supports SAML for integrations.

Sunil Chandra

      Very detailed and well explained! Thanks for sharing.

Raj Kumar

Hi Gov,

I followed your document, but while testing in SoapUI I am getting the error "No Service Found".

Please help.

(screenshots: error in WSRm.PNG, wsrm error 2.PNG)

Gov Totawar (Blog Post Author)

Hi Raj,

Did you configure "<Custom Endpoint Address>" in the sender adapter?

      Check section "Configure sender communication channel" in the blog.

Raj Kumar

Hi Gov,

Yes, I did put the custom endpoint in the sender adapter.

I tried removing the "/" from the endpoint also, but still the same response.

(screenshot: custom endpoint.PNG)

Gov Totawar (Blog Post Author)

Sorry, apologies: you need to remove the "/" (I have updated the blog). It should be "testwrms" and not "/testwrms".

Your endpoint in SoapUI should be:

      http://<host name>:<port>/WSAdapter/testwrms

Raj Kumar

Hi,

I did the same, and now the error is:

(screenshot: error in soap.PNG)

Gov Totawar (Blog Post Author)

Did you import the SoapUI public key (used for signing the message) into the NWA keystore?

Are you referencing the keystore in the sender adapter's "Web Service Security" tab?

(screenshot: 2016-06-09_09-59-46_@.png)

Raj Kumar

I just browsed and got the option of selecting the above value. I imported the keystore in the SoapUI project.

(screenshots: keystore certificate.PNG, values.PNG, sender adapter configuration.PNG)

Raj Kumar

Hi,

Are you saying that I need to import the generated certificate into NWA under Trusted CAs, as I have not imported it?

Thanks & Regards,

      Raj Kumar

Gov Totawar (Blog Post Author)

Hi,

You need to import the generated public key into the WebServiceSecurity keystore.

The private key is used to sign the message.

The public key is used to verify the signature.

Raj Kumar

Hi,

Did the same, imported the keystore into WebServiceSecurity.

Now getting the faultstring: Message was not received via secure channel.

(screenshot: soap message.PNG)

Am I missing something?

Gov Totawar (Blog Post Author)

Please change the endpoint to https.

Raj Kumar

I could not get you. Are you talking about the URL as https?

Gov Totawar (Blog Post Author)

Yes.

Raj Kumar

Did. See the response.

(screenshots: soap response.PNG, browser response.PNG)

Gov Totawar (Blog Post Author)

      It is due to the fact that you are talking to an HTTP server, not an HTTPS server. Probably you didn't use the correct port number for HTTPS.

Juan Vasquez

Hello Raj,

I have this error right now:

<soap:Fault>
<faultcode>soap:Client</faultcode>
<faultstring>An error was discovered processing the <wsse:Security> header.</faultstring>
</soap:Fault>

Could you please help me? How did you solve this issue?

Regards,

Juan

Pavan kumar

Hi Gov,

Excellent blog on the interesting topic of how to use SAML in SAP PO/AEX. Expecting more blogs from you, and I can proudly say I learnt a new topic after reading your blog.

Keep blogging. Good luck.

      Cheers

      Pawan

Leonardo Rodrigues Lemos

I'm trying to follow this procedure, but I'm getting the following error message: "Certificate validation failed: Path does not chain with any of the trust anchors".
Could you further detail the certificate settings within SAP PI?
I put the public key of the certificate used in SoapUI inside Certificates and Keys: Key Storage ("Trusted CAs" and "WebServiceSecurity").
Is it necessary to do some configuration in Trusted Systems: SAML Web Services Security?

Some links referenced in the blog are broken.

Leonardo Rodrigues Lemos

I solved it. You need to add the root and the sender certificate in web service security.

Leonardo Rodrigues Lemos

Now, my problem is propagating the principal to the RFC receiver.

Error: MP: exception caught with cause com.sap.engine.interfaces.messaging.api.exception.MessagingException: com.sap.aii.adapter.rfc.afcommunication.RfcAFWException: error while processing message to remote system:com.sap.aii.adapter.rfc.core.client.RfcClientException: could not get a client from JCO.Pool: com.sap.mw.jco.JCO$Exception: (103) RFC_ERROR_LOGON_FAILURE: An uninterpretable SSO ticket was received (original: "Foi recebido um SSO-Ticket não interpretado")

Can you help me?

Leonardo Rodrigues Lemos

I solved it too. It was necessary to import the SAPLogonTicket from SAP PI into ECC.

Leonardo Rodrigues Lemos

I'm trying to create a .NET application to consume a web service in SAP PI NW 7.5, but using ADFS 3.0 as the STS. Has anyone done this scenario yet? I'm having trouble making the correct settings in ADFS. Using this scenario with SoapUI is working, but with ADFS I have received some error messages. ADFS is not sending "sender vouches" as the confirmation method. It is not sending the user id. Is it necessary to register the .NET application server certificate in SAP PI, or only ADFS?