
This is work in progress. I’ll add more information as I go along setting up the landscape.


Having problems using SAML on AS ABAP 7.4/7.5 together with ADFS 3.0, with or without WAP, as IdP? Even a simple Connection Test in SM59 fails for the destination?

You should know that recent ADFS (and WAP) versions require client SNI (Server Name Indication in the TLS handshake). By default, SAP systems have it switched off. Non-SNI client connections are disconnected, and you'll see SSSLERR_CONN_CLOSED errors in the ICM trace.

To make AS ABAP talk to ADFS / WAP, set the following instance profile parameter on AS ABAP:

icm/HTTPS/client_sni_enabled = TRUE

The parameter can be set dynamically, so there is no need to restart the SAP system.

It is also recommended to set the client cipher suites; do so with the following instance profile parameter on AS ABAP:

ssl/client_ciphersuites = 150:PFS:HIGH

This parameter can't be set dynamically, so the system needs to be restarted.


Update May 3, 2017

Turns out the out-of-the-box configuration works only in an internal network setup. If you configure a proxy in front of ADFS (such as WAP, or even a hardware one such as NetScaler), you'll have to adjust the Authentication Context to explicitly call out PasswordProtectedTransport. Also change the Comparison Method to Exact and the binding type to HTTP POST.

Now if you need to support both scenarios (internal and external), you have to list both Authentication Contexts (PasswordProtectedTransport and unspecified) and set the Comparison Method to Minimum. When accessing ADFS directly (internal), it defaults to Windows Integrated Authentication. There is no Authentication Context for that, so unspecified is used.


Update August 2, 2017

We found out that Windows Integrated Authentication (WIA) based Single Sign-On (SSO) isn't working with Chrome. The default whitelist of browsers in ADFS 3.0 doesn't include Chrome, only different versions of Internet Explorer. The relevant ADFS property is called WIASupportedUserAgents. Add Mozilla/5.0 to the list to get WIA SSO in Chrome. Also, remember that the ADFS host has to be in the browser's Local Intranet security zone for WIA to work.

Update November 17, 2017

When accessing transaction SAML2 to configure SAML on AS ABAP, be sure to open the Web Dynpro application over HTTPS. This matters when you export the metadata for ADFS, because the URL scheme you used is written into the endpoint URLs in the metadata. When importing the metadata, ADFS silently rejects HTTP URLs as Endpoints; you can observe this in the Endpoints tab after creation (it will be blank). So remember to use HTTPS when accessing SAML2 so that the Endpoints are configured automatically when the metadata is imported into ADFS.
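A quick pre-import check for the metadata exported from SAML2, added here as an example that is not part of the original post: it parses the SP metadata and flags every endpoint whose Location is not https, so the blank-Endpoints symptom can be caught before the import into ADFS. The sample metadata, hostnames and paths below are constructed, not taken from a real system.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
# Endpoint elements ADFS reads from an SP's metadata
ENDPOINT_TAGS = ("AssertionConsumerService", "SingleLogoutService",
                 "ArtifactResolutionService")


def check_sp_metadata(xml_text):
    """Return (element, Binding, Location, ok) for every SP endpoint.

    ok is False when the Location is not an https URL, which ADFS
    silently drops on import (the Endpoints tab ends up blank).
    """
    root = ET.fromstring(xml_text)
    results = []
    for sp in root.iter("{%s}SPSSODescriptor" % MD_NS):
        for tag in ENDPOINT_TAGS:
            for ep in sp.findall("{%s}%s" % (MD_NS, tag)):
                loc = ep.get("Location", "")
                ok = urlparse(loc).scheme.lower() == "https"
                results.append((tag, ep.get("Binding", ""), loc, ok))
    return results


def bad_endpoints(xml_text):
    """Only the endpoints that ADFS would reject."""
    return [r for r in check_sp_metadata(xml_text) if not r[3]]


# Constructed sample: SLO was exported over HTTPS, but the ACS URL
# carries the http scheme because SAML2 was opened over plain HTTP.
SAMPLE = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sapdev.example.invalid/sap/bc/saml2">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sapdev.example.invalid:44300/sap/saml2/sp/slo/100"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://sapdev.example.invalid:8000/sap/saml2/sp/acs/100"
        index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    for tag, binding, loc, ok in check_sp_metadata(SAMPLE):
        print(("OK  " if ok else "BAD ") + tag + " " + binding.rsplit(":", 1)[-1] + " " + loc)
```

Run it against the file exported from SAML2; any line marked BAD means the export was done over HTTP and has to be redone before importing into ADFS.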


3 Comments


  1. Mark Manuel

    Just wondering if you have encountered an issue where multiple SAP Instances (DEV, QAS, PRD) as SPs configured to use ADFS and SSO will only work on the first site that you’ll connect to and fails on the other sites. What solution did you use to resolve it? Thank you.

    1. Samuli Kaski Post author

      Not yet, as we are still in sandbox/development. Since the certificates on the SAP systems are different from one system to another, I would recommend that you use a different endpoint for each.

