SAML: AS ABAP as SP and ADFS as IdP
This is work in progress. I’ll add more information as I go along setting up the landscape.
Having problems using SAML on AS ABAP 7.4/7.5 together with ADFS 3.0, with or without WAP, as IdP? Even a simple Connection Test in SM59 fails for the destination?
You should know that recent ADFS (and WAP) versions require client SNI. By default, SAP systems have it switched off. Non-SNI client connections will be disconnected, and you’ll see SSSLERR_CONN_CLOSED errors in the ICM trace.
To make AS ABAP talk to ADFS / WAP, set the following instance profile parameter on AS ABAP:
icm/HTTPS/client_sni_enabled = TRUE
The parameter can be set dynamically, so there is no need to restart the SAP system.
It is also recommended to set the client cipher suite through the following instance profile parameter on AS ABAP:
ssl/client_ciphersuites = 150:PFS:HIGH
This parameter can’t be set dynamically, so the system needs to be restarted.
Update May 3, 2017
Turns out the out-of-the-box configuration works only in an internal network setup. If you configure a proxy in front of ADFS (such as WAP or even a hardware one such as NetScaler), you’ll have to adjust the Authentication Context to explicitly call out PasswordProtectedTransport. Also change the Comparison Method to Exact and the binding type to HTTP POST.
Now if you need to support both scenarios (internal and external), you have to list both Authentication Contexts (PasswordProtectedTransport, unspecified) and set the Comparison Method to Minimum. When accessing ADFS directly (internal), it defaults to using Windows Integrated authentication. There is no such Authentication Context, thus unspecified is used.
Update August 2, 2017
We found out that Windows Integrated Authentication (WIA) based Single Sign-On (SSO) isn’t working with Chrome. The default whitelist of browsers in ADFS 3.0 doesn’t include Chrome, only different versions of Internet Explorer. The relevant property is called WIASupportedUserAgents. Add Mozilla/5.0 to the list to have WIA SSO in Chrome. Also, remember that the ADFS host has to be included in the Local Intranet Security Zone for WIA to work.
Update November 17, 2017
When accessing transaction SAML2 to configure SAML on AS ABAP, be sure to access the Web Dynpro using HTTPS. This matters when you export the metadata to be used by ADFS, because the URL scheme you used will be included in the metadata. ADFS, when importing the metadata, will silently reject HTTP URLs as Endpoints, which can be observed by looking at the Endpoints tab after creation (it will be blank). So remember to use HTTPS when accessing SAML2 so that the Endpoints are automatically configured when importing the metadata to ADFS.
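To catch the HTTP-endpoint problem before the import, the exported metadata can be checked offline. The script below is an added example, not part of the original post or of any SAP or Microsoft tooling; the function name insecure_endpoints and the sample metadata (entity ID, host, ports, paths) are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# Constructed sample: SP metadata as it could look when transaction SAML2 was
# opened over plain HTTP. Entity ID, host, ports and paths are placeholders.
SAMPLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="SP_EXAMPLE_100">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://sap.example.com:8000/sap/saml2/sp/slo/100"/>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://sap.example.com:8000/sap/saml2/sp/acs/100"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def insecure_endpoints(xml_text):
    """Return (element, attribute, url) for each SP endpoint URL that is not HTTPS."""
    root = ET.fromstring(xml_text)
    descriptors = list(root.iter(MD + "SPSSODescriptor"))
    if not descriptors:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")
    findings = []
    for sp in descriptors:
        for ep in sp:
            # Endpoint elements carry Location and, optionally, ResponseLocation;
            # KeyDescriptor and NameIDFormat have neither and are skipped.
            for attr in ("Location", "ResponseLocation"):
                url = ep.get(attr)
                if url is not None and urlsplit(url).scheme.lower() != "https":
                    findings.append((ep.tag.replace(MD, ""), attr, url))
    return findings


if __name__ == "__main__":
    for element, attr, url in insecure_endpoints(SAMPLE_METADATA):
        print(f"{element} {attr} is not HTTPS: {url}")
```

An empty result means every endpoint URL in the file uses HTTPS; any finding means the metadata should be exported again from an HTTPS session of SAML2.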
"I’ll add more information as I go along setting up the landscape" - wonderful. Hard to find info about ADFS as IdP.
Just wondering if you have encountered an issue where multiple SAP Instances (DEV, QAS, PRD) as SPs configured to use ADFS and SSO will only work on the first site that you'll connect to and fails on the other sites. What solution did you use to resolve it? Thank you.
Not yet, as we are still in sandbox/development. Since the certificates on the SAP systems are different from one system to another, I would recommend you use a different endpoint for each.
Hi,
Can this method be utilized for SAP GUI based logons as well?
Basically, utilize SAML authentication for SAP GUI using ADFS as IdP.
In the past this was possible using SAP Logon tickets, but we understand this is deprecated. So, can this be handled differently now?
Or as an alternative, can we have SAP GUI connecting to ADFS using X.509 certs instead of SAML?
Thanks
Mahadevan
I believe the standard solution for the scenario you describe is to use the Secure Login Client (SLC) of the SAP SSO product. See https://www.sap.com/documents/2015/06/2c769c89-5b7c-0010-82c7-eda71af511fa.html for details.
Hi,
Thanks, but this I believe would require SSO 3.0 as the Secure Login server.
What we are trying to achieve is to do away with the SAP SSO server and utilize MS ADFS alone for both HTTPS (Fiori) and SAP GUI scenarios.
For Fiori, the method you described in the blog should work, but SAP GUI is the question mark.
Thanks
Mahadevan
The SAP SSO server is not required. AD(FS) can issue a Kerberos ticket that AS ABAP can consume, as long as the required configuration is done. A SAP SSO license is required to configure SPNEGO in AS ABAP. If you need more information on the subject, submit a new question.