SAML: AS ABAP as SP and ADFS as IdP
This is work in progress. I’ll add more information as I go along setting up the landscape.
Having problems using SAML on AS ABAP 7.4/7.5 together with ADFS 3.0, with or without WAP, as IdP? Even a simple Connection Test in SM59 fails for the destination?
You should know that recent ADFS (and WAP) versions require client SNI (Server Name Indication). By default, SAP systems have it switched off. Non-SNI client connections are disconnected, and you'll see SSSLERR_CONN_CLOSED errors in the ICM trace.
To make AS ABAP talk to ADFS / WAP, set the following instance profile parameter on AS ABAP:
icm/HTTPS/client_sni_enabled = TRUE
This parameter can be set dynamically, so there is no need to restart the SAP system.
It is also recommended to set the client cipher suites; do this by setting the following instance profile parameter on AS ABAP:
ssl/client_ciphersuites = 150:PFS:HIGH
This parameter can't be set dynamically, so the system needs to be restarted.
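To verify both sides of this, here is an added example (not SAP or Microsoft code): it checks an instance profile for the two parameters above and probes an ADFS/WAP endpoint with and without SNI, so you can confirm that the server really is closing non-SNI handshakes before touching the SAP system. The profile texts and the host name are constructed placeholders.

```python
"""Check the client-side TLS settings from the post and probe an ADFS/WAP
endpoint for its SNI requirement.

Added example, not SAP or Microsoft code. The profile texts below are
constructed; the host in main() is a placeholder.
"""
import socket
import ssl

# Recommended values from the post.
REQUIRED_PARAMS = {
    "icm/HTTPS/client_sni_enabled": "TRUE",
    "ssl/client_ciphersuites": "150:PFS:HIGH",
}

# Constructed profile fragments: one as recommended, one at SAP defaults.
SAMPLE_PROFILE_OK = """# constructed instance profile fragment
icm/HTTPS/client_sni_enabled = TRUE
ssl/client_ciphersuites = 150:PFS:HIGH
"""
SAMPLE_PROFILE_DEFAULT = """# constructed instance profile fragment
icm/HTTPS/client_sni_enabled = FALSE
"""


def parse_profile(text):
    """Parse 'name = value' lines of an SAP instance profile into a dict.
    '#' lines are comments; a later line overrides an earlier one."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def check_profile(text):
    """Return (parameter, found_value) for every recommended parameter that is
    missing (found_value None) or differs; an empty list means all good."""
    params = parse_profile(text)
    problems = []
    for name, wanted in REQUIRED_PARAMS.items():
        found = params.get(name)
        if found is None or found.upper() != wanted.upper():
            problems.append((name, found))
    return problems


def tls_handshake(host, port, use_sni, timeout=5.0):
    """Attempt one TLS handshake, with or without SNI.
    Returns 'ok' if the server completed it, 'closed' if the server dropped
    the connection during the handshake (what a non-SNI client sees from
    ADFS/WAP, and what ICM reports as SSSLERR_CONN_CLOSED), or 'error: ...'.
    Certificate verification is disabled deliberately: the question is whether
    the server talks to us at all, not whether its certificate chains."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            # wrap_socket performs the handshake immediately on a connected socket
            with ctx.wrap_socket(raw, server_hostname=host if use_sni else None):
                return "ok"
    except (ConnectionResetError, ssl.SSLEOFError):
        return "closed"
    except (OSError, ssl.SSLError) as exc:
        return f"error: {exc}"


def diagnose(with_sni, without_sni):
    """Turn the two probe results into a verdict for the SAP administrator."""
    if with_sni == "ok" and without_sni != "ok":
        return "server requires SNI: set icm/HTTPS/client_sni_enabled = TRUE"
    if with_sni == "ok" and without_sni == "ok":
        return "server accepts non-SNI clients"
    return f"no handshake even with SNI ({with_sni}); check network and cipher suites"


if __name__ == "__main__":
    host = "adfs.example.invalid"  # placeholder for your ADFS / WAP host
    print(check_profile(SAMPLE_PROFILE_DEFAULT))
    print(diagnose(tls_handshake(host, 443, True), tls_handshake(host, 443, False)))
```

Run `check_profile` against the real profile file contents and the probe against the ADFS or WAP host name that SM59 uses; a `closed` result for the non-SNI handshake paired with `ok` for the SNI one is exactly the SSSLERR_CONN_CLOSED situation described above.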
Update May 3, 2017
Turns out the out-of-the-box configuration works only in an internal network setup. If you configure a proxy in front of ADFS (such as WAP, or even a hardware one such as NetScaler), you'll have to adjust the Authentication Context to explicitly call out PasswordProtectedTransport. Also change the Comparison Method to Exact and the binding type to HTTP POST.
Now if you need to support both scenarios (internal and external), you have to list both Authentication Contexts (PasswordProtectedTransport and unspecified) and set the Comparison Method to Minimum. When accessing ADFS directly (internal), it defaults to Windows Integrated Authentication. There is no Authentication Context for that, so unspecified is used.
Update August 2, 2017
We found out that Windows Integrated Authentication (WIA) based Single Sign-On (SSO) isn't working with Chrome. The default whitelist of browsers in ADFS 3.0 doesn't include Chrome, only various versions of Internet Explorer. The relevant property is called WIASupportedUserAgents. Add Mozilla/5.0 to the list to get WIA SSO in Chrome. Also remember that the ADFS host has to be included in the Local Intranet security zone for WIA to work.
Update November 17, 2017
When accessing transaction SAML2 to configure SAML on AS ABAP, be sure to access the Web Dynpro application using HTTPS. This matters when you export the metadata for ADFS, because the URL scheme you used is written into the endpoint URLs in the metadata. ADFS silently rejects HTTP URLs as Endpoints when importing the metadata, which you can observe by looking at the Endpoints tab after creation (it will be blank). So remember to use HTTPS when accessing SAML2 so that the Endpoints are configured automatically when importing the metadata into ADFS.
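The two SAML-level pitfalls in the May 3 and November 17 updates (Authentication Context settings for the proxied and WIA cases, and HTTP endpoints silently dropped by ADFS) can both be caught before the ADFS import. The following is an added example, not SAP's or Microsoft's code: it scans exported SP metadata for non-HTTPS endpoint Locations and checks the RequestedAuthnContext of an AuthnRequest against the combinations the post describes. The metadata and AuthnRequest XML below are constructed samples with placeholder host names.

```python
"""Pre-flight checks for an AS ABAP SAML 2.0 SP that federates with ADFS.

Added example, not SAP or Microsoft code. Both XML documents below are
constructed for this example; entity IDs and hosts are placeholders.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
PASSWORD_PROTECTED = AC + "PasswordProtectedTransport"
UNSPECIFIED = AC + "unspecified"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed SP metadata: the SLO endpoint was exported over plain HTTP
# (SAML2 transaction opened via http://), the ACS endpoint over HTTPS.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sap.example.invalid/sap/saml2">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://sap.example.invalid:8000/sap/saml2/sp/slo/100"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sap.example.invalid:44300/sap/saml2/sp/acs/100" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed AuthnRequest configured for both scenarios: both contexts, Comparison=minimum.
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" Version="2.0"
    IssueInstant="2017-05-03T10:00:00Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer>https://sap.example.invalid/sap/saml2</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="minimum">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

# Constructed out-of-the-box style request: no RequestedAuthnContext at all.
SAMPLE_DEFAULT_AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed2" Version="2.0"
    IssueInstant="2017-05-03T10:00:00Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer>https://sap.example.invalid/sap/saml2</saml:Issuer>
</samlp:AuthnRequest>"""


def non_https_endpoints(metadata_xml):
    """Return (element name, Location) for every endpoint whose Location is not
    https; ADFS drops such endpoints silently on metadata import."""
    root = ET.fromstring(metadata_xml)
    bad = []
    for el in root.iter():
        loc = el.get("Location")
        if loc is not None and urlparse(loc).scheme.lower() != "https":
            bad.append((el.tag.split("}", 1)[-1], loc))
    return bad


def check_authn_request(authn_request_xml, external_proxy, internal_wia):
    """Return a list of findings (empty means the request matches the post's
    recommendation for the given scenario).
    external_proxy: ADFS sits behind WAP / a reverse proxy.
    internal_wia:   users also reach ADFS directly and get WIA."""
    root = ET.fromstring(authn_request_xml)
    findings = []
    if root.get("ProtocolBinding") != HTTP_POST:
        findings.append("ProtocolBinding is not HTTP-POST")
    rac = root.find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        if external_proxy:
            findings.append("no RequestedAuthnContext; a proxied ADFS needs PasswordProtectedTransport")
        return findings
    classes = [c.text.strip() for c in rac.findall("saml:AuthnContextClassRef", NS)]
    comparison = rac.get("Comparison", "exact")  # SAML 2.0 default is exact
    if external_proxy and PASSWORD_PROTECTED not in classes:
        findings.append("missing PasswordProtectedTransport")
    if internal_wia and UNSPECIFIED not in classes:
        findings.append("missing unspecified (WIA has no Authentication Context class)")
    if external_proxy and internal_wia and comparison != "minimum":
        findings.append(f"Comparison is {comparison!r}, expected 'minimum' for both scenarios")
    if external_proxy and not internal_wia and comparison != "exact":
        findings.append(f"Comparison is {comparison!r}, expected 'exact' for the proxied scenario")
    return findings


if __name__ == "__main__":
    print(non_https_endpoints(SAMPLE_SP_METADATA))
    print(check_authn_request(SAMPLE_AUTHN_REQUEST, external_proxy=True, internal_wia=True))
    print(check_authn_request(SAMPLE_DEFAULT_AUTHN_REQUEST, external_proxy=True, internal_wia=False))
```

Feed `non_https_endpoints` the metadata file exported from SAML2 before handing it to the ADFS administrator; any hit means the transaction was opened over HTTP and the export needs redoing. `check_authn_request` can be run on an AuthnRequest captured from the browser (base64-decode the SAMLRequest form field first) to confirm the Authentication Context settings actually reached the wire.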