This is a work in progress. I’ll add more information as I go along setting up the landscape.


Having problems using SAML on AS ABAP 7.4/7.5 together with ADFS 3.0, with or without WAP, as IdP? Even a simple Connection Test in SM59 fails for the destination?

You should know that recent ADFS (and WAP) versions require the client to send TLS Server Name Indication (SNI). By default, SAP systems have client SNI switched off. Connections without SNI are closed by ADFS, and you’ll see SSSLERR_CONN_CLOSED errors in the ICM trace.

To make AS ABAP talk to ADFS / WAP, set the following instance profile parameter on AS ABAP:

icm/HTTPS/client_sni_enabled = TRUE

The parameter can be set dynamically, so there is no need to restart the SAP system.

It is also recommended to restrict the client cipher suites. Do this by setting the following instance profile parameter on AS ABAP:

ssl/client_ciphersuites = 150:PFS:HIGH

This parameter can’t be set dynamically, so the system needs to be restarted.


Update May 3, 2017

Turns out the out-of-the-box configuration only works in an internal network setup. If you put a proxy in front of ADFS (such as WAP, or even a hardware one such as NetScaler), you’ll have to adjust the Authentication Context to explicitly call out PasswordProtectedTransport. Also change the Comparison Method to Exact and the binding type to HTTP POST.

If you need to support both scenarios (internal and external), list both Authentication Contexts (PasswordProtectedTransport and unspecified) and set the Comparison Method to Minimum. When ADFS is accessed directly (internal), it defaults to Windows Integrated Authentication. There is no Authentication Context for that, so unspecified is used.


Update August 2, 2017

We found out that Windows Integrated Authentication (WIA) based Single Sign-On (SSO) doesn’t work with Chrome. The default whitelist of browsers in ADFS 3.0 includes only various versions of Internet Explorer, not Chrome. The relevant ADFS property is called WIASupportedUserAgents; add Mozilla/5.0 to the list to get WIA SSO in Chrome. Also remember that the ADFS host has to be in the Local Intranet security zone for WIA to work.

Update November 17, 2017

When you open transaction SAML2 to configure SAML on AS ABAP, be sure to access the Web Dynpro application over HTTPS. This matters when you export the metadata for ADFS, because the URL scheme you used ends up in the endpoint URLs inside the metadata. When importing the metadata, ADFS silently rejects HTTP URLs as Endpoints, which you can observe on the Endpoints tab after creation (it will be blank). So remember to use HTTPS when accessing SAML2 so that the Endpoints are configured automatically when the metadata is imported into ADFS.
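As an added example (not code from the blog post), here is a pre-flight check an SAP admin could run over the metadata exported from SAML2 before importing it into ADFS: it lists the SP endpoints and flags any whose Location is not https. The sample metadata, hostnames and ports below are constructed.

```python
"""Pre-flight check on SAP AS ABAP SAML 2.0 SP metadata before it is imported
into ADFS: every endpoint Location must be an https URL, because ADFS silently
drops http endpoints on import and the Endpoints tab ends up empty."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}
# Endpoint elements of an SPSSODescriptor that ADFS turns into Endpoints.
ENDPOINT_TAGS = ("AssertionConsumerService", "SingleLogoutService",
                 "ArtifactResolutionService")


def list_endpoints(metadata_xml):
    """Return (element, binding, location) for each SP endpoint in the metadata."""
    root = ET.fromstring(metadata_xml)
    found = []
    for sp in root.iter("{%s}SPSSODescriptor" % MD_NS):
        for tag in ENDPOINT_TAGS:
            for ep in sp.findall("md:%s" % tag, NS):
                found.append((tag, ep.get("Binding", ""), ep.get("Location", "")))
    return found


def insecure_endpoints(metadata_xml):
    """Endpoints whose Location scheme is not https; ADFS would reject these."""
    return [ep for ep in list_endpoints(metadata_xml)
            if urlsplit(ep[2]).scheme.lower() != "https"]


# Constructed sample (hostnames and ports are made up): the metadata was
# exported while SAML2 was opened over plain HTTP on port 8000, so the ACS
# Location inherited the http scheme, while the SLO endpoint is already https.
SAMPLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sap-dev.example.invalid/sap/saml2">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sap-dev.example.invalid:44300/sap/saml2/sp/slo/100"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://sap-dev.example.invalid:8000/sap/saml2/sp/acs/100"
        index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    bad = insecure_endpoints(SAMPLE_METADATA)
    for tag, binding, location in bad:
        print("NOT HTTPS: %s [%s] -> %s" % (tag, binding.rsplit(":", 1)[-1], location))
    print("metadata OK" if not bad else "re-export the metadata over HTTPS before importing into ADFS")
```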

  • Just wondering if you have encountered an issue where multiple SAP Instances (DEV, QAS, PRD) as SPs configured to use ADFS and SSO will only work on the first site that you'll connect to and fails on the other sites. What solution did you use to resolve it? Thank you.

    • Not yet, as we are still in sandbox/development. Since the certificates on the SAP systems are different from one system to another, I would recommend you use a different endpoint for each.

    Can this method be utilized for SAP GUI based logons as well?

    Basically, utilize SAML authentication for SAP GUI using ADFS as IdP.

    In the past this was possible using SAP Logon tickets, but we understand this is deprecated. So, can this be handled differently now?

    Or, as an alternative, can we have SAP GUI connecting to ADFS using X.509 certs instead of SAML?

  • Hi,

    Thanks, but this, I believe, would require SSO 3.0 as the Secure Login Server.

    What we are trying to achieve is to do away with the SAP SSO server and utilize MS ADFS alone for both HTTPS (Fiori) and SAP GUI scenarios.

    For Fiori, the method you described in the blog should work, but SAP GUI is the question mark.

    • The SAP SSO server is not required. AD(FS) can issue a Kerberos ticket that AS ABAP can consume, as long as the required configuration is done. A SAP SSO license is required to configure SPNEGO in AS ABAP. If you need more information on the subject, submit a new question.