Author: Mohammed Ashraf

SAML Integration between SAP Netweaver AS ABAP and ADFS (Active Directory Federation Services)

This blog describes implementing a single sign-on mechanism with SAML between Active Directory Federation Services and SAP NetWeaver AS ABAP.

In summary, the configuration described in this document has been executed on the platform versions listed below.

  • Microsoft ADFS (Windows Server 2012 R2) as Identity Provider
  • SAP Netweaver AS ABAP 7.50 SP10 as Service Provider

1. HTTPS configuration on ABAP system

Before starting the configuration, make sure HTTPS is enabled for your gateway system and the server certificates are signed.

2. Activation of SICF

Activate secure session management to enable SAML 2.0 for the client.

To activate security session management, perform the following steps:

  1. Go to transaction SICF_SESSIONS
  2. Choose the corresponding client
  3. Select Activate

Ensure that the following service is activated in transaction SICF:

/default_host/sap/bc/webdynpro/sap/saml2

3. Download ADFS server metadata

From ADFS, export the metadata file that is used to establish trust with the relying party.

Download the metadata file from your ADFS server using the following URL:

https://<hostname FQDN>/FederationMetadata/2007-06/FederationMetadata.xml

4. Configuring SAP Netweaver AS ABAP

To configure SAML 2.0 for a specific client, perform the following steps:

  1. Go to transaction SAML2 and select Enable SAML 2.0 Support
  2. Enter the provider name and click Next
  3. Continue with the default options on the General Settings screen
  4. In the Service Provider Settings, choose Automatic for Selection Mode
  5. Select Finish
  6. Select Edit —> Include Certificate in Signature to establish the connection between SAP NetWeaver AS ABAP and Microsoft ADFS
  7. Select Metadata to export the service provider metadata
  8. Save a copy of the metadata to share this information with the identity provider

On the Service Provider Settings tab, you can view the configuration details.

5. Importing metadata file of identity provider

To import the metadata file of the identity provider, perform the following steps:

  1. Select the Trusted Providers tab and choose Identity Providers in the Show field
  2. Select Add —> Upload Metadata File
  3. On the Metadata Verification screen, select Upload from File
  4. Select Next
  5. On the Provider Name screen, the Name field is pre-filled; select Next
  6. On the Signature and Encryption screen, under Artifact Profile, set Require Signature to Never
  7. Select Next
  8. On the Single Sign-On Endpoints screen, select Next
  9. On the Single Logout Endpoints screen, select Next
  10. On the Artifact Endpoints screen, select Next
  11. Select HTTP POST as the Binding and select Finish
  12. Under List of Trusted Providers, select Edit
  13. Select the Identity Federation tab and select Add to Name ID
  14. Select Save
  15. To enable the trusted provider, select Enable

6. Configuring ADFS

This section provides information on how to configure SAML on Microsoft Active Directory Federation Services (ADFS).

Prerequisite – ADFS is successfully installed and configured

Add a Relying Party Trust

Open the ADFS Management tool and navigate to Trust Relationships —> Relying Party Trusts —> Add Relying Party Trust, then perform the following steps:

  1. Click Start
  2. Select Import data about the relying party from a file and select Browse to navigate to the ABAP metadata file
  3. Click Next
  4. Click OK
  5. Provide a Name
  6. Select Next
  7. Select Permit all users to access this relying party and select Next
  8. Select Next, accepting the defaults on the following screen
  9. Select Close
  10. Select Add Rule
  11. Click Next

On the Configure Rule screen, perform the following steps:

  1. In the Claim rule name field, enter a claim rule name
  2. Under Attribute store, select Active Directory
  3. In Mapping of LDAP attributes to outgoing claim types:
    a. Under LDAP Attribute, select SAM-Account-Name
    b. Under Outgoing Claim Type, select Name ID
  4. Select Finish
  5. Click Apply and OK

Select the Relying Party Trust —> Properties

Go to the Advanced tab and change Secure Hash Algorithm to SHA-1

Note – Match this with what you selected on your ABAP system

Exporting the ADFS Token-Signing Certificate

Open the ADFS Management tool and navigate to Service —> Certificates, then perform the following steps:

  1. In the right-hand panel, under Token-signing, double-click the certificate
  2. In the Certificate window, select the Details tab
  3. Select Copy to File and select Next
  4. Select Base-64 encoded X.509 (.CER)
  5. Select Next to export the certificate
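As an added check (example code written for this page, not part of the original post and not SAP or Microsoft tooling), the script below parses the FederationMetadata.xml downloaded in step 3, reports the IdP entityID and single sign-on endpoints, and confirms that the token-signing certificate published in the metadata is the same one just exported from the ADFS console, by comparing SHA-256 fingerprints of the DER bytes. It does not validate the XML signature on the metadata document; the trust anchor here is the certificate you pulled from the console yourself. The hostnames, entityID and certificate bytes in the sample are constructed placeholders.

```python
"""Compare the signing certificate in ADFS federation metadata with the
.cer exported from the ADFS console (added example, not from the post).

Assumptions: the metadata is the FederationMetadata.xml from step 3 and
the .cer is the Base-64 export described above. SAMPLE_* values are
constructed stand-ins, not a real ADFS document or certificate."""
import base64
import hashlib
import sys
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder: a real token-signing certificate is a DER-encoded
# X.509 blob; for the fingerprint logic any consistent bytes will do.
FAKE_CERT_B64 = base64.b64encode(b"placeholder-token-signing-cert-bytes").decode()

SAMPLE_METADATA = f"""<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{FAKE_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.test/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

# Constructed Base-64 (.CER) export wrapping the same placeholder bytes.
SAMPLE_CER = "-----BEGIN CERTIFICATE-----\n" + FAKE_CERT_B64 + "\n-----END CERTIFICATE-----\n"


def parse_idp_metadata(xml_text):
    """Return entityID, signing certificates (Base64) and SSO endpoints per binding."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: not SAML 2.0 IdP metadata")
    certs = [
        "".join(c.text.split())                      # drop line breaks inside the blob
        for kd in idp.findall("md:KeyDescriptor", NS)
        if kd.get("use", "signing") == "signing"     # no 'use' means usable for signing too
        for c in kd.findall(".//ds:X509Certificate", NS)
    ]
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"), "signing_certs": certs, "sso": sso}


def pem_to_der(pem_text):
    """Strip the PEM armour of a Base-64 .CER export and decode to DER bytes."""
    body = "".join(line for line in pem_text.splitlines() if line and not line.startswith("-----"))
    return base64.b64decode(body)


def sha256_fingerprint(der_bytes):
    return hashlib.sha256(der_bytes).hexdigest()


def signing_cert_matches(metadata_xml, cer_pem):
    """True if the exported certificate is one of the signing certs in the metadata."""
    info = parse_idp_metadata(metadata_xml)
    exported = sha256_fingerprint(pem_to_der(cer_pem))
    published = {sha256_fingerprint(base64.b64decode(c)) for c in info["signing_certs"]}
    return exported in published


def redirect_sso_url(metadata_xml):
    """Location of the HTTP-Redirect SSO endpoint, or None if not published."""
    return parse_idp_metadata(metadata_xml)["sso"].get("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect")


if __name__ == "__main__":
    # Usage: python check_adfs_metadata.py FederationMetadata.xml token-signing.cer
    if len(sys.argv) == 3:
        metadata, cer = open(sys.argv[1]).read(), open(sys.argv[2]).read()
    else:
        metadata, cer = SAMPLE_METADATA, SAMPLE_CER
    info = parse_idp_metadata(metadata)
    print("entityID:", info["entity_id"])
    for binding, location in info["sso"].items():
        print("SSO", binding.rsplit(":", 1)[-1], location)
    print("token-signing cert matches export:", signing_cert_matches(metadata, cer))
```

Run it with the real metadata file and .cer as arguments; a mismatch usually means the metadata was fetched from a different ADFS farm or the token-signing certificate has rolled over since the export, in which case step 5 should be repeated with fresh metadata.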

7. Enabling SAP Netweaver AS ABAP server to perform User Authentication using SAML

This section describes how to enable SAML authentication for one of the services.

To enable the SAP NetWeaver server to perform user authentication using SAML, perform the following steps:

  1. Go to transaction SICF
  2. Navigate to the sap/opu/odata/iwfnd/catalogservice service and select Edit
  3. Select the Logon Data tab and perform the following sub-steps:
    a. Set the Procedure field to Alternative Logon Procedure
    b. Set Security Requirement to SSL
    c. Once the procedure has been changed to Alternative Logon Procedure, scroll down within the Logon Data tab area to the list of Logon Procedures. By default, SAML Logon is item 7 in the list.
  4. To change this order, overwrite the number in the left-hand No. column, for example with 1 (or 2). The list is automatically re-sorted according to the new order, but Logon Through HTTP Fields always remains item one.
  5. Save your changes
  6. Go to transaction SAML2, and on the Trusted Providers tab select Disable and then Enable again

8. Verification

When the Gateway service is executed, the client is redirected to the logon screen of the external SAML 2.0 IdP server.

Note: To test the service, edit the following link with your server details:

https://<FQDN>:<port>/sap/opu/odata/iwfnd/catalogservice/?sap-client=<client no>&$format=xml
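To see what the redirect in this verification step actually carries, here is an added example (written for this page; not code from the post, from SAP or from Microsoft) that builds and decodes a SAMLRequest for the HTTP-Redirect binding: raw DEFLATE, Base64, URL encoding, and the AuthnRequest fields inside it (Issuer, Destination, AssertionConsumerServiceURL, ProtocolBinding). The AssertionConsumerServiceURL is where the browser is sent back with the response after logon, so when a reverse proxy such as SAP Web Dispatcher sits in front of the ABAP system, the check at the end confirms that it names the externally reachable host rather than the internal one. The request, hostnames and ACS path are constructed placeholders, and that the ABAP service provider uses HTTP-Redirect for the request is an assumption.

```python
"""Encode and decode a SAML 2.0 AuthnRequest as carried by the HTTP-Redirect
binding (added example, not from the post). Useful for inspecting the
Location header the ABAP system returns in the verification step."""
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, parse_qs, urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed AuthnRequest in the shape an ABAP SP might issue; not captured traffic.
SAMPLE_AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
    'ID="_placeholder-id" Version="2.0" IssueInstant="2019-01-01T00:00:00Z" '
    'Destination="https://adfs.example.test/adfs/ls/" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'AssertionConsumerServiceURL="https://abap-internal.example.test:44300/sap/saml2/sp/acs/100">'
    '<saml:Issuer>ABAP100</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def encode_redirect_location(sso_url, authn_request_xml, relay_state=None):
    """Build the redirect URL an SP sends the browser to (HTTP-Redirect binding)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)        # raw DEFLATE, no zlib header
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode()}
    if relay_state:
        params["RelayState"] = relay_state
    return sso_url + "?" + urlencode(params)


def decode_saml_request(location_url):
    """Inverse of the above: extract SAMLRequest from the URL and parse the AuthnRequest."""
    query = parse_qs(urlparse(location_url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    xml_text = zlib.decompress(raw, -15).decode()          # inflate raw DEFLATE
    req = ET.fromstring(xml_text)
    if req.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"unexpected root element {req.tag}")
    issuer = req.find(f"{{{SAML}}}Issuer")
    return {
        "issuer": issuer.text if issuer is not None else None,
        "destination": req.get("Destination"),
        "acs_url": req.get("AssertionConsumerServiceURL"),
        "binding": req.get("ProtocolBinding"),
        "relay_state": query.get("RelayState", [None])[0],
    }


def acs_host_is(location_url, expected_host):
    """True if the ACS URL in the request points at expected_host (e.g. the Web Dispatcher FQDN)."""
    acs = decode_saml_request(location_url)["acs_url"]
    return acs is not None and urlparse(acs).hostname == expected_host


if __name__ == "__main__":
    location = encode_redirect_location("https://adfs.example.test/adfs/ls/",
                                        SAMPLE_AUTHN_REQUEST, relay_state="catalogservice")
    for key, value in decode_saml_request(location).items():
        print(f"{key:12} {value}")
    print("ACS on Web Dispatcher host:", acs_host_is(location, "webdispatcher.example.test"))
```

To inspect a real redirect, paste the Location header value into decode_saml_request; the Issuer must equal the service provider name configured in transaction SAML2, and the Destination must be the IdP's SSO endpoint from the imported metadata.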

Learn More:

https://blogs.sap.com/2018/02/28/saml-integration-between-microsoft-azure-portal-and-sap-analytics-cloud/

https://blogs.sap.com/2017/12/19/sap-analytics-cloud-saml-sso-using-adfs-active-directory-federation-services-as-an-identity-provider/

https://blogs.sap.com/2018/02/22/adfs-with-sap-business-intelligence-platform/

https://blogs.sap.com/2018/03/01/saml-integration-between-microsoft-azure-portal-and-sap-business-intelligence-platform/

      8 Comments

      Amol Raut

      Hi Mohammed

      Good blog. But can you please explain the authentication flow? For e.g., if I want to put my OData services on mobile and want the application to authenticate using AD, will this work?

      Also you have mentioned that "On executing Gateway service, the client will be redirected to the logon screen of the external SAML 2.0 IdP server." Does that mean we have to set up an external SAML 2.0 IdP server for this?

      Regards,

      AR

      Mohammed Ashraf (Blog Post Author)

      Hi Amol,

      Thanks for your comment.

      We have not tried the OData services scenario, and regarding "On executing Gateway service", yes, it will redirect to the IdP server for authentication. So we need a SAML IdP server, and in this scenario we tried it using the external SAML IdP server ADFS.

      Thanks
      Ashraf

      Frank Rick

      Hi there,
      We carried out the configuration similarly for our systems with one client. This works well so far, but we fail on systems with two clients. When importing the metadata into ADFS we get the message:

      "MSIS7612: Each identifier for a relying party trust must be unique across all relaying party trusts in AD FS 2.0 configuration."

      If we look at the XML file, the service endpoint is indeed the same as the FQN of the server for both clients.

      Does anyone have experience setting up with two clients?

      Regards,

      Frank

      Mohammed Ashraf (Blog Post Author)

      Hi Frank,

      Thanks for your comment.

      No, I did not try setting up with two clients, but for two clients as well, I believe it would be the same.

      You can try out the following.

      1. Since the error message states that you already have one trusted party with the same identifier, that means you don't need to add the metadata into ADFS again.
      2. So, while configuring the second client you can skip step 6 and continue with the other steps.

      Hope it helps.

      Thanks
      Ashraf

      Kay-Uwe Haeckel

      Hello Ashraf

      I think it is not possible, but in the endpoint you have the client number.

      I hope we have a solution for 2 clients?

      Frank Rick

      Hi,

      Thanks for your reply. I have found the solution. If I export my own metadata for the ADFS, only the checkbox for the service provider may be activated.

      Regards,

      Frank

      Kenneth Monge

      Hi

      I have a problem when I use the Web Dispatcher outside the domain: the ADFS asks for the credentials and then redirects me to Fiori, but with the URL of the ABAP system (Fiori hostname) and not the Web Dispatcher, and here is the error, because I am not in the internal network.

      How can I change this? The ADFS has to redirect to the URL of the Web Dispatcher, right?

      Regards.

      Tong Yong Yang

      Hi Mohammed

      Can you share how you configured the SU01 user attributes?