Skip to Content
Technical Articles
Author's profile photo Mohammed Ashraf

SAML Integration between SAP Netweaver AS ABAP and ADFS (Active Directory Federation Services)

This blog describes implementing a single sign on mechanism with SAML between Active Directory Federation Services and SAP Netweaver AS ABAP

In summary, the configuration provided in this document have been executed on the below mentioned platform versions.

  • Microsoft ADFS (Windows Server 2012 R2) as Identity Provider
  • SAP Netweaver AS ABAP 7.50 SP10 as Service Provider

1. HTTPS configuration on ABAP system

Before we run into the configuration make sure you have HTTPS enabled for your gateway system and certificates are signed

2. Activation of SICF

Activate secure session management to enable SAML 2.0 on the client server

To activate the security session management, perform the following steps.

  1. Goto transaction SICF_SESSIONS
  2. Choose corresponding client
  3. Select Activate

Ensure to activate the following services in the transaction SICF


3. Download ADFS server metadata

From the ADFS, you can export the metadata file to build a secure trust with the relying party.

Download metadata file from your ADFS server using the following URL

https://<hostname FQDN>/FederationMetadata/2007-06/FederationMetadata.xml

4. Configuring SAP Netweaver AS ABAP

To configure SAML 2.0 for specific client, perform the following steps

Goto transaction SAML2 and select Enable SAML 2.0 support

Add provider name and click next

Continue with default option in General settings screen

In Service Provider settings choose Automatic for Selection Mode

Select Finish

Select Edit —> Include Certificate in Signature to establish connection between SAP Netweaver AS ABAP and Microsoft ADFS

Select Metadata to export metadata

Save a copy of metadata to share this information with the identity provider

In the Service Provider settings tab, you can view the configuration details

5. Importing metadata file of identity provider

To import the metadata file of identity provider, perform the following steps

  1. Select Trusted Providers tab and select Identity Providers in show
  2. Select Add —> Upload Metadata File
  3. On Metadata verification screen, select upload from file
  4. Select Next
  5. On Provider name screen, Name field is pre-filled and select Next
  6. On Signature and Encryption screen, under Artifact profile, select Require Signature Never
  7. Select Next
  8. On Single Sign-On Endpoints screen, select Next
  9. On Single Logout Endpoints screen, select Next
  10. On Artifact Endpoints screen, select Next
  11. Select Binding as HTTP Post and select Finish
  12. Under List of Trusted Providers, select Edit
  13. Select Identity Federation tab and select Add to Name ID
  14. Select Save
  15. To enable the Trusted provider, select Enable

6. Configuring ADFS

This section provides information on how to configure SAML on Microsoft Active Directory Federation Services (ADFS).

Prerequisite – ADFS is successfully installed and configured

Add a Relying Party Trust

Open ADFS Management Tool, navigate to Trusted Relationship —> Relying Party Trusts —> Add Relying Party Trust

Click Start

Select Import Data about the relying party from a file and select Browse to navigate to ABAP metadata file

Click on Next

Click Ok

Provide Name

Select Next

Select Permit all users to access the relying party and select Next

Select Next and go with the default screen

Select Close

Select Add Rule

Click Next

On the Configure Rule screen, perform the following steps

  1. In the Claim rule name field, enter Claim Rule name
  2. Under Attribute store, select Active Directory
  3. In Mapping of LDAP attribute to outgoing claim types

Under LDAP Attribute, select SAM-Account-Name

Under Outgoing Claim Types, select Name ID

  1. Select Finish
  2. Click Apply and Ok

Select Relying Party Trust —> Properties

Goto Advanced tab and change Secure Hash Algorithm to SHA-1

Note – Match this with what you selected on your ABAP system

Exporting ADFS Token Signing Certificate

Open ADFS Management tool

Navigate to Service —> Certificates

On the right-hand panel, under the Token-signing, double click on the Certificate.

On the Certificate window, select Details tab.

Select Copy to File and Select Next

Select Base-64 encoded X.509 (.CER).

Subsequently select Next to export the certificate.

7. Enabling SAP Netweaver AS ABAP server to perform User Authentication using SAML

This section provides information on how to enable SAML on of the services.

To enable SAP Netweaver server to perform user authentication using SAML, perform the following steps

  1. Go to Transaction SICF
  2. Navigate to sap/opu/odata/iwfnd/catalogservice service and Edit
  3. Select Logon Data tab and perform the following sub-steps
    a. Set Procedure field to Alternate Logon Procedure.
    b. Set Security Requirement to SSLOnce the “Alternative Logon Procedure” has been changed, you can scroll down within the Logon Data tab area and you will see a list of Logon Procedures. By default, SAML Logon is item 7 in the list.To change this order, simply overtype the number in the left-hand column with 1 (or 2).
  4. To change this order, in the left-hand No column, overwrite the number. The list is automatically sorted according to the new order, but Logon Through HTTP Fields will always be item one.
  5. Save your changes.
  6. Go to Transaction SAML2, on the Trusted Provider tab, select Disable and Enable it again.

8. Verification

On executing Gateway service, the client will be redirected to the logon screen of the external SAML 2.0 IdP server.

Note: To test the service, edit the following link with server details –

https://<FQDN>:<port>/sap/opu/odata/iwfnd/catalogservice/?sap-client=<client no>&$format=xml

Learn More:

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Amol Raut
      Amol Raut

      Hi Mohammed

      Good blog.  But can you please explain the authentication flow. For e. If I want to put my odata services on mobile and want application to authenticate using AD, will this work?

      Also you have mentioned that "On executing Gateway service, the client will be redirected to the logon screen of the external SAML 2.0 IdP server." does that  mean we have to setup external SAML 2.0 IdP server for this.




      Author's profile photo Mohammed Ashraf
      Mohammed Ashraf
      Blog Post Author

      Hi Amol,

      Thanks for your comment.

      We have not tried odata services scenario and regarding "On executing Gateway service", yes it will redirect to Idp server for authentication. so we need SAML Idp server and in this scenario we tried it using external SAML Idp server ADFS.


      Author's profile photo Frank Rick
      Frank Rick

      Hi there,
      we carried out the configuration similarly for our systems with one client. This works well so far, but we fail in systems with two clients. When importing the metadata into ADFS we get the message:

      "MSIS7612: Each identifier for a relying party trust must be unique across all relaying party trusts in AD FS 2.0 configuration."

      If we look at the XML file, the service endpoint is indeed the same as the FQN of the server for both clients.

      Does anyone have experience setting up with two clients?



      Author's profile photo Mohammed Ashraf
      Mohammed Ashraf
      Blog Post Author

      Hi Frank,

      Thanks for your comment.

      No, i did not tried setting up with two clients. but for two clients as well, i believe it would be the same.

      You can try out the following.

      1. Since the error message states that you already have one trusted party with the same identifier, that means you dont need to add metadata into ADFS again
      2. So, while configuring for second client you can skip step 6 and continue with other steps.

      Hope it helps.


      Author's profile photo Kay-Uwe Haeckel
      Kay-Uwe Haeckel

      Hello Ashraf

      I think is not possible but in the endpoint you have the client number.

      I hope we have a solution for 2 clients?

      Author's profile photo Frank Rick
      Frank Rick


      thanks for your reply. I have found the solution. If i export my own metadata for the ADFS,only the checkbox for the service provider may be activated.



      Author's profile photo Kenneth Monge
      Kenneth Monge


      I have a problem when I use the Web Dispatcher, outside the domain, the ADFS asks for the credential and then redirects me to fiori, but with the URL of the ABAP System (fiori hostname) and not the Web Dispatcher, here is the error, because I do not I am in internal net.

      How can I change this? The ADFS has to redirect to the URL of the Web Dispatcher, right?



      Author's profile photo Tong Yong Yang
      Tong Yong Yang

      Hi  Mohammed

      Can you share SU01 user attributes you are how to configure?