on 11-30-2011 2:50 PM
Dear experts,
I am trying to configure SSO for users accessing WebDynpro applications on an AS-ABAP 7.02 backend. They access these apps with Internet Explorer. All users are authenticated against ADFS 2.0, and I would like to configure SAML2 based SSO with ADFS 2.0 as the IdP, while the ABAP backend acts as the service provider. However I find that there're hardly any documents available for this process, and none of the related questions asked on SDN gets very helpful answers.
So can someone please kindly let me know if this is possible at all? If possible, can you please kindly share some documents or guides on how this can be achieved?
Thanks very much for your help in advance, and any help or hint is appreciated.
Best regards
Luis
Hi together,
did anyone succeed in connecting AS ABAP to SAML 2.0 with AD as IdP (ESS with NWBC)?
Regards
Manuel
Hello - any chance you were able to work through this and can share lessons learned? The link above was related to a Java SAP server, but we (like you) are trying to get this to work with ABAP. Currently we are stuck on the ADFS side.
For any ADFS related issues you should familiarize yourself with documentation provided by Microsoft. For any AS ABAP related SAML 2.0 issues see the attached link.
Unfortunately not much progress. SAP support has actually been very helpful, almost borderline consulting in their advice (I hope they don't see this post), so I definitely encourage you to open a ticket.
Our challenge is primarily on the ADFS side:
Needless to say, it is frustrating. I hope somebody has the bandwidth to figure this out and post an updated wiki. I'll certainly try if I can get this to work!!
Hi Eric,
We did open a ticket also, and I agree that support in this area is phenomenal, however, we are still not fully operational with SAML2.
As to your point 2, we are integrating ESS (WebDynpro for ABAP version) and to this purpose we are trying to get the ADFS ObjectID for an account and pass this to SAP. Subsequently, in SAP we use table "vusrextid" to map this ObjectID to a SAP username. From that point on we have the standard conversion from username to PERNR in PA0105.
Would you mind sharing any docs you may have created for point 2?
Perhaps we can collaborate on a wiki, soon.
Regards,
Frank
Hi Frank
We are also trying to do this SAML setup for the new ESS via NWBC!!!
Point 2 was related to SAML with ADFS and SAP's Cloud For Travel system (i.e. not our on-premise ERP). The ADFS system changed the attribute they were sending and it just worked.
So, we are actually further behind than you. We have started the SAML with ERP by going with e-mail as the federation ID, thinking (well, hoping) that we did not need to do any user mapping... we probably would change to go with the HR central person ID (which would require some code). Anyway, the error we are getting (that SAP support says is on the ADFS side) is below.
The SAML authentication request had a NameID Policy that could not be satisfied.
Requestor: VP_ADFS
Name identifier format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
SPNameQualifier:
Exception details:
MSIS1000: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: False Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress SPNameQualifier: . Actual NameID properties: Format: , NameQualifier: SPNameQualifier: , SPProvidedId: .
This request failed.
User Action
Use the AD FS 2.0 Management snap-in to configure the configuration that emits the required name identifier.
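The MSIS1000 message above reports a mismatch between the NameIDPolicy in the service provider's AuthnRequest and the NameID the IdP would put in the token. The following Python check is an added example, not code from the thread, SAP or Microsoft: it compares a request's NameIDPolicy with an assertion's Subject NameID, using constructed XML samples and hypothetical function names.

```python
import xml.etree.ElementTree as ET  # for untrusted XML prefer a hardened parser (e.g. defusedxml)

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
XMLNS = 'xmlns:samlp="%(samlp)s" xmlns:saml="%(saml)s"' % NS

# Constructed samples (not captured traffic): the SP request and two IdP assertions.
AUTHN_REQUEST = (f'<samlp:AuthnRequest {XMLNS} ID="_r1" Version="2.0">'
                 '<saml:Issuer>VP_ADFS</saml:Issuer>'
                 f'<samlp:NameIDPolicy Format="{EMAIL}" AllowCreate="false"/>'
                 '</samlp:AuthnRequest>')
ASSERTION_NO_NAMEID = (f'<saml:Assertion {XMLNS} ID="_a1" Version="2.0"><saml:Subject>'
                       '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>'
                       '</saml:Subject></saml:Assertion>')
ASSERTION_EMAIL = (f'<saml:Assertion {XMLNS} ID="_a2" Version="2.0"><saml:Subject>'
                   f'<saml:NameID Format="{EMAIL}">user@example.com</saml:NameID>'
                   '</saml:Subject></saml:Assertion>')

def requested_policy(authn_request_xml):
    """Return (format, sp_name_qualifier) from NameIDPolicy; format None = no constraint."""
    pol = ET.fromstring(authn_request_xml).find("samlp:NameIDPolicy", NS)
    if pol is None:
        return None, None
    fmt = pol.get("Format")
    return (None if fmt in (None, UNSPECIFIED) else fmt), pol.get("SPNameQualifier")

def issued_name_id(assertion_xml):
    """Return (format, sp_name_qualifier, value) of Subject/NameID, or None if absent."""
    nid = ET.fromstring(assertion_xml).find("saml:Subject/saml:NameID", NS)
    if nid is None:
        return None
    return nid.get("Format", UNSPECIFIED), nid.get("SPNameQualifier"), (nid.text or "").strip()

def policy_problems(authn_request_xml, assertion_xml):
    """List the reasons the assertion's NameID fails the request's NameIDPolicy."""
    want_fmt, want_spnq = requested_policy(authn_request_xml)
    issued = issued_name_id(assertion_xml)
    if issued is None:
        return ["no NameID issued"] if want_fmt else []
    got_fmt, got_spnq, value = issued
    problems = []
    if want_fmt and got_fmt != want_fmt:
        problems.append(f"format {got_fmt} != requested {want_fmt}")
    if want_spnq and got_spnq != want_spnq:
        problems.append(f"SPNameQualifier {got_spnq} != requested {want_spnq}")
    if not value:
        problems.append("empty NameID value")
    return problems
```

An empty result from `policy_problems` means the NameID would satisfy the request; the first sample reproduces the situation in the error, where the actual NameID format is blank.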
Hi Luis,
Please check the following wiki page http://wiki.sdn.sap.com/wiki/display/Security/Single+Sign-On+with+SAML+2.0.
Regards,
Desislava