SSO between ADFS 2.0 and AS-ABAP 7.02

Former Member
0 Kudos

Dear experts,

I am trying to configure SSO for users accessing WebDynpro applications on an AS-ABAP 7.02 backend. They access these apps with Internet Explorer. All users are authenticated against ADFS 2.0, and I would like to configure SAML2 based SSO with ADFS 2.0 as the IdP, while the ABAP backend acts as the service provider. However I find that there are hardly any documents available for this process, and none of the related questions asked on SDN get very helpful answers.

So can someone please kindly let me know if this is possible at all? If possible, can you please kindly share some documents or guides on how this can be achieved?

Thanks very much for your help in advance, and any help or hint is appreciated.

Best regards

Luis

Accepted Solutions (0)

Answers (3)

xymanuel
Active Participant
0 Kudos

Hi together,

did anyone succeed in connecting AS ABAP to SAML 2.0 with AD as IdP (ESS with NWBC)?

Regards

Manuel

Former Member
0 Kudos

Hello - any chance you were able to work through this and can share lessons learned? The link above was related to a Java SAP server, but we (like you) are trying to get this to work with ABAP. Currently we are stuck on the ADFS side.

Former Member
0 Kudos

For any ADFS related issues you should familiarize yourself with documentation provided by Microsoft. For any AS ABAP related SAML 2.0 issues see the attached link.

http://wiki.scn.sap.com/wiki/display/Security/Troubleshooting+SAML+2.0+Scenarios#TroubleshootingSAML...

Former Member
0 Kudos

I see that we are not the only ones trying to do SAML2 with ABAP.  I think we have some of it working, but right now we are stuck on simple SOAP communications.

Our goal is to use the ADFS "objectID" not the Windows login name, for authentication purposes.

Did you make any progress?

Former Member
0 Kudos

Unfortunately not much progress. SAP support has actually been very helpful, almost borderline consulting in their advice (I hope they don't see this post), so I definitely encourage you to open a ticket.

Our challenge is primarily on the ADFS side:

  1. Bandwidth - the ADFS resource is quite busy with other projects and to date it seems that every SAML setup he does has its own nuances based on the various Service Providers. However, they usually only need a few "tweaks" to get working.
  2. We did SAML integration with SAP Travel On Demand and on our ADFS side it took about 5 minutes, and we have been able to use different attributes (email at first and later changed to an extensionAttribute that we populate with the SAP PERNR).
  3. Somewhat due to #2, there is a perception that the ABAP SAML setup is troublesome from the ADFS side. There are even complaints that the lack of SHA-256 support on the Netweaver side is a gap.

Needless to say, it is frustrating. I hope somebody has the bandwidth to figure this out and post an updated wiki. I'll certainly try if I can get this to work!!

Former Member
0 Kudos

Hi Eric,

We did open a ticket also, and I agree that support in this area is phenomenal; however, we are still not fully operational with SAML2.

As to your point 2, we are integrating ESS (WebDynpro for ABAP version) and to this purpose we are trying to get the ADFS ObjectID for an account and pass this to SAP. Subsequently, in SAP we use table "vusrextid" to map this ObjectID to a SAP username. From that point on we have the standard conversion from username to PERNR in PA0105.

Would you mind sharing any docs you may have created for point 2?

Perhaps we can collaborate on a wiki, soon.

Regards,

Frank

Former Member
0 Kudos

Hi Frank

We are also trying to do this SAML setup for the new ESS via NWBC!!! 

Point 2 was related to SAML with ADFS and SAP's Cloud For Travel system (i.e. not our on-premise ERP). The ADFS system changed the attribute they were sending and it just worked.

So, we are actually further behind than you. 

We have started the SAML with ERP by going with e-mail as the federation ID, thinking (well, hoping) that we did not need to do any user mapping. We probably would change to go with the HR central person ID (which would require some code). Anyway, the error we are getting (that SAP support says is on the ADFS side) is below.

The SAML authentication request had a NameID Policy that could not be satisfied.

Requestor: VP_ADFS

Name identifier format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

SPNameQualifier: 

Exception details:

MSIS1000: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: False Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress SPNameQualifier: . Actual NameID properties: Format: , NameQualifier:  SPNameQualifier: , SPProvidedId: .

This request failed.

User Action

Use the AD FS 2.0 Management snap-in to configure the configuration that emits the required name identifier.
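The MSIS1000 error above is ADFS comparing the NameIDPolicy in the service provider's AuthnRequest against the NameID it actually put in the token (here: none at all, hence "Format: ,"). The following is an added example, not code from the thread or from SAP/Microsoft, that applies the same SAML 2.0 core rule to constructed messages so the two sides of the mismatch can be inspected offline; the requestor name VP_ADFS is taken from the error text, all other values are made up.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPECIFIED_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed AuthnRequest, modelled on what an AS ABAP service provider sends
# when e-mail is the federation ID (AllowCreate=false, as in the error text).
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0">
 <saml:Issuer>VP_ADFS</saml:Issuer>
 <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="false"/>
</samlp:AuthnRequest>"""

def response_with_nameid(nameid_xml):
    """Constructed minimal Response wrapping the given <saml:NameID> (or nothing)."""
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
            ' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_rsp1" Version="2.0">'
            '<saml:Assertion ID="_a1" Version="2.0"><saml:Subject>' + nameid_xml +
            '</saml:Subject></saml:Assertion></samlp:Response>')

def parse_nameid_policy(request_xml):
    """Return what the SP asked for: requested NameID Format and SPNameQualifier."""
    pol = ET.fromstring(request_xml).find("samlp:NameIDPolicy", NS)
    if pol is None:
        return {"format": "", "sp_name_qualifier": ""}
    return {"format": pol.get("Format", ""),
            "sp_name_qualifier": pol.get("SPNameQualifier", "")}

def parse_nameid(response_xml):
    """Return Format and SPNameQualifier of the issued NameID; '' when the token
    carries none, which ADFS reports as 'Actual NameID properties: Format: ,'."""
    nid = ET.fromstring(response_xml).find(".//saml:Subject/saml:NameID", NS)
    if nid is None:
        return {"format": "", "sp_name_qualifier": ""}
    return {"format": nid.get("Format", ""),
            "sp_name_qualifier": nid.get("SPNameQualifier", "")}

def policy_satisfied(policy, nameid):
    """SAML 2.0 core rule: a requested Format other than 'unspecified' must be
    matched exactly by the issued NameID, and so must any SPNameQualifier."""
    if policy["format"] not in ("", UNSPECIFIED_FMT) and nameid["format"] != policy["format"]:
        return False, "requested Format %r but token has Format %r" % (policy["format"], nameid["format"])
    if policy["sp_name_qualifier"] and nameid["sp_name_qualifier"] != policy["sp_name_qualifier"]:
        return False, "SPNameQualifier mismatch"
    return True, "NameIDPolicy satisfied"

def check(request_xml, response_xml):
    """Run the IdP-side check over a request/response pair; returns (ok, reason)."""
    return policy_satisfied(parse_nameid_policy(request_xml), parse_nameid(response_xml))
```

A token with no NameID, or one in the unspecified format (a plain Windows login name), fails against this request; only a NameID emitted with the emailAddress format passes, which is what the ADFS claim rule on the relying party trust has to produce.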

0 Kudos

Hi Luis,

Please check the following wiki page http://wiki.sdn.sap.com/wiki/display/Security/Single+Sign-On+with+SAML+2.0.

Regards,

Desislava