To enable single sign-on using SAML, a web service configuration needs to be created. The following describes the configuration using single administration from transaction soamanager. A similar configuration can also be created using the SAP NetWeaver PI Directory (see the SAP How-To guide "How To Configure SAML Authentication for SAP NetWeaver Process Integration 7.1").
Enable message-based authentication
As a prerequisite, enable message-based authentication by running report WSS_SETUP. This creates the service user DELAY_L_<SID> (on 7.0X) or DELAY_LOGON (on 7.1X).
Transport-level authentication (username/password, logon/assertion ticket) is handled by the ICF. Because the ICF cannot access SOAP headers, all message-based authentication is handled by a user switch: the initial authentication is done as DELAY_L_<SID> (7.0X) / DELAY_LOGON (7.1X), and the user is switched only after the message security has been processed. You will therefore see this service user in some of the SOAP runtime traces, for example.
Checking for the version of the SAP cryptographic library
Before configuring the provider, ensure that the SAP Cryptographic Library (SAPCRYPTOLIB) 1.555.24 or higher is installed. You can check the version in transaction STRUST, menu Environment -> Display SSF Version; it must report SAPCRYPTOLIB 1.555.24 or later. If it is not installed, follow the instructions in SAP Note 397175.
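The version check above is easy to get wrong when done by eye or by plain string comparison ("1.555.9" sorts after "1.555.24" as text but is older). The following is an added example, not part of the original page or of SAP's tooling: it parses the SAPCRYPTOLIB version out of text copied from the Display SSF Version screen and compares it numerically against the required 1.555.24. The sample screen texts are constructed for illustration; the exact layout of the real SSF version display may differ, so only the "SAPCRYPTOLIB <version>" token is relied on.

```python
import re
from typing import Optional, Tuple

# Minimum SAPCRYPTOLIB version required by the page for SAML message security.
MIN_SAPCRYPTOLIB: Tuple[int, ...] = (1, 555, 24)

# Matches "SAPCRYPTOLIB", an optional "Version" word, then a dotted numeric version.
_VERSION_RE = re.compile(r"SAPCRYPTOLIB\s+(?:Version\s+)?(\d+(?:\.\d+)+)", re.IGNORECASE)

# Constructed sample outputs (assumed layout, not a real STRUST dump).
SAMPLE_OK = "SSF Version Information\nSAPCRYPTOLIB 1.555.28\nSSF library: SAPSECULIB\n"
SAMPLE_OLD = "SSF Version Information\nSAPCRYPTOLIB 1.555.9\n"
SAMPLE_MISSING = "SSF Version Information\nSSF library: SAPSECULIB\n"


def parse_sapcryptolib_version(ssf_output: str) -> Optional[Tuple[int, ...]]:
    """Return the SAPCRYPTOLIB version as a tuple of ints, or None if not present."""
    for line in ssf_output.splitlines():
        match = _VERSION_RE.search(line)
        if match:
            return tuple(int(part) for part in match.group(1).split("."))
    return None


def meets_minimum(version: Tuple[int, ...], minimum: Tuple[int, ...] = MIN_SAPCRYPTOLIB) -> bool:
    """Numeric component-wise comparison; shorter tuples are zero-padded (1.555 == 1.555.0)."""
    width = max(len(version), len(minimum))
    padded_version = version + (0,) * (width - len(version))
    padded_minimum = minimum + (0,) * (width - len(minimum))
    return padded_version >= padded_minimum


def check_ssf_output(ssf_output: str) -> Tuple[bool, str]:
    """Evaluate pasted SSF version text; returns (ok, human-readable reason)."""
    version = parse_sapcryptolib_version(ssf_output)
    if version is None:
        return False, "SAPCRYPTOLIB not found in SSF version output; install it per SAP Note 397175"
    version_text = ".".join(str(p) for p in version)
    if not meets_minimum(version):
        return False, f"SAPCRYPTOLIB {version_text} is older than the required 1.555.24"
    return True, f"SAPCRYPTOLIB {version_text} satisfies the 1.555.24 minimum"


if __name__ == "__main__":
    for label, text in (("ok", SAMPLE_OK), ("old", SAMPLE_OLD), ("missing", SAMPLE_MISSING)):
        ok, reason = check_ssf_output(text)
        print(f"{label:8s} {'PASS' if ok else 'FAIL'}: {reason}")
```

Paste the text from STRUST -> Environment -> Display SSF Version into `check_ssf_output`; a `False` result means the SAML provider configuration should not be attempted until the library is upgraded.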
Configuring SAML using transaction soamanager
To configure an existing web service for SAML authentication, create the configuration as described below. If you first need to create a web service, follow the instructions on the SDN: https://www.sdn.sap.com/irj/sdn/webservices?rid=/webcontent/uuid/83b7ec4d-0a01-0010-03a9-e5a3b42522b8
- Open transaction soamanager. This opens a browser window. Select "Business Administration" -> "Web Services Administration".
- Select your web service and create a new configuration.
- In the new configuration, select SAML as the authentication method and save.