
To enable single sign-on using SAML, a web service configuration needs to be created. The following describes the configuration using single administration from transaction soamanager. A similar configuration can also be created using SAP NetWeaver PI Directory (see SAP How To guide "How To Configure SAML Authentication for SAP NetWeaver Process Integration 7.1").

Enable message based authentication

As a prerequisite, enable message based authentication by calling report WSS_SETUP. This will create a service user DELAY_L_<SID> (for 7.0X) or DELAY_LOGON (for 7.1X).
Transport-level authentication, such as username/password or logon/assertion ticket, is handled by the ICF. As the ICF cannot access SOAP headers, all message-based authentication is handled by a user switch. The initial authentication is done by DELAY_L_<SID> (7.0X)/DELAY_LOGON (7.1X), and the user is switched only after the message security has been processed. This is why you will see this user, for example, in some of the traces of the SOAP runtime.
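The split between transport-level and message-level credentials described above, as an added example (not SAP code and not part of the original page). The function name `classify_auth` and the sample envelope are constructed; the namespaces are the standard SOAP 1.1, OASIS WS-Security and SAML assertion namespaces, and both SAML 1.x and 2.0 are accepted because the page does not say which one a given release uses.

```python
import xml.etree.ElementTree as ET

# Standard namespaces: SOAP 1.1 envelope, OASIS WS-Security, SAML assertions.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
SAML_NS = {"urn:oasis:names:tc:SAML:1.0:assertion",
           "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample request body: the SAML assertion sits in the SOAP header.
SAMPLE = f"""<soapenv:Envelope xmlns:soapenv="{SOAP}">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="{WSSE}">
      <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
                      AssertionID="constructed-id" Issuer="constructed-issuer"/>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>"""

def classify_auth(http_headers, body):
    """Report where one request carries the caller's credential."""
    result = {"transport": [], "message": []}
    # Transport level: visible in the HTTP layer without reading the body.
    if "authorization" in {name.lower() for name in http_headers}:
        result["transport"].append("http-authorization")
    # Message level: visible only after the SOAP header has been parsed.
    # (For untrusted input, parse with a hardened parser such as defusedxml.)
    root = ET.fromstring(body)
    security = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    if security is not None:
        for child in security:
            ns, _, local = child.tag[1:].partition("}")
            if local == "Assertion" and ns in SAML_NS:
                result["message"].append("saml-assertion")
            elif ns == WSSE and local == "UsernameToken":
                result["message"].append("username-token")
    return result

if __name__ == "__main__":
    print(classify_auth({"Content-Type": "text/xml"}, SAMPLE))
```

A request of the first kind gives the HTTP layer nothing to authenticate with, which is the situation the delayed-logon service user covers until the SOAP header has been processed.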

Checking for the version of the SAP cryptographic library

Before configuring the provider, please ensure SAP Cryptolibrary 1.555.24 or higher is installed. You can check for the version in transaction STRUST, menu Environment -> Display SSF Version. The version must return SAPCRYPTOLIB 1.555.24 or later. In case it is not installed, follow the instructions contained in SAP Note 397175.

Configuring SAML using transaction soamanager

To configure an existing web service for SAML authentication, create the configuration as described below. In case you first need to create a web service, follow the instructions from the SDN:

  1. Open transaction soamanager. This will open a browser. Select "Business Administration" -> "Web Services Administration"
  2. Select your web service and create a new configuration
  3. In the new configuration, select SAML for authentication and save



  1. Unknown User (f9g6bvt)

    Hi Martijn de Boer,

    Nice compilation.

    After the SAML for authentication option is set, how can I test it to ensure that it is working fine or not?

    Kind regards,


  2. Hi Vijay,

    I see two simple test options:

    1) Use a web service proxy on the same system to test a ws call using SAML to itself. In case of a call to the same system no trust configuration or user mapping is needed.

    2) Use the wsnavigator from an AS Java 7.1X, copy the WSDL URL including security policy and use that for testing. This will require setup of trust and user mapping.



  3. Unknown User (f9g6bvt)

    Hi Martijn,

    Thanks for your feedback.

    We have the following landscape;

    We have a Non-sap client application which required a WSDL URL for any web service.
    We have NW2004s(J2ee 7.0 + ABAP 7.0) dual stack installation.
    We have an ECC5.0 system which has a lot of web services activated in it.

    Considering our above landscape we have a requirement as follows;

    The Non-sap client application calls the web services available in ECC5.0 system, but SSO is not configured between Non-sap client application & ECC5.0 system and that web service call from Non-sap client application to the ECC 5.0 system needs to be authenticated through NW2004s dual stack system as it has advanced web services authentication mechanism(SSO, SAML..etc.,)

    Simply put the Non-sap client application -> call web services in ECC 5.0 -> this call in turn needs to be authenticated through (NW2004s) which has SSO configured with ECC 5.0 system.

    How can I achieve the above-mentioned scenario, or at least simulate it for testing?

    Please assist me.

    Many thanks....

    Kind regards,


  4. Hi Vijay,

     Let's move this discussion to email or phone.  Can you drop me some contact data?