This wiki describes how to configure the SAML 2.0 logon procedure for applications/ICF services in transaction SICF. It also describes how to disable the use of SAML 2.0 when logging on to an application/ICF service.
Overview
How the ICF authentication works
When an ICF service is called by an external client in SAP ABAP Application Server, a series of checks is performed to authenticate the caller. The picture below shows the procedure:
Select the correct ICF service in SICF
To select the correct ICF service, go to transaction SICF and search for the ICF service as shown here:
Alternatively, select the service manually: click Execute on the “Maintain Services” screen without entering any search string, and then select the correct node.
Note: The correct path of the ICF service can be seen in the URL of the service in the browser. Example:
In SICF (default configuration) the “default_host” is the root node.
Change the logon procedure for the selected service
Once the web service has been found, double-click it to open the configuration screen. In the configuration, switch to the “Logon Data” tab and select the logon procedure as needed.
The logon procedures are described as follows:
Disable the use of SAML 2.0 authentication temporarily
If SAML 2.0 authentication is not required for a particular call, the ICF service can be called with the URL parameter “saml2=disabled” (“?saml2=disabled” if it is the first or only parameter, “&saml2=disabled” if other parameters precede it).
Example: https://<hostname>:<port>/sap/bc/gui/sap/its/webgui?saml2=disabled OR https://<hostname>:<port>/sap/bc/gui/sap/its/webgui?sapclient=xxx&sap-language=EN&saml2=disabled
Further details can be found here: Overriding the Service Provider Configuration with URL Parameters or Headers
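The “?” versus “&” rule above, as an added example that is not part of the original wiki or of SAP's code: one function appends the override to a service URL, and a second reports whether a request URL carries it, which is useful when reviewing which calls skipped SAML 2.0. The host name, port, client value and the case-insensitive matching are assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

PARAM = "saml2"      # parameter name from the wiki
VALUE = "disabled"   # parameter value from the wiki


def with_saml2_disabled(url: str) -> str:
    """Return url with saml2=disabled appended to its query string.

    Existing parameters keep their order, an earlier saml2 parameter is
    dropped so the override appears exactly once, and the parameter is
    placed before any #fragment.
    """
    parts = urlsplit(url)
    pairs = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k.lower() != PARAM]
    pairs.append((PARAM, VALUE))
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def has_saml2_override(url: str) -> bool:
    """True if the query string carries saml2=disabled after URL decoding.

    Matching is case-insensitive as a conservative assumption: it may
    report a variant the server ignores, but it will not miss one.
    """
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return any(k.lower() == PARAM and v.lower() == VALUE for k, v in pairs)


# Constructed sample URLs (host, port and client are placeholders).
BASE = "https://sap.example.com:44300/sap/bc/gui/sap/its/webgui"
SAMPLES = [
    BASE,
    BASE + "?sapclient=100&sap-language=EN",
    BASE + "?sap-language=EN&saml2=disab%6Ced",   # percent-encoded value
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(has_saml2_override(u), with_saml2_disabled(u))
```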
Disable the use of SAML2.0 authentication permanently
If SAML 2.0 authentication is required for only a few ICF services, the best way to achieve this is to create a virtual host in SICF and maintain in that virtual host the services for which SAML 2.0 authentication will be used. Further details can be found here: Creating Virtual Hosts
Related Documents
Overriding the Service Provider Configuration with URL Parameters or Headers