
The AS ABAP, acting as the OAuth 2.0 authorization server, uses a SAML 2.0 bearer assertion to authenticate the resource user. Every SAML bearer assertion must be digitally signed by its issuer (the security token service or identity provider), and the authorization server must validate that signature. This requires a trust relationship between the SAML bearer assertion issuer and the authorization server. The AS ABAP extracts the user name from the SAML assertion's NameID element, so the supported NameID format must be configured correctly as well.


Establish a Trust Relationship to the Identity Provider

The trust relationship can be configured manually or by uploading the SAML2 metadata file of the identity provider. The metadata file contains information such as the issuer name, the signature certificate and the endpoints of the identity provider. Usually this file is published on the identity provider's web server. Refer to the manual of your SAML 2.0 product to locate the SAML2 metadata XML.

Alternatively, you can configure the trust relationship manually. In this case you need to specify the SAML2 issuer name of your IDP as the name of the new trusted provider and upload the signature certificate that is used to sign the SAML assertion. Refer to the manual of your SAML 2.0 product on how to obtain this information.

In the following example, we will use the metadata file to configure a trust relationship between an AS ABAP and an identity provider called DemoAppIDP.

1. Start ABAP transaction SAML2. A browser window should now open. 

Log on to the AS ABAP with an administrator account.

2. Switch to the Trusted Providers tab and choose OAuth 2.0 Identity Providers in the dropdown list.

3. Press the Add multi-button and select Upload Metadata File. A wizard appears in which you will configure a new trusted provider.

4. In the wizard’s first step, press Browse…

Select the metadata.xml file you downloaded from the trusted provider.

Press Next.

5. In the step Provider Name, the Name is set automatically from the values derived from the metadata file you uploaded.

In the example this is provider DemoAppIDP.
 
Press Next.

6. The Primary Signing Certificate value will be set automatically as well. The Identity Provider has now been created with an initial configuration based on the SAML metadata file.

Press Finish to close the wizard.  

Now the AS ABAP is able to validate the signature of SAML bearer assertions issued by the identity provider DemoAppIDP. The newly added entry gets a grey icon, indicating that the new provider is not yet fully configured.

Configure the NameID Format

The AS ABAP uses the NameID element in the SAML bearer assertion to identify the correct SAP user: the user name is extracted from the SAML assertion's NameID element. This element can have several formats, as described in the SAML standard. For example, NameID could contain the e-mail address of the user:

<Subject>
  <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Bob@sap.com</NameID>
</Subject>

The NameID format Unspecified means that the SAML issuer does not use a specific format to express the identity of the user. In the AS ABAP context this format is used to carry an SAP user name:

<Subject>
  <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">Bob</NameID>
</Subject>

In the following example, we configure Unspecified as the supported NameID format for identity provider DemoAppIDP and enable the identity provider. Refer to the SAP documentation for a complete list of all supported NameID formats.

7. Press Edit to adapt the newly created trusted provider.

8. In the details section in tab Identity Federation under Supported NameID Formats press Add.

A popup appears. Select Unspecified and press OK to confirm.

9. In the button row above the upper table of trusted providers press Save.

10. Finally click on Enable.

Press the OK button in the popup that appears.

Now the trusted OAuth 2.0 Identity Provider DemoAppIDP should show a green symbol, which indicates that the trust relationship to the demo application is active.
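As an added illustration (not SAP code), the following Python sketch models the subject checks described on this page that an authorization server applies after the assertion signature has been verified: the issuer must be a trusted and enabled provider, the NameID format must be among that provider's supported formats, and the user name is taken from NameID. The trust table, the e-mail lookup and the assertion builder are constructed for this example; signature validation is assumed to have already succeeded.

```python
# Added example, not SAP's implementation: models the issuer/NameID checks
# the page describes. Signature validation is assumed done before this point.
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
FMT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
FMT_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed trust configuration mirroring the wizard result on this page:
# one trusted OAuth 2.0 identity provider with its supported NameID formats.
TRUSTED_PROVIDERS = {
    "DemoAppIDP": {"enabled": True, "nameid_formats": {FMT_UNSPECIFIED}},
}

# Constructed (hypothetical) mapping from e-mail address to SAP user name,
# used only when a provider is allowed to send the emailAddress format.
EMAIL_TO_USER = {"bob@sap.com": "BOB"}


def evaluate(assertion_xml, providers=TRUSTED_PROVIDERS):
    """Return ("accept", user) or ("reject", reason) for a signed assertion."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext(f"{{{SAML_NS}}}Issuer")
    provider = providers.get(issuer)
    if provider is None:
        return ("reject", f"untrusted issuer {issuer!r}")
    if not provider["enabled"]:
        return ("reject", f"issuer {issuer!r} is not enabled")
    name_id = root.find(f"{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameID")
    if name_id is None:
        return ("reject", "assertion has no Subject/NameID")
    # SAML 2.0 treats a missing Format attribute as unspecified.
    fmt = name_id.get("Format", FMT_UNSPECIFIED)
    if fmt not in provider["nameid_formats"]:
        return ("reject", f"NameID format {fmt!r} not supported for {issuer!r}")
    value = (name_id.text or "").strip()
    if fmt == FMT_UNSPECIFIED:
        return ("accept", value)  # unspecified carries the SAP user name
    user = EMAIL_TO_USER.get(value.lower())
    if user is None:
        return ("reject", f"no SAP user mapped to e-mail {value!r}")
    return ("accept", user)


def build_assertion(issuer, fmt, value):
    """Build a minimal constructed (unsigned) assertion for the example."""
    return (f'<Assertion xmlns="{SAML_NS}"><Issuer>{issuer}</Issuer>'
            f'<Subject><NameID Format="{fmt}">{value}</NameID></Subject>'
            f'</Assertion>')
```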
