This wiki page outlines important information when using web dispatcher or proxy and SAML 2.0 authentication.
Table of Contents
AS ABAP service Provider trusts a third-party identity provider which is usually outside your local network.
The web dispatcher/proxy is located between the identity provider and your AS ABAP system where service provider is hosted.
Please read carefully the links below so that you are aware of general rules and common mistakes when using proxy/web dispatcher
Wiki page regarding proxies
SAP Web Dispatcher documentation
Download of Service Provider Metadata
When you would like to download service provider metadata, access SAML 2.0 configuration UI using the same host and port as end users will use for SAML 2.0 authentication
For web dispatcher/proxy scenarios, it is recommended that SAML 2.0 configuration UI is accessed directly via URL using the web dispatcher/proxy host e.g. http(s)://<web dispatcher/proxy host>:<web dispatcher/proxy port>/sap/bc/webdynpro/sap/saml2?sap-client=<SAP client>
Accessing the SAML 2.0 configuration UI using web dispatcher/proxy host will ensure that service provider metadata will contain the correct endpoint URLs (URLs which are accessible by idenity provider).
To download service provider metadata:
1. Access the SAML 2.0 configuration application as follows:
http(s)://<web dispatcher/proxy host>:<web dispatcher/proxy port>/sap/bc/webdynpro/sap/saml2?sap-client=<SAP client>
2. Click “Metadata”.
Send the service provider metadata to identity provider in order to setup trust.
Testing SAML 2.0 Authentication
When testing SAML 2.0 authentication, access the configured resource using the same host and port as end users will use for SAML 2.0 authentication
When testing SAML 2.0 authentication, you need to access the service provider always with the web dispatcher/proxy host e.g. http(s)://<web dispatcher/proxy host>:<web dispatcher/proxy port>/sap/bc/… .
In case you have AS ABAP 7.02 SP6, SP7 or SP8, you need to implement the following SAP Note so that SAML 2.0 authentication works with web dispatcher or proxy:
SAML2: support for proxy/web dispatcher