
This wiki page outlines important points to consider when SAML 2.0 authentication is used together with a web dispatcher or proxy.

Scenario

The AS ABAP service provider trusts a third-party identity provider, which is usually outside your local network.
The web dispatcher/proxy is located between the identity provider and the AS ABAP system where the service provider is hosted.

Related Documentation

Important

Please read the links below carefully so that you are aware of the general rules and common mistakes when using a proxy/web dispatcher:

Wiki page regarding proxies
SAP Web Dispatcher documentation

Download of Service Provider Metadata

General Rule

When you download the service provider metadata, access the SAML 2.0 configuration UI using the same host and port that end users will use for SAML 2.0 authentication.

For web dispatcher/proxy scenarios, it is recommended that the SAML 2.0 configuration UI is accessed directly via a URL that uses the web dispatcher/proxy host, e.g. http(s)://<web dispatcher/proxy host>:<web dispatcher/proxy port>/sap/bc/webdynpro/sap/saml2?sap-client=<SAP client>

Accessing the SAML 2.0 configuration UI using the web dispatcher/proxy host ensures that the service provider metadata contains the correct endpoint URLs (URLs which are accessible by the identity provider).

To download the service provider metadata:

1. Access the SAML 2.0 configuration application as follows:
http(s)://<web dispatcher/proxy host>:<web dispatcher/proxy port>/sap/bc/webdynpro/sap/saml2?sap-client=<SAP client>
2. Click “Metadata”.
Send the service provider metadata to the identity provider in order to set up trust.
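
One way to check the downloaded metadata before sending it to the identity provider, as an added example that is not SAP code: the Python script below lists every endpoint URL in the metadata whose scheme, host or port differs from the web dispatcher/proxy address. The host names, ports, entity ID and endpoint paths in the sample metadata are constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample metadata (hosts, ports and paths are made up): the
# AssertionConsumerService still points at the internal AS ABAP host.
SAMPLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="SP_EXAMPLE">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://webdisp.example.com/sap/saml2/sp/slo/100"/>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://abap-internal.example.local:44300/sap/saml2/sp/acs/100"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def origin(url):
    """Return (scheme, host, port) with the scheme's default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)


def mismatched_endpoints(metadata_xml, frontend_url):
    """List (element name, URL) for endpoints not on the web dispatcher/proxy."""
    expected = origin(frontend_url)
    problems = []
    for el in ET.fromstring(metadata_xml).iter():
        if not el.tag.startswith(MD_NS):
            continue  # only SAML metadata elements carry endpoint URLs
        for attr in ("Location", "ResponseLocation"):
            url = el.get(attr)
            if url is not None and origin(url) != expected:
                problems.append((el.tag[len(MD_NS):], url))
    return problems


if __name__ == "__main__":
    for name, url in mismatched_endpoints(SAMPLE_METADATA, "https://webdisp.example.com:443"):
        print(f"{name}: {url} does not use the web dispatcher/proxy host and port")
```

An empty result means every endpoint in the metadata uses the front-end address; any entry listed indicates the metadata was downloaded through a different host or port than the one end users will use.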

Testing SAML 2.0 Authentication

Recommendation

When testing SAML 2.0 authentication, access the configured resource using the same host and port that end users will use for SAML 2.0 authentication.

That is, always access the service provider via the web dispatcher/proxy host, e.g. http(s)://<web dispatcher/proxy host>:<web dispatcher/proxy port>/sap/bc/… .

Known problems

If you have AS ABAP 7.02 SP6, SP7 or SP8, you need to implement the following SAP Note so that SAML 2.0 authentication works with a web dispatcher or proxy:
SAML2: support for proxy/web dispatcher
