This wiki page outlines important information when using web dispatcher or proxy and SAML 2.0 authentication.

Table of Contents

Scenario

AS ABAP service Provider trusts a third-party identity provider which is usually outside your local network.
The web dispatcher/proxy is located between the identity provider and your AS ABAP system where service provider is hosted.

Related Documentation

Wiki page regarding proxies
SAP Web Dispatcher documentation

Download of Service Provider Metadata

For web dispatcher/proxy scenarios, it is recommended that SAML 2.0 configuration UI is accessed directly via URL using the web dispatcher/proxy host e.g. http(s)://<web dispatcher/proxy host>:<web dispatcher/proxy port>/sap/bc/webdynpro/sap/saml2?sap-client=<SAP client>

Accessing the SAML 2.0 configuration UI using web dispatcher/proxy host will ensure that service provider metadata will contain the correct endpoint URLs (URLs which are accessible by idenity provider).

To download service provider metadata:

1. Access the SAML 2.0 configuration application as follows:
http(s)://<web dispatcher/proxy host>:<web dispatcher/proxy port>/sap/bc/webdynpro/sap/saml2?sap-client=<SAP client>
2. Click “Metadata”.
Send the service provider metadata to identity provider in order to setup trust.

Testing SAML 2.0 Authentication

When testing SAML 2.0 authentication, you need to access the service provider always with the web dispatcher/proxy host e.g. http(s)://<web dispatcher/proxy host>:<web dispatcher/proxy port>/sap/bc/… .

Known problems

In case you have AS ABAP 7.02 SP6, SP7 or SP8, you need to implement the following SAP Note so that SAML 2.0 authentication works with web dispatcher or proxy:
SAML2: support for proxy/web dispatcher