Page tree
Skip to end of metadata
Go to start of metadata

While the usage of OAuth2 is quite straight forward, it is sometime convenient to have a bit of coding to start with. If you don't want to use an sample implementation, please check the sample messages on the page Using OAuth 2.0 from a Web Application with SAML Bearer Assertion Flow.

The sample clients are based on the example scenario. Please follow Configuration Guide for this scenario for configuration.

Table of Contents:


Java Client with local SAML token generation

Source Code

Get a copy of the source from github at: This includes an Eclipse project OAuth2Client_Java.

The client uses the opensaml implementation for generating a SAML2 token. So you'll  additionally need a copy of the opensaml libraries from

Configuration & Testing

The Eclipse project contains a Junit test, which requests an OAuth access token. Once you are able to obtain an access token, this token can be used to access OData resource on the Gateway system.

Before testing, adopt the configuration to your system enviroment by adopting the file in your imported Eclipse project.

The unit tests use a properties file for configuration. In an application may also pass over a java.util.Properties object.

Java Keystore

The Eclipse project contains a sample keystore which is stored in the classpath. For your environment you need to create an own keystore, e.g. by running the command




keytool -genkey -alias saml2 -keyalg RSA -keystore localsts.jks -keysize 2048

The tool will ask you to protecte the keystore itself and the key entries with an password used for encryption. Adopt these entries in the saml,properties configuration file:

# Keystore Path
# Keystore Type
# Keystore Password. Same password is used to open the keystore and key entry
# Keystore key alias

SAML Configuration

The files contains several settings for the SAML configuration


SAML Issuer Name

SAML2 Identity Providers identify them with a name. This name is also used in the trust relationship of transaction SAML2. The default is DemoAppIDP, which can be changed if required.

# SAML issuer name
Audience Restriction

SAML Assertions are issued to the system. The value of this field must match the name of the SAML2 local entity in your system. Open transaction SAML2 to identify the correct value.

# SAML target audience (->name of local provider from transaction SAML2)

OAuth Client Configuration

The OAuth client needs to authenticate it against the Gateway system. The following settings need to be maintained:


OAuth2 Client Id

This field contains the username of the ABAP service user which is used to identify the OAuth2 client

# OAuth2 client id
OAuth2 Client Secret

This field contains the password used for authentication

# OAuth2 client password

URL of Token Endpoint

Maintain the URL to the token endpoint. The endpoint must be accessed using the HTTPS access point.

# OAuth2 Token endpoint

ABAP Configuration

Trust establishment in transaction SAML2 requires SAML2 metadata. The metadata file is generated by the unit test run and written to the working directory. 

SAML2 Metadata
Metadata written to C:\Users\d039113\git\OA2C\OAuth2Client_Java\metadata.xml

Once the metadata is generated, follow the steps outlined in Using OAuth 2.0 from a Web Application with SAML Bearer Assertion Flow#ConfigurationGuideforthisscenario.


For integration in your application, please refer to the unit test

  • No labels

1 Comment

  1. Dear Martin ,

    have followed all the steps but unfortunately getting CX-Saml2_assertion error . Could you suggest any solution for this pls ?