Single Sign-On with SAML 2.0

This is the starting point of all SAML 2.0 related topics.

You can read about SAML standard at SAML V2.0 Standard wiki page

Availability of SAML 2.0:

SAML 2.0 Service Provider

• NetWeaver AS Java 7.20, 7.30, 7.31 and 7.4, 7.5 and higher
• NetWeaver AS ABAP 7.02, 7.30, 7.31 and 7.4, 7.5 and higher

SAML 2.0 Identity Provider 

• Part of SAP Single Sign-On
• Part of NetWeaver Identity Management
• Have to be installed on top of NetWeaver AS Java (SAP NW CE 7.2 Application Server Java, SAP NW 7.3 Application Server Java (or following EhPs), SAP NW 7.4 Application Server Java)

List of topics

SAML 2.0 in AS Java

• Step-by-Step guide for SSO from MS Sharepoint 2010 to SAP EP 7.0x
  This wiki page describes only the necessary configuration for single sign-on from Microsoft SharePoint 2010 to SAP Portal 7.0x. It does not cover the other direction when user logged into SAP Portal has to have SSO to SharePoint 2010. The example setup assumes that the user IDs in ADFS 2.0, AS Java 7.2 and SAP Portal 7.0x are the same.
• Single Sign-On with SAML 2.0 and ABAP Systems Supporting SAP Logon Tickets
  This wiki page describes implementing a single sign-on mechanism with SAML 2.0 in a network including an ABAP system which does not support SAML 2.0 authentication. Explanations are based on a sample real-life scenario.
• Single Sign-On between SAP Portal and SuccessFactors
  This document describes how to enable single sign-on from a customer's on-premise SAP Portal to SuccessFactors. Single sign-on is based on standard SAML 2.0 mechanisms and the Identity Provider of SAP Netweaver Single Sign-On is used.
• Implementation of Identity Federation for SAML 2.0
  This Wiki describes how to configure identity federation for Security Assertion Markup Language (SAML) 2.0 so that the users can attain federated identities for authentication. It also gives some example scenarios that would help the user federate identities.

• SAML 2.0 and SAP GUI Single Sign-On in one and the same scenario

  This blog offers a solution to the scenario in which the interoperable SAML assertion could be used for the issuance of a well-known X.509 client certificate and then the certificate to be used for authentication to applications such as SAP GUI that do not support SAML authentication mechanisms, but accept X.509 client certificates.

SAML 2.0 in AS ABAP

• SAML 2.0 Service Provider for AS ABAP and Web Dispatcher or Proxy
  This wiki page outlines important information when using web dispatcher or proxy and SAML 2.0 authentication.
• Automatic User Account Creation and Update using SAML 2.0 in AS ABAP
  This wiki page describes the procedure to enable automatic user account creation and update using SAML 2.0 in AS ABAP.
• Export and import of ABAP SAML 2.0 SP configuration
  This wiki page describes how to export and import SAML 2.0 SP configuration in AS ABAP
• Using SAML 2.0 Authentication to Access Fiori Apps from the Public Internet
  This presentation is in two parts.  The first is an explanation of how SAML 2.0 based authentication works from the public internet to an SAP NW Gateway server. The second is an overview of the configuration steps needed to implement this type of authentication so that a customer can grant their users access to SAP Fiori applications.   This presentation is not intended to act as a step-by-step cookbook or how-to guide.  Instead, it describes the steps that were performed during one particular customer implementation of SAP Fiori.  There are multiple places within the presentation where you can click on hypertext links that will take you to the relevant page of the SAP Help Portal.
• How to Setup SAP Web Dispatcher for Fiori Applications
  This guide covers How to Set up SAP Web Dispatcher for Fiori Applications. Communication scenarios, such as HTTP, SSL Termination, SSL re-Encryption, and X.509 client certificate authentication are covered.
• ICF logon procedures configuration for SAML 2.0 authentication
  This guide describes how to configure the SAML 2.0 logon procedure for applications/ICF services in transaction SICF. It describes also how to disable the use of SAML2.0 when logging on to application/IF service
  

Troubleshooting

• Troubleshooting SAML 2.0 Scenarios 
  This wiki page describes how to collect traces in case of problems with SAML 2.0 authentication in AS Java or AS ABAP.
• Common Problems When Configuring SAML 2.0 for AS ABAP
  This wiki page contains list of problems and their possible solution

• Decision tree

  This guided answers application will help you find possible solution for your problem.

Documentation

SAML 2.0 documentation for NetWeaver 7.5 (Service Provider in AS Java and AS ABAP) 

SAML 2.0 documentation for NetWeaver 7.4 (Service Provider in AS Java and AS ABAP)

SAML 2.0 documentation for NetWeaver 7.3 Ehp1 (Service Provider in AS Java and AS ABAP)

SAML 2.0 documentation for NetWeaver 7.3 (Service Provider in AS Java and AS ABAP)

SAML 2.0 documentation for NetWeaver 7.2 (Service Provider in AS Java)

SAML 2.0 documentation for NetWeaver 7.0 EHP2 (Service Provider in AS ABAP)

SAP Single Sign-On Identity Provider – Implementation Guide

Security Token Service for SAP NetWeaver Single Sign-On and SAP NetWeaver Identity Management

Setup of SAP Fiori System Landscape with SAML 2.0

SAML and SAP Gateway

Community

SAP NetWeaver Single Sign-On Community (Including Identity Provider and Security Token Service for AS Java)

Interoperability

SAP products certified in Kantara Initiative SAML 2.0 full-matrix interoperability testing conducted January - February 2011
SAP Products certified in Liberty Alliance Project in 2009

Other Useful Links

Wiki page on using proxies

SAP Web Dispatcher

Analysis and Recommended Settings of the Security Audit Log (SM19 / SM20)