SAML 2.0 Configuration with SAP Gateway as SP and Keycloak as IdP

This is the introduction blog on how to activate SAML 2.0 based logon on SAP NetWeaver ABAP systems. The example configuration shown here is using SAP Gateway. It is the same procedure for any SAP NetWeaver ABAP system that allows SAML 2.0 logons. The system used while writing the blog content was the Gateway Developer Edition that can be downloaded for free from SAP. It is also known as NPL. You can reproduce the configuration by using the Gateway System and Keycloak.

On a high level architecture, Keycloak is the SAML 2.0 Identity Provier (IdP), and SAP Gateway is the SAML 2.0 Service Provider (SP). Gateway provides the service a user wants to access, like WebGui, and Keycloak provides the user information. The user needs to authenticate against Keycloak to be able to log on to Gateway.

The configuration steps needed are:

SAP Gateway

1. Activate SAML 2.0 Service Provider (SP)

Keycloak

1. Installation of Keycloak via Docker
2. Create a SAML 2.0 Client in Keycloak
3. Download SAML 2.0 IdP Metadata from Keycloak

SAP Gateway

1. Create Trust between IdP and SP
2. Configure IdP NameID and activate IdP
3. Activate SAML Logon for SAP WebGui

In Keycloak you can configure realms. Each realm is independent and has its own configuration. I recommend creating a realm named SAML for the above tasks. Later you can add a new realm and add there a new configuration for SAP Gateway and Keycloak like OAuth 2.0 or a different SAML 2.0 configuration, without having to reconfigure your existing realm.

Additional Links

• SCN Wiki: SSO with SAML 2.0
• SCN Wiki: Problems SAML AS ABAP
• SCN Wiki: Troubleshooting SAML 2.0 Scenarios
• Overview SSL and SAML configuration