SAML 2.0 Configuration with SAP Gateway as SP and Keycloak as IdP

Published by Tobias Hofmann on

1 min read

This is the introduction blog on how to activate SAML 2.0 based logon on SAP NetWeaver ABAP systems. The example configuration shown here is using SAP Gateway. It is the same procedure for any SAP NetWeaver ABAP system that allows SAML 2.0 logons. The system used while writing the blog content was the Gateway Developer Edition that can be downloaded for free from SAP. It is also known as NPL. You can reproduce the configuration by using the Gateway System and Keycloak.

On a high level architecture, Keycloak is the SAML 2.0 Identity Provier (IdP), and SAP Gateway is the SAML 2.0 Service Provider (SP). Gateway provides the service a user wants to access, like WebGui, and Keycloak provides the user information. The user needs to authenticate against Keycloak to be able to log on to Gateway.

The configuration steps needed are:

SAP Gateway

  1. Activate SAML 2.0 Service Provider (SP)

Keycloak

  1. Installation of Keycloak via Docker
  2. Create a SAML 2.0 Client in Keycloak
  3. Download SAML 2.0 IdP Metadata from Keycloak

SAP Gateway

  1. Create Trust between IdP and SP
  2. Configure IdP NameID and activate IdP
  3. Activate SAML Logon for SAP WebGui

In Keycloak you can configure realms. Each realm is independent and has its own configuration. I recommend creating a realm named SAML for the above tasks. Later you can add a new realm and add there a new configuration for SAP Gateway and Keycloak like OAuth 2.0 or a different SAML 2.0 configuration, without having to reconfigure your existing realm.

Additional Links

Let the world know

Tobias Hofmann

Doing stuff with SAP since 1998. Open, web, UX, cloud. I am not a Basis guy, but very knowledgeable about Basis stuff, as it's the foundation of everything I do (DevOps). Performance is king, and unit tests is something I actually do. Developing HTML5 apps when HTML5 wasn't around. HCP/SCP user since 2012, NetWeaver since 2002, ABAP since 1998.

0 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.