SAP Gateway – Configure NameID and activate trusted SAML 2.0 IdP
The current state is that a trust between Gateway as SP and Keycloak as IdP is established. While the previous step established the trust, the IdP is not yet enabled in SAP Gateway, meaning that SAML 2.0 logons are not possible. For this to work, the IdP must be enabled. Currently, enabling is not possible and will fail, because the NameID configuration is missing. NameID is needed to map the SAML 2.0 user ID to the SAP user ID (simplified).
Configure NameID
Tx: SAML2
Open the tab Trusted Providers. Click Edit, then open the tab Identity Federation. The list of configured supported NameID formats is empty.
Click Add.
Select unspecified. This maps the NameID property transmitted by the SAML 2.0 IdP to the Logon ID of the SAP system. So, if the user has an account with ID tobias in Keycloak, this will be sent as NameID. The user needs to have the user ID tobias in Gateway to be able to log on.
Save.
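The mapping described above, as an added illustration (not SAP's or Keycloak's code): a simplified model of the SP side that reads the Subject NameID from an assertion, accepts it only if its format is one of the configured formats (here the standard SAML URN for unspecified), and resolves it against a constructed list of SAP logon IDs.

```python
import xml.etree.ElementTree as ET

# Standard SAML 2.0 assertion namespace.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Standard URN for the "unspecified" NameID format; per the SAML 2.0 spec a
# NameID without a Format attribute is also treated as unspecified.
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
# NameID formats the SP accepts; this page enables only "unspecified".
ACCEPTED_FORMATS = {UNSPECIFIED}
# Constructed stand-in for the SAP Gateway user master (logon IDs).
SAP_USERS = {"tobias", "admin"}

# Constructed assertion fragment: what the IdP would send for user "tobias".
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">tobias</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""


def extract_name_id(assertion_xml):
    """Return (format, value) of the Subject NameID, or None if absent/empty."""
    root = ET.fromstring(assertion_xml)
    node = root.find("saml:Subject/saml:NameID", NS)
    if node is None or not (node.text or "").strip():
        return None
    return node.get("Format", UNSPECIFIED), node.text.strip()


def map_to_sap_user(assertion_xml, accepted=ACCEPTED_FORMATS, users=SAP_USERS):
    """Simplified SP-side mapping: NameID -> SAP logon ID.

    Returns the SAP user ID on success, or an 'error: ...' string that names
    the reason the logon is refused (missing NameID, unconfigured format, or
    no matching SAP user).
    """
    name_id = extract_name_id(assertion_xml)
    if name_id is None:
        return "error: assertion carries no NameID"
    fmt, value = name_id
    if fmt not in accepted:
        return f"error: NameID format not configured on SP: {fmt}"
    if value not in users:
        return f"error: no SAP user with logon ID {value!r}"
    return value
```

With an empty set of accepted formats the model refuses every assertion, which mirrors why enabling the IdP fails before a NameID format is configured.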
Activate IdP
Now you can activate the trusted IdP. Select the IdP entry in the list.
Click on Enable.
Result
IdP is active.
Now users can use the IdP as their identity provider and log on in SAP Gateway.