
It's full of stars

Where documentation meets reality


Troubleshooting: Download SAML 2.0 SP Metadata

By Tobias Hofmann, March 23, 2020. Posted in SAP


Scenario

After you have enabled your NetWeaver ABAP system as a SAML 2.0 Service Provider, you want to download its metadata but instead get an error message: 403 Forbidden.

Tx: SAML2

Call the SAML 2.0 configuration Web Dynpro app via transaction SAML2 and click on Metadata.

Select what to include in the metadata file (all is fine).

The download of the metadata file is triggered, but instead of the file an error message is displayed:

Service cannot be reached: 403 Forbidden

Cause

The download cannot start as some ICF services are not activated.

Solution

Activate the necessary Internet Communication Framework (ICF) services. To be able to download the metadata from the service provider, you must manually activate the following two ICF services:

Activate service /sap/public/bc/sec/saml2

Tx: SICF
Service: /sap/public/bc/sec/saml2

Select the service and activate it.

Activate service /sap/public/bc/sec/cdc_ext_service

Tx: SICF
Service: /sap/public/bc/sec/cdc_ext_service

Select the service and activate it.

Result

Now the download of the SAML 2.0 SP Metadata will work.

Additional notes

I include a sample SAML 2.0 IdP Metadata file from NetWeaver ABAP.

<m:EntityDescriptor entityID="NPL001" validUntil="2038-01-01T00:00:01Z" cacheDuration="P18Y1M19DT1H30M" ID="S08002777-0476-1eea-81a3-21f6e7769f84" xmlns:m="urn:oasis:names:tc:SAML:2.0:metadata">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#S08002777-0476-1eea-81a3-21f6e7769f84">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>riuwEzJ1TDuoz0ksjfjeEgWq7W4=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>FmH1iXsWkimeQOmBkAYWfmTY8rcyHkNJxxl5ghA9U27DRM7unTVavGZ2o9HRwG2CAHdKM/q5IjUZ/nw/47p0sDKgJlY8cwcraEE71EY/z2opZoJB7g==</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>MIIDWzCCAkMCCAogGUAMHAxCzAJBgNVBAYTAkRFMRwwGgYDVQQK2atJSYxSwlU=</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <m:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="true" WantAssertionsSigned="true">
    <m:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIDWzCCAkMCCAogGREFFSUBMRF2atJSYxSwlU=</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </m:KeyDescriptor>
    <m:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIDWzCCAkMCCAogGREFFSUBMA0GCSqGSIb3DQEBCwUAMHAxCzAJBgNVBAYTAkkIhU4ft5lFeL9cGE+5y22haUvv/k=</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </m:KeyDescriptor>
    <m:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://vhcalnplci:44300/sap/saml2/sp/artifact/001" index="0" isDefault="true"/>
    <m:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://vhcalnplci:44300/sap/saml2/sp/slo/001"/>
    <m:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://vhcalnplci:44300/sap/saml2/sp/slo/001" ResponseLocation="https://vhcalnplci:44300/sap/saml2/sp/slo/response/001"/>
    <m:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://vhcalnplci:44300/sap/saml2/sp/slo/001"/>
    <m:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://vhcalnplci:44300/sap/saml2/sp/slo/001"/>
    <m:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://vhcalnplci:44300/sap/saml2/sp/acs/001" index="0" isDefault="true"/>
    <m:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://vhcalnplci:44300/sap/saml2/sp/acs/001" index="1"/>
    <m:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://vhcalnplci:44300/sap/saml2/sp/acs/001" index="2"/>
  </m:SPSSODescriptor>
  <m:RoleDescriptor xsi:type="fed:ApplicationServiceType" protocolSupportEnumeration="http://docs.oasis-open.org/ws-sx/ws-trust/200512 http://schemas.xmlsoap.org/ws/2005/02/trust http://docs.oasis-open.org/wsfed/federation/200706" xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <m:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIDWzCCAkMCCAogGREFFSUBMA0GCSqGSIb3DQEBCwUAMHAxCzAJBgNVBAYTAkRFMRwwGgYDVQQK2atJSYxSwlU=</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </m:KeyDescriptor>
    <m:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIDWzCCAkMCCAogGREFFSUBMA0GCSqGSIb3DQEBCwUAMHAxCzAJBgNVBAYTAkRFMRwwGgYDVQQKy22haUvv/k=</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </m:KeyDescriptor>
    <fed:ClaimTypesRequested>
      <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706"/>
    </fed:ClaimTypesRequested>
    <fed:ApplicationServiceEndpoint>
      <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
        <wsa:Address>http://vhcalnplci:8000/</wsa:Address>
      </wsa:EndpointReference>
    </fed:ApplicationServiceEndpoint>
    <fed:ApplicationServiceEndpoint>
      <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
        <wsa:Address>https://vhcalnplci:44300/</wsa:Address>
      </wsa:EndpointReference>
    </fed:ApplicationServiceEndpoint>
    <fed:TargetScopes>
      <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
        <wsa:Address>http://vhcalnplci:8000/</wsa:Address>
      </wsa:EndpointReference>
      <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
        <wsa:Address>https://vhcalnplci:44300/</wsa:Address>
      </wsa:EndpointReference>
    </fed:TargetScopes>
  </m:RoleDescriptor>
  <m:RoleDescriptor xsi:type="fed:SecurityTokenServiceType" protocolSupportEnumeration="http://docs.oasis-open.org/ws-sx/ws-trust/200512 http://schemas.xmlsoap.org/ws/2005/02/trust http://docs.oasis-open.org/wsfed/federation/200706" xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <m:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIDWzCCAkMCCAogGREFFSUBMA0GCSqGSIb3DQEBCwUAMHAxCzAJBgNVBAYTAkRFMRwwGgYDVQQK2atJSYxSwlU=</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </m:KeyDescriptor>
    <fed:ClaimTypesOffered>
      <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706"/>
    </fed:ClaimTypesOffered>
    <fed:TokenTypesOffered>
      <fed:TokenType Uri="urn:oasis:names:tc:SAML:1.0:assertion"/>
    </fed:TokenTypesOffered>
  </m:RoleDescriptor>
</m:EntityDescriptor>
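Once the download works, the file goes to the IdP administrator, and it is worth reviewing what it actually tells the IdP before sending it: the entityID, the validity window, whether the SP asks for signed requests and assertions, which algorithms the metadata signature uses, which endpoints the IdP will post to, and which certificates it will trust. The following script is an added example, not code from this post or from SAP. It uses only the Python standard library; the embedded sample document is a constructed, trimmed copy of the structure shown above with placeholder certificate and signature values, and treating the SHA-1 based XML-DSig algorithms as "weak" is a policy assumption of this example.

```python
"""Review a downloaded SAML 2.0 SP metadata file before handing it to the IdP (added example)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Policy assumption for this example: SHA-1 based XML-DSig algorithms are flagged.
WEAK_ALGORITHMS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#sha1",
}

# Constructed sample: trimmed from the metadata above, with placeholder key material.
SAMPLE_METADATA = """<m:EntityDescriptor entityID="NPL001" validUntil="2038-01-01T00:00:01Z" ID="S08002777-0476-1eea-81a3-21f6e7769f84" xmlns:m="urn:oasis:names:tc:SAML:2.0:metadata">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#S08002777-0476-1eea-81a3-21f6e7769f84"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>PLACEHOLDER_DIGEST=</ds:DigestValue></ds:Reference>
  </ds:SignedInfo><ds:SignatureValue>PLACEHOLDER_SIGNATURE=</ds:SignatureValue></ds:Signature>
  <m:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="true" WantAssertionsSigned="true">
    <m:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>PLACEHOLDER_SIGNING_CERT=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></m:KeyDescriptor>
    <m:KeyDescriptor use="encryption"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>PLACEHOLDER_ENCRYPTION_CERT=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></m:KeyDescriptor>
    <m:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://vhcalnplci:44300/sap/saml2/sp/slo/001"/>
    <m:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://vhcalnplci:44300/sap/saml2/sp/acs/001" index="0" isDefault="true"/>
    <m:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://vhcalnplci:44300/sap/saml2/sp/acs/001" index="1"/>
  </m:SPSSODescriptor>
</m:EntityDescriptor>
"""


def _utc(timestamp):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' form used by validUntil into an aware datetime."""
    return datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _local(tag):
    """Strip the namespace from an ElementTree tag like '{uri}Name'."""
    return tag.rsplit("}", 1)[-1]


def review_sp_metadata(xml_text, now=None):
    """Return (summary, findings): what the IdP admin needs to know, and what to question.

    `now` is an optional 'YYYY-MM-DDTHH:MM:SSZ' string so the expiry check is reproducible.
    """
    now_dt = _utc(now) if now else datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if _local(root.tag) != "EntityDescriptor":
        raise ValueError("not a SAML metadata EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")
    findings = []

    # Validity window: an expired file will be rejected by the IdP anyway.
    valid_until = root.get("validUntil")
    if valid_until and _utc(valid_until) <= now_dt:
        findings.append(f"metadata expired at {valid_until}")

    # Both flags should be true for an SP that expects signed requests and assertions.
    for attr in ("AuthnRequestsSigned", "WantAssertionsSigned"):
        if sp.get(attr) != "true":
            findings.append(f"{attr} is not true")

    # Metadata signature: present, and not using SHA-1 based algorithms.
    sig = root.find("ds:Signature", NS)
    if sig is None:
        findings.append("metadata is not signed")
    else:
        for el in sig.iter():
            if el.get("Algorithm") in WEAK_ALGORITHMS:
                findings.append(f"weak algorithm {el.get('Algorithm')} on {_local(el.tag)}")

    # Every SP endpoint the IdP will redirect or post to must be served over TLS.
    endpoints = []
    for el in sp:
        loc = el.get("Location")
        if loc:
            endpoints.append((_local(el.tag), el.get("Binding"), loc))
            if not loc.startswith("https://"):
                findings.append(f"non-TLS endpoint {loc}")

    # Signing and encryption certificates the IdP will trust for this SP.
    certs = {}
    for kd in sp.findall("md:KeyDescriptor", NS):
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        certs[kd.get("use")] = cert.text.strip() if cert is not None and cert.text else None
    for use in ("signing", "encryption"):
        if not certs.get(use):
            findings.append(f"no {use} certificate in metadata")

    summary = {"entity_id": root.get("entityID"), "valid_until": valid_until,
               "endpoints": endpoints, "certificates": certs}
    return summary, findings


if __name__ == "__main__":
    summary, findings = review_sp_metadata(SAMPLE_METADATA)
    print(summary["entity_id"], "valid until", summary["valid_until"])
    for name, binding, location in summary["endpoints"]:
        print(f"  {name:<25} {binding.rsplit(':', 1)[-1]:<14} {location}")
    for finding in findings:
        print("  !", finding)
```

Run against the sample, the script lists the SLO and ACS endpoints and reports two findings, both about the rsa-sha1 signature and sha1 digest on the metadata signature; the rest (signed requests and assertions, TLS-only endpoints, both certificates present) passes. Point it at the real downloaded file by reading it into `review_sp_metadata` instead of `SAMPLE_METADATA`.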