OAuth configuration 4 – Add trusted OAuth Identity Provider

Published by Tobias Hofmann on

1 min read

After creating an OAuth client user and assigning it the permissions to call the OAuth-protected OData service, it is time to start the actual OAuth client configuration. First, add an OAuth Identity Provider (IdP).

The OAuth IdP that NetWeaver ABAP accepts is a normal SAML 2.0 IdP. This is because NW ABAP uses the OAuth flow SAML2-Bearer. In that flow, the user authenticates at a SAML 2.0 IdP and sends the SAML 2.0 response to NW ABAP, which validates it to verify that the user authenticated successfully at the trusted SAML 2.0 IdP.

Start adding a trusted OAuth IdP to NW ABAP by calling the web app saml2.


This will open your web browser and call the Web Dynpro app saml2. In NPL, the URL is: https://vhcalnplci:44300/sap/bc/webdynpro/sap/saml2?TRUSTED_PROVIDER_TYPE=OA2#

Add a new trusted IdP for OAuth by uploading the metadata of the IdP. I blogged about how to get the metadata from Keycloak.

Go through the setup wizard.

Keycloak includes one signing certificate. You can take a look at its details.

Click on finish and the OAuth 2.0 IdP gets imported.
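What the imported metadata establishes, and what NW ABAP has to check before it accepts a SAML2-Bearer assertion from that IdP, is easier to see in code. The following is an added example, not code from the original post or from SAP: it parses a constructed, Keycloak-style metadata document to extract the trusted entityID and signing certificate (the values the wizard shows), checks a constructed SAML response against that trust (issuer, validity window, audience), and builds the form body of the SAML2-Bearer token request as defined in RFC 7522. The entityID, host names, audience `NPL_OAUTH`, user `DEVELOPER` and client id are invented sample values; XML signature verification against the imported certificate is assumed to be done by an XML-DSig library and is not shown here.

```python
"""Trusted SAML 2.0 IdP metadata and SAML2-Bearer checks (added example, stdlib only)."""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed sample: minimal IdP metadata as Keycloak exports it (values invented).
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://keycloak.example.test/realms/demo">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIB...CONSTRUCTED-PLACEHOLDER-CERT...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://keycloak.example.test/realms/demo/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample: the SAML response the IdP returns after the user logged in.
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2020-06-01T12:00:00Z">
  <saml:Issuer>https://keycloak.example.test/realms/demo</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-06-01T12:00:00Z">
    <saml:Issuer>https://keycloak.example.test/realms/demo</saml:Issuer>
    <saml:Subject><saml:NameID>DEVELOPER</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2020-06-01T11:59:00Z" NotOnOrAfter="2020-06-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>NPL_OAUTH</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# Fixed "current time" inside the assertion's validity window, so the example is reproducible.
SAMPLE_NOW = datetime(2020, 6, 1, 12, 1, tzinfo=timezone.utc)


def load_trusted_idp(metadata_xml):
    """Extract what the trusted-IdP import keeps: entityID and signing certificate(s)."""
    root = ET.fromstring(metadata_xml)
    certs = [c.text.strip() for c in
             root.findall(".//md:KeyDescriptor[@use='signing']//ds:X509Certificate", NS)]
    return {"entity_id": root.get("entityID"), "signing_certs": certs}


def _parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(response_xml, trusted, audience, now):
    """Return (True, name_id) if the assertion is acceptable, else (False, reason).

    Signature verification against trusted["signing_certs"] is assumed to happen
    before these checks and is not implemented here.
    """
    assertion = ET.fromstring(response_xml).find("saml:Assertion", NS)
    if assertion is None:
        return False, "no Assertion element"
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != trusted["entity_id"]:  # only the imported IdP is trusted
        return False, f"untrusted issuer {issuer!r}"
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return False, "no Conditions element"
    if not (_parse_time(cond.get("NotBefore")) <= now < _parse_time(cond.get("NotOnOrAfter"))):
        return False, "assertion outside its validity window"
    audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:  # assertion was issued for a different relying party
        return False, f"audience {audience!r} not in {audiences}"
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    return (True, name_id) if name_id else (False, "no NameID")


def build_token_request(assertion_xml, client_id, scope):
    """Form fields of a SAML2-Bearer grant (RFC 7522 section 2.1): base64url, no padding."""
    assertion_b64 = base64.urlsafe_b64encode(assertion_xml.encode("utf-8")).rstrip(b"=").decode("ascii")
    return {
        "grant_type": "urn:ietf:params:oauth:grant-type:saml2-bearer",
        "assertion": assertion_b64,
        "client_id": client_id,  # assumed client authentication; sample value
        "scope": scope,
    }


if __name__ == "__main__":
    idp = load_trusted_idp(IDP_METADATA)
    print("trusted entityID:", idp["entity_id"], "| signing certs:", len(idp["signing_certs"]))
    print("validation:", validate_assertion(SAML_RESPONSE, idp, "NPL_OAUTH", SAMPLE_NOW))
    print("token request fields:", sorted(build_token_request(SAML_RESPONSE, "OAUTH_CLIENT", "ZODATA_SRV")))
```

The three checks in `validate_assertion` are what "trusted" buys you: an assertion signed by an unknown IdP, an expired one, or one issued for another relying party is rejected before any user is mapped. The wizard's certificate details are the signing material that the (omitted) signature check would use.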

The OAuth 2.0 IdP is not enabled yet. This will be done in my next blog.

Categories: BasisSAP

Tobias Hofmann

Doing stuff with SAP since 1998. Open, web, UX, cloud. I am not a Basis guy, but very knowledgeable about Basis stuff, as it's the foundation of everything I do (DevOps). Performance is king, and unit tests is something I actually do. Developing HTML5 apps when HTML5 wasn't around. HCP/SCP user since 2012, NetWeaver since 2002, ABAP since 1998.


Rafael Chagas · June 4, 2020 at 19:43

Great job!

Gregor · August 16, 2023 at 17:23

Hi Tobias,

You mention tx SOAUTH2, but I think in this step the transaction code is SAML2, or?

