It's full of stars


Create user in NetWeaver via SAML 2.0 – 3 – Configure ICF

By Tobias Hofmann September 16, 2020 Posted in SAP


The ICF configuration is more involved than the standard SAML 2.0 configuration. Instead of just validating the SAML 2.0 response, the response must be validated and a user must be created or updated. To be able to create or update a user, the received response must be handled by a service user, and that user has the authorization to create and update users in the NW user base. Therefore the SAML 2.0 endpoint is not the standard ACS endpoint. An external alias receives the SAML response from the IdP, the BADI is called there, and the user is then redirected to the original service URL.

As this is a little bit more complex, I'll try to explain it using a picture.

There are two ICF services:

  1. External service: /sap/saml2/sp/register
  2. Internal service: /sap/bc/saml2/register_user

The browser calls the external ICF node with the SAMLResponse payload. The external service then calls the internal one: it uses the service data (a pre-configured user and password) to log on to the internal ICF service and trigger the BADI for user creation / update. The internal ICF service also validates the SAMLResponse from the IdP, so the service user's authorization is only used for a response the IdP actually signed.
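To make the division of labour between the two services concrete, here is an added toy model of the flow in Python. It is not SAP code and not part of the original post: the "SAMLResponse" is a constructed JSON assertion with an HMAC tag standing in for the IdP's XML signature, the NW user base is a dict, and the service-data user, the IdP key and the user attributes are all made up. It shows the two checks a practitioner cares about: the internal service is only reachable through the service-data logon, and it still validates the response before the BADI-style create/update runs, so a forged POST to the external alias creates nothing.

```python
"""Toy model of external alias -> internal ICF service -> user create/update.

Constructed example (not SAP code). The IdP signature is modelled with an
HMAC over a JSON assertion; the NW user base is a dict.
"""
import base64
import hashlib
import hmac
import json

IDP_KEY = b"constructed-idp-signing-key"            # stands in for the IdP's signing certificate
SERVICE_USER = ("SAMLSERVICE", "constructed-pw")     # service data configured on the external alias
ORIGINAL_URL = "/sap/bc/webdynpro/sap/zdemo"         # hypothetical service the user originally requested

user_base = {}  # stand-in for the NW user base: user name -> attributes


def idp_sign(assertion: dict) -> str:
    """IdP side: produce a base64 'SAMLResponse' carrying the assertion and its tag."""
    body = json.dumps(assertion, sort_keys=True).encode()
    tag = hmac.new(IDP_KEY, body, hashlib.sha256).hexdigest()
    return base64.b64encode(json.dumps({"assertion": assertion, "tag": tag}).encode()).decode()


def forge_response(assertion: dict) -> str:
    """Attacker side: same envelope, but without the IdP key the tag cannot be right."""
    return base64.b64encode(json.dumps({"assertion": assertion, "tag": "deadbeef"}).encode()).decode()


def validate_saml_response(saml_response: str):
    """Internal service: verify the tag before trusting a single attribute.

    Returns the assertion dict, or None if the response is malformed or not signed by the IdP.
    """
    try:
        msg = json.loads(base64.b64decode(saml_response))
        body = json.dumps(msg["assertion"], sort_keys=True).encode()
        expected = hmac.new(IDP_KEY, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(msg["tag"])):
            return None
        return msg["assertion"]
    except (ValueError, KeyError, TypeError):
        return None


def internal_register_user(saml_response: str, relay_state: str, logon: tuple) -> dict:
    """/sap/bc/saml2/register_user: requires the service-data logon, validates, then creates/updates."""
    if logon != SERVICE_USER:
        # Direct calls without the service user never reach the user base.
        return {"status": 401, "reason": "logon through service data required"}
    assertion = validate_saml_response(saml_response)
    if assertion is None:
        # Privileged context, but the response is not from the IdP: refuse.
        return {"status": 403, "reason": "SAMLResponse validation failed"}
    name = str(assertion["NameID"]).upper()
    action = "updated" if name in user_base else "created"
    user_base[name] = {"email": assertion.get("email", "")}  # the BADI's job in the real system
    # After the user exists, send the browser on to the service it originally asked for.
    return {"status": 302, "location": relay_state, "user": name, "action": action}


def external_register(saml_response: str, relay_state: str) -> dict:
    """/sap/saml2/sp/register: anonymous browser POST, forwarded with the alias's service data."""
    return internal_register_user(saml_response, relay_state, SERVICE_USER)


if __name__ == "__main__":
    resp = idp_sign({"NameID": "jdoe", "email": "jdoe@example.com"})   # constructed assertion
    print(external_register(resp, ORIGINAL_URL))
    print(external_register(forge_response({"NameID": "admin"}), ORIGINAL_URL))
```

The ordering in the internal handler mirrors the SICF setup above: the logon check corresponds to "Logon Through Service Data" being the only procedure on the alias, and the validation step is why the internal service must keep CL_HTTP_EXT_SAML20 even though the external alias no longer offers SAML logon.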

Create internal ICF service

Tx: SICF

Select the host, service path /sap/bc/saml2/ and click on “Create Host/Service”.

Name of service: register_user
Type: Independent service

Description: SAML create user
Logon Data: Alternative Logon Procedure

Remove SAML Logon from List

Logon handler: CL_HTTP_EXT_SAML20

Save and activate the service.

Create external ICF alias

Tx: SICF

Click on “External Aliases”.

Select default_host.

Click on Create.

External Alias: /sap/saml2/sp/register

Logon:

Client: 001
User / Password: the service user that is authorized to create users
Procedure: Alternative Logon Procedure

Delete SAML Logon

Change order of Logon Through Service Data to 1

Target element: /default_host/sap/bc/saml2/register_user

Save.

Result

New external alias /sap/saml2/sp/register is created.