SAML 2.0 – Automatic redirect to default IdP
SAP NetWeaver ABAP can be configured to use SAML 2.0 for Single Sign-On. You have to specify a default SAML 2.0 IdP to handle the user logons. After NW ABAP is configured and users access a protected service like SAP WebGui, they are presented with a screen asking them to select the SAML 2.0 IdP.
This is the standard NW ABAP logon screen when configured to use SAML 2.0. It asks the user to select the correct IdP to carry out the logon. The logon process continues when the user clicks Continue. With the default IdP already preselected, this is an additional step you might want to skip. With more than one IdP configured, the user is presented with all of them. Therefore, this step looks wrong and confusing to the average user. Their expectation is to see a logon screen, not a screen asking them to select an IdP – which in most cases the end user does not even understand. The IdP can have a self-explanatory name or (mostly) a technical name. Regardless of what the IdP name is, this screen is not what you should present to your users.
List active SAML 2.0 IdPs
The list of available IdPs shown is defined in the SAML 2.0 configuration of NW ABAP. For each active SAML 2.0 IdP, an entry is shown. To see the list of active IdPs, call transaction SAML2.
Transaction: SAML2
Select tab Trusted Providers.
The active IdPs are shown in the dropdown list of the logon screen.
Automatically forward users to default SAML 2.0 IdP
From the list of IdPs you can see whether they are active (NameID configured) and that one IdP is selected as the default. Why is the user then not redirected automatically to the default IdP? Why does the user still have to select the IdP and trigger the redirect manually?
Open the configuration of your “Local Provider” and click on “Service Provider Settings”.
In the section “Identity Provider Discovery: Common Domain Cookie (CDC)” the parameter “Selection Mode” defines whether the user is automatically redirected to an IdP. By default, the value is set to “Manual”. This means that the user needs to select an IdP. To let the SP select an IdP automatically, change the value to “Automatic”.
Selection Mode: Automatic
Test
You can test the automatic redirect by accessing SAP WebGui.
http://vhcalnplci:8000/sap/bc/gui/sap/its/webgui
The user is now redirected automatically to the logon screen of the default SAML 2.0 IdP.
What happens underneath? The SP receives the request for the WebGui service and sends a response back to the browser. The response contains a redirect to the default IdP.
The call to WebGui is answered with a redirect (302), and the SAMLRequest information is added to the Location header.
HTTP header location:
http://localhost:8080/auth/realms/NPL/protocol/saml? SAMLRequest=fZHNasMwEIRfxejuSLJjkiyxITQUDGkITemhN9Ve E4EsuVq5P29f2aGlPbTXYWfmG2lLqjcD7MZwsff4MiKFpN6X7Fxk jRLtuk3zTbZKJbbP6aZTMsVOFFm7WeYSC5Y8oiftbMmyhWBJTTRi bSkoG6IkMpmKPBXLB7mCXEJePLFkHxu0VWF2XUIYgHPjGmUujgKs xVpwFWG4R2V64sfTgQ%2FeBdc4wydWltw63%2BAMXLJOGcKp%2BK SI9Ct%2BK%2B%2B9sQTzuJKN3oJTpAms6pEgNHDe3R0gQsNXOKu2 0zXMG%2FwP%2F%2F%2F2WIt%2BGsOqiCqE3PIfMdfMAY7RV%2B9P zujmY%2BLvVfg7Vi7krOg27eZTGC0N2OhOY8uSnTHu7SY%2BT4hr gx%2BR8epa%2Bvsbq08%3D&RelayState=oucvscaqdydotzsxor edbozfaroefqvsdzutrev
The above SAMLRequest decodes to:
<samlp:AuthnRequest ID="S52ca0d8d-3927-1edb-a0e2-ba43c8d5b232" Version="2.0" IssueInstant="2021-03-12T09:32:10Z" Destination="http://localhost:8080/auth/realms/NPL/protocol/saml" ForceAuthn="false" IsPassive="false" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">NPL001</saml:Issuer> <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true"/></samlp:AuthnRequest>
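To check such a redirect yourself, here is an added Python example (not code from the original post or from SAP) that builds a Location header in the SAML HTTP-Redirect binding from the AuthnRequest above (raw DEFLATE, base64, URL-encode) and decodes it back, verifying that the Destination inside the request matches the endpoint the browser is actually sent to. The RelayState value and the decode helper names are constructed for this example.

```python
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: the AuthnRequest shown above, with its ID, Issuer and Destination.
AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
    'ID="S52ca0d8d-3927-1edb-a0e2-ba43c8d5b232" Version="2.0" '
    'IssueInstant="2021-03-12T09:32:10Z" '
    'Destination="http://localhost:8080/auth/realms/NPL/protocol/saml" '
    'ForceAuthn="false" IsPassive="false">'
    '<saml:Issuer>NPL001</saml:Issuer>'
    '<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" '
    'AllowCreate="true"/></samlp:AuthnRequest>'
)

def encode_redirect_location(idp_sso_url, authn_request_xml, relay_state):
    """Location header value of the HTTP-Redirect binding: raw DEFLATE, base64, URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate, no zlib header
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    saml_request = base64.b64encode(deflated).decode()
    query = urllib.parse.urlencode({"SAMLRequest": saml_request, "RelayState": relay_state})
    return f"{idp_sso_url}?{query}"

def decode_redirect_location(location):
    """Reverse the binding (URL-decode, base64-decode, raw-inflate, parse XML) and return the fields worth reviewing."""
    parsed = urllib.parse.urlparse(location)
    params = urllib.parse.parse_qs(parsed.query)
    xml_bytes = zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), -15)
    root = ET.fromstring(xml_bytes)
    issuer = root.find(f"{{{SAML}}}Issuer")
    policy = root.find(f"{{{SAMLP}}}NameIDPolicy")
    # The IdP compares Destination with the URL it was actually reached on,
    # so scheme, host, port and path of the redirect target must match it.
    endpoint = urllib.parse.urlunparse(parsed._replace(query="", fragment=""))
    return {
        "id": root.get("ID"),
        "issuer": issuer.text if issuer is not None else None,
        "destination": root.get("Destination"),
        "destination_ok": root.get("Destination") == endpoint,
        "force_authn": root.get("ForceAuthn"),
        "nameid_format": policy.get("Format") if policy is not None else None,
        "relay_state": params.get("RelayState", [None])[0],
    }
```

Paste the Location header value captured from the 302 into decode_redirect_location to see which IdP endpoint, Issuer and NameID format the SP actually sent.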
1 Comment
Embed self-hosted SAP Fiori Launchpad into Microsoft Teams - · August 2, 2022 at 11:50
[…] in case you have issues with the SSO and multiple configured IdPs. Tobias Hofmann created a nice post for […]