„We take security seriously“ or „we take your privacy and security seriously” is what you hear from every company that offers some kind of service on the internet. It is what customers want to hear, what shareholders want to hear, and of course, what employees want to hear. After all, Read more…
There are many alternatives available to achieve single sign-on to a NetWeaver (ABAP) system. I’ve already demonstrated these at DSAG AK Development as well as documented almost all of them in my blog. For instance, take a look at SAML 2.0, X.509 based logon or OAuth 2.0. All of the Read more…
SAP NetWeaver ABAP can be configured to use SAML 2.0 for Single Sign-on. You have to specify a default SAML 2.0 IdP to handle the user logons. After NW ABAP is configured, and the users are accessing a protected services like SAP WebGui, they are presented a screen asking you Read more…
Szenario A trust between the SAML 2.0 IdP and SP is created. A user tries to log on for the first time to NetWeaver ABAP and after successfully logging in at the IdP, logging at the SP fails. The SAMLResponse is validated without errors, the NetWeaver ABAP system cannot create Read more…
Szenario Users are able to logon to NetWeaver ABAP via SAML 2.0 and get their user created automatically. A user information is now changed in the IdP and the corresponding information in NetWeaver must now be updated the next time the user logs on. Problem Updating the user information in Read more…
Szenario A trust between the SAML 2.0 IdP and SP is created. A user tries to log on to NetWeaver and after successfully logging in at the IdP, the SP is denying access. Problem An error in the BAdI create_user_to_federate is thrown. Exception type CX_SY_REF_IS_INITIAL. Trace Use the diag tool Read more…
Szenario A trust between the SAML 2.0 IdP and SP is created. A user tries to log on to NetWeaver and after successfully logging in at the IdP, the SP is denying access. Problem Using the diag tool to get a trace of the SAML 2.0 logon. The incoming request Read more…
SSO logon with an X.509 certificate offers some benefits. In this blog, I’ll cover the main benefits, problems and attention areas when using X.509 for SSO. As a practical example the X.509 logon with NetWeaver ABAP is shown. To access an ICM service on a NetWeaver ABAP system (NW ABAP), Read more…
Scenario A user authenticated against the SAML 2.0 IdP. The OAuth client is sending the SAML 2.0 Response containing the user assertions to the NetWeaver ABAP system. An error of type invalid grant is returned. Error message: { “error”: “invalid_grant”, “error_description”: “Provided authorization grant is invalid. Exception was Attribute ‘Recipient’ of element ‘SubjectConfirmationData’ is invalid. For more information, consult the kernel traces or the OAuth 2.0 trouble shooting SAP note 1688545” } Root cause The OAuth client is sending the SAML Read more…
Scenario You send a SAML Bearer Assertion to the OAuth token service of SAP Gateway. The Return type is 400 Bad Request. Error message { “error”: “invalid_grant”, “error_description”: “Provided authorization grant is invalid. Exception was Message Assertion is not signed. For more information, consult the kernel traces or the OAuth 2.0 trouble shooting SAP note 1688545” } Root cause The error message contains a description of the root cause for the HTTP 400: “Exception was Message Assertion is not Read more…