SAP NetWeaver ABAP can be configured to use SAML 2.0 for Single Sign-on. You have to specify a default SAML 2.0 IdP to handle the user logons. After NW ABAP is configured, and the users are accessing a protected services like SAP WebGui, they are presented a screen asking you Read more…
SAP provides a nice trace tool for troubleshooting login errors with SAML 2.0: Sec Diag Tool. It is a WebDynpro ABAP application. Make sure to activate the necessary ICF services first before running the tool. URL: /sap/bc/webdynpro/sap/sec_diag_tool/ In NPL: https://vhcalnplci:44300/sap/bc/webdynpro/sap/sec_diag_tool/ With the tool you can start a SAML2 trace. When Read more…
The ICF configuration is more complex than the standard SAML 2.0 configuration. Instead of just validating the SAML 2.0 response, the response must be validated, and a user created or update. To be able to create / update a user, the response received must be handled by a service user. Read more…
The BADI you have to extend to be able to create or update a user in the SAP NW system based on the SAML 2.0 information is BADI_SAML20_USER_CREATE_UPDATE. It offers two methods, one for creating a new user, one for updating an existing user. Keep in mind that the SAP Read more…
SSO logon with an X.509 certificate offers some benefits. In this blog, I’ll cover the main benefits, problems and attention areas when using X.509 for SSO. As a practical example the X.509 logon with NetWeaver ABAP is shown. To access an ICM service on a NetWeaver ABAP system (NW ABAP), Read more…
This is the introduction blog on how to activate SAML 2.0 based logon on SAP NetWeaver ABAP systems. The example configuration shown here is using SAP Gateway. It is the same procedure for any SAP NetWeaver ABAP system that allows SAML 2.0 logons. The system used while writing the blog Read more…
Yes, this item should be under BEP and not HUB, but I am following SAP Help here, so sorry for the confusion! The configuration steps to be executed on the HUB system (FND) are detailed at SAP Help. The steps are for the OData Channel Service for backend system. Basic Read more…
Yes, this item should be under BEP and not HUB, but I am following SAP Help here, so sorry for the confusion! The configuration steps to be executed on the HUB system (FND) are detailed at SAP Help. The steps are for the OData Channel Service for backend system. Basic Read more…