Table of Contents
Configuring SSL on the Frontend Server ... 3
Execute SAML 2.0 related configuration ... 15
Activating Security Sessions Management on AS ABAP ... 16
This exercise document is designed to guide you through the steps required to set up SAML2 based
authentication with Fiori apps. The focus of this exercise is limited to the SAP side of the equation and it is
important to note that multiple systems are needed in order for this configuration to work correctly. We are
not going to look into each one of those specifically.
The ABAP stack supports various authentication paradigms and SAML2 based authentication is one of
them. In broad terms, enabling SAML2 based authentication requires the following steps to be executed.
Setup & Enable SSL Communication
Execute SAML 2.0 related configuration
Please note that the appliance is configured for SSL communication. We do not have an Identity provider in
the landscape provided but you are welcome to test against any suitable IdPs that may be available to you.
My colleague, Chris Whealy, wrote an excellent document on this topic, published on SCN, here. I urge you
to read this document as well.
2) The Profile Parameters of an instance are accessed via the transaction RZ10.
This should give you a selection screen like the one below. You may have to import the profiles by
following the menu path Utilities > Import Profiles > Of Active Servers, also shown in the
screenshot below.
Once you have imported your profiles a confirmation page will be displayed.
When you navigate back to the landing page of the RZ10 transaction, choosing the F4 help icon on the
Profiles field should give you two options, a Default Profile and an Instance Profile. In our case, we will
choose the instance profile.
Procedure
a. This link on the help pages describes the necessary entries. I have included the tables here in
this document too.
b. If you used the recommended directory DIR_EXECUTABLE, then use the following values for
the location of the SAP Cryptographic Library. If you chose a different location, please specify
that location.
i. Unix: $(DIR_EXECUTABLE)/libsapcrypto.<ext>
ii. Windows: $(DIR_EXECUTABLE)\sapcrypto.dll
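To make the profile step checkable rather than purely visual, here is an added example (not part of the original exercise document, and not SAP code) that reads an instance profile in the plain "name = value" form RZ10 maintains, expands $(...) references and the $$ instance-number placeholder, and reports whether the SSL-related entries are complete. It assumes the parameter names SAP documents for SSL with the SAP Cryptographic Library (ssl/ssl_lib, sec/libsapsecu, ssf/ssfapi_lib, ssf/name) and the icm/server_port_<n> notation; the SID, paths and ports in the sample profile are constructed.

```python
"""Check an AS ABAP instance profile for the SSL-related entries.

Added example, not from the original document or from SAP. Parameter names are
those SAP documents for SSL with the SAP Cryptographic Library; SID, paths and
ports below are constructed for illustration.
"""
import re

# Constructed sample instance profile (hypothetical SID, paths and ports).
SAMPLE_PROFILE = """\
# Instance profile XYZ_D00_host (constructed sample)
SAPSYSTEMNAME = XYZ
SAPSYSTEM = 00
INSTANCE_NAME = D00
DIR_EXECUTABLE = /usr/sap/XYZ/D00/exe
ssl/ssl_lib = $(DIR_EXECUTABLE)/libsapcrypto.so
sec/libsapsecu = $(ssl/ssl_lib)
ssf/ssfapi_lib = $(ssl/ssl_lib)
ssf/name = SAPSECULIB
icm/server_port_0 = PROT=HTTP,PORT=80$$
icm/server_port_1 = PROT=HTTPS,PORT=443$$,TIMEOUT=60
"""

REQUIRED_LIB_PARAMS = ("ssl/ssl_lib", "sec/libsapsecu", "ssf/ssfapi_lib")


def parse_profile(text):
    """Return {name: raw value} for every 'name = value' line; '#' lines are comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def resolve(params, value, depth=0):
    """Expand $(name) references recursively, then replace $$ with the instance number."""
    if depth > 10:
        raise ValueError("reference loop while expanding %r" % value)

    def sub(match):
        ref = match.group(1)
        if ref not in params:
            raise KeyError("undefined profile parameter $(%s)" % ref)
        return resolve(params, params[ref], depth + 1)

    expanded = re.sub(r"\$\(([^)]+)\)", sub, value)
    return expanded.replace("$$", params.get("SAPSYSTEM", "$$"))


def https_ports(params):
    """Return the resolved port numbers of every icm/server_port_<n> entry with PROT=HTTPS."""
    ports = []
    for name, raw in params.items():
        if not re.fullmatch(r"icm/server_port_\d+", name):
            continue
        fields = dict(kv.split("=", 1) for kv in resolve(params, raw).split(",") if "=" in kv)
        if fields.get("PROT", "").upper() == "HTTPS" and fields.get("PORT", "").isdigit():
            ports.append(int(fields["PORT"]))
    return sorted(ports)


def check_ssl_profile(params):
    """Return a list of findings; an empty list means the SSL entries look complete."""
    findings = []
    for p in REQUIRED_LIB_PARAMS:
        if p not in params:
            findings.append("missing %s" % p)
    if params.get("ssf/name") != "SAPSECULIB":
        findings.append("ssf/name should be SAPSECULIB when using the SAP Cryptographic Library")
    if "ssl/ssl_lib" in params:
        lib = resolve(params, params["ssl/ssl_lib"])
        # Accept both Unix (libsapcrypto.<ext>) and Windows (sapcrypto.dll) file names.
        if "sapcrypto" not in lib.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]:
            findings.append("ssl/ssl_lib does not point at the sapcrypto library: %s" % lib)
        for p in ("sec/libsapsecu", "ssf/ssfapi_lib"):
            if p in params and resolve(params, params[p]) != lib:
                findings.append("%s resolves to a different library than ssl/ssl_lib" % p)
    if not https_ports(params):
        findings.append("no icm/server_port_<n> entry with PROT=HTTPS; the ICM will not accept HTTPS")
    return findings


if __name__ == "__main__":
    profile = parse_profile(SAMPLE_PROFILE)
    print("HTTPS ports:", https_ports(profile))
    print("findings:", check_ssl_profile(profile) or "none")
```

Run it against the text of your own instance profile (copied from RZ10 or the profile file) to confirm every entry in the help-page table is present before restarting the ICM; an empty findings list and at least one HTTPS port is the expected result.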
ii. Pressing the green tick mark results in the PSE being created.
iii. When choosing the replace option, we are presented with the dialog box
1. First asking us to confirm our intentions (choose yes here)
f.
ii. Now either copy the certificate to your clipboard or save it to a file, by first pressing the
Create Certificate Request icon (with the yellow arrow).
h. Once the CA server responds with the Certificate Request Response, this must be imported into
the corresponding PSE
i. Choose the application server PSE
ii. Import the response using the Import Certificate Response icon (with the green arrow)
iii. Load the file you have received from the CA (one could also copy the contents and paste
them into the dialog box.)
iv. Save
v. Which should result in a screen like this. Please note that the screenshots are from
different systems so only use these as reference, not for literal interpretation.
vi. Finally, if using certificates for authenticating clients, the corresponding CAs' root
certificates must be maintained. One could either do so by maintaining the Certificate
Database or the server's Certificate List (contained in the SSL Server PSE of the server).
This document on the help pages describes the steps in detail.
4) Creating the Standard SSL Client PSEs
a. In the case of outbound connections, the server uses Client PSEs (plural because there are
different types of Client PSEs.)
b. The standard client PSE is used as a default.
c. The process and steps for generating & maintaining the client PSE are similar to those we
followed in the previous section for server PSEs.
i. In the Transaction STRUST, the node to configure is shown in the screenshot below.
ii. Once the configuration steps have been executed, you will see the result as in the
screenshot below. Again, please use this screenshot only for reference purposes not for
literal interpretation.
iii. This document on the help pages describes in detail the process of creating Standard
Client SSL PSEs.
1. Additional scenarios like Anonymous or specific Identity based communication are
also addressed here.
5) Define which SSL client PSE to use for each connection
a. Each relevant HTTP connection should be explicitly configured to use SSL communication and
specify which Standard Client PSE to use.
b. Call the transaction SM59
c.
d. Double click on the connection and choose the Logon & Security tab
e. In the Logon & Security tab, activate SSL. Leave the SSL Certificate field on Default SSL Client
(Standard).
f. In the event of Mutual Authentication needs, additional configuration should be maintained. See
this document on the help pages for additional information on Mutual Authentication
configuration.
g. Restart the ICM from transaction SMICM
Now, your ABAP instance should be able to communicate using SSL and respond to HTTPS requests.
There are additional configuration steps outlined in this document on the help pages and this note.
EXECUTE SAML 2.0 RELATED CONFIGURATION
That was the end of the SSL configuration; now let us follow up with the SAML2 configuration.
In order to configure the AS ABAP as a SAML2 service provider, there are a few prerequisites that must be
fulfilled. These are listed below:
SAP Cryptographic Library must be installed (with exceptions. Please see this document on the help
pages for a detailed breakdown).
o This prerequisite was fulfilled in the previous section.
Necessary roles (and/or authorization objects) have been assigned to the user.
o S_ICF_ADM, SAP_SAML2_CFG_ADM, SAP_SAML2_CFG_DISPLAY
o Please see this document on the help pages for details on each of these roles.
A SAML 2.0 Identity Provider (IdP) is set up, configured and available.
o This prerequisite is a bit complicated as the IdP is a hard prerequisite, but it is not in the
scope of this exercise or document to describe how to set up an IdP.
o However, the SAP Netweaver AS JAVA can be set up as an Identity Provider.
This document on the help pages is a starting point on how to get started
implementing IdP on SAP Netweaver AS JAVA.
o We will assume that the IdP is completely and correctly setup for the purposes of SAML 2.0
activities.
The application server (AS ABAP) has been configured to use Security Sessions.
o This is the first point we will address.
Clients where Sessions Security is enabled (depicted by the green icon in the State column).
From here on in, we will assume that the IdP is set up, configured, accessible and fully functioning.
We will also assume that the SSL configuration was successfully executed. If SSL is not configured, please
ensure that step is complete before continuing.
1) On the gateway / frontend server, run the transaction code SAML2
a. Note that this will cause a browser window to open (in the default browser). The resulting
application is a Web Dynpro application and must be opened in a compatible browser to avoid
unexpected behavior.
2) In the resulting logon screen, provide the Client number, username and password.
3) Pressing the logon button will take you to the SAML 2.0 Configuration dialog.
a. Note: in systems where SAML configuration has not been run previously, you will be asked if
SAML 2.0 support should be enabled.
b. Press the Enable button.
7) Next we need to identify our IdP by setting up a Trusted Provider. This is done on the Trusted
Providers tab and is most easily executed by importing the metadata (usually an XML file) from the
IdP.
b. In my case the signing certificate is requested. This file should be provided by the IdP admins.
Choose the file and press Next.
c. Fill in the Alias field with a suitable text and press Next.
e. Accept the default values for the SSO endpoints by pressing Next.
i. NOTE Ensure that the HTTP Redirect radio button is selected.
f.
g. Accept the default values for the Artifacts endpoints too, press Next
i.
A few changes are required in our case. NOTE - Screenshots for reference only, not to be interpreted
literally. Please check your system's settings based on the version.
1) Set the NameID format to Unspecified and the source to Logon ID.
2) Set the Require Signature parameter to Never in the Signature & Encryption tab.
NOTE A similar import of metadata (Service Provider) is required on the IdP side. The screenshot below is
only a representation of what it looks like in the SAP Netweaver AS JAVA IdP implementation when the
metadata for the service provider is imported.
Now that we are done with the SAML setup, we can begin to configure the services to use
1) In the SICF transaction, navigate to an example service; in this case I am choosing Approve
Purchase Orders.
Scroll down in the list until the UI5_UI5 node and then navigate to sap
Scroll further down to the service mm_po_apv and double click on it.
2) In the detail screen called Change / Create Service, enter change mode by clicking on the
pencil/glasses icon
3) On the Logon tab, choose the dropdown next to the Procedure field and choose the Alternative
Logon Procedure option from the list.
5) Scroll down until the list of logon procedures is visible. In this list, bring the SAML Logon option to
the top (the second spot. Leave the first option unchanged) by changing the numbering.
icon.
Congratulations, the IdP should now be invoked whenever this service is called.
Points to note
As mentioned numerous times, security and authentication is a large and complex topic. Please be aware
that these steps are the rudimentary activities required in this particular example. Always refer to the
documentation at help.sap.com for in-depth insight and the most up to date information on this topic.
The entry point to SAML documentation in the context of AS ABAP can be found here.