
openSAP

How-to Guide for Exercise Instructor-Led


Walkthrough of SAML2 Configuration (Week 4 Unit 5)

Table of Contents
Configuring SSL on the Frontend Server...................................................................................................... 3
Execute SAML 2.0 related configuration ..................................................................................................... 15
Activating Security Sessions Management on AS ABAP ................................................................................ 16

This exercise document is designed to guide you through the steps required to set up SAML2 based
authentication with Fiori apps. The focus of this exercise is limited to the SAP side of the equation and it is
important to note that multiple systems are needed in order for this configuration to work correctly. We are
not going to look into each one of those specifically.
The ABAP stack supports various authentication paradigms and SAML2 based authentication is one of
them. In broad terms, enabling SAML2 based authentication requires the following steps to be executed.
Setup & Enable SSL Communication
Execute SAML 2.0 related configuration

Please note that the appliance is configured for SSL communication. We do not have an Identity provider in
the landscape provided but you are welcome to test against any suitable IdPs that may be available to you.
My colleague, Chris Whealy, wrote an excellent document on this topic, published on SCN, here. I urge you
to read this document as well.

CONFIGURING SSL ON THE FRONTEND SERVER


Official SAP documentation and reference can be found at the help pages, here.
The following steps are required to enable the AS ABAP to support SSL.
1) Install the SAP Cryptographic Library
a. Download the SAP Cryptographic Library from the service marketplace.
b. Extract the contents of the SAP Cryptographic Library installation package.
c. Copy the library file and the configuration tool sapgenpse.exe to the directory specified by the
application server's profile parameter DIR_EXECUTABLE. In the following, we represent this
directory with the notation $(DIR_EXECUTABLE).
d. Check the file permissions for the SAP Cryptographic Library. If, for example, you copied the
library to its location using ftp on UNIX, then the file permissions may not be set correctly.
Make sure that <sid>adm (or SAPService<SID> under Windows NT) is able to execute the
library's functions.
e. Copy the ticket file to the sub-directory sec in the instance directory $(DIR_INSTANCE).
f. Set the environment variable SECUDIR to the sec subdirectory. The application server uses this
variable to locate the ticket and its credentials at runtime.
i. SAP recommends setting SECUDIR in the startup profile for the server's user or in the
registry (Windows).
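Steps 1 d to 1 f are where installations most often go wrong (a library copied by ftp that lost its execute bit, a ticket file in the wrong place, SECUDIR pointing somewhere else). The Python script below is an added example, not part of the openSAP guide or of SAP's tooling, that checks those prerequisites the way an administrator might before restarting the instance: library and sapgenpse present under DIR_EXECUTABLE, an execute bit on the library, the sec subdirectory and ticket file under DIR_INSTANCE, and SECUDIR resolving to that sec directory. The UNIX library name libsapcrypto.so (the guide's libsapcrypto.<ext> with ext = so), the tool name sapgenpse and the ticket file name ticket are assumptions; the directory layout it builds for the demonstration is constructed in a temporary directory.

```python
"""Prerequisite check for the SAP Cryptographic Library installation (step 1 d-f above).

Added example; the names below are assumptions, not taken from the guide:
  - UNIX library name libsapcrypto.so (the guide's "libsapcrypto.<ext>" with ext = so)
  - PSE tool sapgenpse (sapgenpse.exe on Windows)
  - ticket file simply named "ticket" inside $(DIR_INSTANCE)/sec
"""
import os
import stat
import tempfile

LIB_NAME = "libsapcrypto.so"
PSE_TOOLS = ("sapgenpse", "sapgenpse.exe")
TICKET_NAME = "ticket"
ANY_EXEC = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def check_crypto_setup(dir_executable, dir_instance, secudir):
    """Return a sorted list of problem codes; an empty list means every check passed."""
    problems = []

    lib_path = os.path.join(dir_executable, LIB_NAME)
    if not os.path.isfile(lib_path):
        problems.append("lib-missing")
    elif not (os.stat(lib_path).st_mode & ANY_EXEC):
        # Typical after an ftp copy: the file is present but carries no execute bit,
        # so <sid>adm cannot load it (step 1 d).
        problems.append("lib-not-executable")

    if not any(os.path.isfile(os.path.join(dir_executable, t)) for t in PSE_TOOLS):
        problems.append("sapgenpse-missing")

    sec_dir = os.path.join(dir_instance, "sec")
    if not os.path.isdir(sec_dir):
        problems.append("sec-dir-missing")
    elif not os.path.isfile(os.path.join(sec_dir, TICKET_NAME)):
        problems.append("ticket-missing")

    # Step 1 f: SECUDIR must point at exactly that sec subdirectory.
    if not secudir or os.path.realpath(secudir) != os.path.realpath(sec_dir):
        problems.append("secudir-mismatch")

    return sorted(problems)


def build_demo_tree(root, executable_bit=True, with_ticket=True):
    """Create a constructed DIR_EXECUTABLE / DIR_INSTANCE pair under root (demo data only)."""
    dir_exe = os.path.join(root, "exe")
    dir_inst = os.path.join(root, "D00")
    sec_dir = os.path.join(dir_inst, "sec")
    os.makedirs(dir_exe)
    os.makedirs(sec_dir)
    for name in (LIB_NAME, PSE_TOOLS[0]):
        path = os.path.join(dir_exe, name)
        with open(path, "wb") as fh:
            fh.write(b"placeholder, not a real binary")
        os.chmod(path, 0o755 if executable_bit else 0o644)
    if with_ticket:
        with open(os.path.join(sec_dir, TICKET_NAME), "wb") as fh:
            fh.write(b"placeholder ticket")
    return dir_exe, dir_inst, sec_dir


def run_demo(executable_bit=True, with_ticket=True, secudir_set=True):
    """Build a throwaway layout, run the check against it and return the problem list."""
    with tempfile.TemporaryDirectory() as root:
        dir_exe, dir_inst, sec_dir = build_demo_tree(root, executable_bit, with_ticket)
        return check_crypto_setup(dir_exe, dir_inst, sec_dir if secudir_set else None)


if __name__ == "__main__":
    print("correct layout:", run_demo())
    print("ftp-copied library, no ticket, SECUDIR unset:",
          run_demo(executable_bit=False, with_ticket=False, secudir_set=False))
```

On a real instance, call check_crypto_setup with the values of DIR_EXECUTABLE and DIR_INSTANCE from the instance profile and os.environ.get("SECUDIR") from the <sid>adm environment; the execute-bit test is the UNIX counterpart of the permission check in step 1 d and does not apply to sapcrypto.dll on Windows.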

2) Set the profile parameters.

Basic Information about Profile Parameters

The profile parameters of an instance are accessed via the transaction RZ10.

This should give you a selection screen like the one below. You may have to import the profiles by
following the menu path Utilities > Import Profiles > Of Active Servers, also shown in the
screenshot below.

Once you have imported your profiles a confirmation page will be displayed.

When you navigate back to the landing page of the RZ10 transaction, choosing the F4 help
icon on the Profiles field should give you two options, a Default Profile and an Instance Profile.
In our case, we will choose the instance profile.

Choose Extended Maintenance and click Display.

Now you should be able to see all the profile parameters.

Procedure
a. This link on the help pages describes the necessary entries. I have included the tables here in
this document too.
b. If you used the recommended directory DIR_EXECUTABLE, then use the following values for
the location of the SAP Cryptographic Library. If you chose a different location, please specify
that location.
i. Unix: $(DIR_EXECUTABLE)/libsapcrypto.<ext>
ii. Windows: $(DIR_EXECUTABLE)\sapcrypto.dll

3) Create and maintain the SSL Server PSEs


a. PSEs are maintained using the transaction STRUST
b. The prerequisite for this step is that the SAP Cryptographic Library is installed and its profile
parameters are maintained.
c. Enter the transaction STRUST

d. Mark the top node, System PSE


i. In our case, we already have the PSE generated for us in this appliance. In these cases,
one could choose the Replace option.
ii. Else, the option to Create is displayed.

e. Now, depending on the option chosen:
i. Choosing the Create option directly presents the Create PSE dialog box. In this case, it is
pre-populated with values.

ii. Pressing the green tick mark results in the PSE being created.

iii. When choosing the replace option, we are presented with the dialog box
1. First asking us to confirm our intentions (choose yes here)

2. Then requesting various details. Press the green Tick mark.

f. Now, generate certificate request(s) for the Server PSEs.


i. Click on the Server PSE, so that you see the application server's certificate in the Owner
field as shown in the screenshot below

ii. Now either copy the certificate to your clipboard or save it to a file, by first pressing the
Create Certificate Request icon (with the yellow arrow).


g. Send the Certificate request generated to the CA server of your choice.


i. If you use the SAP CA, more information on the SAP Trust Center can be found here.
1. There are some prerequisites dictated by the trust manager. Refer to the Sending
the Certificate Requests to a CA section of the help documentation for details.

h. Once the CA server responds with the Certificate Request Response, this must be imported into
the corresponding PSE
i. Choose the application server PSE

ii. Import the response using the Import Certificate Response icon (with the green arrow)

iii. Load the file you have received from the CA (one could also copy the contents and paste
them into the dialog box.)

iv. Save


v. Which should result in a screen like this. Please note that the screenshots are from
different systems so only use these as reference, not for literal interpretation.

vi. Finally, if using certificates for authenticating clients, the corresponding CAs' root
certificates must be maintained. One could either do so by maintaining the Certificate
Database or the server's Certificate List (contained in the SSL Server PSE of the server).
This document on the help pages describes the steps in detail.
4) Creating the Standard SSL Client PSEs
a. In the case of outbound connections, the server uses Client PSEs (plural because there are
different types of Client PSEs.)
b. The standard client PSE is used as a default.
c. The process and steps for generating & maintaining the client PSE are similar to those we
followed in the previous section for server PSEs.
i. In the Transaction STRUST, the node to configure is shown in the screenshot below.


ii. Once the configuration steps have been executed, you will see the result as in the
screenshot below. Again, please use this screenshot only for reference purposes not for
literal interpretation.

iii. This document on the help pages describes in detail the process of creating Standard
Client SSL PSEs.
1. Additional scenarios like Anonymous or specific Identity based communication are
also addressed here.
5) Define which SSL client PSE to use for each connection
a. Each relevant HTTP connection should be explicitly configured to use SSL communication and
specify which Standard Client PSE to use.
b. Call the transaction SM59


c. Navigate to the connection

d. Double click on the connection and choose the Logon & Security tab

e. In the Logon & Security tab, activate SSL. Leave the SSL Certificate field on Default SSL Client
(Standard).


f. If mutual authentication is needed, additional configuration must be maintained. See
this document on the help pages for more information on mutual authentication
configuration.
g. Restart the ICM from transaction SMICM

Now, your ABAP instance should be able to communicate using SSL and respond to HTTPS requests.
There are additional configuration steps outlined in this document on the help pages and this note.
EXECUTE SAML 2.0 RELATED CONFIGURATION
That was the end of the SSL configuration; now let us follow up with the SAML2 configuration.
In order to configure the AS ABAP as a SAML2 service provider, there are a few prerequisites that must be
fulfilled. These are listed below:
SAP Cryptographic Library must be installed (with exceptions. Please see this document on the help
pages for a detailed breakdown).
o This prerequisite was fulfilled in the previous section.
Necessary roles (and or Authorization objects) have been assigned to the user.
o S_ICF_ADM, SAP_SAML2_CFG_ADM, SAP_SAML2_CFG_DISPLAY
o Please see this document on the help pages for details on each of these roles.
A SAML 2.0 Identity Provider (IdP) is setup, configured and available.
o This prerequisite is a bit complicated as the IdP is a hard prerequisite, but it is not in the
scope of this exercise or document to describe how to set up an IdP.
o However, the SAP Netweaver AS JAVA can be set up as an Identity Provider.
This document on the help pages is a starting point on how to get started
implementing IdP on SAP Netweaver AS JAVA.
o We will assume that the IdP is completely and correctly setup for the purposes of SAML 2.0
activities.
The application server (AS ABAP) has been configured to use Security Sessions.
o This is the first point we will address.


Activating Security Sessions Management on AS ABAP

Security Sessions can be activated by calling the transaction SICF_SESSIONS.

The resulting screen shows you the:
o Current values for those profile parameters that are relevant to this topic
o Clients where session security is enabled (depicted by the green icon in the State column).


From here on in, we will assume that the IdP is setup, configured, accessible and in fully functioning form.
We will also assume that the SSL configuration was successfully executed. If SSL is not configured, please
ensure the step is complete before continuing.
1) On the gateway / frontend server, run the transaction code SAML2
a. Note that this will cause a browser window to open (in the default browser). The resulting
application is a Web Dynpro application and must be opened in a compatible browser to avoid
unexpected behavior.

If the following warning is thrown, click on the Continue to . Option.


2) In the resulting logon screen, provide the Client number, username and password.

3) Pressing the logon button will take you to the SAML 2.0 Configuration dialog.
a. Note: in systems where SAML configuration has not been run previously, you will be asked if
SAML 2.0 support should be enabled.
b. Press the Enable button.


4) This will result in a new choice being presented.


a. To either create a Local Provider OR
b. To import a Configuration file
c. In this example, we will choose to create a local provider.

5) Follow the wizard


a. In the first screen choose a name for the provider (no spaces allowed), press Next.
b. Accept the default values in the Skew tolerance screen, press Next.
c. Finally, accept the default values in the last screen and press Finish.


6) The Gateway is now enabled as a SAML 2.0 service provider.


7) Next we need to identify our IdP by setting up a Trusted Provider. This is done on the Trusted
Providers tab and is most easily executed by importing the metadata (usually an XML file) from the
IdP.

a. Choose the metadata file and press Next.


b. In my case the signing certificate is requested. This file should be provided by the IdP admins.
Choose the file and press Next.

c. Fill in the Alias field with a suitable text and press Next.


d. Accept the default values by pressing Next.

e. Accept the default values for the SSO endpoints by pressing Next.
i. NOTE: Ensure that the HTTP Redirect radio button is selected.


f. Accept the default values and press Next.

g. Accept the default values for the Artifacts endpoints too, press Next


h. Finally, accept the default values and press Finish.

i. The IdP Trusted Provider is now set up.


A few changes are required in our case. NOTE: Screenshots are for reference only and are not to be
interpreted literally. Please check your system's settings based on the version.
1) Set the NameID format to Unspecified and the source to Logon ID.

2) Set the Require Signature parameter to Never in the Signature & Encryption tab.

3) Change the binding to HTTP Artifact in the Authentication Requirements tab.
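The Trusted Provider wizard in step 7 reads most of its values from the IdP's metadata file, and the three changes above only work if the IdP actually offers the matching endpoints and formats. The Python script below is an added example, not part of the openSAP guide or of SAP's SAML2 application: it parses an IdP metadata file with the standard library and reports whether the file advertises an HTTP-Redirect single sign-on endpoint (the radio button chosen in step 7 e), an ArtifactResolutionService (what the service provider resolves artifacts against once the binding is set to HTTP Artifact), the Unspecified NameID format, and a signing certificate (when the file carries none, the wizard asks for the certificate separately, as happened in step 7 b). It also handles an EntitiesDescriptor aggregate by taking its first entity, which goes beyond the single-entity file the guide imports. The two metadata documents embedded in it are constructed samples; idp.example.invalid and the certificate value are placeholders.

```python
"""Inspect an IdP's SAML 2.0 metadata before importing it as a Trusted Provider.

Added example, not part of the openSAP guide. The metadata below is constructed for the
demonstration; idp.example.invalid is not a real IdP and the certificate value is a placeholder.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BINDING_PREFIX = "urn:oasis:names:tc:SAML:2.0:bindings:"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample: what a complete IdP metadata export typically carries.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.invalid/saml2/idp">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-BASE64-CERTIFICATE</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:ArtifactResolutionService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.example.invalid/saml2/idp/ars"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.invalid/saml2/idp/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.invalid/saml2/idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed sample of a sparse export: POST-only SSO, no artifact service, no certificate.
SAMPLE_IDP_METADATA_MINIMAL = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.invalid/saml2/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.invalid/saml2/idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Extract the fields the Trusted Provider wizard asks about from IdP metadata."""
    root = ET.fromstring(xml_text)
    entity = root
    if root.tag == "{%s}EntitiesDescriptor" % NS["md"]:
        entity = root.find("md:EntityDescriptor", NS)  # first entity of an aggregate file
    idp = None if entity is None else entity.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not an identity provider's metadata")
    info = {
        "entity_id": entity.get("entityID"),
        "want_authn_requests_signed": idp.get("WantAuthnRequestsSigned", "false").lower() == "true",
        "sso_endpoints": {},        # short binding name -> URL
        "artifact_resolution": {},  # index -> URL
        "nameid_formats": [el.text.strip() for el in idp.findall("md:NameIDFormat", NS)],
        "signing_certs": 0,
    }
    for svc in idp.findall("md:SingleSignOnService", NS):
        info["sso_endpoints"][svc.get("Binding").replace(BINDING_PREFIX, "")] = svc.get("Location")
    for svc in idp.findall("md:ArtifactResolutionService", NS):
        info["artifact_resolution"][svc.get("index")] = svc.get("Location")
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a "use" attribute serves both signing and encryption.
        if kd.get("use", "signing") == "signing" and \
                kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None:
            info["signing_certs"] += 1
    return info


def check_for_guide_settings(info):
    """Findings for the settings chosen above; an empty list means the metadata supports them all."""
    findings = []
    if "HTTP-Redirect" not in info["sso_endpoints"]:
        findings.append("no-http-redirect-sso-endpoint")       # HTTP Redirect SSO endpoint choice
    if not info["artifact_resolution"]:
        findings.append("no-artifact-resolution-service")      # needed for the HTTP Artifact binding
    if NAMEID_UNSPECIFIED not in info["nameid_formats"]:
        findings.append("nameid-unspecified-not-advertised")   # NameID format Unspecified
    if info["signing_certs"] == 0:
        findings.append("no-signing-certificate-in-metadata")  # wizard will ask for the file instead
    return sorted(findings)


if __name__ == "__main__":
    for label, text in (("full", SAMPLE_IDP_METADATA), ("minimal", SAMPLE_IDP_METADATA_MINIMAL)):
        info = parse_idp_metadata(text)
        print(label, info["entity_id"], sorted(info["sso_endpoints"]), check_for_guide_settings(info))
```

To inspect a real file, read it and pass its text to parse_idp_metadata; a non-empty result from check_for_guide_settings tells you in advance which of the wizard's defaults or the three changes above will have nothing to bind to on the IdP side.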


NOTE: A similar import of metadata (this time the service provider's) is required on the IdP side. The
screenshot below only shows how this looks in the SAP NetWeaver AS Java IdP implementation when the
metadata for the service provider is imported.

Identity Federation Details


Signature & Encryption Details

Now that we are done with the SAML setup, we can begin to configure the services to use
1) In the SICF transaction, navigate to an example service. In this case I am choosing Approve
Purchase Orders.


Scroll down in the list until the UI5_UI5 node and then navigate to sap

Scroll further down to the service mm_po_apv and double click on it.

2) In the detail screen called Change / Create Service, enter change mode by clicking on the
pencil/glasses icon. That should enable editing.


3) On the Logon tab, choose the dropdown next to the Procedure field and choose the Alternative
Logon Procedure option from the list.

4) In the same tab, change the Security Requirement to SSL

5) Scroll down until the list of logon procedures is visible. In this list, bring the SAML Logon option to
the top (the second spot; leave the first option unchanged) by changing the numbering.

6) Now save these changes using the save icon.


Congratulations, the IdP should now be called whenever this service is called.
Points to note
As mentioned numerous times, security and authentication are a large and complex topic. Please be aware
that these steps are the rudimentary activities required in this particular example. Always refer to the
documentation at help.sap.com for in-depth insight and the most up to date information on this topic.
The entry point to SAML documentation in the context of AS ABAP can be found here.


www.sap.com

2014 SAP SE or an SAP affiliate company. All rights reserved.


No part of this publication may be reproduced or transmitted in any form
or for any purpose without the express permission of SAP SE or an SAP
affiliate company.
SAP and other SAP products and services mentioned herein as well as their
respective logos are trademarks or registered trademarks of SAP SE (or an
SAP affiliate company) in Germany and other countries. Please see
http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for
additional trademark information and notices. Some software products
marketed by SAP SE and its distributors contain proprietary software
components of other software vendors.
National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for
informational purposes only, without representation or warranty of any kind,
and SAP SE or its affiliated companies shall not be liable for errors or
omissions with respect to the materials. The only warranties for SAP SE or
SAP affiliate company products and services are those that are set forth in
the express warranty statements accompanying such products and services,
if any. Nothing herein should be construed as constituting an additional
warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue
any course of business outlined in this document or any related presentation,
or to develop or release any functionality mentioned therein. This document,
or any related presentation, and SAP SE's or its affiliated companies'
strategy and possible future developments, products, and/or platform
directions and functionality are all subject to change and may be changed by
SAP SE or its affiliated companies at any time for any reason without notice.
The information in this document is not a commitment, promise, or legal
obligation to deliver any material, code, or functionality. All forward-looking
statements are subject to various risks and uncertainties that could cause
actual results to differ materially from expectations. Readers are cautioned
not to place undue reliance on these forward-looking statements, which
speak only as of their dates, and they should not be relied upon in making
purchasing decisions.
