When using the SAML assertion authentication method, the client application sends a signed SAML bearer assertion containing information about the business user to authenticate against the ABAP environment.
You can provide your own certificate to sign the SAML assertion or use the standard subaccount-wide signing certificate. The ABAP environment needs to trust the issuer of the SAML bearer assertion.
- Maintain the key store for the signing certificate.
  If the SAML assertion is not to be signed by the standard subaccount-wide signing certificate, either upload a key store that includes the signing certificate, the private key, and the certificate chain, or generate one, for instance my-signing-keystore.p12. For more information, see Use Destination Certificates.
- Download the signing certificate.
  If you use the standard subaccount-wide signing key, download the signing certificate by choosing Download Trust in the SAP Destination editor.
- Get data of the own communication system.
  Open the own communication system in the Communication Systems app in your ABAP environment system. To open your own communication system, choose Own SAP Cloud System.
  Note the following values:
  - Host Name, for example, 1a354373-d200-46f6-9d5c-daab9a65d9b6.abap.eu10.hana.ondemand.com
  - SAML2 Audience, for example, https://1a354373-d200-46f6-9d5c-daab9a65d9b6.abap-web.eu10.hana.ondemand.com
- Create a destination.
  Create a destination using the Destinations editor in the SAP BTP cockpit. For more information, see Using the Destination Editor in the Cockpit. Provide the following data:
  Field | Input
  Name | Enter the name of the destination, for example, my-SAML-assertion-destination.
  Type | HTTP
  URL | Enter https://<hostname of the own communication system>, for example, https://1a354373-d200-46f6-9d5c-daab9a65d9b6.abap.eu10.hana.ondemand.com.
  Proxy Type | Internet
  Authentication | SAMLAssertion
  Key Store Location | If you don't use the standard signing certificate, select the name of the corresponding key store, for instance my-signing-keystore.p12.
  Key Store Password | If you don't use the standard signing certificate, provide the password for the key store.
  Audience | Enter the OAuth 2.0 SAML2 Audience from the own communication system, for example, https://1a354373-d200-46f6-9d5c-daab9a65d9b6.abap-web.eu10.hana.ondemand.com.
  AuthnContextClassRef | urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession
  Enter the following additional properties:
  Additional Properties
  Property | Input
  nameIdFormat | Enter urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress if the e-mail address is propagated, or urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified if the user name is propagated. For more information, see User Propagation via SAML 2.0 Bearer Assertion Flow.
- Create a communication user.
  For this authentication method, a communication user isn't needed, since authentication is based solely on the trust relationship to the issuer of the SAML assertion, which is configured in the communication system.
- Create a communication system.
  Create a communication system using the Communication Systems app in your ABAP environment system. Enter the following data:
  General Data
  Field | Input
  System ID | Provide a system ID, for example, MY_COMMUNICATION_PARTNER.
  System Name | Provide a system name.
  Technical Data
  Field | Input
  General: Inbound Only | Activate
  Identity Provider
  Field | Input
  SAML Bearer Assertion Provider | Activate
  User ID Mapping Mode | Select User Name. If the NameIdFormat is unspecified, the value of the NameID element in the SAML assertion's subject is mapped to the user name.
  SAML Bearer Issuer | Enter the SAML entity ID of the SAML bearer issuer, which corresponds to the common name (the string after CN=) of the signing certificate subject.
  Upload Signing Certificate | Upload the signing certificate.
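The following Python snippet is an added example, not SAP's code, showing the checks the trust settings above imply when an inbound assertion is mapped to a user: the Issuer must equal the configured SAML Bearer Issuer (the signing certificate's CN, here an assumed value "my-signing-cert"), the Audience must be the own system's SAML2 Audience, the NameID format must match the destination's nameIdFormat, and the AuthnContextClassRef must be PreviousSession. Signature verification against the uploaded certificate is assumed to happen separately (the platform performs it); the sample assertion is constructed and unsigned.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPEC_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
PREVIOUS_SESSION = "urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession"

# Trust settings as maintained in the communication system and destination.
TRUST = {
    "saml_bearer_issuer": "my-signing-cert",  # CN= of the signing certificate subject (assumed value)
    "audience": "https://1a354373-d200-46f6-9d5c-daab9a65d9b6.abap-web.eu10.hana.ondemand.com",
    "name_id_format": UNSPEC_FMT,             # destination property nameIdFormat (user name propagated)
}

# Constructed, unsigned sample assertion matching the settings above.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_c1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>my-signing-cert</saml:Issuer>
  <saml:Subject><saml:NameID Format="{UNSPEC_FMT}">JDOE</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>{TRUST['audience']}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AuthnStatement><saml:AuthnContext><saml:AuthnContextClassRef>{PREVIOUS_SESSION}</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>
</saml:Assertion>"""


def map_assertion_to_user(xml_text: str, trust: dict) -> str:
    """Return the propagated user identifier if every trust check passes,
    otherwise raise ValueError naming the first failed check."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"] or root.get("Version") != "2.0":
        raise ValueError("not a SAML 2.0 Assertion")
    # Issuer must equal the SAML Bearer Issuer configured in the communication system.
    issuer = (root.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if issuer != trust["saml_bearer_issuer"]:
        raise ValueError(f"untrusted issuer {issuer!r}")
    # At least one Audience must be the own system's SAML2 Audience.
    audiences = [a.text.strip() for a in
                 root.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if trust["audience"] not in audiences:
        raise ValueError(f"audience mismatch: {audiences}")
    # NameID format must match the destination's nameIdFormat (e-mail vs. user name).
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text or name_id.get("Format") != trust["name_id_format"]:
        raise ValueError("NameID missing or format mismatch")
    ctx = (root.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
                         default="", namespaces=NS) or "").strip()
    if ctx != PREVIOUS_SESSION:
        raise ValueError(f"unexpected AuthnContextClassRef {ctx!r}")
    return name_id.text.strip()  # with the unspecified format this is the user name


if __name__ == "__main__":
    print(map_assertion_to_user(SAMPLE_ASSERTION, TRUST))
```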
- Create a communication arrangement.
  For this authentication method, a communication arrangement isn't needed, since authentication is based solely on the trust relationship to the issuer of the SAML assertion, which is configured in the communication system.
Related Information