Hello SCN,
we are trying to establish SSO for our IE (NWBC) connections to our Netweaver ABAP systems.
CLIENT (IE) in OURDOMAIN ---> NETWEAVER ABAP --(SAML)--> ADFS 2.0 --> WINDOWS DOMAINCONTROLLER (iDP) of OURDOMAIN
Our Windows Account Name (SAMAccountname) is the same as the SAP Name, 1to1 mapping is possible.
I didn't find a correct step-by-step guide for this. Only special cases with portal, web services and so on, but none for the (in my opinion) standard case.
Steps we have done on the ABAP side:
1. set SSO2 settings in RZ10
2. check client is enabled for HTTPS with SICF_SESSIONS
3. Setup local SAML provider (SAML2)
Add Authentication context alias "IntegratedWindowsAuthentication" with name: "urn:federation:authentication:windows"
4. Export metadata from NW ABAP (with certificates)
5. Import metadata in ADFS
6. Mapping from SAMAccount-Name to NameID
Check SecureHash is SHA-1
7. Download metadata.xml from https://<ourADFS>/FederationMetadata/2007-06/FederationMetadata.xml
8. Import federationmetadata.xml in ABAP SAML2 as Identification Provider
9. Added Alias "IntegratedWindowsAuthentication" as in Authentication Requirements
10. Added Supported NameID format "Unspecified" with "Logon ID"
11. Set SICF service NWBC to use SAML
Here are the screenshots of our configuration:
Local Provider configuration in AS ABAP:
Trusted Provider Configuration in AS ABAP:
The authentication is not working at the moment, and I do not get any error in our trace files... (SM50, switched online sec to level 3)
Can anyone tell me if this scenario we are trying is completely wrong?
Or can someone tell me the correct settings?
I have the "Single Sign-on with SAP" Galileo Press book, but the guides there don't help us, because there are only different scenarios with portal, Excel and web services.
PS: My company is using ADFS for external authentication processes (not SAP), and I thought I could use ADFS to do internal SAML authentication of our HTTPS services in SAP (MSS / SRM...) against our Active Directory.
SSO for SAP GUI (Kerberos DLL) is working perfectly. And no, I don't want to buy SPNEGO.
Kind regards
Manuel Herr
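Before importing the ADFS FederationMetadata.xml as a trusted provider (steps 7 and 8 above), it helps to verify offline what the IdP actually advertises: a signing certificate, the NameID format the ABAP side is configured for ("Unspecified", step 10), and HTTPS-only SSO endpoints. The following script is an added example, not part of the original post or any SAP/ADFS tooling; the embedded metadata is a constructed, trimmed sample with placeholder entity ID, URLs and certificate value.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample shaped like an ADFS FederationMetadata.xml (trimmed to the
# IdP role); the entity ID, URLs and certificate value are placeholders.
SAMPLE_METADATA = """<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.invalid/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>PLACEHOLDER_BASE64_CERT</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.invalid/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://adfs.example.invalid/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

def check_idp_metadata(xml_text, required_nameid_format=UNSPECIFIED):
    """Return what the SP (AS ABAP) side needs to know before trusting this IdP."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this metadata does not describe an IdP")
    certs = [c.text.strip() for c in idp.findall(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    formats = [f.text.strip() for f in idp.findall("md:NameIDFormat", NS)]
    sso = {s.get("Binding").rsplit(":", 1)[-1]: s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    return {
        "entity_id": root.get("entityID"),
        "signing_certs": len(certs),            # 0 means assertions cannot be verified
        "nameid_formats": formats,
        "has_required_nameid": required_nameid_format in formats,
        "sso_endpoints": sso,
        # every SSO endpoint must be HTTPS, or the SAML response travels in clear
        "all_sso_https": all(u.startswith("https://") for u in sso.values()),
    }
```

Run it against the real file with `check_idp_metadata(open("FederationMetadata.xml").read())`; in the constructed sample the HTTP-POST endpoint is deliberately plain HTTP so the `all_sso_https` check is seen to fail.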