We have a scenario where we would like a custom Tomcat Java app to retrieve data from an SAP Web Service. We wish to do this using SAML WS-Security.
Our ERP system is on NW 7.02 SP7 and we wish to configure this solution:
To do this, we will go with the HolderOfKey for ABAP Web Service as defined here:
http://help.sap.com/saphelp_nw70ehp2/helpdata/en/0f/757c9c108d4472b47f1a7163396619/content.htm
Our token provider is MS ADFS, and we have configured NW ABAP to trust it via SAML2 config for trusting the token service as described here:
http://help.sap.com/saphelp_nw70ehp2/helpdata/en/e0/efe61f938e4ab19471c64b1a2268e4/content.htm
To test the scenario absent any SAML authentication, we enabled the web service to use user/password basic authentication at the transport level (i.e. HTTP Header) just to ensure we were calling the web service correctly to get back data. That proved successful.
Then we changed the web service settings to use symmetric message encryption with SSO using SAML. We also specified the trusted STS that we previously set up in SAML2.
In our java app test, we first make a request to the ADFS to retrieve a token by passing over a valid user on the MS AD. The ADFS responds with a token and we package that up in the SOAP message and send it over to SAP where we get 3 errors in the SRTUTIL transaction:
Unknown Signer or Recipient
An Exception Occurred: Unknown signer of recipient
Dereferencing the null reference
I've been through the above links numerous times, including note 1254821 and cannot seem to get past this point. I'm attaching the 3 XML files that show the 3 requests in case someone wants to help dig a little bit on this with us.
1.) WS-Consumer (Tomcat Java) request to ADFS STS
2.) ADFS STS response back to WS-Consumer
3.) WS-Consumer SOAP call to ERP Web Service (WS-Provider)
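An added structural check, not from the original post or from SAP, that parses a holder-of-key SOAP request of the kind sent in step 3 and reports mismatches between the assertion and the signature that a provider will refuse before it ever verifies a signature value; the envelope is a constructed minimal sample, and the issuer URL and assertion ID in it are made-up values:

```python
"""Structural check of a WS-Security SOAP request carrying a SAML 2.0 holder-of-key
assertion; spots binding mismatches a provider rejects as an unknown signer/recipient."""
import xml.etree.ElementTree as ET

NS = {"S": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
SAML_ID = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID"

def check_hok_envelope(xml_text):
    """Return a list of findings; an empty list means the assertion/signature binding is consistent."""
    sec = ET.fromstring(xml_text).find("S:Header/wsse:Security", NS)
    if sec is None:
        return ["no wsse:Security header"]
    a = sec.find("saml2:Assertion", NS)
    if a is None:
        return ["no saml2:Assertion in the Security header"]
    out = []
    sc = a.find("saml2:Subject/saml2:SubjectConfirmation", NS)
    if sc is None or sc.get("Method") != HOK:
        out.append("SubjectConfirmation is not holder-of-key")
    elif sc.find("saml2:SubjectConfirmationData/ds:KeyInfo", NS) is None:
        out.append("holder-of-key confirmation carries no KeyInfo")  # provider cannot tie the signer to the subject
    sig = sec.find("ds:Signature", NS)
    kid = None if sig is None else sig.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:KeyIdentifier", NS)
    if sig is None:
        out.append("message is not signed")
    elif kid is None or kid.get("ValueType") != SAML_ID:
        out.append("signature KeyInfo does not reference the SAML assertion")
    elif (kid.text or "").strip() != a.get("ID"):  # the reference must point at the assertion actually sent
        out.append("signature references assertion %r, not %r" % (kid.text, a.get("ID")))
    return out

# Constructed minimal envelope (digest/signature values omitted; only the structure is checked).
SAMPLE = """<S:Envelope xmlns:S="%(S)s"><S:Header><wsse:Security xmlns:wsse="%(wsse)s">
<saml2:Assertion xmlns:saml2="%(saml2)s" ID="_a1"><saml2:Issuer>http://sts.example/adfs</saml2:Issuer>
<saml2:Subject><saml2:NameID>user</saml2:NameID><saml2:SubjectConfirmation Method="%(hok)s">
<saml2:SubjectConfirmationData><ds:KeyInfo xmlns:ds="%(ds)s"><ds:X509Data/></ds:KeyInfo>
</saml2:SubjectConfirmationData></saml2:SubjectConfirmation></saml2:Subject></saml2:Assertion>
<ds:Signature xmlns:ds="%(ds)s"><ds:KeyInfo><wsse:SecurityTokenReference>
<wsse:KeyIdentifier ValueType="%(sid)s">%(ref)s</wsse:KeyIdentifier></wsse:SecurityTokenReference>
</ds:KeyInfo></ds:Signature></wsse:Security></S:Header><S:Body/></S:Envelope>"""

def sample(ref="_a1", method=HOK):
    """Build the sample envelope with a chosen signature reference and confirmation method."""
    return SAMPLE % dict(NS, hok=method, sid=SAML_ID, ref=ref)

if __name__ == "__main__":
    print(check_hok_envelope(sample()), check_hok_envelope(sample(ref="_zz")))
```

Run it against the captured file from step 3 (after replacing the sample) to see whether the KeyIdentifier in the signature actually names the assertion ADFS returned in step 2.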