Hello All,
We have recently (successfully) configured SAML 2.0 on AS ABAP (ERP 6.05 / NW 7.02) for authenticating web applications (Web Dynpro, Fiori apps, etc.) via a web browser intermediary, using ADFS as the Identity Provider.
We would now like to extend this configuration to message-based authentication for web services consumed by other (non-browser) intermediaries such as SharePoint, Project Server, Software AG (ESB), etc.
The configuration completed so far is as follows:
- SAP SSL
  - SAP Crypto Library (version 8.4.25, SSF 1.840.40)
  - SAP PSEs and certificates (all certs are self-signed and not verified by a CA)
    - System PSE
    - SSL Server Standard
    - SSL Client Standard (SSL root certificate of ADFS)
    - SSF SAML2 Service Provider - Encryption
    - SSF SAML2 Service Provider - Signing (ADFS signing certificate)
- WS Security
  - Session Security Activation (client activated)
- SAP SAML2 Configuration
  - Local Provider
    - Local Provider metadata exported and imported into ADFS
  - Trusted Provider (ADFS metadata and signing cert imported into SAP)
    - Endpoints default = HTTP POST, Binding = HTTP Artifact, Supported Name Format = Unspecified/Logon ID
- SAP SAML2 Message-Based Authentication Configuration:
  - Secure Token Service (ADFS metadata and signing cert imported into SAP, Supported Name Format = Unspecified/Logon ID (no user mappings maintained))
  - Web Service Policy - SAML 1.1 (asymmetric consumer key, STS as attester, Authentication Contexts Alias = unspecified)
  - Web Service Policy - SAML 2.0 (asymmetric consumer key, STS as attester, Authentication Contexts Alias = unspecified)
  - Service User DELAY_L_<SID> (WSS_SETUP), SAML 1.1 Trust
- Web Service (SOA Manager) Configuration:
  - Transport Guarantee/Communication Security = SSL (though we have also tried No Authentication and both symmetric/asymmetric message signature/encryption)
  - Authentication = SSO using SAML
  - Secure Token Service = Web Service Policy - SAML 1.1 (asymmetric consumer key, STS as attester, Authentication Contexts Alias = unspecified)
Test Results/Errors:
We have used SoapUI to make the web service calls in our tests, with the following results:
- When using username/password authentication at the message level, the service call works.
- When sending a signed message with SAML authentication and sender-vouches subject confirmation, it fails:
  - If we use a certificate added to the trust store, we get an encryption-related error.
  - If we use an arbitrary, non-trusted certificate, we get a different error saying that the signature is not recognized.
Questions:
1. Is it mandatory for the certificates in the SAP Trust Store (STRUST) to be signed by a verified Certificate Authority (CA)?
2. If so, which certificates need to be signed by the CA?
3. Referring to the configuration detailed above, is there any configuration or specific setting that has been missed?
4. For the Web Service (SOA Manager) configuration, what is the recommended Transport Guarantee/Communication Security method?
Your time and guidance on this discussion is greatly appreciated.
Thank you and regards,
James Curran
SAP Technical Consultant
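The post describes a WS-Security request carrying a SAML 1.1 assertion with sender-vouches subject confirmation, signed by the calling intermediary, and two different rejections depending on whether the intermediary's certificate is in the trust store. The following pre-flight checker is an added example, not code from the original post or from SAP; it parses such a request the way a receiving service provider does and reports the header-level reasons a sender-vouches call is typically refused: wrong confirmation method, assertion issuer not equal to the trusted STS, assertion outside its validity window, and a signing certificate whose SHA-1 thumbprint is not in the trust list. The STS entity ID (adfs.example.corp), user name, operation name, certificate bytes and timestamps are constructed for the example. It does not verify the XML-DSig signature value itself, which needs an XML canonicalisation library; it checks that the structure is there and that the referenced certificate is trusted, which is exactly the distinction behind the two errors reported above.

```python
"""Pre-flight checks on a WS-Security SAML 1.1 sender-vouches SOAP request (added example)."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"

# Assumed values: replace with the real STS entity ID and the SHA-1
# thumbprints of the intermediary certificates imported into STRUST.
TRUSTED_STS_ISSUER = "http://adfs.example.corp/adfs/services/trust"
SIGNER_DER = b"constructed stand-in for the intermediary's DER-encoded certificate"
TRUSTED_THUMBPRINTS = {hashlib.sha1(SIGNER_DER).hexdigest()}
NOW = datetime(2014, 6, 1, 12, 0, tzinfo=timezone.utc)  # constructed "current time"


def build_request(issuer, method, not_before, not_on_or_after, signer_der):
    """Constructed request: an intermediary forwards an STS-issued assertion for
    user jcurran and vouches for it with its own X.509 token. The ds:Signature
    element is structural only; no signature value is computed here."""
    token = base64.b64encode(signer_der).decode()
    return f"""<soap:Envelope xmlns:soap="{NS['soap']}">
  <soap:Header>
    <wsse:Security xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}" soap:mustUnderstand="1">
      <wsse:BinarySecurityToken wsu:Id="X509Token" ValueType="{X509V3}">{token}</wsse:BinarySecurityToken>
      <saml:Assertion xmlns:saml="{NS['saml']}" MajorVersion="1" MinorVersion="1"
          AssertionID="_a1" Issuer="{issuer}" IssueInstant="{not_before}">
        <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}"/>
        <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
            AuthenticationInstant="{not_before}">
          <saml:Subject>
            <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jcurran</saml:NameIdentifier>
            <saml:SubjectConfirmation><saml:ConfirmationMethod>{method}</saml:ConfirmationMethod></saml:SubjectConfirmation>
          </saml:Subject>
        </saml:AuthenticationStatement>
      </saml:Assertion>
      <ds:Signature xmlns:ds="{NS['ds']}"><ds:SignedInfo/><ds:SignatureValue/>
        <ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#X509Token" ValueType="{X509V3}"/></wsse:SecurityTokenReference></ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body><GetProjectList xmlns="urn:example:projects"/></soap:Body>
</soap:Envelope>"""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2014-06-01T11:55:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_request(envelope_xml, now, trusted_issuer, trusted_thumbprints):
    """Return the list of rejection reasons; an empty list means the security
    header passes the structural and trust checks."""
    problems = []
    root = ET.fromstring(envelope_xml)
    sec = root.find("soap:Header/wsse:Security", NS)
    if sec is None:
        return ["no wsse:Security header"]
    assertion = sec.find("saml:Assertion", NS)
    if assertion is None:
        return ["no SAML 1.1 assertion in the security header"]
    # The assertion must come from the STS configured as trusted attester.
    if assertion.get("Issuer") != trusted_issuer:
        problems.append(f"assertion issuer {assertion.get('Issuer')!r} is not the trusted STS")
    method = assertion.findtext(".//saml:SubjectConfirmation/saml:ConfirmationMethod", None, NS)
    if method != SENDER_VOUCHES:
        problems.append(f"confirmation method {method!r} is not sender-vouches")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None and not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        problems.append("assertion is outside its NotBefore/NotOnOrAfter window")
    # Sender-vouches means the intermediary, not the subject, proves the assertion:
    # its own signature and certificate must be present, and the cert must be trusted.
    bst = sec.find("wsse:BinarySecurityToken", NS)
    if bst is None or sec.find("ds:Signature", NS) is None:
        problems.append("sender-vouches requires the intermediary's signature and X.509 token")
    else:
        thumb = hashlib.sha1(base64.b64decode(bst.text.strip())).hexdigest()
        if thumb not in trusted_thumbprints:
            problems.append(f"signing certificate thumbprint {thumb} is not in the trust list")
    return problems


GOOD_REQUEST = build_request(TRUSTED_STS_ISSUER, SENDER_VOUCHES,
                             "2014-06-01T11:55:00Z", "2014-06-01T12:05:00Z", SIGNER_DER)
UNTRUSTED_SIGNER_REQUEST = build_request(TRUSTED_STS_ISSUER, SENDER_VOUCHES,
                                         "2014-06-01T11:55:00Z", "2014-06-01T12:05:00Z", b"some other cert")

if __name__ == "__main__":
    for name, req in (("trusted signer", GOOD_REQUEST), ("untrusted signer", UNTRUSTED_SIGNER_REQUEST)):
        print(name, "->", check_request(req, NOW, TRUSTED_STS_ISSUER, TRUSTED_THUMBPRINTS) or "OK")
```

Run against a message exported from SoapUI, the checker separates the two failure modes seen above: a token whose thumbprint is missing from the trust list is reported before any signature or encryption processing would even start, whereas a trusted token that still fails must be failing later, in signature or encryption handling, which this script deliberately does not model.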