
openSAP How-to Guide for Exercise – Instructor-Led Walkthrough of SAML2 Configuration (Week 4 Unit 5)

Table of Contents

- Configuring SSL on the Frontend Server
- Execute SAML 2.0 related configuration
- Activating Security Sessions Management on AS ABAP


This exercise document is designed to guide you through the steps required to set up SAML2 based authentication with Fiori apps. The focus of this exercise is limited to the SAP side of the equation and it is important to note that multiple systems are needed in order for this configuration to work correctly. We are not going to look into each one of those specifically. The ABAP stack supports various authentication paradigms and SAML2 based authentication is one of them. In broad terms, enabling SAML2 based authentication requires the following steps to be executed.

- Setup & Enable SSL Communication

- Execute SAML 2.0 related configuration

Please note that the appliance is configured for SSL communication. We do not have an Identity Provider in the landscape provided, but you are welcome to test against any suitable IdPs that may be available to you. My colleague, Chris Whealy, wrote an excellent document on this topic, published on SCN, here. I urge you to read this document as well.


CONFIGURING SSL ON THE FRONTEND SERVER

Official SAP documentation and reference can be found at the help pages, here. The following steps are required to enable the AS ABAP to support SSL.

1) Install the SAP Cryptographic Library

a. Download the SAP Cryptographic Library from the service marketplace.

b. Extract the contents of the SAP Cryptographic Library installation package.

c. Copy the library file and the configuration tool sapgenpse.exe to the directory specified by the application server's profile parameter DIR_EXECUTABLE. In the following, we represent this directory with the notation $(DIR_EXECUTABLE).

d. Check the file permissions for the SAP Cryptographic Library. If, for example, you copied the library to its location using ftp on UNIX, then the file permissions may not be set correctly. Make sure that <sid>adm (or SAPService<SID> under Windows NT) is able to execute the library's functions.

e. Copy the ticket file to the sub-directory sec in the instance directory $(DIR_INSTANCE).

f. Set the environment variable SECUDIR to the sec subdirectory. The application server uses this variable to locate the ticket and its credentials at runtime.

i. SAP recommends setting SECUDIR in the startup profile for the server's user or in the registry (Windows).


2) Set the profile parameters.

Basic information about profile parameters:

- The profile parameters of an instance are accessed via the transaction RZ10.

- This should give you a selection screen like the one below. You may have to import the profiles by following the menu path Utilities > Import Profiles > Of Active Servers, also shown in the screenshot below.

- Once you have imported your profiles, a confirmation page will be displayed.

- When you navigate back to the landing page of the RZ10 transaction, choosing the F4 help icon on the Profiles field should give you two options, a Default Profile and an Instance Profile. In our case, we will choose the instance profile.

- Choose Extended Maintenance and click Display.

- Now you should be able to see all the profile parameters.


Procedure

a. This link on the help pages describes the necessary entries. I have included the tables here in this document too.

b. If you used the recommended directory DIR_EXECUTABLE, then use the following values for the location of the SAP Cryptographic Library. If you chose a different location, please specify that location.

i. Unix: $(DIR_EXECUTABLE)/libsapcrypto.<ext>

ii. Windows: $(DIR_EXECUTABLE)\sapcrypto.dll


3) Create and maintain the SSL Server PSEs

a. PSEs are maintained using the transaction STRUST.

b. The prerequisite for this step is to have installed the SAP Cryptographic Library and maintained its profile parameters.

c. Enter the transaction STRUST.

d. Mark the top node, ‘System PSE’.

i. In our case, we already have the PSE generated for us in this appliance. In these cases, one could choose the Replace option.

ii. Otherwise, the option to ‘Create’ is displayed.


e. Now, depending on the option chosen:

i. With the Create option, we are directly presented with the Create PSE dialog box. In this case, it is pre-populated with values.

ii. Pressing the green tick mark results in the PSE being created.

iii. When choosing the Replace option, we are presented with a dialog box

1. first asking us to confirm our intentions (choose Yes here),

2. then requesting various details. Press the green tick mark.


f. Now, generate certificate request(s) for the Server PSEs.

i. Click on the Server PSE, so that you see the application server’s certificate in the Owner field as shown in the screenshot below.

ii. Now either copy the certificate request to your clipboard or save it to a file, by first pressing the ‘Create Certificate Request’ icon (with the yellow arrow).


g. Send the certificate request generated to the CA server of your choice.

i. If you use the SAP CA, more information on the SAP Trust Center can be found here.

1. There are some prerequisites dictated by the trust manager. Refer to the ‘Sending the Certificate Requests to a CA’ section of the help documentation for details.

h. Once the CA server responds with the certificate request response, this must be imported into the corresponding PSE.

i. Choose the application server PSE.

ii. Import the response using the ‘Import Certificate Response’ icon (with the green arrow).

iii. Load the file you have received from the CA (one could also copy the contents and paste them into the dialog box).

iv. Save.


v. This should result in a screen like this. Please note that the screenshots are from different systems, so only use these as reference, not for literal interpretation.

vi. Finally, if using certificates for authenticating clients, the corresponding CA’s root certificates must be maintained. One could do so either by maintaining the Certificate Database or the server’s Certificate List (contained in the SSL Server PSE of the server). This document on the help pages describes the steps in detail.

4) Creating the Standard SSL Client PSEs

a. In the case of outbound connections, the server uses Client PSEs (plural because there are different types of Client PSEs).

b. The standard client PSE is used as a default.

c. The process and steps for generating and maintaining the client PSE are similar to those we followed in the previous section for server PSEs.

i. In the transaction STRUST, the node to configure is shown in the screenshot below.


ii. Once the configuration steps have been executed, you will see the result as in the screenshot below. Again, please use this screenshot only for reference purposes, not for literal interpretation.

iii. This document on the help pages describes in detail the process of creating Standard Client SSL PSEs.

1. Additional scenarios like Anonymous or specific Identity-based communication are also addressed here.

5) Define which SSL client PSE to use for each connection

a. Each relevant HTTP connection should be explicitly configured to use SSL communication and specify which Standard Client PSE to use.

b. Call the transaction SM59.

c. Navigate to the connection.

d. Double click on the connection and choose the Logon & Security tab.

e. In the Logon & Security tab, activate SSL. Leave the SSL Certificate field on Default SSL Client (Standard).

f. In the event of Mutual Authentication needs, additional configuration should be maintained. See this document on the help pages for additional information on Mutual Authentication configuration.

g. Restart the ICM from transaction SMICM.

Now, your ABAP instance should be able to communicate using SSL and respond to HTTPS requests. There are additional configuration steps outlined in this document on the help pages and this note.

EXECUTE SAML 2.0 RELATED CONFIGURATION

That was the end of the SSL configuration; now let us follow up with the SAML2 configuration. In order to configure the AS ABAP as a SAML2 service provider, there are a few prerequisites that must be fulfilled. These are listed below:

- The SAP Cryptographic Library must be installed (with exceptions; please see this document on the help pages for a detailed breakdown).

o This prerequisite was fulfilled in the previous section.

- The necessary roles (and/or authorization objects) have been assigned to the user.

o S_ICF_ADM, SAP_SAML2_CFG_ADM, SAP_SAML2_CFG_DISPLAY

o Please see this document on the help pages for details on each of these roles.

- A SAML 2.0 Identity Provider (IdP) is set up, configured and available.

o This prerequisite is a bit complicated, as the IdP is a hard prerequisite, but it is not in the scope of this exercise or document to describe how to set up an IdP.

o However, the SAP Netweaver AS JAVA can be set up as an Identity Provider. This document on the help pages is a starting point on how to get started implementing an IdP on SAP Netweaver AS JAVA.

o We will assume that the IdP is completely and correctly set up for the purposes of SAML 2.0 activities.

- The application server (AS ABAP) has been configured to use Security Sessions.

o This is the first point we will address.


Activating Security Sessions Management on AS ABAP

- Security Sessions can be activated by calling the transaction SICF_SESSIONS.

- The resulting screen shows you the

o current values for those profile parameters that are relevant to this topic, and the

o clients where Session Security is enabled (depicted by the green icon in the State column).


From here on, we will assume that the IdP is set up, configured, accessible and fully functioning. We will also assume that the SSL configuration was successfully executed. If SSL is not configured, please ensure that step is complete before continuing.

1) On the gateway / frontend server, run the transaction code SAML2.

a. Note that this will cause a browser window to open (in the default browser). The resulting application is a Web Dynpro application and must be opened in a compatible browser to avoid unexpected behavior.

If the following warning is thrown, click on the ‘Continue to ….’ option.


2) In the resulting logon screen, provide the client number, username and password.

3) Pressing the logon button will take you to the SAML 2.0 Configuration dialog.

a. Note: in systems where the SAML configuration has not been run previously, you will be asked if SAML 2.0 support should be enabled.

b. Press the ‘Enable’ button.


4) This will result in a new choice being presented:

a. either create a Local Provider, or

b. import a configuration file.

c. In this example, we will choose to create a local provider.

5) Follow the wizard.

a. In the first screen, choose a name for the provider (no spaces allowed) and press Next.

b. Accept the default values in the Skew Tolerance screen and press Next.

c. Finally, accept the default values in the last screen and press Finish.


6) The Gateway is now enabled as a SAML 2.0 service provider.


7) Next, we need to identify our IdP by setting up a Trusted Provider. This is done on the ‘Trusted Providers’ tab and is most easily executed by importing the metadata (usually an XML file) from the IdP.

a. Choose the metadata file and press Next.


b. In my case, the signing certificate is requested. This file should be provided by the IdP admins. Choose the file and press Next.

c. Fill in the Alias field with a suitable text and press Next.


d. Accept the default values by pressing Next.

e. Accept the default values for the SSO endpoints by pressing Next.

i. NOTE: Ensure that the HTTP Redirect radio button is selected.


f. Accept the default values and press Next.

g. Accept the default values for the Artifacts endpoints too and press Next.


h. Finally, accept the default values and press Finish.

i. The IdP Trusted Provider is now set up.


A few changes are required in our case. NOTE: Screenshots are for reference only, not to be interpreted literally. Please check your system's settings based on the version.

1) Set the NameID format to Unspecified and the source to Logon ID.

2) Set the ‘Require Signature’ parameter to ‘Never’ in the Signature & Encryption tab.

3) Change the binding to HTTP Artifact in the ‘Authentication Requirements’ tab.


NOTE: A similar import of metadata (this time the Service Provider's) is required on the IdP side. The screenshot below is only a representation of how it looks in the SAP Netweaver AS JAVA IdP implementation when the metadata for the service provider is imported.

Identity Federation Details


Signature & Encryption Details

Now that we are done with the SAML setup, we can begin to configure the services to use

1) In the SICF transaction, navigate to an example service. In this case I am choosing Approve Purchase Orders.


Scroll down in the list until the UI5_UI5 node and then navigate to sap. Scroll further down to the service ‘mm_po_apv’ and double click on it.

2) In the detail screen called ‘Change / Create Service’, enter change mode by clicking on the pencil/glasses icon. That should enable editing.


3) On the Logon tab, choose the dropdown next to the Procedure field and choose the ‘Alternative Logon Procedure’ option from the list.

4) In the same tab, change the Security Requirement to ‘SSL’.

5) Scroll down until the list of logon procedures is visible. In this list, bring the ‘SAML Logon’ option to the top (the second spot; leave the first option unchanged) by changing the numbering.

6) Now save these changes using the save icon.


Congratulations: the IdP should now be called when calling this service.

Points to note

As mentioned numerous times, security and authentication is a large and complex topic. Please be aware that these steps are the rudimentary activities required in this particular example. Always refer to the documentation at help.sap.com for in-depth insight and the most up-to-date information on this topic. The entry point to SAML documentation in the context of AS ABAP can be found here.

© 2014 SAP SE or an SAP affiliate company. All rights reserved.