OpenSAP Fiori1 Week 4 Unit 5 Exercise Instructor-Led Walkthrough of SAML2 Config

8/10/2019 OpenSAP Fiori1 Week 4 Unit 5 Exercise Instructor-Led Walkthrough of SAML2 Config

1/32

openSAPHow-to Guide for Exercise Instructor-LedWalkthrough of SAML2 Configuration (Week 4 Unit 5)

Table of Contents

Configuring SSL on the Frontend Server...................................................................................................... 3Execute SAML 2.0 related configuration ..................................................................................................... 15

Activating Security Sessions Management on AS ABAP ................................................................................ 16


2/32

2

This exercise document is designed to guide you through the steps required to set up SAML2 basedauthentication with Fiori apps. The focus of this exercise is limited to the SAP side of the equation and it isimportant to note that multiple systems are needed in order for this configuration to work correctly. We arenot going to look into each one of those specifically.The ABAP stack supports various authentication paradigms and SAML2 based authentication is one ofthem. In broad terms, enabling SAML2 based authentication requires the following steps to be executed.

- Setup & Enable SSL Communication

- Execute SAML 2.0 related configuration

Please note that the appliance is configured for SSL communication. We do not have an Identity provider inthe landscape provided but you are welcome to test against any suitable IdPs that may be available to you. My colleague, Chris Whealy, wrote an excellent document on this topic,published on SCN, here.I urge youto read this document as well.
http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/d066cce7-b7b8-3010-428c-bcef3cf76cac?QuickLink=index&overridelayout=true&58475979904845http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/d066cce7-b7b8-3010-428c-bcef3cf76cac?QuickLink=index&overridelayout=true&58475979904845http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/d066cce7-b7b8-3010-428c-bcef3cf76cac?QuickLink=index&overridelayout=true&58475979904845http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/d066cce7-b7b8-3010-428c-bcef3cf76cac?QuickLink=index&overridelayout=true&58475979904845


3/32

3

CONFIGURING SSL ON THE FRONTEND SERVER

Official SAP documentation and reference can be found at thehelp pages, here.The following steps are required to enable the AS ABAP to support SSL.

1) Install the SAP Cryptographic Library

a. Download the SP Crypto libraries from the service marketplace.

b. Extract the contents of the SAP Cryptographic Library installation package.

c. Copy the library file and the configuration tool sapgenpse.exeto the directory specified by the

application server's profile parameter DIR_EXECUTABLE. In the following, we represent this

directory with the notation $(DIR_EXECUTABLE) .

d. Check the file permissions for the SAP Cryptographic Library. If, for example, you copied the

library to its location using ftpon UNIX, then the file permissions may not be set correctly.

Make sure that adm(or SAPService under Windows NT) is able to execute the

library's functions.

e. Copy the ticketfile to the sub-directory secin the instance directory $(DIR_INSTANCE).

f. Set the environment variable SECUDIRto the secsubdirectory. The application server uses this

variable to locate the ticket and its credentials at runtime.

i. SAP recommends setting SECUDIRin the startup profile for the server's user or in the

registry (Windows).
http://help.sap.com/saphelp_nw70ehp2/helpdata/en/49/23501ebf5a1902e10000000a42189c/frameset.htmhttp://help.sap.com/saphelp_nw70ehp2/helpdata/en/49/23501ebf5a1902e10000000a42189c/frameset.htmhttp://help.sap.com/saphelp_nw70ehp2/helpdata/en/49/23501ebf5a1902e10000000a42189c/frameset.htmhttp://help.sap.com/saphelp_nw70ehp2/helpdata/en/49/23501ebf5a1902e10000000a42189c/frameset.htm


4/32

4

2) Set the profile parameters.

Basic Information about Profile Parameters.

- The Profile Parameters of an Instance are accessed via the transaction RZ10

- This should give you a selection screen like the one below. You may have to import the profiles by

following the path; Menu Utilities Import Profiles Of Active Servers, also shown in the

screenshot below.


5/32

5

- Once you have imported your profiles a confirmation page will be displayed.

- When you navigate back to the landing page of the RZ10 transaction, when choosing the F4 help

icon on the Profiles field should give you two

options, a Default Profile and an Instance Profile. In our case, we will choose the instance profile.


6/32

6

- Choose Extended Maintenance and click Display.

- Now you should be able to see all the profile parameters.


7/32

7

Procedure

a. This link on the help pagesdescribes the necessary entries. I have included the tables here in

this document too.

b. If you used the recommended directory DIR_EXECUTABLE, then use the following values for

the location of the SAP Cryptographic Library. If you chose a different location, please specify

that location.

i. Unix: $(DIR_EXECUTABLE)/libsapcrypto.ii. Windows: $(DIR_EXECUTABLE)\sapcrypto.dll
http://help.sap.com/saphelp_nw70ehp2/helpdata/en/49/23691cbf5a1902e10000000a42189c/content.htmhttp://help.sap.com/saphelp_nw70ehp2/helpdata/en/49/23691cbf5a1902e10000000a42189c/content.htmhttp://help.sap.com/saphelp_nw70ehp2/helpdata/en/49/23691cbf5a1902e10000000a42189c/content.htm


8/32

8

3) Create and maintain the SSL Server PSEs

a. PSEs are maintained using the transaction STRUST

b. The Pre-Requisite for this step is to have installed and parameters maintained for the SAP

Cryptographic Library.

c. Enter the transaction STRUST

d. Mark the top node, System PSEi. In our case, we already have the PSE generated for us in this appliance. In these cases,

one could choose the Replace option.

ii. Else, the option to Create is displayed.


9/32

9

e. Now, when choosing the

i. Create option, we are directly presented with the Create PSE dialog box. In this case, it is

pre-populated with values.

ii. Pressing the green tick mark results in the PSE being created.

iii. When choosing the replace option, we are presented with the dialog box

1. First asking us to confirm our intensions, (choose yes here)

2. Then requesting various details. Press the green Tick mark.


10/32

10

f. Now, generate certificate request(s) for the Server PSEs.

i. Click on the Server PSE, so that you see the application servers certificate in the Owner

field as shown in the screenshot below

ii. Now either copy the certificate to your clipboard or save it to a file, by first pressing the

Create Certificate Request icon (with the yellow arrow).


11/32

11

g. Send the Certificate request generated to the CA server of your choice.

i. If you use the SAP CA, more information on the SAP Trust Center can be foundhere.

1. There are some prerequisites dictated by the trust manager. Refer to theSending

the Certificate Requests to a CAsection of the help documentation for details.

h. Once the CA server responds with the Certificate Request Response, this must be imported intothe corresponding PSE

i. Choose the application server PSE

ii. Import the response using the Import Certificate Response icon (with the green arrow)

iii. Load the file you have received from the CA (one could also copy the contents and paste

them into the dialog box.)

iv. Save
https://support.sap.com/support-programs-services/services/trust-center.htmlhttps://support.sap.com/support-programs-services/services/trust-center.htmlhttps://support.sap.com/support-programs-services/services/trust-center.htmlhttp://help.sap.com/saphelp_nw70ehp2/helpdata/en/49/3d9c9619341067e10000000a42189c/content.htmhttp://help.sap.com/saphelp_nw70ehp2/helpdata/en/49/3d9c9619341067e10000000a42189c/content.htmhttp://help.sap.com/saphelp_nw70ehp2/helpdata/en/49/3d9c9619341067e10000000a42189c/content.htmhttp://help.sap.com/saphelp_nw70ehp2/helpdata/en/49/3d9c9619341067e10000000a42189c/content.htmhttp://help.sap.com/saphelp_nw70ehp2/helpdata/en/49/3d9c9619341067e10000000a42189c/content.htmhttp://help.sap.com/saphelp_nw70ehp2/helpdata/en/49/3d9c9619341067e10000000a42189c/content.htmhttps://support.sap.com/support-programs-services/services/trust-center.html


12/32


13/32

13

ii. Once the configuration steps have been executed, you will see the result as in the

screenshot below. Again, please use this screenshot only for reference purposes not for

literal interpretation.

iii. This documenton the help pages describes in detail the process of creating Standard

Client SSL PSEs.

1. Additional scenarios like Anonymous or specific Identity based communication are

also addressed here.

5) Define which SSL client PSE to use for each connection

a. Each relevant HTTP connection should be explicitly configured to use SSL communication and

specify which Standard Client PSE to use.b. Call the transaction SM59
http://help.sap.com/saphelp_nw70ehp2/helpdata/en/49/26ada239242583e10000000a421937/content.htmhttp://help.sap.com/saphelp_nw70ehp2/helpdata/en/49/26ada239242583e10000000a421937/content.htmhttp://help.sap.com/saphelp_nw70ehp2/helpdata/en/49/26ada239242583e10000000a421937/content.htm


14/32

14

c. Navigate to the connection

d. Double click on the connection and choose the Logon & Security tab

e. In the Logon & Security tab, activate SSL. Leave the SSL Certificate field on Default SSL Client

(Standard).


15/32

15

f. In the event of Mutual Authentication needs, additional configuration should be maintained.See

this documenton the help pages for additional information on Mutual Authentication

configuration.

g. Restart the ICM from transaction SMICM

Now, your ABAP instance should be able to communicate using SSL and respond to HTTPS requests.There are additional configurations steps outlined inthis documenton the help pages andthis note.

EXECUTE SAML 2.0 RELATED CONFIGURATION

That was the end of the SSL configuration; now let us follow up with the SAML2 configuration.In order to configure the AS ABAP as a SAML2 service provider, there are a few prerequisites that must befulfilled. These are listed below;

- SAP Cryptographic Library must be installed (with exceptions. Please seethis documenton the help

pages for a detailed breakdown).

o This prerequisite was fulfilled in the previous section.

- Necessary roles (and or Authorization objects) have been assigned to the user.

o S_ICF_ADM, SAP_SAML2_CFG_ADM, SAP_SAML2_CFG_DISPLAY

o Please seethis documenton the help pages for details on each of these roles.

- A SAML 2.0 Identity Provider (IdP) is setup, configured and available.

o This prerequisite is a bit complicated as the IdP is a hard prerequisite, but it is not in the

scope of this exercise or document to described how to set up an IdP.o However, the SAP Netweaver AS JAVA can be set up as an Identity Provider.

This documenton the help pages is a starting point on how to get started

implementing IdP on SAP Netweaver AS JAVA.

o We will assume that the IdP is completely and correctly setup for the purposes of SAML 2.0

activities.

- The application server (AS ABAP) has been configured to use Security Sessions.

o This is the first point we will address.
http://help.sap.com/saphelp_nw70ehp2/helpdata/en/17/1514e9b7eb4f74b0b49327b8f2a662/content.htmhttp://help.sap.com/saphelp_nw70ehp2/helpdata/en/17/1514e9b7eb4f74b0b49327b8f2a662/content.htmhttp://help.sap.com/saphelp_nw70ehp2/helpdata/en/17/1514e9b7eb4f74b0b49327b8f2a662/content.htmhttp://help.sap.com/saphelp_nw70ehp2/helpdata/en/17/1514e9b7eb4f74b0b49327b8f2a662/content.htmhttp://help.sap.com/saphelp_nw70ehp2/helpdata/en/49/23501ebf5a1902e10000000a42189c/frameset.htmhttp://help.sap.com/saphelp_nw70ehp2/helpdata/en/49/23501ebf5a1902e10000000a42189c/frameset.htmhttp://help.sap.com/saphelp_nw70ehp2/helpdata/en/49/23501ebf5a1902e10000000a42189c/frameset.htmhttp://service.sap.com/~form/handler?_APP=01100107900000000342&_EVENT=REDIR&_NNUM=1527879&_NLANG=en&_NVERS=0http://service.sap.com/~form/handler?_APP=01100107900000000342&_EVENT=REDIR&_NNUM=1527879&_NLANG=en&_NVERS=0http://service.sap.com/~form/handler?_APP=01100107900000000342&_EVENT=REDIR&_NNUM=1527879&_NLANG=en&_NVERS=0http://help.sap.com/saphelp_nw70ehp2/Helpdata/en/4a/b6df333fec6d83e10000000a42189c/content.htmhttp://help.sap.com/saphelp_nw70ehp2/Helpdata/en/4a/b6df333fec6d83e10000000a42189c/content.htmhttp://help.sap.com/saphelp_nw70ehp2/Helpdata/en/4a/b6df333fec6d83e10000000a42189c/content.htmhttp://help.sap.com/saphelp_nw70ehp2/Helpdata/en/4a/b6df333fec6d83e10000000a42189c/content.htmhttp://help.sap.com/saphelp_nw70ehp2/Helpdata/en/4a/b6df333fec6d83e10000000a42189c/content.htmhttp://help.sap.com/saphelp_nw70ehp2/Helpdata/en/4a/b6df333fec6d83e10000000a42189c/content.htmhttp://help.sap.com/saphelp_nwidmic_72/helpdata/en/6c/560670c0984bbf878fb253fcacfa72/content.htm?current_toc=/en/64/38385003ce4f2d88602fbf0de78f2f/plain.htm&show_children=truehttp://help.sap.com/saphelp_nwidmic_72/helpdata/en/6c/560670c0984bbf878fb253fcacfa72/content.htm?current_toc=/en/64/38385003ce4f2d88602fbf0de78f2f/plain.htm&show_children=truehttp://help.sap.com/saphelp_nwidmic_72/helpdata/en/6c/560670c0984bbf878fb253fcacfa72/content.htm?current_toc=/en/64/38385003ce4f2d88602fbf0de78f2f/plain.htm&show_children=truehttp://help.sap.com/saphelp_nw70ehp2/Helpdata/en/4a/b6df333fec6d83e10000000a42189c/content.htmhttp://help.sap.com/saphelp_nw70ehp2/Helpdata/en/4a/b6df333fec6d83e10000000a42189c/content.htmhttp://service.sap.com/~form/handler?_APP=01100107900000000342&_EVENT=REDIR&_NNUM=1527879&_NLANG=en&_NVERS=0http://help.sap.com/saphelp_nw70ehp2/helpdata/en/49/23501ebf5a1902e10000000a42189c/frameset.htmhttp://help.sap.com/saphelp_nw70ehp2/helpdata/en/17/1514e9b7eb4f74b0b49327b8f2a662/content.htmhttp://help.sap.com/saphelp_nw70ehp2/helpdata/en/17/1514e9b7eb4f74b0b49327b8f2a662/content.htm


16/32

16

Activating Security Sessions Management on AS ABAP

- Security Sessions can be activated by calling the transaction SICF_SESSIONS.

- The resulting screen shows you the

o Current values for those Profile Parameters that are relevant to this topic

o Clients where Sessions Security is enabled (depicted by the green icon in the State column).


17/32

17

From here on in, we will assume that the IdP is setup, configured, accessible and in fully functioning form.We will also assume that the SSL configuration was successfully executed. If SSL is not configured, pleaseensure the step is complete before continuing.

1) On the gateway / frontend server, run the transaction code SAML2

a. Note that this will cause a browser window to open (in the default browser). The resulting

application is a Web Dynpro application and must be opened in a compatible browser to avoid

unexpected behavior.

If the following warning is thrown, click on the Continueto .Option.


18/32

18

2) In the resulting logon screen, provide the Client number, username and password.

3) Pressing the logon button will take you to the SAML 2.0 Configuration dialog.

a. Note, In systems where SAML configuration has not been run previously, you will be asked if

SAML 2.0 support should be enabled.

b. Press the Enable button.


19/32

19

4) This will result in a new choice being presented.

a. To either create a Local Provider OR

b. To import a Configuration file

c. In this example, we will choose to create a local provider.

5) Follow the wizard

a. In the first screen choose a name for the provider (no spaces allowed), press Next.

b. Accept the default values in the Skew tolerance screen, press Next.

c. Finally, accept the default values in the last screen and press Finish.


20/32

20

6) The Gateway is now enabled as a SAML 2.0 service provider.


21/32

21

7) Next we need to identify our IdP by setting up a Trusted Provider. This is done on the Trusted

Providers tab and is most easily executed by importing the metadata (usually an XML file) from the

IdP.

a. Choose the metadata file and press Next.


22/32

22

b. In my case the signing certificate is requested. This file should be provided by the IdP admins.

Choose the file and press Next.

c. Fill in the Alias field with a suitable text and press Next


23/32

23

d. Accept the default values by pressing Next.

e. Accept the default values for the SSO endpoints by pressing Next.

i. NOTEEnsure that the HTTP Redirect radio button is selected.


24/32

24

f. Accept the detault values and press Next

g. Accept the default values for the Artifacts endpoints too, press Next


25/32

25

h. Finally, accept the default values and press Finish.

i. The IdP trusted Provider is now setup.


26/32

26

A few changes are required in our case. NOTE - Screenshots for reference only, not to be interpretedliterally. Please check your systems settings based on the version.

1) Set the NameID format to Unspecified and the source to Logon ID.

2) Set the Require Signature parameter to Never in the Signature & Encryption tab.

3) Change the binding to HTTP Artifact in the Authentication Requirements tab.


27/32

27

NOTEA similar import of metadata (service Provider) is required on the IdP side. The screenshot below isonly a representation of how it looks like in the SAP Netweaver AS JAVA IdP implementation when themetadata for the service provider is imported.

Identity Federation Details


28/32


29/32

29

Scroll down in the list until the UI5_UI5 node and then navigate to sap

Scroll further down to the service mm_po_apv and double click on it.

2) In the detail screen called Change / Create Service, enter change mode by clicking on the

pencil/glasses icon . That should enable editing.


30/32

30

3) On the Logon tab, choose the dropdown next to the Procedure field and choose the Alternative

Logon Procedure option from the list.

4) In the same tab, change the Sequrity Requirement to SSL

5) Scroll down until the list of logon procedures is visible. In this list, bring the SAML Logon option to

the top (the second spot. Leave the first option unchanged) by changing the numbering.

6) Now save these changes using the icon.


31/32

31

Congratulations, now, the Idp should be called when calling this service.

Points to note

As mentioned numerous times, security and authentication is a large and complex topic. Please be awarethat these steps are the rudimentary activities required in this particular example. Always refer to thedocumentation at help.sap.com for in-depth insight and the most up to date information on this topic.The entry point to SAML documentation in the context of AS ABAP can be foundhere.
http://help.sap.com/saphelp_nw70ehp2/Helpdata/en/46/631b92250b4fc1855686b4ce0f2f33/content.htm?frameset=/en/4a/b6df333fec6d83e10000000a42189c/frameset.htm&current_toc=/en/1c/ad1640033ae569e10000000a155106/plain.htm&node_id=22&show_children=falsehttp://help.sap.com/saphelp_nw70ehp2/Helpdata/en/46/631b92250b4fc1855686b4ce0f2f33/content.htm?frameset=/en/4a/b6df333fec6d83e10000000a42189c/frameset.htm&current_toc=/en/1c/ad1640033ae569e10000000a155106/plain.htm&node_id=22&show_children=falsehttp://help.sap.com/saphelp_nw70ehp2/Helpdata/en/46/631b92250b4fc1855686b4ce0f2f33/content.htm?frameset=/en/4a/b6df333fec6d83e10000000a42189c/frameset.htm&current_toc=/en/1c/ad1640033ae569e10000000a155106/plain.htm&node_id=22&show_children=falsehttp://help.sap.com/saphelp_nw70ehp2/Helpdata/en/46/631b92250b4fc1855686b4ce0f2f33/content.htm?frameset=/en/4a/b6df333fec6d83e10000000a42189c/frameset.htm&current_toc=/en/1c/ad1640033ae569e10000000a155106/plain.htm&node_id=22&show_children=false


32/32

www sap com

2014 SAP SE or an SAP affiliate company. All rights reserved.No part of this publication may be reproduced or transmitted in any formor for any purpose without the express permission of SAP SE or an SAPaffiliate company.SAP and other SAP products and services mentioned herein as well as theirrespective logos are trademarks or registered trademarks of SAP SE (or anSAP affiliate company) in Germany and other countries. Please seehttp://www.sap.com/corporate-en/legal/copyright/index.epx#trademark

foradditional trademark information and notices. Some software productsmarketed by SAP SE and its di stributors contain proprietary softwarecomponents of other software vendors.National product specifications may vary.These materials are provided by SAP SE or an SAP affiliate company forinformational purposes only, without representation or warranty of any kind,and SAP SE or its affiliated companies shall not be liable for errors oromissions with respect to the materials. The only warranties for SAP SE orSAP affiliate company products and services are those that are set forth inthe express warranty statements accompanying such products and services,if any. Nothing herein should be construed as constituting an additionalwarranty.In particular, SAP SE or its affiliated companies have no obligation to pursueany course of business outlined in this document or any related presentation,or to develop or release any functionality mentioned therein. This document,or any related presentation, and SAP SEs or its affiliated companies

strategy and possible future developments, products, and/or platformdirections and functionality are all subject to change and may be changed bySAP SE or itsaffiliated companies at any time for any reason without notice.Th i f ti i thi d t i t it t i l l
http://www.sap.com/corporate-en/legal/copyright/index.epx#trademarkhttp://www.sap.com/corporate-en/legal/copyright/index.epx#trademarkhttp://www.sap.com/corporate-en/legal/copyright/index.epx#trademark

Documents

OpenSAP Fiori1 Week 4 Unit 5 Exercise Instructor-Led Walkthrough of SAML2 Config