SAML authentication for Web services in AS ABAP

Symptom
SAP NetWeaver Application Server supports the OASIS Web Services Security SAML Token Profile 1.0 for authentication. This note describes the requirements for the scenario in which SAP acts as the provider. To authenticate successfully at the provider, several requirements must be fulfilled, in particular the cryptographic configuration and a user mapping between the subject in the SAML assertion and the identity in the SAP system.
The OASIS Web Services Security SAML Token Profile 1.0 specifies two variants for how a SAML assertion can be added to a SOAP message. SAML Sender Vouches can be used in an application-server-to-application-server scenario.
SAML Holder of Key can be used either in an application-server-to-application-server scenario or in a consumer-to-provider-scenario with a large number of consumers. The latter usually involves a central authentication system instance called a Security Token Service (STS), which is used to issue SAML tokens.
The system sending the SOAP message is the consumer system, the system receiving the SOAP message is the provider system.

Solution
SAML Sender Vouches
When sending the message, the application server of the consumer signs the SAML assertion with the system certificate and thereby vouches for the identity of the authenticated user. The provider system validates the message by checking the time stamp validity, the XML signature over the SOAP body, and the SAML assertion. The scenario is supported with AS ABAP 7.00 SP14 or higher, 7.01, 7.10, and 7.11. To accept a SOAP message, the following prerequisites must be met:
1) SAP Cryptographic Library 1.555.24 or higher must be installed. You can check this in transaction STRUST, menu Environment->Display SSF Version. For example:
SSFLIB Version 1.555.24 ; SECUDE(tm) SAPCRYPTOLIB-
SNC for SAP Server components and SSL -
Version5.5.5C (c) SECUDE GmbH 1990-2004
2) Report WSS_SETUP has been called once on the ABAP provider to enable message authentication (that is SAML authentication, X.509 authentication with an XML signature, UsernameToken).
3) The provider must be configured for SAML authentication. Use transaction SOAMANAGER. Choose, for example, Transport Guarantee Type HTTPS, authentication SAML.
4) The system certificate used for the message signature at the consumer side is included in the System PSE and WSSecurity WS Security Keys PSE.
5) The user mapping entry has been maintained in table USREXTID (see below).
SAML Holder of Key
The issuer of the SAML assertion signs the assertion. When the assertion is sent to the provider system, the consumer uses the key inside the SAML assertion to sign and encrypt the SOAP message. With release 7.01 SP1 and 7.11, ABAP providers accept SAML-Holder-of-Key assertions for authentication.
To accept a SOAP message with SAML-Holder-of-Key authentication, the following prerequisites must be met:
1) SAP Cryptographic Library 1.555.24 or higher must be installed. You can check this in transaction STRUST, menu Environment->Display SSF Version. For example:
SSFLIB Version 1.555.24 ; SECUDE(tm) SAPCRYPTOLIB-
SNC for SAP Server components and SSL -
Version5.5.5C (c) SECUDE GmbH 1990-2004
2) Report WSS_SETUP has been called once on the ABAP client to enable message authentication (that is SAML authentication, X.509 authentication with an XML signature, UsernameToken).
3) The provider must be configured for SAML authentication. Use transaction SOAMANAGER. Choose, for example, Communication Security: Symmetric Message Signature/Encryption; Authentication Method: Single Sign-On using SAML.
4) The X.509 certificate used for the SAML signature at the issuing system (STS) is included in the system PSE and WS-Security WS Security Keys PSE on the provider system.
5) The private key to decrypt the encrypted symmetric key at the provider system must be a WS Security Identity in transaction STRUST.
6) The user mapping entry is maintained in table USREXTID (see below).
Maintaining mappings in USREXTID
The SAML assertion contains a subject statement about the identity on the consumer system. As this identity may differ from the ABAP identity, a mapping between the two must be used. Mappings between the subject in the SAML assertion and the user in the SAP system must be maintained in table USREXTID.
The SAML assertion contains the name of the SAML issuer, the name identifier and a name qualifier. This data is used by the mapping.
Example:
<saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="saml-0018FE864EEE1DEDA2C35DF6C212F1D5" Issuer="BXI/000" IssueInstant="2008-09-24T09:27:00Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:Conditions NotBefore="2008-09-24T09:27:00Z" NotOnOrAfter="2008-09-24T09:32:00Z"/>
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified" AuthenticationInstant="2008-09-24T09:27:00Z">
    <saml:Subject>
      <saml:NameIdentifier NameQualifier="" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">USER_123</saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>
The fields below are concatenated with a colon (:) as separator:
saml:Assertion/@Issuer
saml:Assertion/saml:Subject/saml:NameIdentifier/@NameQualifier
saml:Assertion/saml:Subject/saml:NameIdentifier
So the key for the example above is BXI/000::USER_123 (the NameQualifier is empty, hence the two consecutive colons). In addition to the mapping key, the certificate used to sign the SAML assertion or the message must be included in the mapping. The subject name of the certificate must be formatted in the same way as it is stored in transaction STRUST.
Mapping using report RSUSREXTID
If the saml:Assertion/saml:Subject/saml:NameIdentifier element contains the SAP user name, we recommend using report RSUSREXTID to create the mapping for all users or a subset of users. If the SAP user name is not contained in the saml:NameIdentifier, this report cannot be used.
1) Obtain the signature certificate and import it into System PSE in transaction STRUST.
For an SAP consumer system, you can retrieve the information about the certificate used and SAML directly from the system:
AS Java (SAP NetWeaver CE): Quick Link /nwa/ws-security-saml, tab "Local SAML Attesters". The information contains the Base64-encoded certificate and the SAML issuer name.
AS ABAP: Call report WSS_INFO. The information contains the Base64-encoded certificate and the SAML issuer name.
Base64-encoded certificates can be imported into transaction STRUST by saving them to a file and importing the file.
2) Call report RSUSREXTID
Use the following settings:
External ID type: SA
Prefix of external name: <name of SAML issuer as in saml:Assertion/@Issuer, e.g. BXI/000>:<name identifier as in saml:Assertion/saml:Subject/saml:NameIdentifier/@NameQualifier>
Suffix of External Name:
Issuer's Name (labelled "Optional" in the report): For SAML, this field is mandatory and must be the subject name of the signature certificate as contained in the System PSE in transaction STRUST.
Custom report
If you cannot use report RSUSREXTID, you must develop your own report for custom mapping. See the z_saml_trust example report attached to this note. This report is not suitable for mass maintenance of SAML mappings.

Error analysis:
If you encounter errors, look in the SOAP runtime log. To access the log messages, open transaction SOAMANAGER and navigate to Logs and Traces.
Error messages:
No trusted certificate for SAML authentication found <certificate DN>: The certificate for signing the message has not been imported into the System PSE.
No trusted certificate for SAML authentication found in USREXTID for <certificate DN>: No mapping entry with that certificate was found in table USREXTID. If this is unexpected, check whether exactly the certificate DN used in the error message is included in your USREXTID mappings.
No SAML mapping data in USREXTID for <mapping key> Certificate <certificate DN>: No correct mapping entry with the mapping key and the certificate DN was found in USREXTID. If this is unexpected, check whether exactly the certificate DN and the mapping key used in the error message are included in your USREXTID mappings.
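The following Python snippet is an added illustration (not code from this note or from the z_saml_trust report) of how the mapping key described under "Maintaining mappings in USREXTID" is derived from an assertion and of the three checks behind the error messages above. The assertion, the certificate DN and the USREXTID-style rows are constructed sample data; the lookup order is an assumption made for the illustration.

```python
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"

# Constructed sample assertion with the shape shown in this note (not a captured message).
ASSERTION = """<saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="saml-EXAMPLE"
    Issuer="BXI/000" IssueInstant="2008-09-24T09:27:00Z"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:Conditions NotBefore="2008-09-24T09:27:00Z" NotOnOrAfter="2008-09-24T09:32:00Z"/>
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"
      AuthenticationInstant="2008-09-24T09:27:00Z">
    <saml:Subject>
      <saml:NameIdentifier NameQualifier=""
          Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">USER_123</saml:NameIdentifier>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""


def mapping_key(assertion_xml: str) -> str:
    """Build the USREXTID key Issuer:NameQualifier:NameIdentifier from a SAML 1.x assertion."""
    root = ET.fromstring(assertion_xml)
    issuer = root.get("Issuer", "")
    # The Subject may sit directly under the assertion or inside a statement; search both.
    nid = root.find(f".//{{{SAML1_NS}}}Subject/{{{SAML1_NS}}}NameIdentifier")
    if nid is None:
        raise ValueError("assertion has no saml:Subject/saml:NameIdentifier")
    return ":".join([issuer, nid.get("NameQualifier", ""), (nid.text or "").strip()])


# Constructed USREXTID-style rows: (external ID type, external ID, signer certificate DN, SAP user).
SIGNER_DN = "CN=BXI, OU=SAP Web AS, O=SAP Trust Community, C=DE"  # constructed sample DN
USREXTID = [("SA", "BXI/000::USER_123", SIGNER_DN, "SAPUSER1")]


def resolve_user(assertion_xml: str, signer_dn: str, trusted_dns: set, table=USREXTID):
    """Apply the three checks in the order the error messages suggest (assumed order).

    Returns ("ok", sap_user) or ("error", message) with the message text from this note.
    """
    if signer_dn not in trusted_dns:  # certificate not in the System PSE
        return ("error", f"No trusted certificate for SAML authentication found {signer_dn}")
    if not any(t == "SA" and dn == signer_dn for t, _, dn, _ in table):
        return ("error", f"No trusted certificate for SAML authentication found in USREXTID for {signer_dn}")
    key = mapping_key(assertion_xml)
    for t, extid, dn, user in table:
        if t == "SA" and extid == key and dn == signer_dn:
            return ("ok", user)
    return ("error", f"No SAML mapping data in USREXTID for {key} Certificate {signer_dn}")
```

Comparing the DN string byte for byte, as the code does, is the point of the "exactly the certificate DN as used in the error message" advice above: any difference in attribute order or spacing produces the second or third error.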

Additional Information
For an example on how to use SAML Holder Of Key for Single Sign-On from .Net to an AS ABAP 7.01 or AS ABAP 7.11, see
https://www.sdn.sap.com/irj/sdn/weblogs?blog=/pub/wlg/10764

