SAP as an IDP for ADFS SP with RelayState

  • Question

  • Hi,

    I have tried to search for this in most of the SAP articles, but I haven't found any conclusive proof on this. I would like to know if SAP NetWeaver can act as a SAML 2.0 IDP with ADFS 2.0 as SP with a WS-Fed application, using RelayState for IDP-initiated authentication.

    There is nothing on SAP as an IDP with ADFS as SP, but there is plenty of information with ADFS as IDP and SAP as SP.


    Thursday, June 16, 2016 12:17 PM

All replies

  • IDP-initiated sign-in is a SAML feature. What do you mean by saying that you are using it for a WS-Fed trust?

    Are you sure you want to use SAP as an IDP? I mean, the IDP is your identity provider. Don't you want to use AD users with SAP for SSO?


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Monday, June 20, 2016 2:19 PM
  • Yes, the scenario is with SAP as an IDP and with ADFS as SP. The Project Liberty whitepaper states that SAP supports IDP Lite; the problem is that it is inserting a SAML2SP parameter into the URL.

    Almost all of the SAP scenarios are with ADFS as an IDP and SAP as an SP, but none with SAP as an IDP.

    The backend app is a WS-Fed app.

    SAML 2.0 (IDP) -> ADFS (SP) -> WS-Fed app is supported, by MS design.


    Tuesday, June 21, 2016 8:59 PM
  • As @Pierre says "IDP initiated sign-in is a SAML feature".

    Yes - ADFS can bridge SAML and WS-Fed.

    Do you intend to do IDP initiated on the SAP IDP?

    The problem from the ADFS PoV is that the RP is WS-Fed so ADFS has no SAML RP to pass the relay state on to.

    And the WS-Fed protocol has no provision for relay state.

    Tuesday, June 21, 2016 10:21 PM
  • It doesn't need to be a SAML RP; I have got IDP-initiated RelayState working for Shibboleth, Okta, OneLogin and Ping Server.

    With Rollup 2.0 for ADFS 2.0 you have this provision:

    Identity provider STS -> relying party STS (configured as a SAML-P endpoint) -> WIF (WS-Fed) relying party App

    https://blogs.technet.microsoft.com/askds/2012/09/27/ad-fs-2-0-relaystate/

    https://technet.microsoft.com/en-us/library/jj127245(v=ws.10).aspx

    Wednesday, June 22, 2016 7:58 AM
  • I am not sure what you mean by "it doesn't need to be a SAML RP".

    The first link you gave mentioned the following: "RelayState is a parameter of the SAML protocol" and the second: "identity provider-initiated (IDP initiated) web-based single sign-on (SSO) as described by OASIS in the Security Assertion Markup Language (SAML) specification".


    Monday, July 4, 2016 12:45 PM
  • I think we are diverging from the question I asked.

    I have integrated this solution with multiple federation platforms with ADFS:

    Identity provider STS -> relying party STS (configured as a SAML-P endpoint) -> WIF (WS-Fed) relying party App

    I needed to know if it was possible with the SAP NetWeaver stack at all.

    Saturday, July 9, 2016 7:43 AM
  • Indeed, we tend to have a lot of confusion around WS-Fed and IDP-initiated sign-on. This is why sometimes we drift a bit to make sure we're all on the same page.

    I have seen issues back in ADFS 2 with NetWeaver (ADFS 2 RP trust to SAP NetWeaver Cloud RP trust). But that's it (something around a missing query string in the URL). But that was a long time ago. Now, in your case, what are the error messages?


    Monday, July 11, 2016 2:11 PM
  • This was for ADFS as an RP-STS and SAP as an IDP partner.

    This was the URL:

    https://myDevice-xxx.xxx.com/saml2/idp/sso?saml2sp=APP&&RelayState=RPID%3Dhttp%253A%252F%252Fxyz.com%252Fadfs%252Fservices%252Ftrust%26RelayState%3DRPID%253Dhttps%25253A%25252F%25252Fapp.xyztes.com%25252Fxyzsignon%25252FLogin

    SAP uses this parameter before the RelayState value: saml2sp=APP,

    which holds this URL value "253Dhttps%25253A%25252F%25252Fapp.xyztes.com%25252Fxyzsignon%25252FLogin". For some weird reason SAP makes this value mandatory.

    ADFS doesn't like the parameter and would ignore it, but it breaks further when SAP doesn't understand double percent-encoding, which ADFS loves. The outcome is no SSO. SAP doesn't understand WS-Fed, hence no SP-initiated approach.

    Tuesday, August 2, 2016 12:25 PM
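The nested RelayState in the URL quoted in the last post, reconstructed as an added Python example (not code from the thread, from SAP or from Microsoft): it builds the value ADFS expects as RP-STS (the RPID/RelayState nesting from the linked ADFS 2.0 RelayState articles), prefixes the saml2sp parameter the post says SAP requires, and peels the layers back off one level per hop. The hostnames are the anonymised ones from the post.

```python
"""Build and unwrap the nested RelayState that ADFS (as RP-STS) expects
from a SAML IdP, using the anonymised identifiers from the thread's URL."""
from urllib.parse import parse_qs, quote, urlsplit

# Values lifted from the (anonymised) URL quoted in the post above.
SAP_IDP_SSO = "https://myDevice-xxx.xxx.com/saml2/idp/sso"
ADFS_RP_STS_ID = "http://xyz.com/adfs/services/trust"
WSFED_APP_ID = "https://app.xyztes.com/xyzsignon/Login"
THREAD_URL = (
    "https://myDevice-xxx.xxx.com/saml2/idp/sso?saml2sp=APP&&RelayState="
    "RPID%3Dhttp%253A%252F%252Fxyz.com%252Fadfs%252Fservices%252Ftrust"
    "%26RelayState%3DRPID%253Dhttps%25253A%25252F%25252Fapp.xyztes.com"
    "%25252Fxyzsignon%25252FLogin"
)


def build_adfs_relaystate(rp_sts_id: str, app_id: str) -> str:
    """RelayState value for IdP-initiated SSO through ADFS to a WS-Fed app.

    inner : RPID=<app id, url-encoded>                 (for the WS-Fed RP)
    outer : RPID=<RP-STS id, url-encoded>&RelayState=<inner, url-encoded>
    The outer string is url-encoded once more for the query string, which is
    where the %25 / %2525 "double" encoding in the thread's URL comes from.
    """
    inner = "RPID=" + quote(app_id, safe="")
    outer = ("RPID=" + quote(rp_sts_id, safe="")
             + "&RelayState=" + quote(inner, safe=""))
    return quote(outer, safe="")


def sap_idp_initiated_url(saml2sp: str, rp_sts_id: str, app_id: str) -> str:
    """SAP IdP URL: saml2sp names the SP trust, RelayState carries the rest."""
    return (f"{SAP_IDP_SSO}?saml2sp={quote(saml2sp, safe='')}"
            f"&RelayState={build_adfs_relaystate(rp_sts_id, app_id)}")


def unwrap_adfs_relaystate(url: str) -> dict:
    """Peel the layers off, decoding exactly one level per hop
    (IdP endpoint -> ADFS RP-STS -> WS-Fed application)."""
    hop1 = parse_qs(urlsplit(url).query)      # what the IdP endpoint sees
    hop2 = parse_qs(hop1["RelayState"][0])    # what ADFS (RP-STS) sees
    hop3 = parse_qs(hop2["RelayState"][0])    # resolved for the WS-Fed app
    return {"rp_sts": hop2["RPID"][0], "app": hop3["RPID"][0],
            "other_params": sorted(k for k in hop1 if k != "RelayState")}
```

Decoding one level per hop is what keeps an app URL that itself contains `?`, `&` or `%` intact; a component that strips all percent-encoding in one pass cannot tell the layers apart.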