SAP JAM & SAML

Former Member
0 Kudos

Hello experts,

I am currently using a trial version of SAP JAM hosted on my trial Hana Cloud Platform (HCP) account.

I managed to authenticate an external application to JAM using the oauth SAML bearer assertion flow.

For SAML I used the local IDP (IDentity Provider) provided by Hana Cloud Platform.

I have a couple of questions:

     1. Is it possible to configure an external IDP to log into SAP JAM? I don't want to pass through the standard SAP SAML login page.

     2. Is it possible to store an issued SAML assertion and use it a second time to authenticate my application against JAM?

Thank you very much,

-

Raffaele

Accepted Solutions (0)

Answers (1)

Adam_Stone
Active Contributor
0 Kudos

I am not sure what you are getting at with question 1. You already have code working using the SAML bearer assertion; are you trying to avoid this type of authentication? Or are you talking about when users manually log into Jam, you want them to see a different login page?

For number 2, the SAML assertion gets you an OAuth token, which is then used in every other OData request. This token in the header field is your authorization, and does not need to be regenerated for every call.
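The client side of the flow the answer describes, as an added example that is not part of the thread or of SAP Jam's own code: the assertion is sent once with the OAuth 2.0 SAML bearer grant (RFC 7522), and the resulting token, not the assertion, is cached and attached to every later OData request until it nears expiry. The token endpoint URL, client id, sample assertion and the `Bearer` header scheme are assumptions; check the service's API documentation for the values it actually expects.

```python
import base64
import time
from dataclasses import dataclass

# Placeholders (assumptions, not real SAP Jam values): token endpoint and client id.
TOKEN_ENDPOINT = "https://jam.example.invalid/oauth/token"
CLIENT_ID = "example-client-id"
SAML_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:saml2-bearer"  # RFC 7522

# Constructed stand-in for the assertion the IdP issues; real ones are signed XML.
SAMPLE_ASSERTION = b'<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1">...</saml:Assertion>'


def b64url(data: bytes) -> str:
    """RFC 7522 sends the assertion base64url-encoded without '=' padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_token_request(assertion_xml: bytes) -> dict:
    """Form body for the token endpoint; grant_type selects the SAML bearer grant."""
    return {"grant_type": SAML_BEARER_GRANT, "client_id": CLIENT_ID, "assertion": b64url(assertion_xml)}


@dataclass
class CachedToken:
    access_token: str
    expires_at: float  # absolute time, derived from expires_in in the token response


class TokenCache:
    """Exchanges the assertion once and reuses the token until it nears expiry."""

    def __init__(self, post, now=time.time, skew=60):
        self._post = post      # callable(url, form) -> token response dict; the HTTP transport
        self._now = now
        self._skew = skew      # refresh this many seconds before expiry to absorb clock drift
        self._token = None
        self.exchanges = 0     # number of assertion-to-token exchanges actually performed

    def get(self, assertion_xml: bytes) -> str:
        if self._token is None or self._now() >= self._token.expires_at - self._skew:
            resp = self._post(TOKEN_ENDPOINT, build_token_request(assertion_xml))
            self._token = CachedToken(resp["access_token"], self._now() + resp["expires_in"])
            self.exchanges += 1
        return self._token.access_token

    def auth_header(self, assertion_xml: bytes) -> dict:
        """Header for each OData request (Bearer scheme of RFC 6750; confirm what the service expects)."""
        return {"Authorization": "Bearer " + self.get(assertion_xml)}
```

Pass a real HTTP POST function as `post` to use it against a live token endpoint; a fake `post` lets the caching behaviour be exercised offline.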

Former Member
0 Kudos

We managed to authenticate using the local HCP Identity Provider (IDP), but our scenario is a bit more complex.

We have 2 systems:

  • One SAP JAM instance
  • One SAP Netweaver Gateway instance that exposes OData

We’d like to provide SSO capabilities using the SAML protocol and an external IDP hosted in our customer’s Intranet. In order to put it in place we need to make both systems and the IDP trust each other. From the IDP side this is achieved by importing Service Provider descriptors (metadata.xml). In this case we need 2 metadata.xml files, one for the Gateway and one for JAM. The problem is that we are not able to get metadata from JAM. I think this is because our trial JAM instance is only reachable via our Hana Cloud Platform (HCP) trial account. Indeed we are able to export the Service Provider metadata from the HCP Cockpit (however we are not able to be redirected to JAM after SAML assertion is generated by our IDP).

Is there a way to directly expose JAM as a SAML service provider and configure trust relationship with our customer IDP? Is it a limitation of the trial edition (we plan to buy a JAM enterprise license)?

Former Member
0 Kudos

Hello,

Have you found a solution?

We are facing the same issue.

It would be helpful if you have found any.

Adam_Stone
Active Contributor
0 Kudos

Hi Hajime,

Can you provide more details about exactly what your issue is so that we can assist?

Thanks,
Adam