Tags: single-sign-on, saml, adfs, netweaver, ws-trust

SAP SAML authentication doesn't accept WS-TRUST URI token


We have an SSO setup between SAP NetWeaver and ADFS (acting as the STS). So, a user will log in to a custom ASP.Net application, and this application will request a SAML assertion from ADFS to access the SAP system.

The thing is that, according to SAP documentation, the relying party identifier of the SAP system is not a URL (it's just a name), and that is how it is specified in ADFS (e.g. SAPSYSTEMRPID).

How on earth can I get a token issued using WS-Trust (which is what ADFS provides) when the AppliesTo field requires a URI? Is there a default scheme, some convention?

I've been beating my head against the table for days now; I am obviously missing something.


Solution

  • Well, to close my own question after so much.

    In the end the problem was ADFS naming of relying parties; once we switched the name to a URL (which took some convincing) it started working.

    ADFS should be strict in the name format for the RP identifier.
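The client-side half of the fix, as an added example that is not code from the original question or answer: a WIF (.NET 4.5, System.IdentityModel) WS-Trust 1.3 call to ADFS that puts the relying party identifier into wsp:AppliesTo. Because AppliesTo carries a wsa:Address, the identifier has to be an absolute URI, which is why a bare name like SAPSYSTEMRPID cannot work and the ADFS relying party trust has to be re-created or re-identified with a URL. ADFS then copies that same identifier into the saml:Audience of the issued assertion, so the SAP side has to be configured with the URL as well. The hostnames adfs.example.com and sap.example.com, the identifier https://sap.example.com/SAPSYSTEMRPID, the usernamemixed endpoint and the credentials are assumptions for illustration.

```csharp
// Added example, not from the original post. Requests a SAML 2.0 bearer assertion
// from ADFS over WS-Trust 1.3 using WIF (System.IdentityModel, .NET 4.5).
// Assumed names: adfs.example.com, https://sap.example.com/SAPSYSTEMRPID, EXAMPLE\jdoe.
// The ADFS relying party trust must use the same URL as its identifier, e.g.
//   Set-AdfsRelyingPartyTrust -TargetName "SAP NetWeaver" -Identifier "https://sap.example.com/SAPSYSTEMRPID"
using System;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Security;

static class AdfsSamlClient
{
    // wsp:AppliesTo wraps a wsa:Address, which is a URI. A bare name such as
    // "SAPSYSTEMRPID" is not an absolute URI, so fail early with a message that
    // names the real problem instead of a bare UriFormatException from WIF.
    public static Uri RequireAbsoluteUri(string rpIdentifier)
    {
        Uri uri;
        if (!Uri.TryCreate(rpIdentifier, UriKind.Absolute, out uri))
            throw new ArgumentException(
                "RP identifier '" + rpIdentifier + "' is not an absolute URI; " +
                "reconfigure the ADFS relying party identifier as a URL.");
        return uri;
    }

    public static string RequestSamlAssertion(string stsUrl, string rpIdentifier,
                                              string user, string password)
    {
        Uri appliesTo = RequireAbsoluteUri(rpIdentifier);

        // .../trust/13/usernamemixed: UserName credential in the message, TLS on the wire.
        var binding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        binding.Security.Message.EstablishSecurityContext = false;

        var factory = new WSTrustChannelFactory(binding, new EndpointAddress(stsUrl))
        {
            TrustVersion = TrustVersion.WSTrust13
        };
        factory.Credentials.UserName.UserName = user;
        factory.Credentials.UserName.Password = password;

        // The AppliesTo value must equal the identifier configured on the ADFS
        // relying party trust; ADFS selects the trust (and the claim rules) by it
        // and emits it as the saml:Audience of the assertion.
        var rst = new RequestSecurityToken(RequestTypes.Issue)
        {
            AppliesTo = new EndpointReference(appliesTo.AbsoluteUri),
            KeyType = KeyTypes.Bearer,
            TokenType = "urn:oasis:names:tc:SAML:2.0:assertion"
        };

        IWSTrustChannelContract channel = factory.CreateChannel();
        RequestSecurityTokenResponse rstr;
        SecurityToken token = channel.Issue(rst, out rstr);

        // The raw <saml:Assertion> XML is what gets handed on to SAP NetWeaver.
        var xmlToken = (GenericXmlSecurityToken)token;
        return xmlToken.TokenXml.OuterXml;
    }

    static void Main()
    {
        string assertion = RequestSamlAssertion(
            "https://adfs.example.com/adfs/services/trust/13/usernamemixed",
            "https://sap.example.com/SAPSYSTEMRPID",   // URL identifier, not "SAPSYSTEMRPID"
            "EXAMPLE\\jdoe", "<password placeholder>");
        Console.WriteLine(assertion);
    }
}
```

If you keep the old bare name anywhere, RequireAbsoluteUri fails before a request is sent; if the ADFS trust still carries the bare name while the client sends the URL, ADFS will not find a matching relying party and refuses to issue, so the identifier has to be changed in both places at once.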