We're on Basis 702 SP13, and I'm trying to prove the setup of SAML2 for web services by using two SAP systems, one as the consumer (say "CCC") and one as the provider (say "PPP").
I've run SAML2 in both systems, and WSS_SETUP in just PPP, and I have used SOAMANAGER to set up a runtime definition for the "srt_test_provider" service in PPP, flagged as using Asymmetric Message Signature / Encryption (for Communication Security) and Single Sign On using SAML for the Message Authentication. The CCC system has also been defined as a Trusted Provider (STS) in the PPP system's SAML2 settings (so the consumer local provider entity now appears in tables SAML2_ENTITY and SAML2_ENTITY_E in the provider system).
The documentation available seems a bit thin, but I have progressed to the point where CCC is calling PPP, logging into PPP via the DELAY_LOGON account, and PPP is recognising the SAML assertion and returning a response. However, the response from PPP contains a SecurityTokenReference / X509Data / X509IssuerSerial block something like this:
X509IssuerName CN=PPP SNC,OU=I9999999999,OU=SAP Web AS,O=SAP Trust Community,C=DE
X509SerialNumber 1234567890123456
which appears to be the issuer on PPP's "SNC SAPCryptolib" PSE. Naturally the consumer system rejects this as it has no reason to trust that Issuer.
Any ideas why PPP is returning this value and not something more relevant - have I missed a setup step?
Supplementary Question #1: Do I need to run WSS_SETUP on the consumer system - and client 000?
Supplementary Question #2: What does the WSS_SETUP checkbox "Secure Conversation Bootstrap Endpoints / Provider Configuration" actually do - apart from creating a bunch of new SICF nodes? What are these for, and does every client need this set?
Thanks!
Jonathan
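As an added diagnostic example (not part of Jonathan's post or of SAP's own tooling): a small Python script that pulls the X509IssuerSerial reference out of a WS-Security response header shaped like the fragment quoted above and checks the issuer DN against the list of issuers the consumer trusts. The SOAP sample and the trust-list DNs are constructed placeholders; the DN normalisation assumes simple comma-separated DNs without escaped commas.

```python
import xml.etree.ElementTree as ET

# Standard WS-Security 1.0 and XML-DSig namespaces.
NS = {
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: a minimal response header carrying the IssuerSerial
# reference shape from the post (issuer and serial are placeholder values).
SAMPLE_RESPONSE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:KeyInfo>
          <wsse:SecurityTokenReference>
            <ds:X509Data>
              <ds:X509IssuerSerial>
                <ds:X509IssuerName>CN=PPP SNC,OU=I9999999999,OU=SAP Web AS,O=SAP Trust Community,C=DE</ds:X509IssuerName>
                <ds:X509SerialNumber>1234567890123456</ds:X509SerialNumber>
              </ds:X509IssuerSerial>
            </ds:X509Data>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body/>
</soap:Envelope>"""


def normalize_dn(dn):
    # Compare DNs as an ordered tuple of (TYPE, value) pairs so that spacing and
    # attribute-type case differences ("cn = x" vs "CN=x") do not break matching.
    parts = []
    for rdn in dn.split(","):
        key, _, value = rdn.partition("=")
        parts.append((key.strip().upper(), value.strip()))
    return tuple(parts)


def extract_issuer_serials(xml_text):
    # Return every (issuer DN, serial number) pair referenced from the security header.
    root = ET.fromstring(xml_text)
    path = ".//wsse:SecurityTokenReference/ds:X509Data/ds:X509IssuerSerial"
    refs = []
    for node in root.iterfind(path, NS):
        issuer = node.findtext("ds:X509IssuerName", default="", namespaces=NS)
        serial = node.findtext("ds:X509SerialNumber", default="0", namespaces=NS)
        refs.append((issuer.strip(), int(serial.strip())))
    return refs


def check_against_trust(xml_text, trusted_issuers):
    # Flag each referenced issuer as trusted or not; an untrusted issuer is exactly
    # the condition under which the consumer will reject the signed response.
    trusted = {normalize_dn(dn) for dn in trusted_issuers}
    return [{"issuer": issuer, "serial": serial, "trusted": normalize_dn(issuer) in trusted}
            for issuer, serial in extract_issuer_serials(xml_text)]
```

Running the check with the consumer's expected WS-Security issuer in the trust list, rather than the SNC PSE issuer, reproduces the rejection described above and shows which DN the provider actually signed with.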