SAML2 Adapter

Overview

SAML2 Adapter is an essential YaaS service that allows you to register a custom SAML 2.0 identity provider for your organization.

You can register multiple identity providers for a single organization. The SAML 2.0 identity provider is bound to the organization for which you register it. Using a custom identity provider, you can get tokens only for the organization you registered the custom identity provider for, as well as for all projects in that organization.

You can register only SAML 2.0 identity providers using this service. If you want to register an OpenID Connect identity provider, use the Identity service.


API Reference

/metadata

Get the YaaS SAML 2.0 Adapter metadata.

/metadata

get

Get the YaaS SAML 2.0 Adapter metadata. Register this metadata as a Service Provider in the SAML 2.0 Identity Provider to establish successful communication between the SAML 2.0 Identity Provider and the YaaS SAML2 Adapter service.

/authorize

THIS IS AN INTERNAL ENDPOINT

The OAuth2 Authorization Endpoint is used to authenticate user in SAP Cloud Platform Identity Authentication and obtain an authorization code.
For more information, see the OAuth 2.0 specification (rfc6749#section-3.1) and Getting Started tutorial.

/authorize

get

Starts the authorization procedure with the parameters specified in the URL query.

/token

THIS IS AN INTERNAL ENDPOINT

The OAuth2 Token Endpoint is used to obtain an ID token.
For more information, see the OAuth 2.0 specification (rfc6749#section-3.2) and Getting Started tutorial.

/token

post

Can be used to exchange authorization code for an ID token.

/identity-providers

Use this endpoint to register and manage SAML 2.0 Identity Providers for your organization.

/identity-providers

get

Use this endpoint to get a list of the SAML 2.0 Identity Providers registered for your organization in YaaS.
Security/Access Control: To access this method, an access token must be issued for the requested organization, and have the hybris.org_manage scope.

post

Use this endpoint to register a new SAML 2.0 Identity Provider for your organization in YaaS.
Security/Access Control: To access this method, an access token must be issued for the requested organization, and have the hybris.org_manage scope.

/identity-providers/{id}

get

Use this endpoint to fetch information about the SAML 2.0 Identity Provider with the specified ID.
Security/Access Control: To access this method, an access token must be issued for the requested organization and have the hybris.org_manage scope.

put

Use this endpoint to update the SAML 2.0 Identity Provider information.
Security/Access Control: To access this method, an access token must be issued for the requested organization, and have the hybris.org_manage scope.

delete

Use this endpoint to delete the SAML 2.0 Identity Provider with the specified ID.
Security/Access Control: To access this method, an access token must be issued for the requested organization, and have the hybris.org_manage scope.


Register a custom SAML 2.0 identity provider

The process of registering a custom SAML 2.0 identity provider in YaaS consists of two basic steps:

  • Get the YaaS OAuth2 service meta-data and register it in your SAML 2.0 identity provider.
  • Register your SAML 2.0 identity provider in the SAML2 Adapter service.

Get the registration meta-data from the OAuth2 service


To get the meta-data required to register a custom SAML 2.0 identity provider in YaaS, you must call the `/metadata` endpoint of the SAML2 Adapter service.

This is a sample request to the `/metadata` endpoint. It is a public resource, which means that you don't have to include an access token when you call this endpoint.

curl -X GET "http://api.eu.yaas.io/hybris/saml2-adapter/v1/metadata"

The response contains the X.509 certificate of the OAuth2 service, as well as the Assertion Consumer Service location URL and the single logout endpoint URL. To ensure that you use up-to-date information, call the `/metadata` endpoint every time you register a new custom SAML 2.0 identity provider for your organization.

Register your custom SAML 2.0 identity provider


To register your custom SAML 2.0 identity provider, you must call the /identity-providers endpoint of the SAML2 Adapter service. The request must include an access token issued for the organization for which you want to register the custom SAML 2.0 identity provider. The token must also include the hybris.org_manage scope.

Define the display name of the custom SAML 2.0 identity provider, specify the URL of the endpoint which the OAuth2 serivce must contact to get a SAML authentication assertion (**SingleSignOnService**), logout endpoint URL (**singleLogoutService**), as well as the X.509 certificate of your identity provider.

This is a sample SAML 2.0 identity provider registration request to the /identity-providers endpoint. Line breaks are added for better readability.

curl -X POST "http://api.eu.yaas.io/hybris/saml2-adapter/v1/identity-providers" \
-H 'Authorization: Bearer ACCESS_TOKEN_HERE \
-H 'Content-Type: application/json' \
-d '{"displayName":"My IDprovider","singleSignOnService":{"location":"https://accounts.sap.com/saml2/idp/sso/accounts.sap.com","binding":"HTTP-Post"}, \
"singleLogoutService":{"location":"https://accounts.sap.com/saml2/idp/slo/accounts.sap.com","binding":"HTTP-Redirect"}, \
"x509Certificate":"98127498137randomcertificatestring238402480"}'


Use the custom SAML 2.0 identity provider

After you successfully register your custom SAML 2.0 identity provider, you can use it with the Implicit Grant and the Authorization Code Grant authorization flows available in YaaS.

For more information about the authorization flows available in YaaS, see the Grants section of the OAuth2 service documentation.

To use your custom SAML 2.0 identity provider, use the ID you received in the successful registration response from the SAML2 Adapter service as the value of the hybris_id_provider parameter in the request to the OAuth2 service.

This example shows an Authorization Code Grant flow access token request that uses a custom SAML 2.0 identity provider:

curl -i -X GET '<a href="https://api.eu.yaas.io/hybris/oauth2/v1/authorize?response_type=code&client_id=CLIENT_ID&scope=SCOPE_NAME&state=STATE&hybris_id_provider=81_customsaml2idp0&577$45564'">https://api.eu.yaas.io/hybris/oauth2/v1/authorize?response_type=code&client_id=CLIENT_ID&scope=SCOPE_NAME&state=STATE&hybris_id_provider=81_customsaml2idp0&577$45564'</a>


  • Send feedback

    If you find any information that is unclear or incorrect, please let us know so that we can improve the Dev Portal content.

  • Get Help

    Use our private help channel. Receive updates over email and contact our specialists directly.

  • hybris Experts

    If you need more information about this topic, visit hybris Experts to post your own question and interact with our community and experts.