
SAML Web SSO not setting the MYSAPSSO2 cookie. Causing OData issues.


We have implemented SAML 2.0 Web SSO between a NetWeaver system and Microsoft ADFS.  ADFS acts as the identity provider.  Web SSO is based on a redirect with a POST binding. 

 

We thought everything was working great.  All of our SAP-hosted web pages come up without requiring anyone to enter a user name and password.  However, now that we are trying to work with SAPUI5, JavaScript, and OData-based web services, we are encountering a problem.  Our calls to the OData-based web services do not appear to be authenticated - Basic Authentication prompts are appearing. 

 

If we run the same function without Web SSO, everything works as expected.  The initial web server 'hit' generates Basic Authentication prompts.  And, once authenticated, the downstream web service call does not generate any authentication prompts.

 

Comparing the two scenarios using Fiddler, the difference appears to be the MYSAPSSO2 cookie.  Basic Authentication to the web page creates the MYSAPSSO2 cookie, which satisfies the authentication needs of the web service call.  SAML 2.0 Web SSO to the web page does not create the MYSAPSSO2 cookie, so the web service requests additional authentication.

 

Am I misunderstanding something about Web SSO?  Is there something I can do to get the Web SSO to generate the MYSAPSSO2 cookie?  Is this an authentication handler issue?
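
The Fiddler comparison described in the question can be scripted. This is an added example, not part of the original post: it diffs the cookies set in two traces and lists the requests that drew a Basic Authentication challenge. The traces, the URL paths, the IdP host and the `constructed_session` cookie name are constructed sample data, not values from the poster's system.

```python
from http.cookies import SimpleCookie

# Constructed traces: (method, path, request headers, status, response headers)
BASIC_TRACE = [
    ("GET", "/app/index.html", {}, 401, [("WWW-Authenticate", 'Basic realm="constructed"')]),
    ("GET", "/app/index.html", {"Authorization": "Basic <redacted>"}, 200,
     [("Set-Cookie", "MYSAPSSO2=constructed-ticket; path=/; secure; HttpOnly")]),
    ("GET", "/odata/Service/$metadata", {"Cookie": "MYSAPSSO2=constructed-ticket"}, 200, []),
]
SAML_TRACE = [
    ("GET", "/app/index.html", {}, 302, [("Location", "https://idp.example/adfs/ls/")]),
    ("POST", "/saml/acs", {}, 302,
     [("Set-Cookie", "constructed_session=abc; path=/; secure; HttpOnly")]),
    ("GET", "/app/index.html", {"Cookie": "constructed_session=abc"}, 200, []),
    ("GET", "/odata/Service/$metadata", {"Cookie": "constructed_session=abc"}, 401,
     [("WWW-Authenticate", 'Basic realm="constructed"')]),
]

def cookies_set(trace):
    """Names of all cookies the server set anywhere in the trace."""
    names = set()
    for _method, _path, _req, _status, resp_headers in trace:
        for header, value in resp_headers:
            if header.lower() == "set-cookie":
                jar = SimpleCookie()
                jar.load(value)
                names.update(jar.keys())
    return names

def basic_challenges(trace):
    """Requests answered with 401 + Basic challenge, and the cookies they carried."""
    hits = []
    for method, path, req, status, resp_headers in trace:
        challenged = any(h.lower() == "www-authenticate" and v.lower().startswith("basic")
                         for h, v in resp_headers)
        if status == 401 and challenged:
            sent = SimpleCookie()
            sent.load(req.get("Cookie", ""))
            hits.append((method, path, sorted(sent.keys())))
    return hits

def compare(reference, suspect):
    """Diff a working trace (reference) against the failing one (suspect)."""
    ref, sus = cookies_set(reference), cookies_set(suspect)
    return {"only_in_reference": sorted(ref - sus),
            "only_in_suspect": sorted(sus - ref),
            "suspect_challenges": basic_challenges(suspect)}
```
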

