SAP Token Generation Using Signed SAML Assertion in Kong

Hello Kong Community,

We are currently integrating Kong Gateway with an SAP system for token-based authentication.

As part of our analysis, we extracted the token request (curl command) from Other API Gateway logs, which shows that SAP expects a token request based on a signed SAML assertion.

While the request works successfully from Other API gateway, we are unable to generate the same request in Kong due to current product limitations, specifically around:

  • Creating a SAML assertion
  • Applying a digital signature to the assertion
  • Sending the signed assertion as part of a token request to SAP

We are looking for a Kong-native or supported approach to solve this.

Looking for Guidance On:

  • Has anyone successfully implemented Kong → SAP authentication using SAML assertion–based token generation?
  • Are there any Kong plugins, extensions, or recommended patterns that support:
    • SAML assertion generation
    • Assertion signing
    • Token exchange with SAP
  • If direct SAML signing is not supported in Kong, are there any supported alternatives that work within the same architectural setup?

Any insights, references, or prior experience would be greatly appreciated.

Thanks in advance for your help.

Sample SAML assertion after signature (sensitive details removed):

<saml2:Assertion Version="2.0" ID="SamlAssertion-f0d586d6fe4ac36e292ce9a50e028e89" IssueInstant="2026-05-05T11:37:19.120Z" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">KongGateway</saml2:Issuer><ds:Reference URI="#SamlAssertion-f0d586d6fe4ac36e292ce9a50e028e89">ds:TransformsgWuo72kxOj5ZV0hLriHvY=</ds:SignedInfo>wWjuWQruCjiq+temkghghghgbp4LNtqWAlyDc3uzcEgQolKZ593Hu3+zGbghghghgyTGbj2ek/0jtRlsOSpugtgCIaYZ9wHrAiQAlyPhLu5Ud1HLA==CN=api-op.dev-c.abc.in,O=abcTrust Services, Incorporated,ST=Minnesota,C=UKMIIDsDCCA1agAwIBAgIRAK6f9xTgYP7DDiAhIegXnb8wCgYIKoZIzj0EAwIwOzELMAkGA1UEBhMCVVMxHjAcBgNVBAoTFUdvb2dsZSBUcnVzdCBTZXJ2aWNlczEMMAoGMzQ0MVowIzEhMB8GA1UEAxMYYXBpLW9wLmRldi1jLmNnbGNsb3VkLmluMFkwEwYHKoZIzj0CAQYXWZHc+aAAABnWeCUjQAAAQDAEcwRQIgbOFI8EuaZPEJ/ENOWa1gQw6cn1N7liEY2nUJx6MRqI8CIQC/ahr+rvXWa+Cq6kMuoW3CzL7IsyCah8G3a2MsHpdSkTAKBggqhkjOPQQDAgNIADBFAiAGMb8RYYfJ7PQIGh+swXzBIzZXyJDUuCaZieutQw+mrwIhAKi/M1/V8VHrEi/cBiClT1mnwOo2PZE5OGesXo5TPnv/T_KONG</saml2:NameID></saml2:SubjectConfirmation><saml2:Conditions NotBefore="2026-05-05T11:35:19.120Z" NotOnOrAfter="2026-05-05T12:27:19.120Z">SAP_XYS_XSA_123</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions><saml2:Attribute Name="client_id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">T_KONG</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement><saml2:AuthnStatement AuthnInstant="2026-05-05T11:37:19.120Z"><saml2:SubjectLocality Address="10.1.2.3"/>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement></saml2:Assertion>

After the SAML assertion is created and signed, please find below the sample curl request, using the above SAML assertion, which the API Gateway needs to send to SAP.

curl --location 'https://sapsystem.com/sap/bc/sec/oauth2/token?sap-client=100' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Basic XYSTSTSTS=' \
--data-urlencode 'client_id=PS123456' \
--data-urlencode 'scope=ZREDFD_SOLUTION_SRV_0001' \
--data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer' \
--data-urlencode 'assertion=PHNhbWwyOkFzc2VydGlvbiBWZXJzaW9uPSIyLjAiIElEPSJTYW1sQXNzZXJ0aW9uLTZhNDJiZDMwNzg2YmJhZWQ3OTlkYjQ5NzZjZDY3YmU0IiBJc3N1ZUluc3RhbnQ9IjIwMjYtMDUtMDVUMTI6Mzc6MjAuOTAwWiIgeG1sbnM6c2FtbDI9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iPjxzYW1sMjpJc3N1ZXI%2BQ0FHYXRld2F5PC9zYW1sMjpJc3N1ZXI%2BPGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI%2BPGRzOlNpZ25lZEluZmdD48L3NhbWwyOkF1dGhuU3RhdGVtZW50Pjwvc2FtbDI6QXNzZXJ0aW9uPg%3D%3D'

Thanks

Venkat
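
The third step in the post (sending the signed assertion in a saml2-bearer token request) as an added Python example, not part of the original post and not Kong or SAP code: it builds the form body with the assertion base64-encoded and URL-encoded exactly once, then pre-flight-checks grant type, validity window and audience, and catches an assertion that was percent-encoded twice. It does not sign or verify signatures; the sample assertion is constructed, and `build_token_body` and `preflight` are hypothetical helper names.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
GRANT = "urn:ietf:params:oauth:grant-type:saml2-bearer"
# Constructed sample shaped like the post's assertion; the signature is a placeholder.
SAMPLE = (
    '<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" '
    'ID="SamlAssertion-constructed" IssueInstant="2026-05-05T11:37:19.120Z">'
    '<saml2:Issuer>KongGateway</saml2:Issuer>'
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    '<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>'
    '<saml2:Conditions NotBefore="2026-05-05T11:35:19.120Z" NotOnOrAfter="2026-05-05T12:27:19.120Z">'
    '<saml2:AudienceRestriction><saml2:Audience>SAP_XYS_XSA_123</saml2:Audience>'
    '</saml2:AudienceRestriction></saml2:Conditions></saml2:Assertion>'
)

def _ts(value):
    # Assumes the millisecond UTC format used in the post's timestamps.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def build_token_body(signed_xml, client_id, scope):
    """Base64 the signed XML, then form-encode every field exactly once."""
    assertion = base64.b64encode(signed_xml.encode("utf-8")).decode("ascii")
    return urlencode({"client_id": client_id, "scope": scope,
                      "grant_type": GRANT, "assertion": assertion})

def preflight(body, audience, now):
    """List problems in a token request body; does not verify the signature itself."""
    form, problems = parse_qs(body), []
    if form.get("grant_type") != [GRANT]:
        problems.append("wrong grant_type")
    try:
        raw = base64.b64decode(form["assertion"][0], validate=True)
        root = ET.fromstring(raw)  # only for self-generated XML, not untrusted input
    except (KeyError, ValueError, ET.ParseError):
        return problems + ["assertion not decodable"]
    if root.find("ds:Signature", NS) is None:
        problems.append("no ds:Signature element")
    cond = root.find("saml2:Conditions", NS)
    try:
        ok = _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))
    except (AttributeError, TypeError, ValueError):
        ok = False
    if not ok:
        problems.append("outside validity window")
    if audience not in [a.text for a in root.iter("{%s}Audience" % NS["saml2"])]:
        problems.append("audience mismatch")
    return problems
```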