You shouldn't do this: you do not have the user's password (since authentication takes place at the IdP). If you want to store passwords, they need to be in a reversible format (so that you can send them to SAP) and this isn't recommended from a security perspective. There are scheme's to do this (you can e.g. Google 'SAML on behalf of'), but most of the ways result in passing tokens, instead of usernames + passwords. - @ Rom van Arendonk