
Our journey with technical configuration of S/4HANA system continues and in today’s episode we will take a closer look at the Single Sign-On using SAML and Microsoft Azure Active Directory.

If you are interested in a different approach to Fiori and Single Sign-On, I highly encourage you to check out Frank Schuler's detailed walkthrough on how to implement SSO with X.509 certificates.

I bet you have already heard about Active Directory. It's a directory service shipped together with Windows Server that automates user management, security and network management.

Is Azure Active Directory the same? Yes and no. It is still a directory service, but the biggest difference is that currently Azure AD does not support Group Policy Objects. Therefore, you can't decide what the users' wallpaper will be and you can't manage their Internet Explorer bookmarks. Instead, you get identity management capabilities including multi-factor authentication, device registration and self-service password management. Azure Active Directory provides a solution to easily deploy Single Sign-On across your cloud and on-premise applications with the use of SAML. Of course there are many more benefits, but if you are interested in the details, you can easily find additional information on the internet.

Our goal for today is to enable Single Sign-On between Microsoft Azure Active Directory and S/4HANA Fiori Launchpad!

This time we will use the new Azure Portal. To enable Single Sign-On we require an Azure Active Directory tenant. We can use the one that is delivered by default when you create your Azure account, or we can create a new one.

There are four editions of Azure AD available within your subscription. The important fact is that the SSO functionality can be enabled even for the free edition (you can read about the limitations here).

And just before we start I’d like to explain two terms which are important when using SAML:

Identity Provider – a trusted provider that stores your user credentials and lets you use Single Sign-On to access other services. In our case it's the Azure Active Directory.

Service Provider – an external service / web page which requests and obtains an identity assertion from the identity provider. In our landscape it is SAP Netweaver.

AZURE ACTIVE DIRECTORY SET UP

Please log in to your Azure portal and go to Azure Active Directory maintenance. You can use either the default directory or switch to any other directory that is available within your account.

What we need to do is add SAP Netweaver as an Enterprise Application:

Now, go to the Single Sign-On tab and maintain three parameters:

Sign-on URL – the address which is used to log in to the Fiori Launchpad

Identifier – custom identifier of the service provider

Reply URL – the address to which we should be forwarded after a successful sign-in.

Next, click on Create new certificate in the SAML Signing Certificate section and maintain the expiry date.

You can see that a new certificate was created, and we can download the Metadata XML, which we will use to configure SAP Netweaver.

In the User Attributes section you need to decide what the user identifier should be, i.e. which data should identify a particular user. I chose the e-mail address, but you can check out the other parameters as well.

The last step is about choosing the users who should have access to our Fiori Launchpad.

ENABLE SAML IN SAP NETWEAVER

Now it's time to configure the SAML settings inside SAP Netweaver. The set-up can be done in transaction SAML2, and the first step is to Create SAML 2.0 Local Provider:

The provider name should be the same as the one we chose in the Azure portal.

In step three ensure the Selection Mode is set to Automatic. You can save your settings afterwards.

The configuration of the service provider is displayed. The only thing to change here is to turn on Legacy System Support. This means that if you ever open SAP GUI from the Fiori Launchpad, you won't be asked for credentials. You can read more about this in Koen Van Loocke's blog post.

Go to the Trusted Providers tab and add a new Identity Provider by uploading the Metadata File.

Upload the file previously downloaded from Azure AD; you can confirm all steps until step 9.

In the last step of the Identity Provider configuration please change the Authentication Response:

The Identity Federation tab in Details of Identity Provider allows us to configure which data should identify a particular user. Do you remember the similar step in the SSO configuration in Azure? At that time I chose the e-mail address, and it's the same value I need to put here – but please remember to maintain this value in the user master data!

Now go to the Authentication Requirements tab and verify the Authentication Response fields. They should be set up as follows:

TESTING

To test the configuration, I opened a new browser window in Private Mode, which ensures that no cached logins are used. After typing the Fiori address I was immediately redirected to the Microsoft login page.

After my credentials were verified by Azure Active Directory I was redirected again, this time to my Fiori Launchpad. I was not asked for any additional logins or passwords!

TROUBLESHOOTING

I would also like to show you the simple troubleshooting of SAML SSO. Therefore, we need to break something first 🙂

Go to Identity Federation and change the Supported NameID format to Persistent. Restart the browser and try to log in to the Fiori Launchpad again. This time, instead of the Microsoft login page, the Fiori Welcome screen is displayed, waiting for our input.

What went wrong? To answer that question we open the Security Diagnostic tool and start a trace:

http://<hostname>/sap/bc/webdynpro/sap/sec_diag_tool

When the trace is on, try to log in again. Afterwards you can display the trace and easily solve the issue:
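To make such a trace easier to interpret, here is an added example that is not part of the original post or of SAP's or Microsoft's code: it replays in Python two of the checks the SAP SAML2 service provider performs on an incoming assertion, the Supported NameID format check that fails in the Persistent-vs-e-mail mismatch above (and for the 'WindowsDomainQualifiedName' format quoted in the comments below) and the Conditions validity window with the 120-second clock tolerance mentioned in the comments. The assertion, hostname and timestamps are constructed, and signature verification is left out.

```python
# Added example, not code from the original post or from SAP/Microsoft: it replays
# two checks the SAP SAML2 service provider performs on an incoming assertion, so
# that the trace lines "Format 'X' is not supported for user assignment" and
# "Attribute 'NotBefore' of element 'Conditions' is invalid" are easier to interpret.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
SKEW = timedelta(seconds=120)  # clock tolerance quoted in the comments below

# Constructed assertion (hostname and times are made up). Azure AD sends the
# emailAddress format when the user identifier is the e-mail address.
# The XML signature is omitted; a real SP verifies it before any of this.
ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_c1" Version="2.0">
  <saml:Subject><saml:NameID Format="{EMAIL}">alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2017-01-10T11:39:00Z" NotOnOrAfter="2017-01-10T12:39:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://fiori.example.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def parse_ts(value):
    """xs:dateTime in UTC; fractional seconds, as Azure AD emits them, are dropped."""
    clean = value.split(".")[0].rstrip("Z")
    return datetime.strptime(clean, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def check_assertion(xml, supported_formats, sp_identifier, now):
    """Return (ok, message), with messages worded like the SAML2 trace."""
    ns = {"saml": SAML}
    root = ET.fromstring(xml)
    name_id = root.find("saml:Subject/saml:NameID", ns)
    fmt = name_id.get("Format", "")
    short = fmt.rsplit(":", 1)[-1]  # e.g. emailAddress, persistent
    if fmt not in supported_formats:   # Identity Federation: Supported NameID format
        return False, f"Format '{short}' is not supported for user assignment"
    cond = root.find("saml:Conditions", ns)
    if now + SKEW < parse_ts(cond.get("NotBefore")):
        return False, "Attribute 'NotBefore' of element 'Conditions' is invalid"
    if now - SKEW >= parse_ts(cond.get("NotOnOrAfter")):
        return False, "Attribute 'NotOnOrAfter' of element 'Conditions' is invalid"
    audiences = [a.text for a in root.iter(f"{{{SAML}}}Audience")]
    if sp_identifier not in audiences:  # must equal the local provider name / Identifier
        return False, "Audience does not match the local provider name"
    return True, f"user assigned by {short}: {name_id.text}"

if __name__ == "__main__":  # the post's broken setup: SP accepts only Persistent
    print(check_assertion(ASSERTION, {PERSISTENT}, "https://fiori.example.com", parse_ts("2017-01-10T11:40:00Z")))
```

Switching the supported set back to `{EMAIL}` makes the same assertion pass, which is exactly what the Identity Federation change in the post does.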

This is the seventh part of my blog series about S/4HANA installation and maintenance. You can access the previous parts by using the following links:

Part 1 – Maintenance Planner, System Installation and Update
Part 2 – SAP NW Gateway and Fiori Launchpad
Part 3 – Best Practices Content Activation
Part 4 – Fact Sheet apps, Fiori Search and Web Dispatcher
Part 5 – Upgrade to 1610
Part 6 – Fully Activated Appliance on Microsoft Azure
Part 7 – Fiori Launchpad SAML Single Sign-On with Azure AD


26 Comments


  1. Former Member

    Could you tell me what value to set in sign-on URL and reply URL (Azure setting)?

    Do we need URL parameter? For example, sap-client, sap-language …


    Best Regards,

    Masahide Yano


    (0) 
  2. Former Member

    Hi Bartosz,

    We have similar requirement but we need to only access Odata services from our On-premise SAP NW Gateway system.

    Can we still have SSO and SAML authentication using Azure AD.


    We will have a Web Dispatcher in DMZ and Gateway in firewall and request would come in from Internet.

    Please advise,


    Thank You,

    Akash

    (0) 
      1. Bartosz Jarkowski Post author

        Hello Akash,

        sorry for late reply.

        I'm not sure what exactly you want to achieve. In case you want to connect your front-end system and back-end system, then you should use trusted RFC instead of SAML.

        SAML can be configured then to access the front-end system.

        Best regards

        Bartosz

        (0) 
  3. Former Member

    Just wanted to ask you this question.

    Do we need SAP SSO to do Single Sign-On to the Fiori Application Server, or can we do this with Azure AD SSO?

    Please help me understand this.


    (0) 
    1. Bartosz Jarkowski Post author

      This blog post describes the steps required to enable SAP to use Single Sign-On with Azure AD through SAML. Not sure what you mean by SAP SSO or Azure AD SSO.


      (0) 
  4. Phil Cooley

    Hi Bartosz, nice blog post. I’ve set up SSO with Azure AD for SAP Fiori applications delivered through the SAP Cloud Platform and one problem we have been having is with logout. We’ve logged tickets with SAP and they are stating that there is a problem with Azure AD in that it is not sending a specific logout request.

    Have you any experience with this? Also wondered in your scenario above what happens when you log out – i.e. does it log out properly and if so how is this working as we have not been able to logout effectively for months.


    (0) 
  5. Former Member


    Hello Bartosz,

    Thanks for this post. I am trying to do the same setup and I got success to some extent: SSO works fine when we use "Supported nameID = Email", but it doesn't work when I use "unspecified". Below is the SAML trace I captured last. Looks like there is a mismatch in what is being passed as Subject Name ID from the Azure side vs. what we have in SAP. I don't know how I can change the Name ID format to "unspecified" in Azure.

    <no user>
    SAML20 SP (client 110 ):  Exception raised:
    SAML20  SAML20 CX_SAML20_FEDERATION: Format 'WindowsDomainQualifiedName' is not supported for user assignment. Long text: Format 'WindowsDomainQualifiedName' is not supported for user assignment. 
    SAML20     at CL_SAML20_ENTITY->IS_NAMEID_FORMAT_SUPPORTED(Line 61)
    SAML20     at CL_SAML20_FEDERATION->CREATE_INSTANCE(Line 56)
    SAML20     at CL_SAML20_RESPONSE->VALIDATE_ASSERTION(Line 82)
    SAML20     at CL_SAML20_RESPONSE->VALIDATE(Line 64)
    SAML20     at CL_SAML20_SSO->VALIDATE_RESPONSE(Line 91)
    SAML20     at CL_HTTP_SAML20->PROCESS_LOGON(Line 340)
    SAML20     at CL_ICF_SAML_LOGIN->PROCESS_LOGON(Line 62)
    SAML20     at CL_HTTP_SERVER_NET->AUTHENTICATION(Line 2275)
    <no user>
    SAML20 SP (client 110 ):  Exception raised:
    SAML20  SAML20 CX_SAML20_FEDERATION: Format 'WindowsDomainQualifiedName' is not supported for user assignment. Long text: Format 'WindowsDomainQualifiedName' is not supported for user assignment. 
    SAML20     at CL_SAML20_ENTITY->IS_NAMEID_FORMAT_SUPPORTED(Line 61)
    SAML20     at CL_SAML20_FEDERATION->CREATE_INSTANCE(Line 56)
    SAML20     at CL_SAML20_RESPONSE->VALIDATE_ASSERTION(Line 82)
    SAML20     at CL_SAML20_RESPONSE->VALIDATE(Line 64)
    SAML20     at CL_SAML20_SSO->VALIDATE_RESPONSE(Line 91)
    SAML20     at CL_HTTP_SAML20->PROCESS_LOGON(Line 340)
    SAML20     at CL_ICF_SAML_LOGIN->PROCESS_LOGON(Line 62)
    SAML20     at CL_HTTP_SERVER_NET->AUTHENTICATION(Line 2275)

    Thanks,

    Rajesh

    (0) 
  6. Former Member


    Can you suggest how to get around the exception I am seeing in the trace?


    <no user>
    SAML20 SP (client 110 ):  Exception raised:
    SAML20  SAML20 CX_SAML20_FEDERATION: Format 'WindowsDomainQualifiedName' is not supported for user assignment. Long text: Format 'WindowsDomainQualifiedName' is not supported for user assignment. 
    SAML20     at CL_SAML20_ENTITY->IS_NAMEID_FORMAT_SUPPORTED(Line 61)
    SAML20     at CL_SAML20_FEDERATION->CREATE_INSTANCE(Line 56)
    SAML20     at CL_SAML20_RESPONSE->VALIDATE_ASSERTION(Line 82)
    SAML20     at CL_SAML20_RESPONSE->VALIDATE(Line 64)
    SAML20     at CL_SAML20_SSO->VALIDATE_RESPONSE(Line 91)
    SAML20     at CL_HTTP_SAML20->PROCESS_LOGON(Line 340)
    SAML20     at CL_ICF_SAML_LOGIN->PROCESS_LOGON(Line 62)
    SAML20     at CL_HTTP_SERVER_NET->AUTHENTICATION(Line 2275)
    (0) 
    1. Bartosz Jarkowski Post author

      Hello,

      I don't understand what you are trying to achieve, so it's difficult for me to offer a solution.

      You haven't answered my question – why do you change the format to unspecified? I believe that's the root cause.

      (0) 
  7. Pankaj Dadhich


    Hi Bartosz,

    I have a few questions, as I am working on doing the same and not getting the expected result.

    1. As you mentioned, "At that time I chose e-mail address and it's the same what I need to put here – but please remember to maintain this value in user master data". Can you please tell me how you maintained the value in the user master data?
    2. Are there any parameters or settings to be modified at SAP level?
    3. We have the S/4 Application and the Gateway with Fiori SAP_UI and a Web Dispatcher, all on different servers. Does that make any difference?
    4. Where do we have to maintain the SAML settings: on which NWA server, S/4 Application / Gateway / Web Dispatcher?

    Our Fiori Launchpad Path : https://<Web Dispatcher hostname>:44300/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html

    Let me know if I am not clear with my questions.


    Thanks,

    Pankaj

    (0) 
    1. Bartosz Jarkowski Post author

      Hello Pankaj!

      1. In transaction SU01, in the Address tab. Field: E-mail address.
      2. I'm not sure I understand this question correctly. All required steps are presented in this blog. There are also wiki pages about SAML: https://wiki.scn.sap.com/wiki/display/Security/Single+Sign-On+with+SAML+2.0
      3. No, that's not a problem at all. You configure each system separately, providing hostnames.
      4. There is a lot of information available on the internet, for example: 2326063 – SAML2: How to configure when using proxy/web dispatcher. You basically need to configure the Web Dispatcher URL.


      (0) 
    1. Bartosz Jarkowski Post author

      Hello,

      thanks for sharing! I’m very glad you were able to configure the SAML successfully!

      Don’t forget to leave a like on this post! 🙂

      Cheers,

      Bartosz


      (0) 
      1. Former Member

        Actually we have been using an S4 Hana cloud Fiori Launchpad system. Can you please provide the steps for that between Azure AD and SAP S4 HANA?


        (0) 
  9. Former Member

    In Azure, do you have to define multiple SAP Netweaver applications as Enterprise Applications to match your Fiori Dev/QA/Prod systems? (Since the sign-in URL, identifier and reply URL will be different for each backend system.)

    (0) 
  10. Mandeep Dhillon


    Hi Bartosz:

    Thanks for this fantastic blog. However, I have a question.

    In your blog you mentioned the request and response URL are configured to be the same. How do you handle the scenario when the reply URL is different (e.g. when you access the Launchpad Designer)? In such a case the request URL is the same but the reply URL is different. SSO fails in such a case (SAML is always looking for the configured response URL on Azure AD).

    Thanks.

    (0) 
  11. Ashwin Katkar

    Hi Bartosz,


    I have completed the setup for SSO and my Fiori Launchpad is getting redirected through Azure AD, but after authentication it again asks for the Fiori Launchpad login. The error which I am getting is "Caused by: CX_SAML20_ASSERTION: Attribute 'NotBefore' of element 'Conditions' is invalid. Long text: Attribute 'NotBefore' of element 'Conditions' is invalid."

    I did some googling and found that it is because of a time zone mismatch, but after setting the AD and SAP time zones the same I am still getting the same error.

    I have enabled the trace and here is the snapshot.


    Any help is appreciated!!


    Thanks..


    (0) 
    1. Bartosz Jarkowski Post author

      Hello Ashwin,

      if the solution from the SAP Note doesn't work, then I'd suggest contacting SAP support.

      I don’t think I can offer you a different solution.

      Besides the time zone, check that the actual time is the same – there is a 120-second tolerance, so if your AD time is 11:39 and your SAP time is 11:45 then you will get the error.


      (0) 
  12. navya shetty

    Hi Bartosz,

    Thank you for the amazing blog. We have a similar requirement. We want to configure SSO to access Fiori apps from the internet and we would be using Azure AD for authentication. Can the steps specified in the blog be used as is to achieve this requirement, or do we need to do anything in addition to these steps to access Fiori apps through the internet via SSO?

    (0) 