Bartosz Jarkowski

Your S/4HANA environment – Part 7 – Fiori Launchpad SAML Single Sign-On with Azure AD

Our journey through the technical configuration of an S/4HANA system continues, and in today's episode we take a closer look at Single Sign-On using SAML and Microsoft Azure Active Directory.

If you are interested in a different approach to Fiori and Single Sign-On, I highly encourage you to check out Frank Schuler's detailed walkthrough on how to implement SSO with X.509 certificates.

I bet you have already heard about Active Directory. It is a directory service shipped together with Windows Server that automates user management, security and network management.

Is Azure Active Directory the same? Yes and no. It is still a directory service, but the biggest difference is that Azure AD currently does not support Group Policy Objects. Therefore, you can't decide what your users' wallpaper will be, and you can't manage their Internet Explorer bookmarks. Instead, you get identity management capabilities including multi-factor authentication, device registration and self-service password management. Azure Active Directory makes it easy to deploy Single Sign-On across your cloud and on-premises applications with the use of SAML. Of course there are many more benefits, but if you are interested in the details, you can easily find additional information on the internet.

Our goal for today is to enable Single Sign-On between Microsoft Azure Active Directory and the S/4HANA Fiori Launchpad!

This time we will use the new Azure Portal. To enable Single Sign-On we require an Azure Active Directory tenant. We can use the one that is delivered by default when you create your Azure account, or we can create a new one.

There are four editions of Azure AD available within your subscription. The important fact is that the SSO functionality can be enabled even for the free edition (you can read about the limitations here).

And just before we start I'd like to explain two terms which are important when using SAML:

Identity Provider – a trusted provider that stores your user credentials and lets you use Single Sign-On to access other services. In our case it is Azure Active Directory.

Service Provider – an external service or web page which requests and obtains an identity assertion from the identity provider. In our landscape it is SAP NetWeaver.

AZURE ACTIVE DIRECTORY SET UP

Please log in to your Azure portal and go to Azure Active Directory maintenance. You can use either the default directory or switch to any other directory available within your account.

What we need to do is add SAP NetWeaver as an Enterprise Application:

Now, go to the Single Sign-On tab and maintain three parameters:

Sign-on URL – the address used to log in to the Fiori Launchpad

Identifier – a custom identifier for the service provider

Reply URL – the address to which we are forwarded after a successful sign-in.

Next, click on Create new certificate in the SAML Signing Certificate section and maintain the expiry date.

You can see that the new certificate was created, and we can download the Metadata XML, which we will use to configure SAP NetWeaver.

In the User Attributes section you need to decide what the user identifier should be, i.e. which data identifies a particular user. I chose the e-mail address, but you can check out the other attributes as well.

The last step is choosing the users who should have access to our Fiori Launchpad.

ENABLE SAML IN SAP NETWEAVER

Now it's time to configure the SAML settings inside SAP NetWeaver. The setup is done in transaction SAML2, and the first step is to Create SAML 2.0 Local Provider:

The provider name should be the same as the one we chose in the Azure portal.

In step three, ensure the Selection Mode is set to Automatic. You can save your settings afterwards.

The configuration of the service provider is displayed. The only thing to change here is to turn on Legacy System Support. This means that if you ever open SAP GUI from the Fiori Launchpad you won't be asked for credentials. You can read more about this in Koen Van Loocke's blog post.

Go to the Trusted Providers tab and add a new Identity Provider by uploading the Metadata File.

Upload the file previously downloaded from Azure AD; you can confirm all steps until step 9.

In the last step of the Identity Provider configuration, change the Authentication Response:

The Identity Federation tab in Details of Identity Provider allows us to configure which data identifies a particular user. Do you remember the similar step in the SSO configuration in Azure? There I chose the e-mail address, and that is exactly what I need to put here too. Please remember to maintain this value in the user master data!

Now go to the Authentication Requirements tab and verify the Authentication Response fields. They should be set up as follows:

TESTING

To test the configuration, I opened a new browser window in Private Mode, which ensures that no cached logins are used. After typing the Fiori address I was immediately redirected to the Microsoft login page.

After my credentials were verified by Azure Active Directory I was redirected again, this time to my Fiori Launchpad. I was not asked for any additional logins or passwords!

TROUBLESHOOTING

I would also like to show you simple troubleshooting of SAML SSO. Therefore, we need to break something first 🙂

Go to Identity Federation and change the Supported NameID format to Persistent. Restart the browser and try again to log in to the Fiori Launchpad. This time, instead of the Microsoft login page, the Fiori Welcome screen is displayed, waiting for our input.

What went wrong? To answer that question we open the Security Diagnostic Tool and start a trace:

http://<hostname>/sap/bc/webdynpro/sap/sec_diag_tool

When the trace is on, try to log in again. Afterwards you can display the trace and easily identify the issue:
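The checks behind the trace messages quoted on this page, as an added example that is not part of the original post and not SAP's code: a small Python model of what the SAML 2.0 service provider validates when a Response arrives, run over a constructed Azure AD style Response. It reproduces the three failure modes the traces on this page report: a NameID format the SP is not configured to accept (the Persistent switch in the troubleshooting section), Conditions NotBefore/NotOnOrAfter outside the 120-second tolerance the author quotes in the comments, and a Destination that differs from the ACS endpoint. The hostnames, client 100, user IDs and e-mail addresses are constructed; XML signature verification is omitted.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
PERSISTENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
UNSPECIFIED_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Tolerance for IdP/SP clock differences; 120 s is the figure quoted in the comments.
CLOCK_SKEW = timedelta(seconds=120)

# Constructed ACS endpoint of the SP (client 100). The Reply URL registered
# in Azure AD must point here, otherwise the Destination check below fails.
ACS_URL = "https://fiori.example.com:44300/sap/saml2/sp/acs/100"

# Constructed user master data: e-mail from the SU01 Address tab -> SAP user ID.
USER_MASTER = {"jane.doe@example.com": "JDOE", "john.smith@example.com": "JSMITH"}

# Constructed Azure AD style Response; the XML signature is omitted.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2023-10-23T14:11:01.071Z"
    Destination="https://fiori.example.com:44300/sap/saml2/sp/acs/100">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2023-10-23T14:11:01.071Z">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2023-10-23T14:06:01.071Z"
                     NotOnOrAfter="2023-10-23T15:11:01.071Z"/>
  </saml:Assertion>
</samlp:Response>"""


def _parse_time(value):
    """Parse the UTC 'Z' timestamps Azure AD writes into Conditions."""
    return datetime.fromisoformat(value.rstrip("Z")).replace(tzinfo=timezone.utc)


def sample_time(hour, minute):
    """UTC instant on the sample's date, used to play through the scenarios."""
    return datetime(2023, 10, 23, hour, minute, tzinfo=timezone.utc)


def parse_response(xml_text):
    """Pull out the fields the SP checks: Destination, validity window, NameID."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    conditions = assertion.find("saml:Conditions", NS)
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    return {
        "destination": root.get("Destination"),
        "not_before": _parse_time(conditions.get("NotBefore")),
        "not_on_or_after": _parse_time(conditions.get("NotOnOrAfter")),
        "name_id": name_id.text.strip(),
        "name_id_format": name_id.get("Format", UNSPECIFIED_FORMAT),
    }


def check_response(fields, now, acs_url=ACS_URL, supported_format=EMAIL_FORMAT):
    """Return (sap_user, errors). supported_format models the 'Supported NameID
    format' chosen on the Identity Federation tab; only e-mail mapping is modelled."""
    errors = []
    if fields["destination"] != acs_url:
        errors.append(f"Destination from Response {fields['destination']} must match "
                      f"the actual URL where message was sent - ACS endpoint {acs_url}")
    if now < fields["not_before"] - CLOCK_SKEW:
        errors.append("Attribute 'NotBefore' of element 'Conditions' is invalid")
    if now >= fields["not_on_or_after"] + CLOCK_SKEW:
        errors.append("Attribute 'NotOnOrAfter' of element 'Conditions' is invalid")
    fmt = fields["name_id_format"]
    if fmt != supported_format:
        errors.append(f"Format '{fmt.rsplit(':', 1)[-1]}' is not supported for user assignment")
    if errors:
        return None, errors
    user = USER_MASTER.get(fields["name_id"].lower()) if fmt == EMAIL_FORMAT else None
    if user is None:
        errors.append(f"No SAP user found for NameID '{fields['name_id']}'; "
                      "maintain the e-mail address in user master data (SU01)")
    return user, errors


def main():
    fields = parse_response(SAMPLE_RESPONSE)
    scenarios = [
        ("happy path", dict(now=sample_time(14, 30))),
        ("SP clock 3 min behind IdP", dict(now=sample_time(14, 3))),
        ("SP expects Persistent", dict(now=sample_time(14, 30), supported_format=PERSISTENT_FORMAT)),
        ("Reply URL on other host", dict(now=sample_time(14, 30),
                                         acs_url="https://proxy.example.com/sap/saml2/sp/acs/100")),
    ]
    for label, kwargs in scenarios:
        user, errors = check_response(fields, **kwargs)
        print(f"{label}: user={user} errors={errors}")


if __name__ == "__main__":
    main()
```

The e-mail lookup stands in for the Identity Federation mapping: with Persistent configured on the SP the same Response is rejected, which is what the troubleshooting section above reproduces, and a Reply URL that points at a different host than the ACS endpoint yields the Destination mismatch that commenters with Web Dispatcher and Application Proxy set-ups report below.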

This is the seventh part of my blog series about S/4HANA installation and maintenance. You can access the previous parts using the following links:

Part 1 – Maintenance Planner, System Installation and Update
Part 2 – SAP NW Gateway and Fiori Launchpad
Part 3 – Best Practices Content Activation
Part 4 – Fact Sheet apps, Fiori Search and Web Dispatcher
Part 5 – Upgrade to 1610
Part 6 – Fully Activated Appliance on Microsoft Azure
Part 7 – Fiori Launchpad SAML Single Sign-On with Azure AD

      53 Comments
      Jonny Gil

      Hi Bartosz,

Very nice blog. I have a question: what happens if an SAP Web Dispatcher is in front of the Fiori server?

      Thanks in advance,

      Jonny

      Former Member

Could you tell me what values to set in the sign-on URL and reply URL (Azure setting)?

Do we need URL parameters? For example, sap-client, sap-language ...

       

      Best Regards,

      Masahide Yano

       

      Bartosz Jarkowski
      Blog Post Author

      Hello Masahide,

it depends on the URL that your users use to log in.

      In my scenario I used: https://host:port/sap/bc/ui2/flp

      Best regards

      Bartosz

      Former Member

      Hi Bartosz,

We have a similar requirement, but we need to access only OData services from our on-premise SAP NW Gateway system.

Can we still have SSO and SAML authentication using Azure AD?

       

We will have a Web Dispatcher in the DMZ and the Gateway inside the firewall, and requests would come in from the Internet.

      Please advise,

       

      Thank You,

      Akash

      Former Member

      Hi Bartosz,

Any recommendation? Sorry, I don't find any other resource online.

       

      Regards,

       

      Akash

      Bartosz Jarkowski
      Blog Post Author

Hello Akash,

sorry for the late reply.

I'm not sure what exactly you want to achieve. In case you want to connect your front-end system and back-end system, then you should use trusted RFC instead of SAML.

SAML can then be configured to access the front-end system.

      Best regards

      Bartosz

      Sree Arumugam

      Just wanted to ask you this question.

Do we need SAP SSO to do single sign-on to the Fiori Application Server, or can we do this with Azure AD SSO?

      Please help me understand this.

       

      Bartosz Jarkowski
      Blog Post Author

This blog post describes the steps required to enable SAP to use Single Sign-On with Azure AD through SAML. Not sure what you mean by SAP SSO or Azure AD SSO.

       

      Phil Cooley

      Hi Bartosz, nice blog post. I've set up SSO with Azure AD for SAP Fiori applications delivered through the SAP Cloud Platform and one problem we have been having is with logout. We've logged tickets with SAP and they are stating that there is a problem with Azure AD in that it is not sending a specific logout request.

      Have you any experience with this? Also wondered in your scenario above what happens when you log out - i.e. does it log out properly and if so how is this working as we have not been able to logout effectively for months.

       

      Tim Stein

      Hi Phil Cooley ,

did you get an update on the logout issue? We are using FLP on SCP Portal Service with Azure AD via SAP IAS and the logout is making trouble. The user is logged out, but the SAPUI5 loading screen is shown forever.

       

      Regards

      Tim

      Phil Cooley

      Hi Tim Stein 

Unfortunately I have not found out how to resolve this problem, and there are no resources around that I can find to do this.

      Bartosz, - any response for us please?

       

      Thanks & Kind Regards

      Phil Cooley

      Bartosz Jarkowski
      Blog Post Author

      Hello Phil Cooley

sorry for the missing response from me; probably I overlooked it.

I think I configured the SSO between Azure and SCP once, a long time ago, but unfortunately I can't remember if there was any issue with logout. I can only confirm I don't have any logout problems for the NetWeaver system.

      I would suggest raising an Azure ticket as well.

      Phil Cooley

      Ok Bartosz, - thanks

       

      Kumar Rajesh

       

      Hello Bartosz,

Thanks for this post. I am trying to do the same setup and I have had success to some extent: SSO works fine when we use "Supported nameID = Email", but it doesn't work when I use "unspecified". Below is the SAML trace I captured last. It looks like there is a mismatch between what is being passed as Subject Name ID from the Azure side and what we have in SAP. I don't know how I can change the Name ID format to "unspecified" in Azure.

      <no user>
      SAML20 SP (client 110 ):  Exception raised:
      SAML20  SAML20 CX_SAML20_FEDERATION: Format 'WindowsDomainQualifiedName' is not supported for user assignment. Long text: Format 'WindowsDomainQualifiedName' is not supported for user assignment. 
      SAML20     at CL_SAML20_ENTITY->IS_NAMEID_FORMAT_SUPPORTED(Line 61)
      SAML20     at CL_SAML20_FEDERATION->CREATE_INSTANCE(Line 56)
      SAML20     at CL_SAML20_RESPONSE->VALIDATE_ASSERTION(Line 82)
      SAML20     at CL_SAML20_RESPONSE->VALIDATE(Line 64)
      SAML20     at CL_SAML20_SSO->VALIDATE_RESPONSE(Line 91)
      SAML20     at CL_HTTP_SAML20->PROCESS_LOGON(Line 340)
      SAML20     at CL_ICF_SAML_LOGIN->PROCESS_LOGON(Line 62)
      SAML20     at CL_HTTP_SERVER_NET->AUTHENTICATION(Line 2275)

      Thanks,

      Rajesh

      Bartosz Jarkowski
      Blog Post Author

      Why do you want to change it to unspecified?

       

      Kumar Rajesh

       

Can you suggest how to get around the exception I am seeing in the trace?

       

      <no user>
      SAML20 SP (client 110 ):  Exception raised:
      SAML20  SAML20 CX_SAML20_FEDERATION: Format 'WindowsDomainQualifiedName' is not supported for user assignment. Long text: Format 'WindowsDomainQualifiedName' is not supported for user assignment. 
      SAML20     at CL_SAML20_ENTITY->IS_NAMEID_FORMAT_SUPPORTED(Line 61)
      SAML20     at CL_SAML20_FEDERATION->CREATE_INSTANCE(Line 56)
      SAML20     at CL_SAML20_RESPONSE->VALIDATE_ASSERTION(Line 82)
      SAML20     at CL_SAML20_RESPONSE->VALIDATE(Line 64)
      SAML20     at CL_SAML20_SSO->VALIDATE_RESPONSE(Line 91)
      SAML20     at CL_HTTP_SAML20->PROCESS_LOGON(Line 340)
      SAML20     at CL_ICF_SAML_LOGIN->PROCESS_LOGON(Line 62)
      SAML20     at CL_HTTP_SERVER_NET->AUTHENTICATION(Line 2275)
      Bartosz Jarkowski
      Blog Post Author

      Hello,

I don't understand what you are trying to achieve, so it's difficult for me to offer a solution.

You haven't answered my question: why do you change the format to unspecified? I believe that's the root cause.

      Pankaj Dadhich

       

      Hi Bartosz,

I have a few questions, as I am working on doing the same and not getting the expected result.

1. As you mentioned, "At that time I chose e-mail address and it's the same what I need to put here – but please remember to maintain this value in user master data". Can you please tell me how you maintained the value in user master data?
2. Are there any parameters or settings to be modified at SAP level?
3. We have the S/4 application, the Gateway with Fiori SAP_UI and a Web Dispatcher, all on different servers. Does that make any difference?
4. Where do we have to maintain the SAML settings, i.e. on which server: S/4 application, Gateway or Web Dispatcher?

      Our Fiori Launchpad Path : https://<Web Dispatcher hostname>:44300/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html

      Let me know if I am not clear with my question

       

      Thanks,

      Pankaj

      Bartosz Jarkowski
      Blog Post Author

      Hello Pankaj!

1. In transaction SU01, in the Address tab. Field: E-mail address.
2. I'm not sure I understand this question correctly. All required steps are presented in this blog. There are also wiki pages about SAML: https://wiki.scn.sap.com/wiki/display/Security/Single+Sign-On+with+SAML+2.0
3. No, that's not a problem at all. You configure each system separately, providing hostnames.
4. There is a lot of information available on the internet, for example: 2326063 - SAML2: How to configure when using proxy/web dispatcher. You basically need to configure the Web Dispatcher URL.

       

      Pankaj Dadhich

Hi Bartosz,

       

Thank you! There were services which were not active, and a few parameters needed to be set and activated. It works fine now.

       

      Regards,

      Pankaj

      Bartosz Jarkowski
      Blog Post Author

      Hello,

      thanks for sharing! I’m very glad you were able to configure the SAML successfully!

      Don’t forget to leave a like on this post! 🙂

      Cheers,

      Bartosz

       

      Former Member

Actually we have been using an S/4HANA Cloud Fiori Launchpad system. Can you please provide the steps for that between Azure AD and SAP S/4HANA?

       


      Bartosz Jarkowski
      Blog Post Author

      Hello,

that's a good idea for a blog; however, I can't give an exact date when I would write it.

      But you can check this blog:

      https://blogs.sap.com/2017/04/13/configure-saml-sso-for-sap-cloud-platform-using-an-external-identity-provider/

       

      Former Member

In Azure, do you have to define multiple SAP NetWeaver applications as Enterprise Applications to match your Fiori Dev/QA/Prod systems? (Since the sign-in URL, identifier and reply URL will be different for each backend system.)

      Bartosz Jarkowski
      Blog Post Author

      Hello,

yes, that's correct. For each system in your landscape you have to create a new Enterprise Application.

       

       

      Mandeep Dhillon

       

      Hi Bartosz:

Thanks for this fantastic blog. However, I have a question.

In your blog you mentioned that the request and response URLs are configured to be the same. How do you handle the scenario when the reply URL is different (e.g. when you access the launchpad designer)? In such a case the request URL is the same but the reply URL is different. SSO fails in such a case (SAML is always looking for the configured response URL on Azure AD).

      Thanks.

       

      Updated: We were able to configure multiple response URLs to make SAML based SSO work.

      Abhijeet Dadarkar

      Hi Mandeep,

I have such a scenario; however, I need to include URL parameters with different values every time.
Can you guide me on how such a response URL should be set up?

E.g. I want to redirect to the VA02 tile in the Fiori Launchpad with the sales order as a URL parameter from another SaaS application. The SaaS application has a link to the Fiori Launchpad with the target mapping to VA02, along with the sales order number as the URL parameter (the sales order number will be different every time).

How could the response URL be set up in such a scenario?

Right now, every time we wish to navigate to VA02 from the SaaS application, it is redirected to the Fiori Launchpad home page and not to VA02 directly (because the response URL is for the home page, it seems).

      Regards,
      Abhijeet

      Ashwin Katkar

      Hi Bartosz,

       

I have completed the setup for SSO and my Fiori Launchpad is getting redirected through Azure AD, but after authentication it again asks for the Fiori Launchpad login. The error I am getting is "Caused by: CX_SAML20_ASSERTION: Attribute 'NotBefore' of element 'Conditions' is invalid. Long text: Attribute 'NotBefore' of element 'Conditions' is invalid."

I did some googling and found that it is because of a time zone mismatch, but after setting the AD and SAP time zones to the same value I am still getting the same error.

I have enabled the trace and here is the snapshot.

       

      Any help is appreciated!!

       

      Thanks..

       

      Bartosz Jarkowski
      Blog Post Author

      Hello Ashwin,

if the solution from the SAP Note doesn't work, then I'd suggest contacting SAP support.

I don't think I can offer you a different solution.

Besides the time zone, check that the actual time is the same. There is a 120-second tolerance, so if your AD time is 11:39 and your SAP time is 11:45 then you will get the error.

       

      Ossama Azouagh

      Hello,

I have the same issue. Did you find a solution?

My SAP is in CET time, Azure in UTC.

      Error :

       

      SAML20  Caused by: CX_SAML20_ASSERTION: Attribute 'NotBefore' of element 'Conditions' is invalid. Long text: Attribute 'NotBefore' of element 'Conditions' is invalid.
       
      SAML20   <Conditions NotBefore="2023-10-23T14:06:01.071Z"
      SAML20               NotOnOrAfter="2023-10-23T15:11:01.071Z">

      Thank you in advance

      Regards,

      n s

Hi Bartosz,

Thank you for the amazing blog. We have a similar requirement. We want to configure SSO to access Fiori apps from the internet, and we would be using Azure AD for authentication. Can the steps specified in the blog be used as is to achieve this requirement, or do we need to do anything in addition to these steps to access Fiori apps through the internet via SSO?

      Bartosz Jarkowski
      Blog Post Author

In general the above steps should be sufficient; however, if you have a Gateway configured as a Central Hub you may need to configure SAML on the backend as well.

There is also additional configuration required when using Web Dispatcher, so please check the SAP Notes.

       

      n s

Hi Bartosz,

We do have the Gateway configured as a Central Hub. As of now, we are using an F5 load balancer instead of SAP Web Dispatcher. Can you please let me know which notes I should check, or some keywords that I should use to search the notes?

      I have raised a separate thread for this question-> https://answers.sap.com/questions/544654/sso-for-sap-fiori-apps-accessed-via-internet-using.html

      Regards,

      Navya.

      Daniel Munoz

Thanks Bartosz for this detailed and amazing post. We have successfully configured some test systems and they work flawlessly.

The question is: what if I have a NetWeaver user but not an Azure AD user? Can I still log in to the application? How can I bypass the redirection to the Azure AD login if I just want to log in to the application, let's say with a built-in administrative user?

      Many thanks!

      Bartosz Jarkowski
      Blog Post Author

      Hi Daniel,

sure, you can bypass SAML by adding the saml2=disabled parameter to the URL, for example:

      https://<hostname>:<port>/sap/bc/gui/sap/its/webgui?saml2=disabled

       

      More information:

      https://wiki.scn.sap.com/wiki/display/Security/ICF+logon+procedures+configuration+for+SAML+2.0+authentication

      Best regards

      Bartosz

      Daniel Munoz

Wow, thanks again!! It was exactly what we hoped for!!

      Daniel Munoz

      Hello Bartosz,

It looks like, from the official Azure doc on this (https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/sap-netweaver-tutorial), that a Single Sign-On NetWeaver subscription is also required for using SAML2 SSO?

      I'd appreciate some light here.

      Regards,

      Bartosz Jarkowski
      Blog Post Author

In my opinion an additional SAP license is not required when using SAML2. But I'm not a licensing expert, so I'd recommend talking to SAP directly.

Javier Iribarne

Hello Bartosz,

Good publication. I have a question.

We have already configured single sign-on for the Fiori Launchpad using SAML2 in Azure AD.
Now, a user can log in to the Fiori Launchpad using a URL with a virtual name from outside our LAN (https://external.domain.com/blablablabla ...).
But we want to differentiate the accesses of the internal users (from within the LAN) using another hostname (another URL, https://internal.domain.com/blablablabla ...).
In this case both accesses should be authenticated in Azure AD, but transaction SAML2 does not allow two IdPs that are the same.
How should we configure it?

Thank you,
regards,
Javier

       

       

      Bartosz Jarkowski
      Blog Post Author

      Hello Javier,

that's a good question. I was thinking about it for a moment, but then I thought: why would you like to do that? Do you really want your users to use two different addresses?

      Could you please give me more details?

      Javier Iribarne

      Hi Bartosz

The main reason is the company's security requirement.

I mean, the visible tiles should be limited depending on whether the request comes from the internal or the external network.

In such a way that for the same user, if you access from inside you will see all the Fiori tiles, but if you access from outside you will only see some of them.

There is already a small development that detects whether access is made through the internal URL, in which case all tiles are visible, or through the external URL, in which case only some tiles are.
Now, when enabling SAML, I do not know how this distinction should be made. From transaction SAML2? From the IdP Azure AD?

Thank you,
regards,
Javier
      Bartosz Jarkowski
      Blog Post Author

Thanks for the clarification.

Unfortunately I don't know the solution to your problem 🙁
I tried to add a second provider, but Azure doesn't even let me create an additional system with the same ID.

      Please share the solution if you solve it.

      Javier Iribarne

      Yes, I tried the same… 😉

      OK, thanks anyway for your attention.

      Regards

       

      Prachi Patil

      Hello Javier,

I tried using the Azure AD Application Proxy connector to publish the Web Dispatcher URL to the internet; however, the SAML response failed with the error below.

      SAML20 SP (client 001 ): Destination from Response https://XXXXXX/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html/ must match the actual URL where message was sent - ACS endpoint https://XXXXXXXX/sap/saml2/sp/acs/001 or application URL(depending on configuration)

How did you publish the URL to the internet?

      Regards,

      Naik

       

      Bartosz Jarkowski
      Blog Post Author

      Have you used the WebDispatcher URL to register the application in Azure?

      Prachi Patil

Yes. SAML2 SSO is based on the IdP (Azure AD) and the SP (Fiori system).

The Web Dispatcher URL is used for the configuration of SAML.

https://WdURL:Port/sap/bc/webdynpro/sap/saml2?sap-client=001&sap-language=EN#

SSO is working fine with the sign-in URL, but the same URL cannot be used from mobile devices/the internet.

It is suggested to use the Azure AD proxy connector to publish the URL to the internet. We tried using a custom domain as well, but no luck.

       

      Abdul Arshad

      Hi,

We are using the scenario below.

We have already configured SNC/SPNEGO SSO for SAP GUI using the local AD (Windows authentication), which is working perfectly fine.

In addition to that, we would like to configure SSO for the Fiori Launchpad using Azure AD so that users can access it from office.com or My Apps.

We followed the above steps, but when we try to access the Fiori Launchpad it is not redirecting to the Microsoft Azure login page; instead it opens the application login page.

Is it not possible to use both SNC/SPNEGO for SAP GUI and SAML SSO using Azure AD for Fiori together?

Is it possible to make this scenario work?

      Thanks,

      Abdul

      B Gupta

      Dear Bartosz

       

we are facing an error after SSO login.

Attachment: screen

      Bartosz Jarkowski
      Blog Post Author

      Hi,

It looks like the screen is not attached. Anyway, I suggest posting your question to the Q&A. Have you tried enabling the trace?

      Best regards

      Bartosz

      Boris Romero

      Hi Bartosz,

       

Would it be possible to set up the same scenario but with Google as IdP? Is it supported by SAP?

       

      Appreciate your help

       

      Regards

      Siddharth Jain

      Hello SAP

       

Please suggest whether SAP WebGUI / Fiori SAML SSO is achievable for SAP IAS.

       

      Thanks

      Kashyap Shah

      Hi Bartosz & All,

      I have got SSO working via SAP Web Dispatcher authenticating against Azure AD.

I have a separate Azure Application Proxy URL to access SAP via the above Web Dispatcher, on which SSO doesn't work.
So, I tried adding the Application Proxy URL as an additional Reply URL for the Azure Enterprise Application (for SSO), and the SAML trace shows this error:

      SAML20 SP (client <number> ): Destination from Response https://<Azure Application-Proxy URL>/sap/saml2/sp/acs/<SAP-Client-Number> must match the actual URL where message was sent - ACS endpoint https://<SAP Web Dispatcher FQDN>:<port>/sap/saml2/sp/acs/<SAP-Client-Number> or application URL(depending on configuration)
      SAML20 CX_SAML20_CORE: Message 'Response' did not arrive at the correct destination. Long text: Message 'Response' did not arrive at the correct destination.

I think I am missing something on the configuration side.

Is anybody able to help?

      Thanks.

      Best Regards,
      Kashyap Shah