
Our journey with technical configuration of S/4HANA system continues and in today’s episode we will take a closer look at the Single Sign-On using SAML and Microsoft Azure Active Directory.

If you are interested in a different approach to Fiori and Single Sign-On, I highly encourage you to check out Frank Schuler's detailed walkthrough on how to implement SSO with X.509 certificates.

I bet you have already heard about Active Directory. It's a directory service shipped together with Windows Server that automates user management, security and network management.

Is Azure Active Directory the same? Yes and no. It is still a directory service, but the biggest difference is that Azure AD currently does not support Group Policy Objects. Therefore, you can't decide what the users' wallpaper will be and you can't manage their Internet Explorer bookmarks. Instead, you get identity management capabilities including multi-factor authentication, device registration and self-service password management. Azure Active Directory provides a solution to easily deploy Single Sign-On across your cloud and on-premise applications with the use of SAML. Of course there are many more benefits, but if you are interested in the details, you can easily find additional information on the internet.

Our goal for today is to enable Single Sign-On between Microsoft Azure Active Directory and S/4HANA Fiori Launchpad!

This time we will use the new Azure Portal. To enable Single Sign-On we require an Azure Active Directory tenant. We can use the one that is created by default with your Azure account, or we can create a new one.

There are four editions of Azure AD available within your subscription. The important fact is that SSO functionality can be enabled even for the free edition (you can read about the limitations here).

And just before we start, I'd like to explain two terms that are important when using SAML:

Identity Provider – a trusted party that stores your user credentials and lets you use Single Sign-On to access other services. In our case it's Azure Active Directory.

Service Provider – an external service / web page that requests and obtains an identity assertion from the identity provider. In our landscape it is SAP NetWeaver.


Please log in to your Azure portal and go to Azure Active Directory maintenance. You can use either the default directory or switch to any other directory available within your account.

What we need to do is add SAP NetWeaver as an Enterprise Application:

Now go to the Single Sign-On tab and maintain three parameters:

Sign-on URL – the address used to log in to the Fiori Launchpad

Identifier – a custom identifier of the service provider

Reply URL – the address to which we should be forwarded after a successful sign-in.

Next, click Create new certificate in the SAML Signing Certificate section and maintain the expiry date.

You can see that a new certificate was created, and we can download the Metadata XML, which we will use to configure SAP NetWeaver.

In the User Attributes section you need to decide what the user identifier should be, i.e. which data identifies a particular user. I chose the e-mail address, but you can check out other attributes as well.

The last step is about choosing the users who should have access to our Fiori Launchpad.


Now it's time to configure the SAML settings inside SAP NetWeaver. The setup is done in transaction SAML2, and the first step is to create the SAML 2.0 Local Provider:

The provider name should be the same as the Identifier we chose in the Azure portal.

In step three, ensure the Selection Mode is set to Automatic. You can save your settings afterwards.

The configuration of the service provider is displayed. The only thing to change here is to turn on Legacy System Support. This means that if you ever open SAP GUI from the Fiori Launchpad you won't be asked for credentials. You can read more about this in Koen Van Loocke's blog post.

Go to the Trusted Providers tab and add a new Identity Provider by uploading the Metadata File.

Upload the file previously downloaded from Azure AD; you can confirm all steps until step 9.

In the last step of the Identity Provider configuration, please change the Authentication Response:

The Identity Federation tab in the Details of the Identity Provider allows us to configure which data should identify the particular user. Do you remember the similar step in the SSO configuration in Azure? At that time I chose the e-mail address, and it's the same value I need to put here – but please remember to maintain this value in the user master data!

Now go to the Authentication Requirements tab and verify the Authentication Response fields. They should be set up as follows:


To test the configuration, I opened a new browser window in Private Mode, which ensures that no cached logins are used. After typing the Fiori address I was immediately redirected to the Microsoft login page.

After my credentials were verified by Azure Active Directory I was redirected again – this time to my Fiori Launchpad. I was not asked for any additional logins / passwords!


I would also like to show you simple troubleshooting of SAML SSO. Therefore, we need to break something first 🙂

Go to Identity Federation and change the Supported NameID format to Persistent. Restart the browser and try to log in to the Fiori Launchpad again. This time, instead of the Microsoft login page, the Fiori welcome screen is displayed and waits for our input.

What went wrong? To answer that question we are going to open the Security Diagnostic Tool and start a trace:


When the trace is on, try to log in again. Afterwards you can display the trace and easily solve the issue:
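As an added example (not code from the original post), the following Python script parses IdP federation metadata shaped like the Azure AD Metadata XML downloaded earlier and replays the NameID format check that the trace reveals: the format in the assertion must match the one configured under Identity Federation. The metadata values, tenant ID and the SAML Response are constructed placeholders.

```python
# Added example, not from the original post: parse IdP metadata shaped like the Azure AD
# download and replay the NameID format mismatch that the Security Diagnostic trace shows.
import xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample in the shape of Azure AD federation metadata; all values are placeholders.
IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
   <ds:X509Data><ds:X509Certificate>MIIC...PLACEHOLDER</ds:X509Certificate></ds:X509Data>
  </ds:KeyInfo></KeyDescriptor>
  <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
  <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
 </IDPSSODescriptor></EntityDescriptor>"""

def parse_idp_metadata(xml_text):
    """Pull out what transaction SAML2 reads from the uploaded metadata file."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    return {
        "entity_id": root.get("entityID"),
        "sso_urls": {s.get("Binding").rsplit(":", 1)[1]: s.get("Location")
                     for s in idp.findall("md:SingleSignOnService", NS)},
        "signing_certs": [k.find(".//ds:X509Certificate", NS).text.strip()
                          for k in idp.findall("md:KeyDescriptor", NS)
                          if k.get("use", "signing") == "signing"],
        "nameid_formats": [n.text for n in idp.findall("md:NameIDFormat", NS)],
    }

def sample_response(fmt, subject):
    # Constructed minimal SAML Response containing only the Subject/NameID that matters here.
    return (f'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            f'xmlns:saml="{NS["saml"]}"><saml:Assertion><saml:Subject>'
            f'<saml:NameID Format="{fmt}">{subject}</saml:NameID>'
            '</saml:Subject></saml:Assertion></samlp:Response>')

def check_nameid(response_xml, expected_format):
    """Federation rule: the assertion's NameID Format must equal the configured format."""
    nameid = ET.fromstring(response_xml).find(".//saml:Subject/saml:NameID", NS)
    if nameid is None:
        return False, "no NameID in assertion"
    if nameid.get("Format") != expected_format:
        return False, f"NameID format {nameid.get('Format')} != expected {expected_format}"
    return True, nameid.text
```

Running check_nameid on an e-mail NameID while expecting the persistent format reproduces the failure from the broken configuration; switching the expected format back to EMAIL_FMT accepts the assertion and returns the e-mail address used for user mapping.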

This is the seventh part of my blog series about S/4HANA installation and maintenance. You can access the previous parts using the following links:

Part 1 – Maintenance Planner, System Installation and Update
Part 2 – SAP NW Gateway and Fiori Launchpad
Part 3 – Best Practices Content Activation
Part 4 – Fact Sheet apps, Fiori Search and Web Dispatcher
Part 5 – Upgrade to 1610
Part 6 – Fully Activated Appliance on Microsoft Azure
Part 7 – Fiori Launchpad SAML Single Sign-On with Azure AD





  1. Masahide Yano

    Could you tell me what value to set in the sign-on URL and reply URL (Azure setting)?

    Do we need URL parameters? For example, sap-client, sap-language …


    Best Regards,

    Masahide Yano


  2. Akash Rana

    Hi Bartosz,

    We have similar requirement but we need to only access Odata services from our On-premise SAP NW Gateway system.

    Can we still have SSO and SAML authentication using Azure AD?


    We will have a Web Dispatcher in the DMZ and the Gateway inside the firewall, and requests would come in from the Internet.

    Please advise,


    Thank You,


      1. Bartosz Jarkowski Post author

        Hello Akesh,

        Sorry for the late reply.

        I'm not sure what exactly you want to achieve. In case you want to connect your front-end system and back-end system, then you should use trusted RFC instead of SAML.

        SAML can then be configured to access the front-end system.

        Best regards


  3. Sree Arumugam

    Just wanted to ask you this question.

    Do we need SAP SSO to do single sign-on to the Fiori Application Server, or can we do this with Azure AD SSO?

    Please help me understand this.


    1. Bartosz Jarkowski Post author

      This blog post describes the steps required to enable SAP to use Single Sign-On with Azure AD through SAML. I'm not sure what you mean by SAP SSO or Azure AD SSO.


