Your S/4HANA environment – Part 7 – Fiori Launchpad SAML Single Sign-On with Azure AD
Our journey through the technical configuration of an S/4HANA system continues, and in today’s episode we will take a closer look at Single Sign-On using SAML and Microsoft Azure Active Directory.
If you are interested in a different approach to Fiori and Single Sign-On, I highly encourage you to check out Frank Schuler’s detailed walkthrough on how to implement SSO with X.509 certificates.
I bet you have already heard about Active Directory. It’s a directory service shipped with Windows Server that automates user management, security and network management.
Is Azure Active Directory the same? Yes and no. It is still a directory service, but the biggest difference is that currently Azure AD does not support Group Policy Objects. Therefore, you can’t decide what the users’ wallpaper will be and you can’t manage their Internet Explorer bookmarks. Instead, you get identity management capabilities including multi-factor authentication, device registration and self-service password management. Azure Active Directory provides a solution to easily deploy Single Sign-On across your cloud and on-premise applications with the use of SAML. Of course there are many more benefits, but if you are interested in the details, you can easily find additional information on the internet.
Our goal for today is to enable Single Sign-On between Microsoft Azure Active Directory and S/4HANA Fiori Launchpad!
This time we will use the new Azure Portal. To enable Single Sign-On we require an Azure Active Directory tenant. We can use the one that is delivered by default when you create your Azure account, or we can create a new one.
There are four levels of Azure AD available within your subscription. The important fact is that SSO functionality can be enabled even for the free edition (you can read about the limitations here).
And just before we start I’d like to explain two terms which are important when using SAML:
Identity Provider – a trusted provider that stores your user credentials and lets you use Single Sign-On to access other services. In our case it’s the Azure Active Directory.
Service Provider – an external service / web page which requests and obtains an identity assertion from the identity provider. In our landscape it is SAP Netweaver.
AZURE ACTIVE DIRECTORY SET UP
Please log in to your Azure portal and go to Azure Active Directory maintenance. You can use either the default directory or switch to any other directory available within your account.
What we need to do is to add SAP Netweaver as Enterprise Application:
Now, go to Single Sign-On tab and maintain three parameters:
Sign-on URL – the address used to log in to the Fiori Launchpad
Identifier – custom identifier of the service provider
Reply URL – the address to which we should be forwarded after a successful sign-in.
Next, click on Create new certificate in SAML Signing Certificate section and maintain expiry date.
You can see that the new certificate was created, and we can download the Metadata XML, which we will use to configure SAP Netweaver.
In User Attributes section you need to decide what should be the user identifier – what data should identify particular user. I chose e-mail address, but you can check out different parameters as well.
The last step is choosing the users who should have access to our Fiori Launchpad.
ENABLE SAML IN SAP NETWEAVER
Now it’s time to configure the SAML settings inside SAP Netweaver. The setup is done in t-code SAML2, and the first step is to Create SAML 2.0 Local Provider:
The provider name should be the same as we chose in Azure portal.
In step three ensure the Selection Mode is set to Automatic. You can save your settings afterwards.
The configuration of the service provider is displayed. The only thing to change here is to turn on Legacy System Support. This means that if you ever open SAP GUI from the Fiori Launchpad you won’t be asked for credentials. You can read more about this in Koen Van Loocke’s blog post.
Go to Trusted Providers tab and add new Identity Provider by uploading Metadata File.
Upload the file previously downloaded from Azure AD and you can confirm all steps until step 9.
In last step of Identity Provider configuration please change Authentication Response:
The Identity Federation tab in Details of Identity Provider allows us to configure what data should identify the particular user. Do you remember the similar step in the SSO configuration in Azure? At that time I chose the e-mail address, and it’s the same value I need to put here – but please remember to maintain this value in the user master data!
Now go to the Authentication Requirements tab and verify the Authentication Response fields. They should be set up as follows:
To test the configuration, I opened a new browser window in Private Mode, so I can be sure no cached logins are used. After typing the Fiori address I was immediately redirected to the Microsoft login page.
After my credentials were verified by Azure Active Directory I was redirected again – this time to my Fiori Launchpad. I was not asked for any additional logins / passwords!
I would also like to show you simple troubleshooting of SAML SSO. Therefore, we need to break something first 🙂
Go to Identity Federation and change Supported NameID format to Persistent. Restart the browser and try again to log in to the Fiori Launchpad. This time, instead of the Microsoft login page, the Fiori Welcome screen is displayed, waiting for our input.
What went wrong? To answer that question we are going to open Security Diagnostic tool and start a trace:
When the trace is on, try to log in again. Afterwards you can display the trace and easily solve the issue:
This is the seventh part of my blog series about S/4HANA installation and maintenance. You can access previous parts by using following links:
Part 1 – Maintenance Planner, System Installation and Update
Very nice blog. I have a question: what happens if a SAP Web Dispatcher is in front of the Fiori Server?
Thanks in advance,
Could you tell me what value to set in sign-on URL and reply URL (Azure setting)?
Do we need URL parameter? For example, sap-client, sap-language ...
It depends on what URL your users use to log in.
In my scenario I used: https://host:port/sap/bc/ui2/flp
We have similar requirement but we need to only access Odata services from our On-premise SAP NW Gateway system.
Can we still have SSO and SAML authentication using Azure AD.
We will have a Web Dispatcher in DMZ and Gateway in firewall and request would come in from Internet.
Any recommendation? Sorry, I don't find any other resource online.
sorry for late reply.
I'm not sure what exactly you want to achieve. In case you want to connect your front-end system and back-end system, then you should use trusted RFC instead of SAML.
SAML can be configured then to access the front-end system.
Just wanted to ask you this question.
Do we need SAP SSO to do Single Sign-On to the Fiori Application Server, or can we do this with Azure AD SSO?
Please help me understand this.
This blog post describes the steps required to enable SAP to use Single Sign-On with Azure AD through SAML. Not sure what you mean by SAP SSO or Azure AD SSO.
Hi Bartosz, nice blog post. I've set up SSO with Azure AD for SAP Fiori applications delivered through the SAP Cloud Platform and one problem we have been having is with logout. We've logged tickets with SAP and they are stating that there is a problem with Azure AD in that it is not sending a specific logout request.
Have you any experience with this? Also wondered in your scenario above what happens when you log out - i.e. does it log out properly and if so how is this working as we have not been able to logout effectively for months.
Hi Phil Cooley ,
Did you get an update on the logout issue? We are using FLP on SCP Portal Service with Azure AD via SAP IAS and the logout is making trouble. The user is logged out but the SAPUI5 loading screen is shown forever.
Hi Tim Stein
Unfortunately have not found out how to resolve this problem and there are no resources around I can find to do this.
Bartosz, - any response for us please?
Thanks & Kind Regards
Hello Phil Cooley
Sorry for the missing response from me, I probably overlooked it.
I think I configured the SSO between Azure and SCP once, long time ago, but unfortunately I can't remember if there was any issue with log out. I can only confirm I don't have any log out problems for the NetWeaver system.
I would suggest raising an Azure ticket as well.
Ok Bartosz, - thanks
Thanks for this post. I am trying to do the same setup and I got success to some extent: SSO works fine when we use "Supported NameID = Email", but it doesn't work when I use "unspecified". Below is the SAML trace I captured last. It looks like there is a mismatch in what is being passed as Subject Name ID from the Azure side vs. what we have in SAP. I don't know how I can change the Name ID format to "unspecified" in Azure.
Why do you want to change it to unspecified?
Can you suggest how to get around the exception I am seeing in the Trace ?
I don't understand what you are trying to achieve, so it's difficult for me to offer a solution.
You haven't answered my question – why do you change the format to unspecified? I believe that's the root cause.
I have a few questions as I am working on doing the same and not getting the expected result.
Our Fiori Launchpad Path : https://<Web Dispatcher hostname>:44300/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html
Let me know if I am not clear with my question
Thank you! There were services which were not active and a few parameters needed to be set and activated. It works fine now.
thanks for sharing! I’m very glad you were able to configure the SAML successfully!
Don’t forget to leave a like on this post! 🙂
Actually we have been using a S4 Hana cloud fiori launchpad system, can you please provide the steps for that between AZURE AD and SAP S4 HANA?
that's a good idea for a blog, however I can't provide any exact date when I would write it.
But you can check this blog:
In Azure, do you have to define multiple SAP Netweaver application as Enterprise Applications to match your Fiori Dev/QA/Prod systems? (Since the sign-in url, identifier, reply url will be different for each backend system)
yes, that's correct. For each system in your landscape you have to create new Enterprise Application.
Thanks for this fantastic blog. however I have a question.
In your blog you mentioned the Request and Response URL configured to be the same. How do you handle the scenario when the Reply URL is different (e.g. when you access the Launchpad Designer)? In such a case the Request URL is the same but the Reply URL is different. SSO fails in such a case (SAML is always looking for the configured Response URL on Azure AD).
Updated: We were able to configure multiple response URLs to make SAML based SSO work.
I have such a scenario - however, I need to include URL parameters with different values every time.
Can you guide how should such a response url be setup?
e.g. I want to redirect to VA02 tile in the Fiori launchpad with the Sales Order as a Url Parameter from another SaaS application. The SaaS application has a link to the Fiori Launchpad with the target mapping to VA02 along with the Sales Order number as the url parameter (the Sales Order number will be different every time).
How could the response url be setup in such a scenario.
Right now - every time we wish to navigate to VA02 from the SaaS application - it is redirected to the Fiori Launchpad home page and not to VA02 directly (because the response URL is for the home page, it seems).
I have completed the setup for SSO and my Fiori Launchpad is getting redirected through Azure AD, but after authentication it again asks for the Fiori Launchpad login. The error which I am getting is "Caused by: CX_SAML20_ASSERTION: Attribute 'NotBefore' of element 'Conditions' is invalid. Long text: Attribute 'NotBefore' of element 'Conditions' is invalid."
I did some googling and found that it is because of a time zone mismatch, but after setting the AD and SAP time zone the same I am still getting the same error.
I have enabled the trace and here is the snapshot.
Any help is appreciated!!
If the solution from the SAP Note doesn't work, then I'd suggest contacting SAP support.
I don't think I can offer you a different solution.
Besides the time zone, check that the actual time is the same – there is a 120-second tolerance, so if your AD time is 11:39 and your SAP time is 11:45 then you will get the error.
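The troubleshooting scenario in the post (Supported NameID format switched to Persistent while Azure AD still sends an e-mail address) and the NotBefore error discussed just above are both rejections by the service provider's checks on the incoming SAML Response. As an added illustration that is not part of the blog post or of SAP's implementation, here is a minimal Python checker for those conditions over a constructed, unsigned response; the hostname fiori.example.test, the sample timestamps and the 120-second skew tolerance (taken from the reply above) are assumptions.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
PERSISTENT_FMT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
CLOCK_SKEW = timedelta(seconds=120)  # tolerance quoted for NetWeaver in the reply above
ACS_URL = "https://fiori.example.test/sap/saml2/sp/acs/001"  # assumed hostname, ACS path as in the thread

def parse_saml_time(value):
    # SAML timestamps are xs:dateTime in UTC, e.g. 2023-05-04T11:39:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def sp_clock(hour, minute):
    # The service provider's wall clock on the sample's day (UTC); constructed for the demo
    return datetime(2023, 5, 4, hour, minute, tzinfo=timezone.utc)

def check_response(xml_text, acs_url, expected_nameid_format, now):
    """Apply the SP-side checks discussed on this page to a SAML Response and return
    the list of problems found (empty = accepted). Signature verification is out of scope."""
    problems = []
    root = ET.fromstring(xml_text)
    # 1. Destination must be the ACS endpoint the message actually reached
    dest = root.get("Destination")
    if dest != acs_url:
        problems.append(f"Destination {dest!r} does not match ACS URL {acs_url!r}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element in response"]
    # 2. Validity window, allowing for clock skew between IdP and SP
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + CLOCK_SKEW < parse_saml_time(nb):
            problems.append("Attribute 'NotBefore' of element 'Conditions' is invalid")
        if noa and now - CLOCK_SKEW >= parse_saml_time(noa):
            problems.append("assertion expired (NotOnOrAfter)")
    # 3. NameID format must match what Identity Federation is configured for
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    fmt = name_id.get("Format") if name_id is not None else None
    if fmt != expected_nameid_format:
        problems.append(f"NameID format {fmt!r} differs from configured {expected_nameid_format!r}")
    return problems

# Constructed, unsigned sample response; not captured from a real tenant
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  Destination="{ACS_URL}">
  <saml:Assertion>
    <saml:Subject><saml:NameID Format="{EMAIL_FMT}">jane.doe@example.test</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2023-05-04T11:39:00Z" NotOnOrAfter="2023-05-04T12:39:00Z"/>
  </saml:Assertion>
</samlp:Response>"""
```

With the SP clock three minutes behind the IdP (`sp_clock(11, 36)`) the NotBefore check fails, one minute behind passes within the tolerance, and asking for the persistent format reproduces the NameID mismatch from the post.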
Thank you for the amazing blog. We have a similar requirement. We want to configure SSO to access Fiori apps from the internet and we would be using Azure AD for authentication. Can the steps specified in the blog be used as is to achieve this requirement, or do we need to do anything in addition to these steps to access Fiori apps through the internet via SSO?
In general the above steps should be sufficient, however if you have a Gateway configured as Central Hub you may need to configure SAML on the backend as well.
There is also additional configuration required when using WebDispatcher, so please check SAP Notes.
We do have Gateway configured as Central Hub. As of now, we are using an F5 load balancer instead of SAP Web Dispatcher. Can you please let me know which notes I should check, or some keywords that I should use to search the notes?
I have raised a separate thread for this question-> https://answers.sap.com/questions/544654/sso-for-sap-fiori-apps-accessed-via-internet-using.html
Thanks Bartosz for this detailed and amazing post, we have successfully configured some test systems and they work flawless.
The question is: What if I have a Netweaver user but not an Azure AD user, can I still login to the application? How can I bypass the redirection to Azure AD login if I just want to login to application, let say with a bult-in administrative user?
Sure, you can bypass SAML by adding the saml2=disabled parameter to the URL, for example:
Wow, thanks again!! It was exactly what we hoped to be!!
It looks like, from Azure official doc on this regards (https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/sap-netweaver-tutorial) that a Single Sign-On Netweaver subscription is also required for using SAML2 SSO?
I'd appreciate some light here.
In my opinion an additional SAP license is not required when using SAML2. But I'm not a licensing expert, so I'd recommend to talk to SAP directly.
that's a good question. I was thinking about it for a moment, but then I thought why would you like to do that? Do you really want your users to use two different addresses?
Could you please give me more details?
I mean, the visible tiles should be limited depending on whether the request comes from the internal or the external network.
In such a way that for the same user, if you access from inside you will see all the Fiori tiles, but if you access from the outside you will only see some of them.
There is a small development already done that detects if access is made through the internal URL; in that case it allows you to see all the tiles, and only some tiles if the external URL is used.
Thanks for clarification.
Unfortunately I don't know the solution to your problem 🙁
I tried to add a second provider, but Azure doesn't even let me create additional system with the same ID.
Please share the solution if you solve it.
Yes, I tried the same… 😉
OK, thanks anyway for your attention.
I tried using Azure AD Proxy Connector to publish Webdispatcher URL to internet, however SAML response failed with below error.
SAML20 SP (client 001 ): Destination from Response https://XXXXXX/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html/ must match the actual URL where message was sent - ACS endpoint https://XXXXXXXX/sap/saml2/sp/acs/001 or application URL(depending on configuration)
How did you publish URL to internet?
Have you used the WebDispatcher URL to register the application in Azure?
Yes.. SAML2 SSO is based on IdP (Azure AD) and SP (FIORI system).
Webdispatcher URL is used for configuration of SAML.
SSO is working fine with the Sign-in URL, but the same URL cannot be used from mobile devices / the internet.
It is suggested to use the Azure AD proxy connector to publish the URL to the internet. We tried using a custom domain as well, but no luck.
We are using the below scenario.
We have already configured SNC/SPNEGO SSO for SAP GUI using Local AD(Windows Authentication) which is perfectly working fine.
Adding to that we would like to configure SSO for Fiori Launchpad using Azure AD for users to access it from office.com or My Apps.
We followed the above steps, but when we try to access the Fiori Launchpad it is not redirecting to the Microsoft Azure login page; instead it opens the application login page.
Is it not possible to use both SNC/SPNEGO for SAP GUI and SAML SSO using Azure AD for Fiori together?
Is it possible to make this scenario working?
We are facing an error after SSO login.
It looks the screen is not attached. Anyway I suggest posting your question to the Q&A. Have you tried to enable trace?
Would it be possible to set up the same scenario but with Google as IdP? is it supported by SAP?
Appreciate your help
Please suggest whether SAP WebGUI / Fiori SAML SSO is achievable for SAP IAS.
Hi Bartosz & All,
I have got SSO working via SAP Web Dispatcher authenticating against Azure AD.
I have got a separate Azure Application-Proxy URL to access SAP via above Web Dispatcher on which SSO doesn't work.
So, I tried adding Application-Proxy URL as an additional Reply URL for Azure Enterprise Application (for SSO) and SAML trace shows error:
I think I am missing something on configuration side.
Is anybody able to help?