Skip to Content

Background :

I came across the situation where I need to implement SSO for Fiori launchpad. First thing came in my mind was to do through SAP NW portal since you can very easily achieve this by doing SSO between portal and Fiori. You need to configure SPNEGO on portal to make this entire thing work.

User open portal URL which redirected to Fiori launchpad. Issue with this you will have an additional portal page open which you don’t want any other users to see if you have published Fiori launchpad through your company portal or some other web page.

What tools required?

ADFS system in your organization

Fiori Gateway system

Certificate Signing Authority

How to achieve SSO through SAML?

  • Activation of SICF

First thing you need to login to SAP ABAP system/Gateway system where your Fiori Launchpad is opening from.


Go to transaction SICF and Activate SAML2 web service


Once you have this Service activated you will able to run SAP TCode: SAML2

  • HTTPS configuration on ABAP system

Before we run in to configuration make sure you have HTTPs enabled for your gateway systemand certificates are signed as below.

Create profile parameter for HTTPS as below

icm/server_port_X PROT=HTTPS,PORT=1443,TIMEOUT=600,PROCTIMEOUT=3600

Restart ICM and check you see HTTPS is enable for your system in SMICM Tcode

  • SAML configuration on ABAP/Gateway system


Local Provider

Simply run TCode : SAML2 and you will see screen below on your browser, what you need to do is –> Enable SAML 2.0 Support –>Create SAML 2.0 Local Provider.

Add Provider name and click next

Note: I prefer to put FQHN as provider name


Continue with default option on General settings screen


Press Finish on Service Provider Setting


Final Configuration of your service provider will be looking like this

Under:Identity Provider Discovery: Common Domain Cookie (CDC)

Selection Mode can be change to Automatic

This will be auto generated in TCODE: STRUST


      Trusted Provider

First download Metadata file from your ADFS

Link is : https://fqdn of ADFS/FederationMetadata/2007-06/FederationMetadata.xml

Note: ADFS server always access through HTTPS:// and NOT HTTP://


Go to Trusted Providers TAB and upload Metadata File

Click Next on screen

Provide signing certificate and click next

Note getting certificate.

Create new blank file with file type .crt

Edit file with Notepad.



Open your FederationMetadata.xml

and Copy certificate content in TXT file.


You can find this at the beginning of the file

Open ADFS website and export certificate and opening with notepad and copy content to text file you created


Final file is ready


Click Next and provide Alias name

Click Next on this screen

Click Next

Click Next

Click Next

Select Comparison Method: Better and click Finish

You have trusted provider setup almost ready as below


Click edit and add Supported NameID Formats

I have selected option as below


Final Screens of Trusted Providers are as below


Now Save changes and enable configuration

Click OK

Configuration is enabled now


     Configure ADFS

Go to TAB Local Provider and download MetaData

Select All option and download


Save the file.


Login to your ADFS server through remote desktop session and copy metadata.xml to desktop of server


Open AD FS Management tool from – Control Panel\System and Security\Administrative Tools


Navigate to Trusted Relationship >> Relying Party Trusts


Add Relying Party Trust


Click Start

Provide metadata file


Click OK


Provide name

Note: I prefer SAP SID name

For now I am going with defaults on next screen and you can select accordingly


Permit all users


Click Next

Check TABs inside you have information below



Click Close

Note: Make sure you have checkbox selected

Add Rule


Click Next


Provide information what you previously selected under “Supported NameID formats”


Click Apply and OK


Edit newly created Relying Party Trust prperties


Go to Advanced TAB and change Secure hash algorithm to SHA-1

Note: Match this with what you selected on your ABAP system




Open URL of your SAP WEBGUI



Error as below


Apply SAP Note : 2447142 – Error in ST program DECOMPRESS_TEXT


Test URL again and you will able to login without password.


Thank you for reading.


To report this post you need to login first.


You must be Logged on to comment or reply to a post.

  1. Matt Fraser

    Hi Yogesh,

    Thanks for providing all these steps; this looks fairly complex! More so than SPNEGO configuration for the Portal, anyway.

    One question I have is with regard to licensing (yeah, yeah, I know, we’re not supposed to discuss licensing, blah blah blah, but I think that applies more to details of individual contracts, not generic questions). My understanding has been that to provide Single Sign-On for ABAP systems, a license for NWSSO is required, which is different from the case of using SPNEGO in Java systems (where it’s “built in”). If I understood your blog correctly, you aren’t using the NWSSO product at all here; you’re demonstrating a native capability for SSO within the ABAP system. Is that correct? If so, what does that imply for NWSSO licensing requirements?


    1. Yogesh Patel Post author

      Hello Matt,

      You are right. We looked in to buying SAP NW SSO 2.0 product but it was quite expensive. We do not wanted to buy that and achieve SSO on ABAP/JAVA systems.

      Since we are big shop of Microsoft we decided to go with FREE version of SSO and this is what it is. SSO with ADFS. Soon I am going to publish blog for JAVA.




  2. Roy Brasse

    The SAML option is great, but only supports the Fiori Launchpad or other browser based sessions.

    How are you addressing SAP GUI, Business Client, etc. SSO?

    I agree that SAP should include the SSO license in their existing licensing model (per user) as this is a basic feature that most other vendors provide at no cost.  That’s my $0.02.




  3. Shantanu Bansal

    Hi Yogesh,

    Our Fiori and S/4HANA systems are on Red Hat Linux platform. With respect to client wishes, we are researching our options for SSO.

    SAP support has informed us that due to Linux being our OS, we cannot use Kerberos based SSO for ABAP and Fiori (via SPNego or SAML2.0). In other words, out of box SSO options for SAP systems on Linux are unavailable.

    Do you think otherwise? Are you SAP application running on Windows?

    Thanks, Shantanu

  4. Kumar Subramaniam

    Hi Yogesh,

    I followed your document as well to configure the SSO with ADFS and it is a great article. Thanks for  it.

    Quick question, Whenever I launch the fiori URL, it is always prompting me to enter the Windows AD user and password? I thought it should be password free when you are in the network?  Any settings that you need to make that password free?


    1. Yogesh Patel Post author

      Its doing the way it should be. We have it published on our Share point web portal so its seamless for us but you are right it is taking windows username password to login because its going through AD authentication.



  5. S. van Gemert


    Hi Yogesh


    Nice job on detailing all the steps.


    We have setup S/4 with separate Fiori fontend server.

    For FLP I now setup saml2 and for sapgui we are using spnego.  During the setup of Enterprise Search the S/4 system is requesting spnego tokens, which are not in the request header. We are going to fix that.


    But what I am wondering is why not replace saml2 with spnego also for the web access? We do not have an SAP Portal that the customers access, so will probably not get that popup.


    Was that extra screen the only reason not to choose spnego/Kerberos?


    Thanks for your time and effort



    Sander van Gemert


Leave a Reply