patelyogesh
Background:


I needed to implement SSO for the Fiori launchpad. My first thought was to go through the SAP NetWeaver Portal, because SSO between the portal and Fiori is easy to set up: you configure SPNEGO on the portal and let it authenticate the user.

The drawback is that the user opens the portal URL and is then redirected to the Fiori launchpad, so an extra portal page is left open. If you have published the launchpad through your company portal or some other web page, that is something you do not want users to see. Letting the Fiori gateway authenticate directly against ADFS with SAML 2.0 avoids it.


What is required?


An ADFS server in your organization

The Fiori Gateway system (SAP NetWeaver ABAP)

A certificate authority to sign the gateway's HTTPS server certificate

How to achieve SSO through SAML?


  • Activation of SICF


First, log in to the SAP ABAP/Gateway system that serves your Fiori launchpad.

Go to transaction SICF and activate the SAML2 service (the Web Dynpro application /sap/bc/webdynpro/sap/saml2).

Once the service is active you can run transaction SAML2, which opens the SAML 2.0 configuration in your browser.


  • HTTPS configuration on ABAP system


Before starting the SAML configuration, make sure HTTPS is enabled on your gateway system and that the server certificate (STRUST, SSL server Standard PSE) is signed by a CA that your users' browsers and the ADFS server trust. SAML 2.0 browser SSO passes the assertion through the user's browser, so both the ADFS endpoint and the SAP endpoint have to be HTTPS.

Create an ICM profile parameter for HTTPS as below (X is a free port index; 1443 is the example port used here):

icm/server_port_X PROT=HTTPS,PORT=1443,TIMEOUT=600,PROCTIMEOUT=3600

Restart ICM and check in transaction SMICM (Goto > Services) that the HTTPS port is active.




  • SAML configuration on ABAP/Gateway system


Local Provider

Run transaction SAML2; the SAML 2.0 configuration screen opens in your browser. Choose Enable SAML 2.0 Support --> Create SAML 2.0 Local Provider.

Enter the provider name and click Next.

Note: I prefer to use the fully qualified host name (FQHN) as the provider name. This name becomes the entity ID of your service provider and is what ADFS will later show as the relying party identifier.

Keep the defaults on the General Settings screen.

Press Finish on the Service Provider Settings screen.

The final configuration of the service provider then looks like the screenshot in the original post (not reproduced here).

Under Identity Provider Discovery: Common Domain Cookie (CDC), the Selection Mode can be changed to Automatic.

The local provider's signing and encryption key pairs are generated automatically during this step and are visible in transaction STRUST.


 

      Trusted Provider


First download the federation metadata file from your ADFS server.

Link is: https://<fqdn of ADFS>/FederationMetadata/2007-06/FederationMetadata.xml

Note: The ADFS server must always be accessed through https:// and NOT http://.

Go to the Trusted Providers tab and upload the metadata file.

Click Next on the following screen.

Provide the signing certificate and click Next.

Note on getting the certificate:

The certificate the wizard asks for is the ADFS token-signing certificate, and the federation metadata already contains it. Near the beginning of FederationMetadata.xml there is a KeyDescriptor with use="signing" whose X509Certificate element holds the certificate as one long Base64 string.

Create a new empty file with the extension .cer and open it in Notepad.

Open your FederationMetadata.xml, copy the Base64 content of that X509Certificate element into the .cer file, and put -----BEGIN CERTIFICATE----- on the line before it and -----END CERTIFICATE----- on the line after it.

Alternatively, export the token-signing certificate from the AD FS Management console (Service > Certificates > View Certificate > Details > Copy to File, Base-64 encoded X.509) and open the exported file in Notepad; the content is the same.

The final file is ready and can be uploaded in the wizard.

Check: the thumbprint of the certificate you upload must match the primary Token-signing certificate shown in the AD FS console. If ADFS is in the middle of a certificate rollover, the metadata contains two signing certificates, and SAP has to trust the one ADFS actually signs with.
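The same extraction done with a script instead of Notepad, as an added example that is not part of the original post: it reads FederationMetadata.xml, pulls every signing certificate of the IdP role, writes each one as a PEM-formatted .cer file, and prints subject, thumbprint and expiry so you can compare against the AD FS console. The file paths are assumptions.

```powershell
# Added example (not from the original post): extract the ADFS token-signing
# certificate(s) from FederationMetadata.xml into .cer files for the SAML2 wizard.
# $MetadataPath and $OutDir are assumed locations; adjust to your environment.
param(
    [string]$MetadataPath = "$env:USERPROFILE\Desktop\FederationMetadata.xml",
    [string]$OutDir       = "$env:USERPROFILE\Desktop"
)

[xml]$md = Get-Content -Path $MetadataPath -Raw

# The metadata uses the SAML metadata and XML-DSig namespaces; XPath needs both.
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

# Only the IdP role's signing keys matter for the SAP trusted provider. The
# encryption KeyDescriptor and the SP-role descriptors in the same file carry
# different certificates, so the XPath is deliberately narrow.
$xpath = '/md:EntityDescriptor/md:IDPSSODescriptor/md:KeyDescriptor[@use="signing"]' +
         '/ds:KeyInfo/ds:X509Data/ds:X509Certificate'
$nodes = $md.SelectNodes($xpath, $ns)
if ($nodes.Count -eq 0) { throw "No IdP signing certificate found in $MetadataPath" }

$index = 0
foreach ($node in $nodes) {
    $index++
    # Strip any whitespace that XML formatting inserted into the Base64 text.
    $b64 = $node.InnerText -replace '\s', ''
    $der = [Convert]::FromBase64String($b64)

    # Parse the DER so we can show exactly what we are about to trust.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)

    # PEM = the Base64 in 64-character lines between the BEGIN/END markers.
    $lines = for ($p = 0; $p -lt $b64.Length; $p += 64) {
        $b64.Substring($p, [Math]::Min(64, $b64.Length - $p))
    }
    $pem = "-----BEGIN CERTIFICATE-----`r`n" + ($lines -join "`r`n") + "`r`n-----END CERTIFICATE-----`r`n"

    $outFile = Join-Path $OutDir ("adfs-token-signing-{0}.cer" -f $index)
    Set-Content -Path $outFile -Value $pem -Encoding ascii -NoNewline

    Write-Host ("[{0}] {1}" -f $index, $outFile)
    Write-Host ("     Subject   : {0}" -f $cert.Subject)
    Write-Host ("     Thumbprint: {0}" -f $cert.Thumbprint)
    Write-Host ("     NotAfter  : {0:u}" -f $cert.NotAfter)
    if ($cert.NotAfter -lt (Get-Date)) {
        Write-Warning "Certificate $index is already expired; SAP would reject assertions signed with it."
    }
}

if ($index -gt 1) {
    $msg = "Metadata lists $index signing certificates (ADFS certificate rollover). " +
           "Upload the one whose thumbprint matches the primary Token-signing certificate in AD FS."
    Write-Warning $msg
}
```

Run it on any Windows machine that has the downloaded metadata. On the ADFS server itself, Get-AdfsCertificate -CertificateType Token-Signing shows the primary certificate's thumbprint to compare with the script's output.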


 

Click Next and provide an alias name.

Click Next through the following four screens, keeping the defaults.

On the Authentication Requirements screen, select Comparison Method: Better and click Finish.

Your trusted provider setup is now almost ready.



 

Click Edit and add the Supported NameID Formats.

The option I selected is shown in the original screenshot (not reproduced here). Whatever you choose, the NameID format and the user mapping you pick here are what the ADFS claim rule has to produce later, and the NameID value has to resolve to an existing ABAP user.

The final screens of the Trusted Providers tab are shown in the original post (not reproduced here).

Now save the changes and enable the configuration.

Click OK.

The configuration is enabled now.



 

     Configure ADFS


Go to the Local Provider tab and download the metadata.

Select the All option and download.

Save the file.

Log in to your ADFS server through a remote desktop session and copy metadata.xml to the desktop of the server.

 

Open the AD FS Management tool from Control Panel\System and Security\Administrative Tools.

Navigate to Trust Relationships >> Relying Party Trusts

and

Add Relying Party Trust.



 

Click Start



Provide metadata file



 

Click OK



 

Provide a name.

Note: I prefer the SAP SID as the name.

For now I am going with the defaults on the next screen; select according to your needs.



 

Permit all users.

Note: this issuance authorization rule lets every user who can authenticate to ADFS obtain an assertion for the SAP system. Access still depends on the NameID resolving to an existing ABAP user, but if only part of the organization should reach the gateway, replace this later with a rule that permits a specific AD group.

Click Next.

Check the tabs inside; they should contain the information imported from the SAP metadata:

Identifiers
Encryption
Signature
Endpoints
Advanced


 

Click Close.

Note: Make sure the checkbox "Open the Edit Claim Rules dialog for this relying party trust when the wizard closes" is selected.

Add Rule



 

Click Next.

Create the rule that issues the Name ID claim. The outgoing name ID format and its value (for example the sAMAccountName) must match what you previously selected under "Supported NameID formats" on the SAP trusted provider.

Click Apply and OK.



 

Edit the properties of the newly created Relying Party Trust.

Go to the Advanced tab and set the Secure hash algorithm. I set it to SHA-1 here.

Note: Match this with what you selected on your ABAP system. The SAML2 trusted-provider configuration has a corresponding digest algorithm setting, and if ADFS signs with an algorithm the SAP side is not set up to verify, logon fails with a signature error. SHA-1 is deprecated for signatures; if your ABAP release supports SHA-256 for the trusted provider, configure SHA-256 on both sides instead.
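The ADFS half of the procedure above (relying party trust from the SAP metadata, the permit-all authorization rule, the Name ID claim rule and the hash algorithm) done with the ADFS PowerShell module on the ADFS server, as an added example rather than the original post's console steps. The trust name, the metadata path and the choice of the "unspecified" NameID format with sAMAccountName as the value are assumptions; the format must be one you enabled under Supported NameID Formats in SAML2.

```powershell
# Added example (not the original post's own steps): create the SAP relying party
# trust in ADFS with the ADFS PowerShell module. Run in an elevated PowerShell on
# the ADFS server. $RpName, $MetadataXml and the NameID choice are assumptions.
Import-Module ADFS

$RpName      = 'SID'                                   # the post suggests the SAP SID as the name
$MetadataXml = "$env:USERPROFILE\Desktop\metadata.xml" # Local Provider metadata downloaded from SAML2

# Issuance authorization: same effect as "Permit all users" in the wizard.
# Replace with a group-based rule if only part of AD should reach the gateway.
$AuthzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Issuance transform: sAMAccountName -> Name claim -> SAML Name ID in the
# "unspecified" format. Format and value must match what was enabled under
# Supported NameID Formats on the SAP trusted provider, and the value must
# resolve to an ABAP user (directly or via the mapping configured in SAML2).
$TransformRules = @'
@RuleName = "sAMAccountName as Name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), query = ";sAMAccountName;{0}", param = c.Value);

@RuleName = "Name as SAML Name ID (unspecified)"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
'@

# Import identifiers, endpoints and the SAP signing/encryption certificates from
# the metadata (the Identifiers/Encryption/Signature/Endpoints tabs in the console).
Add-AdfsRelyingPartyTrust -Name $RpName -MetadataFile $MetadataXml `
    -IssuanceAuthorizationRules $AuthzRules `
    -IssuanceTransformRules     $TransformRules

# "Secure hash algorithm" on the Advanced tab. This must match the SAP side:
# rsa-sha256 when the ABAP release verifies SHA-256, otherwise
# 'http://www.w3.org/2000/09/xmldsig#rsa-sha1' to match the post's SHA-1 setting.
Set-AdfsRelyingPartyTrust -TargetName $RpName `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

# Verify what was imported before testing from the browser.
$rp = Get-AdfsRelyingPartyTrust -Name $RpName
$rp | Select-Object Name, Identifier, SignatureAlgorithm, Enabled
$rp.SamlEndpoints | Select-Object Protocol, Binding, Location, Index, IsDefault
$rp.EncryptionCertificate | Select-Object Subject, Thumbprint, NotAfter
```

The Identifier shown by the last commands must equal the provider name you entered in SAML2 (the entity ID), and the Location of the SAML assertion consumer endpoint must be the HTTPS URL of the gateway; if either is wrong the SAP side will reject or never receive the response.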

 

Testing


Open the URL of your SAP WebGUI:

https://HOST:PORT/sap/bc/gui/sap/its/webgui/

Note: If you want to bypass SAML2 for a single request, append saml2=disabled to the URL as a query parameter (for example https://HOST:PORT/sap/bc/gui/sap/its/webgui/?saml2=disabled). The request then falls back to the other logon methods configured for the service, which keeps a password-based way in for administrators while the ADFS side is being debugged.

In my case the first attempt ended in the error shown in the original post (not reproduced here).

Apply SAP Note 2447142 - Error in ST program DECOMPRESS_TEXT

Test the URL again and you will be able to log in without a password.

 

Thank you for reading.

Yogesh