Skip to Content
Technical Articles
Author's profile photo Yogesh Patel

Fiori Launchpad: SSO made easy by SAML 2.0 with ADFS

Background :

I came across the situation where I need to implement SSO for Fiori launchpad. First thing came in my mind was to do through SAP NW portal since you can very easily achieve this by doing SSO between portal and Fiori. You need to configure SPNEGO on portal to make this entire thing work.

User open portal URL which redirected to Fiori launchpad. Issue with this you will have an additional portal page open which you don’t want any other users to see if you have published Fiori launchpad through your company portal or some other web page.

What tools required?

ADFS system in your organization

Fiori Gateway system

Certificate Signing Authority

How to achieve SSO through SAML?

  • Activation of SICF

First thing you need to login to SAP ABAP system/Gateway system where your Fiori Launchpad is opening from.

 

Go to transaction SICF and Activate SAML2 web service

 

Once you have this Service activated you will able to run SAP TCode: SAML2

  • HTTPS configuration on ABAP system

Before we run in to configuration make sure you have HTTPs enabled for your gateway systemand certificates are signed as below.

Create profile parameter for HTTPS as below

icm/server_port_X PROT=HTTPS,PORT=1443,TIMEOUT=600,PROCTIMEOUT=3600

Restart ICM and check you see HTTPS is enable for your system in SMICM Tcode

  • SAML configuration on ABAP/Gateway system

 

Local Provider

Simply run TCode : SAML2 and you will see screen below on your browser, what you need to do is –> Enable SAML 2.0 Support –>Create SAML 2.0 Local Provider.

Add Provider name and click next

Note: I prefer to put FQHN as provider name

 

Continue with default option on General settings screen

 

Press Finish on Service Provider Setting

 

Final Configuration of your service provider will be looking like this

Under:Identity Provider Discovery: Common Domain Cookie (CDC)

Selection Mode can be change to Automatic

This will be auto generated in TCODE: STRUST

 

      Trusted Provider

First download Metadata file from your ADFS

Link is : https://fqdn of ADFS/FederationMetadata/2007-06/FederationMetadata.xml

Note: ADFS server always access through HTTPS:// and NOT HTTP://

 

Go to Trusted Providers TAB and upload Metadata File

Click Next on screen

Provide signing certificate and click next

Note getting certificate.

Create new blank file with file type .cer

Edit file with Notepad.

 

 

Open your FederationMetadata.xml

and Copy certificate content in TXT file.

 

You can find this at the beginning of the file

Open ADFS website and export certificate and opening with notepad and copy content to text file you created

 

Final file is ready

 

Click Next and provide Alias name

Click Next on this screen

Click Next

Click Next

Click Next

Select Comparison Method: Better and click Finish

You have trusted provider setup almost ready as below

 

Click edit and add Supported NameID Formats

I have selected option as below

 

Final Screens of Trusted Providers are as below

 

Now Save changes and enable configuration

Click OK

Configuration is enabled now

 

     Configure ADFS

Go to TAB Local Provider and download MetaData

Select All option and download

 

Save the file.

 

Login to your ADFS server through remote desktop session and copy metadata.xml to desktop of server

 

Open AD FS Management tool from – Control Panel\System and Security\Administrative Tools

 

Navigate to Trusted Relationship >> Relying Party Trusts

and

Add Relying Party Trust

 

Click Start

Provide metadata file

 

Click OK

 

Provide name

Note: I prefer SAP SID name

For now I am going with defaults on next screen and you can select accordingly

 

Permit all users

 

Click Next

Check TABs inside you have information below

Identifiers
Encryption
 Signature
 Endpoints
 Advanced

 

Click Close

Note: Make sure you have checkbox selected

Add Rule

 

Click Next

 

Provide information what you previously selected under “Supported NameID formats”

 

Click Apply and OK

 

Edit newly created Relying Party Trust prperties

 

Go to Advanced TAB and change Secure hash algorithm to SHA-1

Note: Match this with what you selected on your ABAP system

 

Testing

 

Open URL of your SAP WEBGUI

https://HOST:PORT/sap/bc/gui/sap/its/webgui/

 

Note: If you want to disable SAML2 on your URL please append URL with saml2=disabled

 

Error as below

 

Apply SAP Note : 2447142 – Error in ST program DECOMPRESS_TEXT

 

Test URL again and you will able to login without password.

 

Thank you for reading.

Yogesh

Assigned Tags

      53 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Matt Fraser
      Matt Fraser

      Hi Yogesh,

      Thanks for providing all these steps; this looks fairly complex! More so than SPNEGO configuration for the Portal, anyway.

      One question I have is with regard to licensing (yeah, yeah, I know, we're not supposed to discuss licensing, blah blah blah, but I think that applies more to details of individual contracts, not generic questions). My understanding has been that to provide Single Sign-On for ABAP systems, a license for NWSSO is required, which is different from the case of using SPNEGO in Java systems (where it's "built in"). If I understood your blog correctly, you aren't using the NWSSO product at all here; you're demonstrating a native capability for SSO within the ABAP system. Is that correct? If so, what does that imply for NWSSO licensing requirements?

      Cheers,
      Matt

      Author's profile photo Yogesh Patel
      Yogesh Patel
      Blog Post Author

      Hello Matt,

      You are right. We looked in to buying SAP NW SSO 2.0 product but it was quite expensive. We do not wanted to buy that and achieve SSO on ABAP/JAVA systems.

      Since we are big shop of Microsoft we decided to go with FREE version of SSO and this is what it is. SSO with ADFS. Soon I am going to publish blog for JAVA.

      Cheers,

      Yogesh

       

      Author's profile photo Matt Fraser
      Matt Fraser

      I wrote one for Java two years ago: https://blogs.sap.com/2016/02/08/single-sign-on-for-java/

      Of course, it was based on NetWeaver 7.01, but I highlighted where things would be slightly different (easier) in NetWeaver 7.1+, so the overall process should still apply.

      Author's profile photo Yogesh Patel
      Yogesh Patel
      Blog Post Author

      Yea, I saw that but we disabled SPNEGO and use SAML 🙂

      Author's profile photo Roy Brasse
      Roy Brasse

      The SAML option is great, but only supports the Fiori Launchpad or other browser based sessions.

      How are you addressing SAP GUI, Business Client, etc. SSO?

      I agree that SAP should include the SSO license in their existing licensing model (per user) as this is a basic feature that most other vendors provide at no cost.  That's my $0.02.

      Thanks,

      Roy

       

      Author's profile photo Yogesh Patel
      Yogesh Patel
      Blog Post Author

      Hello Roy,

      Agreed with your comment  but, we have achieved all this different ways as below 🙂

      SAP GUI = SAP Note - 121178 - NT: Installation note for SSO Single Sign On  and  352295 - Microsoft Windows Single Sign-On options

      Business Object  = SSO Configuration with Active Directory SAP Business Objects 4.2 (AES Encryption)

      ABAP = ADFS

      JAVA = ADFS / SPNEGO

       

      Regards

      Yogesh

      Author's profile photo Former Member
      Former Member

      Does this handle automatic certificate rollover on ADFS?

      Author's profile photo Yogesh Patel
      Yogesh Patel
      Blog Post Author

      Sorry, I did not understand your question.

      -Yogesh

      Author's profile photo Conrad Thonger
      Conrad Thonger

      In ADFS, the signing and encryption certificates are good for a year.  Sixty days before it expires, ADFS generates a new set of certificates and sets them as secondary. Ten days before the certificate expires, ADFS will do a certificate flip where it makes the new certificate the primary and moves the old one down to secondary.

      In a number of other systems, they will have automatically have pulled down that new certificate from ADFS and when the flip happens, it’s ready to use it.

      What the original poster was asking is, does SAP have the capability to pull down the new certificate and start using it automatically in advance of the old one expiring, or do you have to manually update the certificate at least 20 days before it expires to prevent your SSO from breaking due to ADFS’ certificate switch?

      This was the very issue that happened to me today which crippled our Fiori environment for two hours until we sorted it out.

      -Conrad

      Author's profile photo Yogesh Patel
      Yogesh Patel
      Blog Post Author

      I haven't come to this situation yet but I guess you need to manually update certificate...

      Author's profile photo Thomas Müller
      Thomas Müller

      After one year, my ADFS Admin ask me, if an automatic certificate federation SAP and ADFS is now possible, like Conrad Thonger has described above?

      Thomas

      Author's profile photo Shantanu Bansal
      Shantanu Bansal

      Hi Yogesh,

      Our Fiori and S/4HANA systems are on Red Hat Linux platform. With respect to client wishes, we are researching our options for SSO.

      SAP support has informed us that due to Linux being our OS, we cannot use Kerberos based SSO for ABAP and Fiori (via SPNego or SAML2.0). In other words, out of box SSO options for SAP systems on Linux are unavailable.

      Do you think otherwise? Are you SAP application running on Windows?

      Thanks, Shantanu

      Author's profile photo Yogesh Patel
      Yogesh Patel
      Blog Post Author

      I am running my all apps on windows. I am not 100% sure about Linux but you can try to configure SAML on sandbox environment.

      Author's profile photo Shantanu Bansal
      Shantanu Bansal

      Thank you. We'll try that.

      Author's profile photo Bobby Gunawan
      Bobby Gunawan

      SAML2.0 or SPNEGO functionality are built into SAP system, independent of the OS you use.

      We're using Linux and have ran these SSO authentication for years.

       

      Author's profile photo Kumar Subramaniam
      Kumar Subramaniam

      Hi Yogesh,

      I followed your document as well to configure the SSO with ADFS and it is a great article. Thanks for  it.

      Quick question, Whenever I launch the fiori URL, it is always prompting me to enter the Windows AD user and password? I thought it should be password free when you are in the network?  Any settings that you need to make that password free?

      Thanks

      Author's profile photo Yogesh Patel
      Yogesh Patel
      Blog Post Author

      Its doing the way it should be. We have it published on our Share point web portal so its seamless for us but you are right it is taking windows username password to login because its going through AD authentication.

      -Yogesh

       

      Author's profile photo S. van Gemert
      S. van Gemert

       

      Hi Yogesh

       

      Nice job on detailing all the steps.

       

      We have setup S/4 with separate Fiori fontend server.

      For FLP I now setup saml2 and for sapgui we are using spnego.  During the setup of Enterprise Search the S/4 system is requesting spnego tokens, which are not in the request header. We are going to fix that.

       

      But what I am wondering is why not replace saml2 with spnego also for the web access? We do not have an SAP Portal that the customers access, so will probably not get that popup.

       

      Was that extra screen the only reason not to choose spnego/Kerberos?

       

      Thanks for your time and effort

       

      gr

      Sander van Gemert

      Author's profile photo Yogesh Patel
      Yogesh Patel
      Blog Post Author

      I am not sure what you mean by web access?

      -Yogesh

      Author's profile photo Bobby Gunawan
      Bobby Gunawan

      Hi Sander,

      The reason was stated on the blog.

      SAML2.0 is an option to go if you do not want to induce additional cost to your implementation, as activating SPNEGO within your system means a SAP NWSSO license.

       

      Author's profile photo zhihua Zuo
      zhihua Zuo

      Hi Yogesh,

      Great work and very detailed.

      Really appreciate it.

      I have a question, does this solution support Fiori use scenario with SAP Fiori Client, which is a mobile app delivered by SAP itself.

      Many thanks.

      zhihua

      Author's profile photo Yogesh Patel
      Yogesh Patel
      Blog Post Author

      Hi zhihua,

      Sorry but I have not tested it so I do not know its going to work or not. You can give it try and share results with community.

      -Yogesh

      Author's profile photo Former Member
      Former Member

      Hi Yogesh,

      First off, thanks for the well documented steps for both JAVA and Fiori Launchpad SAML2 configuration with ADFS.
      I have a scenario to configure SSO for Fiori and EP where the AD user IDs are completely different from the SAP user ids. Also the AD users are from three different domains.
      And after going through various documents and your blog, what I understood is that the basic configuration remains same, but the claim configuration at ADFS side and SAP side will need to be configured accordingly. Could you please confirm if my understanding is correct and also what attributes I can use to attain SSO for EP and Fiori.

      Regards,
      Harsh

      Author's profile photo Michael Walker
      Michael Walker

      How can I let a user deactivate the SSO on the launchpad so that they can log in as someone else?  For security role testing for instance?

      Author's profile photo Yogesh Patel
      Yogesh Patel

      Add below at the end of your URL saml2=disabled

      Author's profile photo Module EAI
      Module EAI

      Hi Yogesh,

      This is really nice.

      Can I have a question?

      You said "First download Metadata file from your ADFS".

      Is the Metadata file has SAP's login ID?

       

      Many thanks.

       

      Dong Woo

      Author's profile photo Yogesh Patel
      Yogesh Patel
      Blog Post Author

      No, Metadata file has some certificates and other AD-related information.

      -Yogesh

      Author's profile photo Module EAI
      Module EAI

      Thank you for replying.

      One more question, when we call https://host:port/sap/bc/gui/sap/its/webgui, we need to put AD's ID/PW.

      Could you give me more help?

       

      Many thanks.

      Author's profile photo Yogesh Patel
      Yogesh Patel
      Blog Post Author

      Hi,

      It should not ask for it if your computer is in domain and user on it log in with domain credentials

      -Yogesh

      Author's profile photo Bobby Gunawan
      Bobby Gunawan

      Hi Module,

       

      webgui (SAPGUI for HTML) differs from fiori launchpad.

      For that, you need configuration in different areas.

      There's a specific blog for that.

      Author's profile photo Roongkiat Kerdlapphon
      Roongkiat Kerdlapphon

      Hi Yogesh

      Thanks for sharing. Could you please share step for setup user mapping between AD and SAP? I logon AD with user abc@test.com but on SAP my user ID is xyz.

      Best Regards,

      W.

      Author's profile photo Yogesh Patel
      Yogesh Patel
      Blog Post Author

      You need to set up an Alias on SAP user account but frankly speaking, I never tried this ...

      -Yogesh

      Author's profile photo B. Wiegers
      B. Wiegers

      Hi,

      There is an mapping table USREXTID for that.

      See: https://help.sap.com/saphelp_nw73/helpdata/en/b3/56e39da6e1a3438b42c29c6b2da17b/frameset.htm

      For this to work you need also change the User ID Mapping Mode to: 'Mapping in USREXTID table, type SA'

      The User ID Mapping Mode is under Trusted Providers - Identity Federation.

      I have succesfully implemented this at our site.

      Succes

      Bart

       

      Author's profile photo Roongkiat Kerdlapphon
      Roongkiat Kerdlapphon

      Dear Yogesh and Bart

       

      Thank you for kindly help. Now I can mapping user between ADFS and SAP.

       

      Best Regards,

      Roongkiat

      Author's profile photo Sreekanth S
      Sreekanth S

      Hi Yogesh,

       

      We have configured sap Fiori SSO with adfs.

       

      When we try to open sap fiori url , it is prompting to enter ad/adfs credentials after that again it is prompting to enter sap Fiori system credentials.

      Could you please let me know where we are missing.

       

      Regards

      Sreekanth

       

      Author's profile photo Yogesh Patel
      Yogesh Patel
      Blog Post Author

      Seems configuration issue under Supported NameID Formats.

      -Yogesh

      Author's profile photo Renan Ceguinato
      Renan Ceguinato

      Yogesh Patel I understood your blog. I have a question about handling redirection login, in this case, How can i reach redirect login AD and SU01? Example: SU01 (until 12 characters: RCRR) > AD (renan.ceguinato) through SAML 2.0?

      Author's profile photo Yogesh Patel
      Yogesh Patel
      Blog Post Author

      You need an alias setup on SAP ID

      -Yogesh

       

      Author's profile photo Saba Sheikh
      Saba Sheikh

      Hello Yogesh,

       

      Your blog's super helpful ! Thanks 🙂

       

      We've setup stuff as described here...however, we see one anomaly:

      The first attempt prompts us for Windows (AD) credentials.

      After entering these, it goes in an infinite loop & ends up with a redirect error.

      The second time when the URL is used in the same browser, SSO works fine (without a prompt for Windows credentials).

      It picks up credentials from the cache & everything's Ok.

       

      Any idea what could be amiss ?

      Please advise...

       

      Thanks a lot !

      saba.

      Author's profile photo Yogesh Patel
      Yogesh Patel
      Blog Post Author

      Hello Saba Sheikh,

      This is something unexpected to see. Are you logged in to a computer with same AD username and password?

      -Yogesh

      Author's profile photo Saba Sheikh
      Saba Sheikh

      Hi Yogesh,

       

      Yes, I'm logged in with the same AD creds.

      Attempt 1: There is a SAML Outgoing Authentication Request without a Response 

      Attempt 2: SAML Outgoing Authentication Request with an Incoming Response

      We're not sure why the ADFS does not respond the first time...

       

      With a populated cache, (second attempt) everything's fine.

       

      Thanks a lot !

      saba.

      Author's profile photo Yogesh Patel
      Yogesh Patel
      Blog Post Author

      Hello Saba Sheikh

      What is endpoint configuration?

      POST or Redirect?

      -Yogesh

      Author's profile photo Saba Sheikh
      Saba Sheikh

      Hi !

       

      Its Redirect.

       

      Thanks !

      Author's profile photo Asif Pasha Shaik
      Asif Pasha Shaik

      Hi Yogesh,

      Thank you for the article. We have ADFS with our client as idP. So we can implement SSO for gateway server.

       

      Can we do SSO for mobile access as well same away. Could you please help.

       

      Author's profile photo Javier Iribarne
      Javier Iribarne

      Hi Yogesh

      Thanks for this post.

      I have doubts regarding to manipulating file cert steps.

       

      Is not clear for me how do you créate ADFS_Cert.cer file. You say:

       

      Step 1 - créate a blank file named ADFS_Cert.cer.

      Here you wrote "file type .crt". So, that's wrong?  The correct will be  .cer  right?

       

      Step2 .- Opening FederationMetadata.xml

      The interesting piece of this file is the certificate , I mean, the characters between "<X509Certificate>" and "</X509Certificate>".   Right?

      So this piece, we have to copy into blank file created before, right?

       

      Step 3 Open ebsite and export certificate

      Here we have to go into ADFS, export the certificate, into another temporal file??

      And then we have to append this temporal content to file of last step?

       

      Step 4- Final file

       

      so, the final file, named ADFS_Cert.cer Will be composend of two contents parts? firt one, the certificate extracted from metadata, and second one the certificate exported from ADFS website?

       

      Thanks and regards

      Javier

       

       

      Author's profile photo Yogesh Patel
      Yogesh Patel
      Blog Post Author

      Yes that is correct.

      -Yogesh

      Author's profile photo sudhir kumar
      sudhir kumar

      Hi Yogesh,

      I have done the SSO configuration with ADFS by SAML2.0 but after entering the Launchpad URL it redirects to ADFS with error like

      •Error details: Invalid URI: The format of the URI could not be determined.

      Thank You,

      Sudhir

      Author's profile photo Stive Marlin L
      Stive Marlin L

      Hola Yogest

      He seguido todos los pasos del Manual y funciona todo muy bien excepto para cuando finaliza la sesión , simplemente me sale que finalizo la sesión pero no envía de vuelta al ADFS ojala me puedas ayudar con eso

      Gracias SAludos

      Author's profile photo Pablo Marichal
      Pablo Marichal

      Hi Yogesh Patel thanks for this excellent post, very carefully explained in all the steps. I've implemented this scenario  (ADFS/S/4HANA1909) without any problems multiple times.

      Right now I have a client that his platform is Ubuntu + Windows + OpenLDAP + S/4HANA1909 and he wants to implements the same authentication scenario. Do you think at first sight that it can be achieved? Some thoughts about this?

      I read the answer you gave to Shantanu Bansal  in that opportunity he had a similar problem. I don't know if he went further with his implementation of the suggested sandbox and if he tried to accomplish the SAML authentication in Linux Red Hat without the assitance of any products of third parties making of use the SAP/Windows provided.

      Thanks in advance for your reply, any clue would be very appreciated and help me a lot.

      Kind regards.

       

       

      Author's profile photo Kenneth Monge
      Kenneth Monge

      Hi

      I have a problem when I use the Web Dispatcher, outside the domain, the ADFS asks for the credential and then redirects me to fiori, but with the URL of the ABAP System (fiori hostname) and not the Web Dispatcher, here is the error, because I do not I am in internal net.

      How can I change this? The ADFS has to redirect to the URL of the Web Dispatcher, right?

       

      Regards.

      Author's profile photo Lutz Rottmann
      Lutz Rottmann

      Kenneth Monge , you should better ask this as a question.

      Use the Web Dispatcher hostname for the SAML2 configuration UI when exporting Service Provider metadata from your ABAP-System. Then the URLs included in metadata will be correct. Import correct metadata to ADFS.

      Regards, Lutz

      Author's profile photo Yogesh Patel
      Yogesh Patel
      Blog Post Author

      This is Correct!

      Author's profile photo Huy Nguyen Cong
      Huy Nguyen Cong

      Hi Yogesh Patel

      Thanks for this post. I am having an issue with setting up SSO with ADFS for SAP Fiori Launchpad. I get the below error:

      CX_SAML20_CORE: The validation of message 'Response' failed. Long text: The validation of message 'Response' failed.
      Caused by: CX_SAML20_CORE: Error in ST program SAML2_ASSERTION when importing XML data
      Caused by: CX_SEC_SXML_ERROR: In SSF function SSFPSE_PARAMETER, error value 0 occurred at CL_SEC_SXML_XENCRYPTION->DECRYPT(Line 35)

      Any idea what could be wrong ?

      Thank you,