Single Sign-On (SAML2) Configuration for SAP FIORI Application.
In this blog we explain how to enable SAML 2.0 single sign-on for SAP Fiori applications. It covers the SSO setup of the Fiori Launchpad (the service provider) with Microsoft Azure AD as the identity provider (IdP).
The SAP Basis team coordinates with the ADFS team for all IdP-related activities. Below are the high-level activities that need to be performed.
| S.No | Description | Owner of the Activity |
|---|---|---|
| 1 | Service Provider Configuration (SAP FIORI) | SAP BASIS |
| 1.1 | Activate the SAML2 SICF services | SAP BASIS |
| 1.2 | Enable SAML 2.0 Local Provider settings | SAP BASIS |
| 1.3 | Download the Service Provider metadata file | SAP BASIS |
| 1.4 | Export the SAML2 certificate (STRUST) of the Service Provider (SP) | SAP BASIS |
| 2 | Identity Provider (Microsoft Azure) Configuration | ADFS Team |
| 2.1 | Import the Service Provider (SP) metadata file into the IdP | SAP BASIS |
| 2.2 | Set up the user attributes and claim rules | SAP BASIS |
| 2.3 | Download the Federation Metadata XML and IdP certificate | SAP BASIS |
| 2.4 | Upload the Federation Metadata XML and IdP certificate into the Service Provider | SAP BASIS |
| 3 | Test SAML authentication using the SAP Fiori Launchpad | SAP BASIS |
Before proceeding with the configuration, we need to look at the architecture and understand the scenario.
Below are the details of the environment on which we implemented it.
Service Provider (SP) – NetWeaver 7.40 SP19 (SAP FIORI Application).
Application details – the SAP Fiori Launchpad is accessed from browsers (IE, Chrome etc.) over the internet and also from mobile devices.
Identity Provider (IDP) – Microsoft Azure.
1. Service Provider Configuration (SAP FIORI).
1.1 Activate the SAML2 SICF Services.
Log on to the SAP system, go to transaction SICF and activate all SAML2-related services (at least /sap/public/bc/sec/saml2, the SAML endpoint, and /sap/bc/webdynpro/sap/saml2, the configuration UI used in the next step).
1.2 Enable SAML 2.0 Local Provider Settings.
Once the services are activated, execute transaction SAML2.
The Local Provider configuration screen appears.
Select Create SAML 2.0 Local Provider.
Enter a name that identifies this local provider configuration. We recommend the naming pattern
https://<sid><client>
so that the system can be identified easily when several SAP Fiori applications are registered in Azure AD. Note that this name becomes the SP entity ID and is the Audience the IdP puts into its assertions.
Click on next.
Keep the default values and proceed with the next steps.
Go to Identity Provider Discovery: Common Domain Cookie (CDC).
Choose Selection Mode "Manual".
With selection mode "Automatic" the user is not asked to select an authentication provider; the default provider is selected automatically.
Click Finish.
After the wizard finishes, the SAML 2.0 status is Disabled by default, so enable it.
1.3 Download Service Provider Metadata file.
On the Local Provider tab, click Metadata and save the metadata file to your local machine.
This metadata file must be imported into the identity provider (Azure AD). It contains the SP entity ID, the assertion consumer URL and the SP certificate.
1.4 Export SAML2 Certificate (STRUST) in Service Provider (SP).
Export the SAML2 service provider certificate in transaction STRUST:
go to the SSF SAML2 Service Provider PSE and export the certificate.
The same certificate is already embedded in the SP metadata file downloaded in step 1.3, so this separate export is only needed if the IdP team asks for the certificate as a file.
2.Identity Provider (Microsoft Azure) Configuration.
Go to the Azure Portal.
Select Azure Active Directory.
Go to Enterprise Applications.
Create a new application (e.g. SAP FIORI).
As the single sign-on method, choose SAML.
2.1 Importing Service Provider (SP) Metadata file into IDP.
On the Set up Single Sign-On with SAML page, select Edit to open the Basic SAML Configuration pane.
In the Basic SAML Configuration section, complete the following steps.
Select the Upload metadata file option and upload the metadata file downloaded from the service provider (SAP Fiori).
When the metadata file is uploaded successfully, the Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) values are
populated automatically from the metadata.
In the Sign on URL box, enter the Fiori Launchpad URL of the system (in our case the PRD alias URL).
2.2 Setup the User attributes and Claim rules.
The SAP Fiori application expects the SAML assertions in a specific format. Configure the following claims for this application: on the Set up Single Sign-On with SAML page, select Edit in the User Attributes & Claims section.
In the Unique User Identifier (Name ID) claim:
set the Name Identifier Format to Unspecified, and
set the Source Attribute to user.onpremisessamaccountname.
The value of this NameID claim is what the ABAP system later matches against the SU01 logon ID (step 2.4), so it must be the on-premises account name and not the UPN or e-mail address.
2.3 Download the Federation Metadata XML and IdP Certificate.
On the Set up Single Sign-On with SAML page, go to the SAML Signing Certificate section and
download the Federation Metadata XML and the Certificate (Base64).
This metadata file and certificate are imported into the service provider in the next step.
2.4 Upload the Federation Metadata XML and IdP Certificate into the Service Provider.
Go back to the service provider and open transaction SAML2.
On the Trusted Providers tab, add a trusted provider and upload the IdP metadata file.
On the next page, upload the IdP certificate.
Here an alias (name) for the IdP can be entered.
On the following screens we kept all options at their defaults.
Click Continue through the remaining screens with the default values and finish.
Under Authentication Requirements, set the Comparison Method to Better.
In the next step, under Supported NameID Formats, add NameID format Unspecified.
In the Identity Federation settings for this format, set the User ID Mapping Mode to Logon ID, i.e. the NameID value sent by Azure AD (the on-premises account name from step 2.2) must match the SU01 user name.
After all settings are done, enable the Azure IdP in the Trusted Providers list.
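To see what the trusted-provider settings of step 2.4 (NameID format Unspecified, user ID mapping mode Logon ID) and the claim configuration of step 2.2 actually require of an assertion, the following added example (not SAP code) applies the same checks to a SAML assertion: it reads the NameID and its Format, verifies the Audience against the local provider name chosen in step 1.2 and the Recipient against the SP assertion consumer URL, and then maps the NameID to an SU01 logon ID. The assertion, the hostnames, the SID and the user list are constructed; the upper-casing of the NameID before the SU01 lookup is an assumption of this example based on ABAP user names being stored in upper case.

```python
"""Check a SAML assertion the way the trusted-provider settings of step 2.4
will: NameID format 'unspecified', user ID mapping mode 'Logon ID', plus the
Audience and Recipient the ABAP service provider verifies.  Added example
for this post, not SAP code.  Assertion, hostnames and user list are constructed."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Local provider name from step 1.2 (https://<sid><client>) and the assertion
# consumer URL of the SP; SID, client and hostname are placeholders.
SP_ENTITY_ID = "https://prd100"
SP_ACS_URL = "https://fiori.example.com/sap/saml2/sp/acs/100"

# Constructed stand-in for the SU01 user base; ABAP logon IDs are upper-case.
SU01_USERS = {"JDOE", "ASMITH"}


def constructed_assertion(name_id, fmt=UNSPECIFIED, audience=SP_ENTITY_ID, recipient=SP_ACS_URL):
    """Build a minimal (unsigned) assertion shaped like an Azure AD one; test input only."""
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_c1">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="{fmt}">{name_id}</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="{recipient}" NotOnOrAfter="2030-01-01T00:00:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def map_to_logon_id(assertion_xml, sp_entity_id=SP_ENTITY_ID, sp_acs_url=SP_ACS_URL, users=SU01_USERS):
    """Return (logon_id, problems); logon_id is None whenever a problem would make the SP reject the logon."""
    root = ET.fromstring(assertion_xml)
    problems = []
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        return None, ["no NameID in the assertion: check the Name Identifier claim (step 2.2)"]
    fmt = name_id.get("Format", UNSPECIFIED)
    if fmt != UNSPECIFIED:
        problems.append(f"NameID Format is {fmt}; the trusted provider expects unspecified (step 2.4)")
    audiences = [a.text for a in root.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append(f"Audience {audiences} does not name the local provider {sp_entity_id}")
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != sp_acs_url:
        problems.append("Recipient does not match the SP assertion consumer URL "
                        "(typically the backend host was used instead of the public one)")
    # Logon ID mode compares the NameID value with the SU01 user name; upper-casing
    # mirrors how ABAP stores user names (assumption of this example).
    logon_id = name_id.text.strip().upper()
    if "@" in logon_id:
        problems.append("NameID is a UPN/e-mail; the source attribute should be user.onpremisessamaccountname")
    if logon_id not in users:
        problems.append(f"no SU01 user {logon_id}; Logon ID mapping would fail")
    return (logon_id if not problems else None), problems


if __name__ == "__main__":
    for xml in (constructed_assertion("jdoe"),
                constructed_assertion("jdoe@example.com", fmt=EMAIL_FMT),
                constructed_assertion("jdoe", recipient="https://sapprd.internal:44300/sap/saml2/sp/acs/100")):
        print(map_to_logon_id(xml))
```

The three sample runs correspond to a working setup, a claim misconfigured to send the e-mail address, and an assertion addressed to the backend hostname instead of the public one; the last two are rejected before any user lookup happens, which is why checking Audience and Recipient first saves time when diagnosing a failed logon.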
3. Testing SAML Authentication Using SAP Fiori Launchpad.
Open a browser and enter the Fiori Launchpad URL:
https://<host>:<port>/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html?sap-client=<client>&sap-language=EN
(use the HTTPS port; the SAML assertion is posted back to this host, and the local provider name in step 1.2 is an https URL as well).
You should be redirected to Azure AD and then logged on to the Fiori Launchpad without entering a password.
To trace SAML2-related issues, activate the security diagnostic tool in the ABAP system and open it with the following URL in a browser:
http(s)://<host>:<port>/sap/bc/webdynpro/sap/sec_diag_tool?sap-client=<XXX>
Vijay, thanks for sharing your experience.
Will SSO work with the Fiori client on Windows 10? I installed this configuration (ADFS running on Windows Server, not Azure) and the Fiori client always makes a request (pops up for user and password credentials) to the ADFS server first. But any browser with the Fiori Launchpad has SSO authorization without problems.
Do you have the SAP KB or SAP Guide as reference for this Configuration?
I looked for it but not luck so far.
2978838 - How to configure SAML2 with SAP Fiori Launchpad using Azure
Hi Vijay Bhaskar Reddy
How are you, my name is Fabio.
We need to know whether, after completing all this configuration in Azure AD and in SAP, we have to download a certificate and install it on the user's computer before the user is able to log on to SAP Fiori.
Is access validation performed via the user configured in Azure AD who is logged on to the machine, or is it necessary to install a certificate on the user's computer?
I'll wait for your comments.
I have a problem when I use the Web Dispatcher from outside the domain: ADFS asks for the credentials and then redirects me to Fiori, but with the URL of the ABAP system (the Fiori hostname) and not that of the Web Dispatcher. This gives an error, because I am not on the internal network.
How can I change this? ADFS has to redirect to the URL of the Web Dispatcher, right?
I am a Java person, and I am trying to understand the way cookies are working.
After SAML authentication, the session cookie will get generated, isn't it?
Can we set the root domain for the session cookies?
For example, Let me say the Fiori is hosted in the abc.xyz.com and I would like to have the session cookies set to .xyz.com so that other application runs with the .xyz.com can have visibility of the session cookies.
Thanks and Regards,
Hello Vijay Bhaskar Reddy,
Thanks for the very good article. I see in the above steps you export the certificate in STRUST (step 1.4). Where do I use that exported certificate?
The certificate is exported along with the XML file, so there is no need to export the certificate from STRUST. You just download the XML file in transaction SAML2 and send it to the Azure team to set up the configuration on their end.
ok thank you very much for the guide. Is there a possibility to map user assertion with SNC name in SAP (SU01) and not with LOGON ID ?
How do I connect BTP via Cloud Connector with SAML2?
Thanks for this article, it worked well for me.
But how can we avoid the initial password change prompt when creating dialog users?
You can setup the profile parameter to ignore the initial password of dialog users .