As part this blog, we would like to explain how to configure " SAML2 enable for SAP FIORI Applications". This will cover Single Sign-On (SAML2) setup for FIORI Launchpad using Microsoft Azure (IDP).
SAP Basis team will co-ordinate with ADFS team to perform all required IDP related activities. Below are the high level activities that needs to performed.
Before proceeding with the configuration part, we need to look at the architecture and understand the scenario.
Below are the environment details on which we implemented.
Service Provider (SP) - NetWeaver 7.40 SP19 (SAP FIORI Application).
Application details - SAP FIORI Launchpad will be accessed using browsers (IE, Chrome etc) via internet and also supports Mobile devices.
Identity Provider (IDP) – Microsoft Azure.
1.Service Provider Configuration (SAP FIORI).
1.1 Activate the SAML2 SICF Services.
Logon to the SAP System -- > Go to SICF Services and Enable all SAML2 Related Services.
/sap/public/bc
/sap/public/bc/ur
/sap/bc/webdynpro/sap/saml2
1.2 Enable SAML 2.0 Local Provider Settings.
Once the service has been activated, execute the t-code: SAML2.
we would see the following screen as below.
Select Create SAML 2.0 Local Provider.
Now enter a name that represent the Local Provider Configuration.
We recommend the provider name syntax as below.
https://<sid><client>; so that we can easily identify when we setup multiple SAP FIORI Applications in Azure AD.
Click on next.
keep the values as default and proceed with the next steps.
Go to Identity Provider Discovery: Common Domain cookie (CDC)
Chose Selection mode as Manual.
By Selecting Mode "Automatic", user will not be asked to select the
default authentication provider. It will be selected automatically.
Click on Finish button and proceed with the next steps.
After finishing the setup SAML2 status is disabled by default, so we should enable it.
1.3 Download Service Provider Metadata file.
After download the metadata file a Go to Local Provider à Click on Metadata file and Save it into local machine.
This metadata file must be imported into Identity provider (IDP) server (Azure AD)
1.4 Export SAML2 Certificate (STRUST) in Service Provider (SP).
Export the SAML2 Service Provider certificate in T-code: STRUST
Go to SSF SAML2 Service Provider – Export the certificate.
2.Identity Provider (Microsoft Azure) Configuration.
Go to Azure Portal
https://portal.azure.com
Select Azure Active Directory.
Go to Enterprise Application.
Create a new Application (e.g SAP FIORI).
Here we have to choose SAML.
2.1 Importing Service Provider (SP) Metadata file into IDP.
In the Setup Single Sign-On with SAML page, select edit to open the Basic SAML Configuration page.
In the Basic SAML Configuration section, we have to complete the below steps.
Select Upload metadata file option and upload the metadata file which we downloaded from the Service Provider (SAP FIORI).
When the metadata file is successfully uploaded, the Identifier and Reply URL values are
automatically populated in the Basic SAML Configuration pane.
In the Signon URL box, enter the below FIORI PRD Alias URL.
2.2 Setup the User attributes and Claim rules.
The SAP Fiori application expects the SAML assertions to be in a specific format. Configure the following claims for this application. To manage these attribute values, in the Setup Single SignOn with SAML page, select Edit.
In the below Screen.
Set the Name Identifier Format is Unspecified.
Source Attribute is User.onpremisessamaccountname
2.3 Download the Federation Metadata XML and IdP Certificate.
In the Setup Single Sign-On with SAML page, goto SAML Signing Certificate section,
select the Federation Metadata XML and Certificate (Base 64).
This Metadata file and Certificate can be used for import into Service Provider.
2.4Upload the Federation Metadata XML and IDP Certificate into Service Provider.
Go Back to Service Provider and Open SAML2 page.
Click on Trusted Providers and upload IDP Metadata file.
Enter the next page, we have to upload IDP certificate.
Here we can enter IDP Name.
In the below screen, we kept all the options as default.
Click on continue and put all the options as default and finish.
In the below screen we have to choose the Comparison method as Better.
Go to next step, we have to choose NameID Formats as Unspecified.
In the below screen, User ID Mapping mode is Logon ID in Identity Federation.
After done all the settings and we enabled Azure IDP in the Trusted Provider
3.0Testing SAML Authentication Using SAP Fiori launchpad.
Open the browser and enter below FIORI launchpad URL.
http://hostname:port//sap/bc/ui5_ui5/ui2/ushell/shells/abap/Fiorilaunchpad.html ?sap-client=&sap-language=EN FioriLaunchpad
You should be logged on to the FIORI Portal without having to enter the password.
Troubleshooting steps.
In order to trace SAML2 related issues, activate security Diagnostic tool in ABAP system and access by using following URL:
http(s)://<host>:<port>/sap/bc/webdynpro/sap/sec_diag_tool?sap-client=<XXX> in a browser
https://FQDN/sap/bc/webdynpro/sap/sec_diag_tool
SAP Basis team will co-ordinate with ADFS team to perform all required IDP related activities. Below are the high level activities that needs to performed.
| S.No | Description | Owner of the Activity |
| 1 | Service Provider Configuration (SAP FIORI) | SAP BASIS |
| 1.1 | Activate the SAML2 SICF Services. | SAP BASIS |
| 1.2 | Enable SAML 2.0 Local Provider Settings. | SAP BASIS |
| 1.3 | Download Service Provider Metadata file | SAP BASIS |
| 1.4 | Export SAML2 Certificate (STRUST) in Service Provider (SP). | SAP BASIS |
| 2 | Identity Provider (Microsoft Azure) Configuration. | ADFS Team |
| 2.1 | Uploaded the IDP Metadata XML and IDP Certificate into Service Provider. | SAP BASIS |
| 2.2 | Setup the User attributes and Claim rules. | SAP BASIS |
| 2.3 | Download the Federation Metadata XML and IdP Certificate. | SAP BASIS |
| 2.4 | Upload the Federation Metadata XML and IDP Certificate into Service Provider. | SAP BASIS |
| 3 | Testing SAML Authentication Using SAP Fiori launchpad. | SAP BASIS |
Before proceeding with the configuration part, we need to look at the architecture and understand the scenario.
Below are the environment details on which we implemented.
Service Provider (SP) - NetWeaver 7.40 SP19 (SAP FIORI Application).
Application details - SAP FIORI Launchpad will be accessed using browsers (IE, Chrome etc) via internet and also supports Mobile devices.
Identity Provider (IDP) – Microsoft Azure.
1.Service Provider Configuration (SAP FIORI).
1.1 Activate the SAML2 SICF Services.
Logon to the SAP System -- > Go to SICF Services and Enable all SAML2 Related Services.
/sap/public/bc
/sap/public/bc/ur
/sap/bc/webdynpro/sap/saml2
1.2 Enable SAML 2.0 Local Provider Settings.
Once the service has been activated, execute the t-code: SAML2.
we would see the following screen as below.
Select Create SAML 2.0 Local Provider.
Now enter a name that represent the Local Provider Configuration.
We recommend the provider name syntax as below.
https://<sid><client>; so that we can easily identify when we setup multiple SAP FIORI Applications in Azure AD.
Click on next.
keep the values as default and proceed with the next steps.
Go to Identity Provider Discovery: Common Domain cookie (CDC)
Chose Selection mode as Manual.
By Selecting Mode "Automatic", user will not be asked to select the
default authentication provider. It will be selected automatically.
Click on Finish button and proceed with the next steps.
After finishing the setup SAML2 status is disabled by default, so we should enable it.
1.3 Download Service Provider Metadata file.
After download the metadata file a Go to Local Provider à Click on Metadata file and Save it into local machine.
This metadata file must be imported into Identity provider (IDP) server (Azure AD)
1.4 Export SAML2 Certificate (STRUST) in Service Provider (SP).
Export the SAML2 Service Provider certificate in T-code: STRUST
Go to SSF SAML2 Service Provider – Export the certificate.
2.Identity Provider (Microsoft Azure) Configuration.
Go to Azure Portal
https://portal.azure.com
Select Azure Active Directory.
Go to Enterprise Application.
Create a new Application (e.g SAP FIORI).
Here we have to choose SAML.
2.1 Importing Service Provider (SP) Metadata file into IDP.
In the Setup Single Sign-On with SAML page, select edit to open the Basic SAML Configuration page.
In the Basic SAML Configuration section, we have to complete the below steps.
Select Upload metadata file option and upload the metadata file which we downloaded from the Service Provider (SAP FIORI).
When the metadata file is successfully uploaded, the Identifier and Reply URL values are
automatically populated in the Basic SAML Configuration pane.
In the Signon URL box, enter the below FIORI PRD Alias URL.
2.2 Setup the User attributes and Claim rules.
The SAP Fiori application expects the SAML assertions to be in a specific format. Configure the following claims for this application. To manage these attribute values, in the Setup Single SignOn with SAML page, select Edit.
In the below Screen.
Set the Name Identifier Format is Unspecified.
Source Attribute is User.onpremisessamaccountname
2.3 Download the Federation Metadata XML and IdP Certificate.
In the Setup Single Sign-On with SAML page, goto SAML Signing Certificate section,
select the Federation Metadata XML and Certificate (Base 64).
This Metadata file and Certificate can be used for import into Service Provider.
2.4Upload the Federation Metadata XML and IDP Certificate into Service Provider.
Go Back to Service Provider and Open SAML2 page.
Click on Trusted Providers and upload IDP Metadata file.
Enter the next page, we have to upload IDP certificate.
Here we can enter IDP Name.
In the below screen, we kept all the options as default.
Click on continue and put all the options as default and finish.
In the below screen we have to choose the Comparison method as Better.
Go to next step, we have to choose NameID Formats as Unspecified.
In the below screen, User ID Mapping mode is Logon ID in Identity Federation.
After done all the settings and we enabled Azure IDP in the Trusted Provider
3.0Testing SAML Authentication Using SAP Fiori launchpad.
Open the browser and enter below FIORI launchpad URL.
http://hostname:port//sap/bc/ui5_ui5/ui2/ushell/shells/abap/Fiorilaunchpad.html ?sap-client=&sap-language=EN FioriLaunchpad
You should be logged on to the FIORI Portal without having to enter the password.
Troubleshooting steps.
In order to trace SAML2 related issues, activate security Diagnostic tool in ABAP system and access by using following URL:
http(s)://<host>:<port>/sap/bc/webdynpro/sap/sec_diag_tool?sap-client=<XXX> in a browser
https://FQDN/sap/bc/webdynpro/sap/sec_diag_tool
- SAP Managed Tags:
12 Comments
