Vijay Bhaskar Reddy

Single Sign-On (SAML2) Configuration for SAP FIORI Application.

In this blog we explain how to enable SAML2 for SAP FIORI applications. It covers the Single Sign-On (SAML2) setup for the FIORI Launchpad with Microsoft Azure AD as the identity provider (IdP).

The SAP Basis team coordinates with the ADFS (Azure AD) team, which performs the IdP-side activities. The high-level activities that need to be performed, and who owns each of them, are listed below.

S.No   Description                                                            Owner of the Activity
1      Service Provider Configuration (SAP FIORI)                             SAP BASIS
1.1    Activate the SAML2 SICF services                                       SAP BASIS
1.2    Enable SAML 2.0 Local Provider settings                                SAP BASIS
1.3    Download the Service Provider metadata file                            SAP BASIS
1.4    Export the SAML2 certificate (STRUST) from the Service Provider (SP)   SAP BASIS
2      Identity Provider (Microsoft Azure) Configuration                      ADFS Team
2.1    Import the Service Provider (SP) metadata file into the IdP            SAP BASIS
2.2    Set up the user attributes and claim rules                             SAP BASIS
2.3    Download the Federation Metadata XML and IdP certificate               SAP BASIS
2.4    Upload the Federation Metadata XML and IdP certificate into the SP     SAP BASIS
3      Test SAML authentication using the SAP Fiori launchpad                 SAP BASIS


Before proceeding with the configuration part, we need to look at the architecture and understand the scenario.

Below are the details of the environment on which this was implemented.

Service Provider (SP) – NetWeaver 7.40 SP19 (SAP FIORI application).

Application details – the SAP FIORI Launchpad is accessed with browsers (IE, Chrome, etc.) over the internet and also from mobile devices.

Identity Provider (IdP) – Microsoft Azure AD.

1. Service Provider Configuration (SAP FIORI)

1.1 Activate the SAML2 SICF Services.

Log on to the SAP system, go to transaction SICF and activate all SAML2-related services: under /default_host/sap/public/bc/sec/ the nodes saml2 and cdc_ext_service, and /default_host/sap/bc/webdynpro/sap/saml2 for the SAML2 administration UI used in the next step.





1.2 Enable SAML 2.0 Local Provider Settings.

Once the services have been activated, run transaction SAML2. The SAML 2.0 configuration screen appears.



Select Create SAML 2.0 Local Provider.

Enter a name for the local provider configuration. This name becomes the SP entity ID (the entityID in the metadata and the Identifier in Azure AD), so choose it before the metadata is exchanged; changing it later means repeating the metadata exchange with the IdP.

We recommend the naming convention https://<sid><client>, so that each SAP FIORI application can be identified easily when several of them are set up in Azure AD.

Click on next.


Keep the default values and proceed to the next step.

Under Identity Provider Discovery, Common Domain Cookie (CDC), choose the Selection Mode Manual.

With the mode Automatic the user is not asked to choose an authentication provider; the default provider is selected automatically.

Click on Finish button and proceed with the next steps.

After the wizard finishes, the SAML 2.0 status is Disabled by default, so enable it.


1.3 Download Service Provider Metadata file.

Go to Local Provider, choose Metadata and save the metadata file to your local machine.

This metadata file must be imported into the identity provider (Azure AD). It carries the SP entity ID, the assertion consumer service (ACS) URLs and the SP certificate. Check the ACS URL host before sending it: after authentication the IdP redirects the browser to exactly that host, so if users reach the launchpad through a Web Dispatcher or reverse proxy the metadata must contain the external host name; otherwise, as one of the comments below describes, users outside the internal network are redirected to the unreachable ABAP host.
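As an added example (not part of the original post), the following Python script parses an SP metadata file of this kind and reports what is worth checking before handing it to the IdP team: the entity ID, the ACS URLs and their host, whether the SP demands signed assertions, the NameID formats and the SHA-256 fingerprint of the embedded certificate (to compare with what STRUST shows). The metadata embedded in it is constructed for the example; the entity ID https://FP1100, the host names and the certificate body are placeholders, not values from the post.

```python
"""Sanity-check an SAP SAML 2.0 service-provider (SP) metadata file.

Added example, not from the original post. The metadata below is constructed:
entity ID, host names and the certificate body are placeholders.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample in the shape of what transaction SAML2 exports. The ACS
# URLs point at the ABAP host itself, which is wrong if users come in through
# a Web Dispatcher (see check_sp_metadata). "AAAA" stands in for a base64 DER
# certificate.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://FP1100">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>AAAA</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://fiori-abap.internal.example:44300/sap/saml2/sp/acs/100"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://fiori-abap.internal.example:44300/sap/saml2/sp/acs/100"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text):
    """Pull the fields the IdP admin (and you) care about out of SP metadata."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    certs = sp.findall("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {
        "entity_id": root.get("entityID"),
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "nameid_formats": [e.text.strip() for e in sp.findall("md:NameIDFormat", NS)],
        # (binding short name, location) for each assertion consumer service
        "acs": [(a.get("Binding").rsplit(":", 1)[-1], a.get("Location"))
                for a in sp.findall("md:AssertionConsumerService", NS)],
        # SHA-256 over the DER certificate, to compare with STRUST / Azure AD
        "cert_sha256": [hashlib.sha256(base64.b64decode("".join(c.text.split()))).hexdigest()
                        for c in certs],
    }


def check_sp_metadata(meta, public_host):
    """Return a list of problems; an empty list means the file is fit to send.

    public_host is the host name users type into the browser (Web Dispatcher or
    reverse proxy), because the IdP will redirect them to the ACS Location.
    """
    problems = []
    if not meta["want_assertions_signed"]:
        problems.append("WantAssertionsSigned is false: SP would accept unsigned assertions")
    if UNSPECIFIED not in meta["nameid_formats"]:
        problems.append("NameID format 'unspecified' missing; the Azure AD claim uses it")
    if not meta["cert_sha256"]:
        problems.append("no SP certificate embedded; IdP cannot verify signed AuthnRequests")
    for binding, location in meta["acs"]:
        url = urlparse(location)
        if url.scheme != "https":
            problems.append(f"ACS ({binding}) is not HTTPS: {location}")
        if url.hostname != public_host.lower():
            problems.append(f"ACS ({binding}) host {url.hostname!r} is not the public host "
                            f"{public_host!r}; users would be redirected to an internal URL")
    return problems


if __name__ == "__main__":
    meta = parse_sp_metadata(SAMPLE_SP_METADATA)
    print("entityID:", meta["entity_id"])
    for binding, location in meta["acs"]:
        print(f"ACS {binding}: {location}")
    for problem in check_sp_metadata(meta, "fiori.example.com"):
        print("PROBLEM:", problem)
```

Run it against the real file by replacing SAMPLE_SP_METADATA with the contents of the download from transaction SAML2 and public_host with the host name of your launchpad URL; the script reports every ACS entry that would send users to the wrong host.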



1.4 Export SAML2 Certificate (STRUST) in Service Provider (SP).


Export the SAML2 service provider certificate in transaction STRUST: open the SSF SAML2 Service Provider PSE and export its certificate.

This step is optional. The same certificate is already embedded in the metadata file from step 1.3 (see the author's reply in the comments below), so a separate export is only needed if the IdP team asks for the certificate as its own file.



2. Identity Provider (Microsoft Azure) Configuration

Go to Azure Portal

Select Azure Active Directory.


Go to Enterprise Applications.

Create a new application (e.g. SAP FIORI).

As the single sign-on method, choose SAML.


2.1 Importing Service Provider (SP) Metadata file into IDP.


On the Set up Single Sign-On with SAML page, choose Edit to open the Basic SAML Configuration pane.

In the Basic SAML Configuration section, complete the steps below.

Choose Upload metadata file and upload the metadata file downloaded from the Service Provider (SAP FIORI).

When the metadata file is uploaded successfully, the Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) are populated automatically in the Basic SAML Configuration pane. Verify that the Reply URL is the HTTPS URL that users can reach; Azure AD requires HTTPS reply URLs.

In the Sign on URL box, enter the FIORI PRD alias URL (the launchpad URL users open).



2.2 Setup the User attributes and Claim rules.


The SAP Fiori application expects the SAML assertion in a specific format. Configure the following claims for the application: on the Set up Single Sign-On with SAML page, choose Edit in the User Attributes & Claims section.

Set the Name identifier format to Unspecified.

Set the Source attribute to user.onpremisessamaccountname.

The value of this claim becomes the NameID of the assertion, which the SP maps to the SAP logon ID (step 2.4), so it must equal the user name in SU01 for every user. If the on-premises sAMAccountName does not match the SU01 user IDs one to one, use a different attribute or a claim transformation instead.


2.3 Download the Federation Metadata XML and IdP Certificate.


On the Set up Single Sign-On with SAML page, go to the SAML Signing Certificate section and download Federation Metadata XML and Certificate (Base64).

This metadata file and certificate are imported into the Service Provider. When the signing certificate is later renewed in Azure AD (its expiry date is shown in this section), the new certificate must be imported into the SP before it is activated, otherwise the SP rejects every assertion signed with it.

2.4 Upload the Federation Metadata XML and IdP Certificate into the Service Provider.


Go back to the Service Provider and open transaction SAML2.

On the Trusted Providers tab, choose Add and upload the IdP metadata file.

On the next page, upload the IdP certificate.

Enter a name for the IdP.

On the following screens, keep all options at their defaults.

Click Continue, keep the defaults and finish the wizard.

Under Authentication Requirements, set the Comparison Method to Better.

Under Identity Federation, add the NameID format Unspecified.

Set the User ID Mapping Mode to Logon ID. The NameID value from the assertion is then used directly as the SU01 user name, so it must match the claim configured in step 2.2.

After all settings are done, enable the Azure IdP in the Trusted Providers list.



3. Testing SAML Authentication Using the SAP Fiori Launchpad

Open a browser and enter the FIORI launchpad URL:

https://<host>:<port>/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html?sap-client=<XXX>&sap-language=EN

The browser is redirected to Azure AD; after signing in there (or automatically, if the browser already holds an Azure AD session) you are logged on to the FIORI launchpad without entering an SAP password. Test from a browser outside the corporate network as well, because that is where a wrong ACS host (step 1.3) shows up.



Troubleshooting

To trace SAML2-related issues, activate the Security Diagnostic Tool in the ABAP system and open it with the following URL in a browser:

http(s)://<host>:<port>/sap/bc/webdynpro/sap/sec_diag_tool?sap-client=<XXX>

The trace shows the received SAML response and which check failed: issuer not trusted, signature, audience or recipient mismatch, time conditions, or a NameID that maps to no user. Time conditions depend on the server clock, since assertions carry NotBefore and NotOnOrAfter, so keep the ABAP host synchronised via NTP.
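As an added example (not from the original post), the Python script below replays the acceptance checks the SP applies to an IdP response, for the NameID mapping configured in steps 2.2 and 2.4 and for the failure cases the trace reports: issuer, audience, recipient, validity window and NameID mapping. It deliberately does not verify the XML signature (the ABAP SP does, with the IdP certificate from step 2.4). The response, tenant ID, host names and user name are constructed placeholders, and the case-insensitive user comparison is an assumption of the example, not documented SP behaviour.

```python
"""Replay the acceptance checks a SAML SP applies to an IdP response.

Added example, not from the original post. It does NOT verify the XML
signature; it covers the checks that usually fail after a mis-configuration:
issuer, audience, recipient, validity window and NameID mapping. The response
below is constructed; tenant ID, host names and user are placeholders.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
# Azure AD issues from https://sts.windows.net/<tenant-id>/ (placeholder tenant)
IDP_ENTITY_ID = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
SP_ENTITY_ID = "https://FP1100"                              # local provider name
ACS_URL = "https://fiori.example.com/sap/saml2/sp/acs/100"   # Reply URL in Azure

SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-03-01T10:00:00Z"
    Destination="https://fiori.example.com/sap/saml2/sp/acs/100">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-03-01T10:00:00Z">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-03-01T10:05:00Z"
            Recipient="https://fiori.example.com/sap/saml2/sp/acs/100"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-03-01T09:55:00Z" NotOnOrAfter="2024-03-01T11:00:00Z">
      <saml:AudienceRestriction><saml:Audience>https://FP1100</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
"""


def parse_time(value):
    """SAML timestamps are UTC ISO 8601, optionally with fractional seconds."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def check_response(xml_text, sp_entity_id, acs_url, idp_entity_id, sap_users,
                   now, skew=timedelta(seconds=120)):
    """Return the list of failed checks (empty list = the SP would log the user on)."""
    root = ET.fromstring(xml_text)
    failures = []
    status = root.find("samlp:Status/samlp:StatusCode", NS).get("Value")
    if not status.endswith(":Success"):
        failures.append(f"IdP returned status {status}")
    dest = root.get("Destination")
    if dest is not None and dest != acs_url:
        failures.append(f"Destination {dest!r} is not the SP ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        failures.append("no plain Assertion (encrypted assertions are not handled here)")
        return failures
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer != idp_entity_id:
        failures.append(f"issuer {issuer!r} is not the trusted provider")
    cond = assertion.find("saml:Conditions", NS)
    if now + skew < parse_time(cond.get("NotBefore")):
        failures.append("assertion not yet valid (clock skew between IdP and ABAP host?)")
    if now - skew >= parse_time(cond.get("NotOnOrAfter")):
        failures.append("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        failures.append(f"audience {audiences} does not contain SP entity ID {sp_entity_id!r}")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd.get("Recipient") != acs_url:
        failures.append(f"Recipient {scd.get('Recipient')!r} != ACS URL "
                        "(wrong Reply URL, e.g. ABAP host instead of Web Dispatcher)")
    if now - skew >= parse_time(scd.get("NotOnOrAfter")):
        failures.append("bearer SubjectConfirmation expired")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    fmt = name_id.get("Format", UNSPECIFIED)
    if fmt != UNSPECIFIED:
        failures.append(f"NameID format {fmt!r}; trusted provider expects 'unspecified'")
    # Logon ID mapping: the NameID is taken as the SU01 user name. SAP user IDs
    # are upper-case; comparing case-insensitively is an assumption of this example.
    if name_id.text.strip().upper() not in sap_users:
        failures.append(f"NameID {name_id.text!r} does not map to an SU01 user")
    return failures


if __name__ == "__main__":
    now = parse_time("2024-03-01T10:01:00Z")
    internal_acs = "https://fiori-abap.internal.example:44300/sap/saml2/sp/acs/100"
    for label, acs in (("correct Reply URL", ACS_URL), ("ABAP host as Reply URL", internal_acs)):
        result = check_response(SAMPLE_RESPONSE, SP_ENTITY_ID, acs, IDP_ENTITY_ID, {"JDOE"}, now)
        print(label + ":", result or "OK")
```

To use it on a real case, paste the base64-decoded SAMLResponse from the browser's POST to /sap/saml2/sp/acs/<client> (or from the sec_diag_tool trace) into SAMPLE_RESPONSE, set the three constants to your values and pass the set of existing SU01 user names; each listed failure corresponds to one of the configuration steps above.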


      Dmitry Borisov


      Vijay, thanks for sharing your experience.

      Will SSO work with the Fiori client on Windows 10? I installed this configuration (ADFS running on Windows Server, not Azure) and the Fiori client always makes a request (pops up user and password credentials) to the ADFS server first. But any browser with the Fiori Launchpad has SSO authorization without problem.

      Gustavo Carrera Martinez

      Hi Vijay


      Do you have the SAP KB or SAP guide as a reference for this configuration?

      I looked for it but no luck so far.

      Celio Ferreira


      2978838 - How to configure SAML2 with SAP Fiori Launchpad using Azure


      Fabio Belli

      Hi Vijay Bhaskar Reddy


      How are you? My name is Fabio.

      We need to know if we need to download some certificate after we execute all this configuration on Azure AD and on SAP, to install on the user's computer so that afterwards the user is able to enter SAP Fiori.

      Is access validation performed via a user who is configured in Azure AD and is accessing the machine, or is it necessary to install a certificate on the user's computer?

      I'll wait for your comments.


      Best Regards

      Fabio Belli

      Kenneth Monge


      I have a problem when I use the Web Dispatcher from outside the domain: the ADFS asks for the credentials and then redirects me to Fiori, but with the URL of the ABAP system (Fiori host name) and not the Web Dispatcher, and here is the error, because I am not in the internal network.

      How can I change this? The ADFS has to redirect to the URL of the Web Dispatcher, right?



      Jegadeesh K

      Hi Vijay,

      I am a Java person, and I am trying to understand the way cookies work.

      After SAML authentication, the session cookie gets generated, doesn't it?

      Can we set the root domain for the session cookies?

      For example, let me say the Fiori is hosted in the and I would like to have the session cookies set to so that other applications running with the can have visibility of the session cookies.

      Thanks and Regards,

      Jegadeesh K

      Manmath Manjunatha

      Hello Vijay Bhaskar Reddy,

      Thanks for the very good article. I see in the above steps you export the certificate in STRUST (step 1.4). Where do I use that exported certificate?



      Vijay Bhaskar Reddy (Blog Post Author)

      Hi Manmath,

      The certificate is exported along with the XML file, so there is no need to export the certificate from STRUST. You just download the XML file in transaction SAML2 and send it to the Azure team to set up the configuration from their end.


      Alessandro Lapenna

      OK, thank you very much for the guide. Is there a possibility to map the user assertion with the SNC name in SAP (SU01) and not with the logon ID?


      thank you


      Luiz Gomes

      How to connect BTP via Cloud Connector with SAML2?

      Former Member

      Dear Vijay,


      Thanks for this article, it worked well for me.

      But how can we avoid the initial password change prompt regarding the creation of dialog users?



      Vijay Bhaskar Reddy (Blog Post Author)

      Hello Andre,


      You can set up the profile parameter to ignore the initial password of dialog users.