SAP Netweaver Google Authenticator/FreeOTP for Fiori Launchpad using Keycloak (on Premise)
In this article we will learn how to configure Multi-factor Authentication (MFA), also called 2-Factor Authentication (2FA), for an on-premise Fiori Launchpad using Keycloak, an open source Identity and Access Management tool.
Image icons courtesy SAP and Keycloak
Things required for this configuration:
- Fiori Launchpad on SAP Netweaver
- Google Authenticator or FreeOTP
Keycloak is free to download under the Apache 2.0 license and comes in multiple deployment options. I will be using the standalone server deployment, but the configuration steps do not change with the deployment option. This article covers the configuration side of Keycloak; installation is beyond its scope, though a standalone installation is fairly simple and needs just a single command.
The SAML configuration steps are nearly identical across all SAP Netweaver versions; I will be using 7.52 for this article.
We will be using Keycloak as the Identity Provider (IdP) and SAP Netweaver as the Service Provider (SP). The first step is to configure SAP Netweaver as SP, so head over to SAP GUI and launch the SAML configuration using transaction code “SAML2”. This opens the SAML configuration web page (if you see an error, activate the SAML2 service in SICF), which looks like this:
Click on “Enable SAML 2.0 Support” and select the “Create SAML 2.0 Local Provider” option.
On the next screen enter a provider name. An FQDN is usually preferred because it is self-explanatory, but it is not mandatory and any name will work. Note that this name becomes the SAML entityID of your SP, so choose it once: changing it later means exporting the SP metadata again and re-importing it into Keycloak.
Click next to continue.
Everything else can be left at the default. However, if you prefer not to see the IdP selection page before being redirected to the IdP login page, set the selection mode to “Automatically”, then click finish.
Congratulations! You have successfully configured SAP Netweaver as Service Provider (SP). Isn’t that easy?
Now head over to Keycloak. After a successful login the Keycloak configuration page looks like this:
We need the SAML2 certificate and metadata to set up the trust relationship between SAP Netweaver and Keycloak. Click on “SAML 2.0 Identity Provider Metadata” next to “Endpoints” and save it as an “.xml” file. Fetch this file over HTTPS from the Keycloak host you actually trust: the signing certificate inside it is what SAP Netweaver will use to verify every assertion from now on.
Now we have to upload the metadata and SAML2 certificate into SAP Netweaver, so switch back to the SAP Netweaver SAML2 configuration page.
Click on the “Trusted Providers” tab and choose Add → “Upload Metadata Files”.
Upload metadata file downloaded earlier from Keycloak configuration page.
Click next to continue. If an alias is configured on this page, it will be shown on the IdP selection page before redirecting to the IdP login page.
Click next to continue. If this is a production installation, make sure to change the “Digest Algorithm” to SHA-256, as SHA-1 is no longer considered adequate for signatures.
Click next through the following three pages of the wizard, leaving the defaults.
Keycloak users will be mapped via their e-mail attribute. On this page select “Minimum” as the “Comparison Method” and add “PasswordProtectedTransport” to the “List of Requested Authentication Context”. This tells the IdP that any authentication at least as strong as a password over a protected (TLS) transport is acceptable. These are the minimum settings needed for this walkthrough; for a production install I would recommend a stronger “Comparison Method”.
The configuration wizard finishes on this page. Next we need to map the Keycloak user attribute to the SAP Netweaver user.
Click edit, add “E-mail” to “Supported NameID Formats”, and change “User ID Mapping Mode” to “Logon Alias”.
In this step we map the Keycloak user attribute “Email” to the SAP Netweaver user attribute “Logon Alias”, so make sure to maintain both the e-mail address and the logon alias in the respective systems. Because the e-mail address is the only link between the two identities, treat it as a security-relevant attribute: it must be unique per user in Keycloak, and end users must not be able to change it themselves (for example through the Keycloak account console); otherwise a user could point their own account at someone else’s Logon Alias.
Save and Enable.
Congratulations! Another milestone: we have successfully set up the trust relationship between Keycloak and SAP Netweaver. However, Keycloak does not recognise the SAP Netweaver system as a client yet, so let’s download the metadata from our Service Provider, i.e. SAP Netweaver.
Switch to the “Local Provider” tab and click the “Metadata” button; a prompt will offer the metadata for download, so save it to your local drive.
Switch back to the Keycloak configuration page and select “Clients”. Create a new client using the “Create” button on the right.
Import the SAP Netweaver metadata file downloaded earlier, review the imported settings, and save the configuration. We have now completed the bidirectional trust relationship between Keycloak and SAP Netweaver.
The last step is to create users in both systems and assign their mapping attributes, i.e. the e-mail address in Keycloak and the Logon Alias in SAP Netweaver.
Click on “Users” and create a new user with an e-mail address. It is unlikely that Tony Stark would use Keycloak himself, so let’s assume JARVIS controls everything through SSO.
Save the user and make sure to set a password on the “Credentials” page (turn off the “Temporary” switch so the system doesn’t prompt for a password change).
Create a new user in SAP with the Logon Alias set to the e-mail address created earlier in Keycloak; this is the last step in our configuration.
Now it’s time to test our brand new configuration. Run transaction “/n/UI2/FLP” in SAP GUI to launch the Fiori Launchpad and copy the URL. Open the launchpad URL in another browser or in a new private-mode tab. If you set “Identity Provider Discovery: Common Domain Cookie” to automatic earlier, you will be redirected straight to the Keycloak login page; otherwise you need to click continue on the SAP Netweaver login page and the system will redirect you to the Keycloak login page, as below:
Now it is time to test our user: enter the username and password and click “Log in”. On successful authentication the login page will redirect to the Fiori Launchpad.
The next step is to activate MFA. Switch back to Keycloak and edit user “Tony”, or whatever user you created earlier.
Select “Configure OTP” under “Required User Actions”. On the next logon, the system will prompt you to link your mobile device using the “FreeOTP” or “Google Authenticator” OTP app; follow the instructions. Note that this enforces OTP only for this one user; to require it for everyone in the realm, set the OTP step of the realm’s browser authentication flow to “Required” instead of its default (optional/conditional).
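Behind the “Configure OTP” step, FreeOTP and Google Authenticator both implement RFC 6238 TOTP from the otpauth:// URI encoded in the QR code that Keycloak shows. The following is an added example, not Keycloak’s code, of that algorithm together with the server-side check a verifier needs: a small clock-drift window and replay protection, so a 6-digit code that was shoulder-surfed cannot be used a second time. It assumes Keycloak’s default OTP policy values (TOTP, SHA-1, 6 digits, 30-second period, look-around window of 1) and uses the RFC 6238 test secret, not a real user’s key; the issuer and account names are placeholders.

```python
"""RFC 6238 TOTP as used by FreeOTP / Google Authenticator, plus a verifier with
drift window and replay protection. Added example (not Keycloak's code); stdlib only."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# RFC 6238 test secret (ASCII "12345678901234567890"), NOT a real user's key.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, period: int = 30, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 6238: HOTP over the time step floor(unix_time / period)."""
    return hotp(secret, unix_time // period, digits, algo)


def otpauth_uri(issuer: str, account: str, secret: bytes,
                digits: int = 6, period: int = 30, algo: str = "SHA1") -> str:
    """The otpauth:// URI a QR code carries; this is all the authenticator app learns.
    The Base32 secret inside is the long-term shared key, so the QR code is a secret too."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return ("otpauth://totp/%s:%s?secret=%s&issuer=%s&algorithm=%s&digits=%d&period=%d"
            % (quote(issuer), quote(account), b32, quote(issuer), algo, digits, period))


class TotpVerifier:
    """Server-side check. A code is accepted for the current step +/- `window` steps
    (clock drift between phone and server), and a step that already authenticated is
    never accepted again, which blocks replay of an observed code within its lifetime."""

    def __init__(self, secret: bytes, period: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.period, self.digits, self.window = secret, period, digits, window
        self.last_step = -1  # highest time step already consumed by a successful login

    def verify(self, code: str, now: int) -> bool:
        step = now // self.period
        for candidate in range(step - self.window, step + self.window + 1):
            if candidate <= self.last_step:
                continue  # already used (or older than a used step): replay, reject
            if hmac.compare_digest(hotp(self.secret, candidate, self.digits), code):
                self.last_step = candidate
                return True
        return False


if __name__ == "__main__":
    print(otpauth_uri("Keycloak", "tony@example.com", TEST_SECRET))
    print("code right now:", totp(TEST_SECRET, int(time.time())))
    v = TotpVerifier(TEST_SECRET)
    code = totp(TEST_SECRET, 59)
    print("first use:", v.verify(code, 59), "replay:", v.verify(code, 59))
```

Keycloak keeps the shared secret in its own database; the Fiori Launchpad never sees it, which is exactly why the IdP is the right place to enforce the second factor.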
That’s it. Congratulations! You now have an MFA-enabled Fiori Launchpad.
If you like this article, feel free to share, tweet, like or follow me for new articles.
Dear Shankar Gomare,
thank you a lot for this very helpful article.
During your demo you created the users by hand. Do you know a good way to sync the users into the SAP system automatically? Maybe by using an LDAP like FreeIPA?
Yes, it is possible to sync users from freeIPA. All you need to do is set up freeIPA as a federation to Keycloak and set up a sync between freeIPA and SAP using LDAP; here is how the authentication and synchronization flows will work.
Authentication: Launchpad <-> Keycloak <-> <--LDAP--> freeIPA
User Synchronization: SAP -> freeIPA
I have already managed to setup authentication through freeIPA and now I'm working on synchronization, I will post once everything is ready.
Would it be possible to use Keycloak and MFA with the SAP GUI? Some companies still use the old SAP GUI and want to enforce MFA using the GUI.
I haven't tried that, but it could be possible; you need to build a dashboard to launch SAP GUI, and during this process you will be able to perform MFA.