Author: Barath Kakaday

Configure SSO for SAP S/4HANA Fiori Launchpad using SAML2 with Azure AD

The technical work for the SSO setup was carried out jointly by Srinivasan Mohan babu and Barath Kakaday.

Single Sign-On (SSO) is a common business request: users want to log in with a centralized authentication mechanism, usually their Active Directory (AD) credentials. This blog post walks through configuring SSO for the SAP S/4HANA Fiori Launchpad of an enterprise. The protocol used is SAML 2.0 (browser-based Web SSO), which runs over the HTTPS connection the users already have to the Fiori URL.

The procedure covers each component individually: the SAP Web Dispatcher and the SAP S/4HANA ABAP stack. Once it is complete, end users reach the Fiori Launchpad with their Windows AD credentials instead of the SAP logon screen.

The following assumptions apply:

  • Fiori is embedded in SAP S/4HANA (no separate front-end server).
  • SAP S/4HANA is a production environment with high availability on the Azure infrastructure platform.
  • Azure AD is the identity provider (IdP); the SAP system is the service provider (SP).
  • High availability for the Fiori URL is set up as per the diagram below.
  • The load balancer backend pool points to two Web Dispatchers.
  • The operating system is SUSE Linux.
  • The Azure cloud security team is engaged for the IdP metadata and certificate files.
  • The Fiori Launchpad URL must not contain a port number, i.e. the Web Dispatchers listen on port 443.



[Diagram: frontend Azure load balancer with the two backend Web Dispatchers]


Web Dispatcher Configurations

For reference purposes we use the following sample naming conventions:

  1. The two Web Dispatchers are WP1 and WP2.
  2. The common name of the SAP S/4HANA front-end URL is PRDS4.DOMAIN.COM.
  3. The SID of the production SAP S/4HANA system is S4P.

Step 1: Prepare the SAP Web Dispatcher kernel to bind port 443 as per OSS note 421359 (ICM: Binding ports < 1024 on UNIX).

The note's commands make the icmbnd binary in the kernel directory owned by root with the setuid bit set (chown root, chmod 4750), so that the Web Dispatcher, which runs as the non-root <sid>adm user, can bind a privileged port through that helper. The EXTBIND=1 and exe/icmbnd parameters in Step 2 tell the ICM to use it. Apply this on both WP1 and WP2, and re-check the permissions after every kernel patch, since a new kernel overwrites the binary.


Step 2: Edit the instance profile on both WP1 and WP2 to include the following parameters (adjust the exe/icmbnd path to the respective instance).

# Back-end system: the message server of S4P. MSHOST was missing from the original
# listing; supply the ASCS host. SRCSRV=*:* accepts requests from all sources.
wdisp/system_0 = SID=S4P, MSHOST=<S4P message server host>, MSPORT=8100, SRCSRV=*:*

# Maximum number of concurrent connections
icm/max_conn = 500

# TLS credentials: the PSE that holds the CA-signed server certificate (Step 6)
icm/ssl_config_0 = CRED=S4PRD.PSE, SNI_CREDS=S4PRD.PSE

# HTTPS on 443; EXTBIND=1 binds the privileged port via the setuid icmbnd from Step 1
icm/server_port_0 = PROT=HTTPS, PORT=443, PROCTIMEOUT=600, SSLCONFIG=ssl_config_0, EXTBIND=1

# Plain HTTP exists only to redirect to HTTPS. HOST and PORT were cut off in the
# original listing; the sample alias from the naming conventions above is used here.
icm/server_port_1 = PROT=HTTP, PORT=8080, PROCTIMEOUT=600
icm/HTTP/redirect_0 = PREFIX=/, FROM=*, FROMPROT=http, PROT=https, FOR=*, HOST=PRDS4.DOMAIN.COM, PORT=443

# Tell the back end which protocol the client used
wdisp/add_client_protocol_header = true

# Forward a client X.509 certificate to the back end as a header. Only needed for
# certificate logon; the back end must accept this header from the Web Dispatcher only.
icm/HTTPS/forward_ccert_as_header = true

# The original listing had TRUE, which writes secrets from decrypted traffic
# (passwords, cookies) into the trace file. Keep FALSE in production; set TRUE
# only while troubleshooting and revert afterwards.
icm/trace_secured_data = FALSE

# Path to the setuid icmbnd of this instance (WP2 uses its own instance path)
exe/icmbnd = /usr/sap/WP1/SYS/exe/run/icmbnd
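To double-check a profile before it goes live, here is a small linter written for this post as an added example (it is not part of the original post and not an SAP tool). It parses the parameter list above, reports the settings a security review would question (clear-text tracing, privileged ports without EXTBIND, HTTPS ports without an SSL configuration, an HTTP port without a redirect, an incomplete back-end entry) and checks the icmbnd permissions from Step 1. The embedded profile is the post's own parameter list with the trace setting still on; the MSHOST value and the WP1 path in it are assumed sample values.

```python
"""Lint an SAP Web Dispatcher instance profile for the settings used in this post.
Added example, not SAP code. Assumed sample values are marked below."""
import os
import stat
from typing import Dict, List

# Constructed sample: the post's Web Dispatcher profile with trace_secured_data still
# on, as in the original listing. MSHOST and the exe/icmbnd path are assumed values.
SAMPLE_PROFILE = """
# Back-end system configuration
wdisp/system_0 = SID=S4P, MSHOST=s4p-ascs.domain.com, MSPORT=8100, SRCSRV=*:*
icm/max_conn = 500
icm/ssl_config_0 = CRED=S4PRD.PSE, SNI_CREDS=S4PRD.PSE
icm/server_port_0 = PROT=HTTPS, PORT=443, PROCTIMEOUT=600, SSLCONFIG=ssl_config_0, EXTBIND=1
icm/server_port_1 = PROT=HTTP, PORT=8080, PROCTIMEOUT=600
icm/HTTP/redirect_0 = PREFIX=/, FROM=*, FROMPROT=http, PROT=https, FOR=*, HOST=PRDS4.DOMAIN.COM, PORT=443
wdisp/add_client_protocol_header = true
icm/HTTPS/forward_ccert_as_header = true
icm/trace_secured_data = TRUE
exe/icmbnd = /usr/sap/WP1/SYS/exe/run/icmbnd
"""


def parse_profile(text: str) -> Dict[str, str]:
    """Return {parameter: value} for every non-comment 'key = value' line."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params


def subparams(value: str) -> Dict[str, str]:
    """Split 'PROT=HTTPS, PORT=443, ...' into {'PROT': 'HTTPS', 'PORT': '443', ...}."""
    out: Dict[str, str] = {}
    for part in value.split(","):
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip().upper()] = v.strip()
    return out


def icmbnd_is_setuid_root(path: str) -> bool:
    """SAP note 421359: icmbnd must be owned by root with the setuid bit, otherwise the
    non-root <sid>adm process cannot bind port 443 even with EXTBIND=1."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return st.st_uid == 0 and bool(st.st_mode & stat.S_ISUID)


def check_profile(params: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means no objections."""
    findings: List[str] = []
    if params.get("icm/trace_secured_data", "").upper() == "TRUE":
        findings.append("icm/trace_secured_data=TRUE writes decrypted secrets (passwords, "
                        "cookies) to the trace file; set FALSE outside troubleshooting")
    redirect_to_https = any(
        subparams(v).get("PROT", "").lower() == "https"
        for k, v in params.items() if k.startswith("icm/HTTP/redirect_"))
    for key, value in params.items():
        if key.startswith("icm/server_port_"):
            sp = subparams(value)
            prot = sp.get("PROT", "").upper()
            port = int(sp.get("PORT", "0"))
            if port < 1024 and sp.get("EXTBIND") != "1":
                findings.append(f"{key}: port {port} < 1024 needs EXTBIND=1 (SAP note 421359)")
            if sp.get("EXTBIND") == "1" and "exe/icmbnd" not in params:
                findings.append(f"{key}: EXTBIND=1 but exe/icmbnd is not set")
            if prot == "HTTPS" and f"icm/{sp.get('SSLCONFIG', '')}" not in params:
                findings.append(f"{key}: HTTPS port without a matching icm/ssl_config_n")
            if prot == "HTTP" and not redirect_to_https:
                findings.append(f"{key}: plain HTTP port with no icm/HTTP/redirect_n to https")
        elif key.startswith("wdisp/system_"):
            for needed in ("SID", "MSHOST", "MSPORT"):
                if needed not in subparams(value):
                    findings.append(f"{key}: missing {needed}")
    return findings


if __name__ == "__main__":
    profile = parse_profile(SAMPLE_PROFILE)
    for finding in check_profile(profile):
        print("FINDING:", finding)
    print("icmbnd setuid root:", icmbnd_is_setuid_root(profile["exe/icmbnd"]))
```

Run it against the real profile of each instance (WP1 and WP2 have different exe/icmbnd paths) rather than the embedded sample; the one finding the sample produces is the trace setting, which disappears once icm/trace_secured_data is set to FALSE.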


Step 3: Create a DNS alias (in our sample naming, PRDS4.DOMAIN.COM) that points to the frontend Azure load balancer. This alias is the only name users and certificates refer to; the Web Dispatcher host names do not appear anywhere.

Step 4: Generate the certificate signing request (CSR)

Log in to the WP1 host and back up the security directory (the PSE files) before generating the CSR.

Open the Web Dispatcher admin page, e.g. https://<WP1 hostname>/sap/wdisp/admin/public/default.html

Click Create New PSE.

Distinguished Name convention: CN=<Fiori alias, e.g. PRDS4.DOMAIN.COM>, O=<Org name>, OU=Information Technology, L=<Location>, SP=<State>, C=<Country>

Click Create. This generates the key pair inside the new PSE; the private key stays on the host.

Now click Create CA Request. This produces the CSR. Copy it into a text editor and save it as a .txt file.

Repeat the steps on WP2. Both CSRs carry the same CN because clients only ever connect through the alias; each Web Dispatcher nevertheless has its own private key, and the CA simply signs two certificates with the same subject.

Send an email to Cloud Security with the following:

  1. Attach both CSR files and request signed certificates. Note: you may choose an internal or a public CA depending on whether the Fiori page is hosted on the intranet or on the internet respectively; the browsers of all intended users must trust the issuing CA.
  2. Request the IdP signing certificate together with the metadata file.
  3. Request the Azure AD metadata by providing the following details (these are the Basic SAML Configuration values of the Azure AD enterprise application):

S4HANA Production:

Single Sign-On URL                           :

Identifier (Entity ID)                       : Fiori_PRDS4

Reply URL (Assertion Consumer Service URL)   :


Step 5: Import the SAP S/4HANA server certificate into the Web Dispatchers.

The Web Dispatcher re-encrypts traffic towards the back end, so it must trust the certificate the S/4HANA ICM presents.

Log in to SAP S/4HANA and go to transaction STRUST. Select the system's own certificate in the SSL server PSE and click Export Certificate.

Open the WP1 admin page and click Import Certificate. Select the exported file and click Import; an "Imported Certificate" message appears.

Repeat the steps to import the SAP S/4HANA certificate into WP2.


Step 6: Import the CA-signed certificates into the respective Web Dispatchers

Take a backup of the security directory first.

The CA response is imported as a complete certificate chain, not as a key: the private key never left the PSE created in Step 4. Open each certificate file in a text editor and carefully concatenate the contents into a new .txt file in the following order, which is the chain of the CA used in this setup (intermediate names vary by CA):

  1. CA root certificate
  2. UserTrust (intermediate)
  3. CA5 (intermediate)
  4. Own (Web Dispatcher) certificate

On the Web Dispatcher admin page, paste the entire concatenated chain into the import dialog and click Import. An "Imported response" message appears.

Repeat the steps on WP2 with the certificate issued for WP2's CSR.

Verify by typing the Fiori URL into a browser: no HTTPS warning should appear, which indicates the certificates are applied correctly. Repeat the check several times (or against each Web Dispatcher directly) so that both backend instances are exercised, and confirm in the browser's certificate view that the subject matches the alias and the full chain is served.



S4HANA Configurations

Step 1: Create an SICF external alias for S4

Log in to S4HANA and go to transaction SICF. Click External Aliases, then Create.

Here we used /s4 as the alias for the path /default_host/sap/bc/ui2/flp (the Fiori Launchpad service).

Under the Error Pages tab, click Configuration and set:

  • Protocol: Do NOT Switch
  • Check Do NOT Display Warnings
  • Custom Implementation with ABAP class /UI2/CL_SRA_LOGIN (the Fiori Launchpad logon handler)

Click OK to continue.




Step 2: Activate the SICF services as per the notes:

  1. 1088717 – Active services for Web Dynpro ABAP in transaction SICF
  2. 2389051 – ICF service for Clickjacking Framing Protection is not active


Step 3: Import the IdP metadata file.

Log in to SAP S/4HANA in the client the users log on to, go to transaction SAML2 and click Enable SAML 2.0 Support.

Click Create. Provide the Name: it must be the same as the Identifier requested for the Azure AD metadata, in our case Fiori_PRDS4, because this name becomes the SP entity ID that Azure AD places in the assertion's audience; a mismatch makes every logon fail.

Click Next. Set Selection Mode to Automatic and Artifact Resolution Service Mode to Enabled. Click Finish.

On the next screen, click Trusted Providers and select Upload Metadata File. Select the metadata file received from Cloud Security.

Click Next and select the IdP signing certificate received along with the metadata; the SP uses it to verify the signature on every assertion.

Click Next through the remaining screens without changes.

Select the Assertion Consumer Service as Application URL with Binding HTTP POST and click Finish.

Add Identity Federation: under the Trusted Providers tab, select Identity Federation and click Add. Select E-mail and click OK; the NameID entry is added. This rule maps the e-mail address Azure AD sends as NameID to the SU01 user that carries the same address.

Click Save, then Enable, then OK.


Step 4: Maintain table HTTPURLLOC

Go to transaction SE16 and check for existing entries. Since this is a new install, no entries exist yet.

Maintain an entry for port 443 so that URLs the system generates (including those in its SAML metadata and in redirects) use the public alias instead of the internal host name and ICM port. With the sample names of this post the entry looks like:

  SORT_KEY = 1, PROTOCOL = HTTPS, APPLICATN = *, FOR_DOMAIN = *, HOST = PRDS4.DOMAIN.COM, PORT = 443

After adding the entry, the table contains just this row.


SAP Security requirements

For a user to be authenticated successfully, the following must hold:

  1. The e-mail address maintained for the user in S4HANA (SU01) must be identical to the address configured in the Azure domain, which Azure AD sends as NameID, and no other SU01 user may carry that address, since the identity federation rule needs an unambiguous match.
  2. The user must have a valid AD account that is assigned to the Azure AD enterprise application.
  3. (Optional) The user must have the relevant Fiori roles for the respective tiles to be visible; SSO only authenticates, it grants no authorizations.
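To make the trust relationship concrete, here is the check sequence a SAML 2.0 service provider runs on an incoming response before the identity federation rule maps the NameID to an SU01 user. This is an added illustration written for this post in Python, not SAP's ABAP SAML2 implementation; it covers both the trusted-provider settings from Step 3 (entity ID, assertion consumer service, e-mail NameID) and the security requirements listed above. The SAML response, the SU01 e-mail table, the Azure AD tenant entity ID and the ACS URL (the ABAP endpoint /sap/saml2/sp/acs/<client>, with client 100 assumed) are constructed sample data. Signature verification, which the SP performs with the IdP certificate uploaded with the metadata, is deliberately not reproduced.

```python
"""SP-side checks on a SAML 2.0 Response, followed by e-mail identity federation.
Added illustration for this post; not SAP's ABAP code. All sample data is constructed."""
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol", "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Assumed values for the post's sample landscape
SP_ENTITY_ID = "Fiori_PRDS4"                                   # local provider name in SAML2
ACS_URL = "https://PRDS4.DOMAIN.COM/sap/saml2/sp/acs/100"       # ABAP ACS endpoint, client 100 assumed
IDP_ENTITY_ID = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"  # placeholder tenant

# Constructed SU01 e-mail table: user name -> e-mail address
SU01_EMAILS: Dict[str, str] = {"JDOE": "john.doe@domain.com", "ASMITH": "anna.smith@domain.com"}

# Constructed response, as Azure AD would POST it to the ACS (signature omitted)
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['p']}" xmlns:saml="{NS['a']}" ID="_r1"
  Version="2.0" IssueInstant="2024-01-01T10:00:00Z" Destination="{ACS_URL}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T10:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{EMAIL_FORMAT}">john.doe@domain.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}" NotOnOrAfter="2024-01-01T10:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T09:55:00Z" NotOnOrAfter="2024-01-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def ts(value: str) -> datetime:
    """Parse a SAML UTC timestamp."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text: str, now: datetime) -> Tuple[bool, List[str], Optional[str]]:
    """Return (accepted, reasons for rejection, NameID). Signature check is out of scope."""
    reasons: List[str] = []
    root = ET.fromstring(xml_text)
    if root.get("Destination") != ACS_URL:
        reasons.append("Destination is not our assertion consumer service URL")
    if root.findtext("a:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        reasons.append("response issuer is not the trusted identity provider")
    code = root.find("p:Status/p:StatusCode", NS)
    if code is None or not code.get("Value", "").endswith(":Success"):
        reasons.append("identity provider reported a non-success status")
    assertion = root.find("a:Assertion", NS)
    if assertion is None:
        return False, reasons + ["no assertion in response"], None
    if assertion.findtext("a:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        reasons.append("assertion issuer is not the trusted identity provider")
    cond = assertion.find("a:Conditions", NS)
    nb, na = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if not (nb and na and ts(nb) <= now < ts(na)):
        reasons.append("assertion is outside its validity window")
    audiences = [a.text for a in assertion.findall("a:Conditions/a:AudienceRestriction/a:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        reasons.append("audience does not match the local provider name (entity ID)")
    scd = assertion.find("a:Subject/a:SubjectConfirmation/a:SubjectConfirmationData", NS)
    if (scd is None or scd.get("Recipient") != ACS_URL
            or not scd.get("NotOnOrAfter") or now >= ts(scd.get("NotOnOrAfter"))):
        reasons.append("bearer confirmation recipient or expiry check failed")
    name_id = assertion.find("a:Subject/a:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT or not name_id.text:
        reasons.append("NameID is not an e-mail address; identity federation is set to E-mail")
        return False, reasons, None
    return not reasons, reasons, name_id.text.strip()


def map_email_to_user(email: str, table: Dict[str, str] = SU01_EMAILS) -> Optional[str]:
    """Identity federation by e-mail: exactly one SU01 user must carry the address."""
    matches = [user for user, addr in table.items() if addr == email]
    return matches[0] if len(matches) == 1 else None


if __name__ == "__main__":
    ok, why, email = validate_response(SAMPLE_RESPONSE, ts("2024-01-01T10:01:00Z"))
    print("accepted:", ok, why)
    print("SU01 user:", map_email_to_user(email) if ok else None)
```

A rejected audience is exactly what happens when the local provider name in transaction SAML2 differs from the Identifier handed to Azure AD; the example rejects that case the way the SP does, and it also refuses an address that matches no SU01 user or more than one, which is why the e-mail in SU01 must be both identical and unique.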


Test Single Sign-On

Steps to test the SSO URL:

  1. Enter the Fiori URL, i.e. https://<lb alias>, in a browser and hit Enter. Preferably use an incognito/private window to avoid cache and cookie related issues.
  2. The URL redirects automatically to the Microsoft login prompt; enter the AD login ID and password.
  3. After authentication, the Fiori home page appears.

If the SAP logon screen appears instead of the Microsoft prompt, check that SAML 2.0 is enabled and the trusted provider is active in the client you are logging on to.


After following the individual steps for the Web Dispatcher and S4HANA, Single Sign-On is configured for the SAP S/4HANA Fiori Launchpad (on HA).

Hope this blog helps you design and carry out an SSO setup using Azure AD as identity provider. The procedure holds good for the SAP Fiori Client too, since it uses the same Fiori Launchpad HTTPS URL.

Happy to take questions or clarifications. Please use the URL below to post your questions.


      Mani Mandadi

      Good Stuff.

      Narender Singh

      Very well technically detailed @barath

      Prasit Raychaudhuri

      Hi Barath,

      Thanks for the nice and really important topic

      Where did you point The DNS alias To SAP WD or Azure Load balancer?
      Can you please clarify the overall flow a bit more

      1. HTTPS://
      2.-> Azure Load balancer
      3.-> to which hostnames (There should be 2 hostnames for 2 WD) and protocol(HTTP/HTTPS?) of WD. I am a bit confused here as I see in both WD Https is using the same CN

      Thanks and Regards

      Barath Kakaday (Blog Post Author)

      Hi Prasit,

      • The CN is an alias given to the front-ending Azure load balancer. This alias is maintained in DNS.
      • The two WDs' IP addresses are configured as the backend pool in the Azure load balancer. Therefore the WD IPs do not appear in any configuration.

      Note that the Azure load balancer acts only as a traffic redirector to the two web dispatchers.

      Hope this clarifies



      Santasree Bhattacharya

      Hi ,


      couple of questions


      1. You have generated the CSR with the same CN name for both the web dispatchers here, so while your CA is signing the CSR, how will it differentiate between the two? As far as I'm aware, the CA reads from the unique identifiers supplied to it at the time of generating the CSR, for example: CN name, OU etc. So since both your web dispatchers have the same CN name, will the CA have any issues while signing the certificate, since the parameters given to the CA while signing are literally the same for both the web dispatchers?


      PS: we have an exact scenario in our case. Please note getting a CSR for the second web dispatcher is not a mandate; you can just have one CSR generated for your web dispatcher, and generate the private key from web dispatcher no. 1 after importing the CSR into web dispatcher no. 1, then import this private key into the load balancer and web dispatcher 2. Things will work as expected.


      2. My second question here is : how did you make the azure load balancer trust both the webdispatchers ? Did you import the signed certs into the load balancer ?

      Leela sai sankar yelisetty

      Great information

      Accenture Basis Team

      We did all the above configurations. But the Fiori URL is not directly opening to Microsoft login page.

      It is going directly to fiori home page login.

      What can be the root cause?

      Mathi Aravind

      For users who do not have mail IDs, can we evade the Fiori SAML2 login page?