Technical Articles
Accessing the Fiori Applications on Internet using SAML 2.0 Authentication
Introduction –
Fiori Applications are really useful and user friendly mechanism to access SAP transactions and reports . To access these applications securely over Internet SAML Authentication can be used.
For this, single sign-on can be implemented using SAML 2.0 based authentication in conjunction with IdP (Identity Provider) software such as SAP IDP, Ping Federate or Microsoft’s Active Directory Federation Service (AD FS).
The user will need to authenticate themselves in a process known as Service Provider based authentication.
Here in this blog post i will provide the step by step approach to configure SAML based authentication to SAP Fiori system in your landscape ( With F5 load balancer used as Reverse Proxy instead of web dispatcher)
Prerequisites :-
- SAP Fiori system Initial Gateway configuration is completed.
- SSL should be properly configured for the Fiori System.
- Web Dispatcher or F5 Load balancer should have been configured to act as reverse proxy for redirecting Fiori URL’s from internet to Fiori server.
Configuration Steps
- Login to Fiori server working client and execute transaction SICF_SESSIONS and activate /sap/bc/myssocntl for working client.
2. Goto to transaction SICF and activate the following services.
a) /default_host/sap/bc/webdynpro/sap/saml2
b) /default_host/sap/public/bc
c) /default_host/sap/public/bc/icons
d) /default_host/sap/public/bc/icons_rtl
e) /default_host/sap/public/bc/webicons
f) /default_host/sap/public/bc/pictograms
g) /default_host/sap/public/bc/webdynpros
h) /default_host/sap/public/bc/uics
i) /default_host/sap/public/bc/sec/saml2
j) /default_host/sap/public/bc/sec/cdc_ext_service
3. Run Transaction SAML2, it will open in web browser . Enter Fiori credentials to login
4. Create and enable a Local Provider.
This identifies your NW Gateway server as a system that can accept SAML based
authentication.
5. Provide Local provider name in the format https://<SIDCLNTxxx>
6. System configured as Local Provider
7. Download the SAML2 Metadata and send it to Azure ADFS (Active Directory Federation Service) to configure SSO and request for Azure metadata and certificate file for Azure AD team .
10. Once the Azure metadata file and certificate file is received ,go to trusted provider tab and Add the files using the wizard.
11. Upload Azure Metadata file <file>.xml
12. Upload the Azure certificate file received .
13. Give the Name of Identity Provider
14. Under Artifact profile change Require Signature to Never.
16. Confirm if Http Redirect is selected .
17 . Leave blank
18. Select Http Artifact under Authentication Response
20. Configuration Completed
21. Final Screen with Identity Provider Enabled.
22. Goto Local Provider -> Service Provider Setting and Under Miscellaneous switch ON Legacy system Logon tickets
References
SAP Note 2323725 – Transaction SAML2 or SAML2_IDP returns HTTP error 403, 404 or 500
2389051 – ICF service for Clickjacking Framing Protection is inactive.
S4HANA On Premise – SAP Cloud Identity SAML 2.0 Configuration with S4HANA Fiori Launchpad
Conclusion
To conclude , this blog post provides a high level steps for configuring SAML 2 for authentication of Fiori Applications from Internet to make it more user friendly without compromising on security. This document covers Azure AD specific steps used as IDP , for using other IDP’s few steps might change . We have used these steps to configure End to End SAML configuration for accessing Fiori Application for one of the prestigious client successfully .
Dear Reader’s please provide your valuable feedback on this post in the comment section , as this will help me to improve upon my future posts .
You can post your questions related to this blog post at https://community.sap.com/topics/fiori
Hi Kailash,
thanks for valuable document. It really helps on Fiori Configuration.
Regards
Kumar