Accessing the Fiori Applications on Internet using SAML 2.0 Authentication

Introduction

Fiori applications are a really useful and user-friendly way to access SAP transactions and reports. To access these applications securely over the Internet, SAML authentication can be used.
For this, single sign-on can be implemented using SAML 2.0 based authentication in conjunction with IdP (Identity Provider) software such as SAP IDP, PingFederate or Microsoft's Active Directory Federation Services (AD FS).
The user will need to authenticate in a process known as Service Provider based authentication.

In this blog post I will provide a step-by-step approach to configuring SAML based authentication for the SAP Fiori system in your landscape (with an F5 load balancer used as reverse proxy instead of Web Dispatcher).

Prerequisites

1. SAP Fiori system initial Gateway configuration is completed.
2. SSL is properly configured for the Fiori system.
3. Web Dispatcher or an F5 load balancer has been configured to act as reverse proxy, forwarding Fiori URLs from the Internet to the Fiori server.

Configuration Steps

1. Log in to the working client of the Fiori server, execute transaction SICF_SESSIONS and activate /sap/bc/myssocntl for the working client.

2. Go to transaction SICF and activate the following services:
a) /default_host/sap/bc/webdynpro/sap/saml2
b) /default_host/sap/public/bc
c) /default_host/sap/public/bc/icons
d) /default_host/sap/public/bc/icons_rtl
e) /default_host/sap/public/bc/webicons
f) /default_host/sap/public/bc/pictograms
g) /default_host/sap/public/bc/webdynpros
h) /default_host/sap/public/bc/uics
i) /default_host/sap/public/bc/sec/saml2
j) /default_host/sap/public/bc/sec/cdc_ext_service

3. Run transaction SAML2; it opens in a web browser. Enter your Fiori credentials to log in.

4. Create and enable a Local Provider. This identifies your NetWeaver Gateway server as a system that can accept SAML based authentication.

5. Provide the Local Provider name in the format https://<SIDCLNTxxx>

6. The system is now configured as Local Provider.

7. Download the SAML2 metadata and send it to Azure ADFS (Active Directory Federation Service) to configure SSO, and request the Azure metadata and certificate file from the Azure AD team.

10. Once the Azure metadata file and certificate file have been received, go to the Trusted Provider tab and add the files using the wizard.

11. Upload the Azure metadata file <file>.xml

12. Upload the Azure certificate file received.

13. Give the name of the Identity Provider.

14. Under Artifact Profile, change Require Signature to Never.

15. Select HTTP Redirect.

16. Confirm that HTTP Redirect is selected.

17. Leave blank.

18. Select HTTP Artifact under Authentication Response.

19. Under Trusted Provider -> Identity Federation, click Add and select E-Mail (as e-mail will be used for authentication, make sure proper e-mail IDs are maintained in SU01 in the Fiori system for all users of the Fiori apps).

20. Configuration completed.

21. Final screen with the Identity Provider enabled.

22. Go to Local Provider -> Service Provider Settings and, under Miscellaneous, switch on Legacy System Logon Tickets.



Conclusion

To conclude, this blog post provides the high-level steps for configuring SAML 2.0 authentication for Fiori applications accessed from the Internet, making access more user friendly without compromising security. This document covers the steps specific to Azure AD used as IdP; when using another IdP, a few steps might change. We have used these steps to configure end-to-end SAML authentication for accessing Fiori applications for one of our prestigious clients successfully.

Dear readers, please provide your valuable feedback on this post in the comment section, as this will help me improve my future posts.

You can post your questions related to this blog post at https://community.sap.com/topics/fiori