Introduction
Fiori applications are a useful and user-friendly way to access SAP transactions and reports. To access these applications securely over the Internet, SAML authentication can be used.
For this, single sign-on can be implemented using SAML 2.0 based authentication in conjunction with IdP (Identity Provider) software such as SAP IDP, PingFederate or Microsoft's Active Directory Federation Services (AD FS).
The user will need to authenticate in a process known as Service Provider based authentication.
In this blog post I will provide a step by step approach to configuring SAML based authentication for an SAP Fiori system in your landscape (with an F5 load balancer used as reverse proxy instead of Web Dispatcher).
Prerequisites
- Initial gateway configuration of the SAP Fiori system is completed.
- SSL is properly configured for the Fiori system.
- Web Dispatcher or an F5 load balancer has been configured to act as reverse proxy, forwarding Fiori URLs from the Internet to the Fiori server.
Configuration Steps
1. Log in to the working client of the Fiori server, execute transaction SICF_SESSIONS and activate /sap/bc/myssocntl for the working client.
2. Go to transaction SICF and activate the following services:
   a) /default_host/sap/bc/webdynpro/sap/saml2
   b) /default_host/sap/public/bc
   c) /default_host/sap/public/bc/icons
   d) /default_host/sap/public/bc/icons_rtl
   e) /default_host/sap/public/bc/webicons
   f) /default_host/sap/public/bc/pictograms
   g) /default_host/sap/public/bc/webdynpros
   h) /default_host/sap/public/bc/uics
   i) /default_host/sap/public/bc/sec/saml2
   j) /default_host/sap/public/bc/sec/cdc_ext_service
3. Run transaction SAML2; it opens in a web browser. Enter Fiori credentials to log in.
4. Create and enable a Local Provider. This identifies your NW Gateway server as a system that can accept SAML based authentication.
5. Provide the Local Provider name in the format https://<SIDCLNTxxx>
6. The system is now configured as Local Provider.
7. Download the SAML2 metadata and send it to Azure ADFS (Active Directory Federation Service) to configure SSO, and request the Azure metadata and certificate file from the Azure AD team.
10. Once the Azure metadata file and certificate file are received, go to the Trusted Provider tab and add the files using the wizard.
11. Upload the Azure metadata file <file>.xml.
12. Upload the Azure certificate file received.
13. Give the name of the Identity Provider.
14. Under Artifact Profile, change Require Signature to Never.
15. Select HTTP Redirect.
16. Confirm that HTTP Redirect is selected.
17. Leave blank.
18. Select HTTP Artifact under Authentication Response.
19. Under Trusted Provider -> Identity Federation, click Add and select E-Mail, as email will be used for authentication. Make sure proper email IDs are maintained under SU01 in the Fiori system for all users using Fiori apps.
20. Configuration completed.
21. Final screen with Identity Provider enabled.
22. Go to Local Provider -> Service Provider Settings and under Miscellaneous switch ON Legacy System Logon Tickets.
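As an added example (not code from the original post), a small Python check to run over the IdP metadata and certificate file before they are uploaded in steps 11 and 12: it confirms that the metadata lists an HTTP-Redirect single sign-on endpoint (the choice made in step 15), an artifact resolution endpoint (required for the HTTP Artifact response chosen in step 18), that every endpoint is HTTPS, and that the separately received certificate file is the same signing certificate the metadata carries. The metadata, hostnames and certificate bytes below are constructed placeholders, not Azure AD output.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed stand-in for the certificate file received from the Azure AD team (step 12);
# a real file carries the base64 DER of the IdP signing certificate.
RECEIVED_CERT_B64 = base64.b64encode(b"constructed-idp-signing-cert").decode()

# Constructed IdP metadata in the shape of the file uploaded in step 11; hosts are placeholders.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://sts.example.test/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{RECEIVED_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://sts.example.test/adfs/services/trust/artifactresolution" index="0"/>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://sts.example.test/adfs/ls/"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sts.example.test/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def fingerprint(cert_b64):
    """SHA-256 over the DER bytes of a base64 certificate blob (whitespace ignored)."""
    return hashlib.sha256(base64.b64decode("".join(cert_b64.split()))).hexdigest()


def check_idp_metadata(xml_text, received_cert_b64):
    """Facts to verify before the IdP is added as a trusted provider (steps 11-18)."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)}
    artifact = [a.get("Location") for a in idp.findall("md:ArtifactResolutionService", NS)]
    signing_certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":  # a KeyDescriptor without 'use' serves both purposes
            signing_certs += [c.text for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    return {
        "entity_id": root.get("entityID"),
        "has_http_redirect_sso": HTTP_REDIRECT in sso,           # needed for the HTTP Redirect choice
        "has_artifact_resolution": bool(artifact),               # needed for the HTTP Artifact response
        "cert_file_matches_metadata": fingerprint(received_cert_b64) in {fingerprint(c) for c in signing_certs},
        "all_endpoints_https": all(u.startswith("https://") for u in list(sso.values()) + artifact),
    }
```

A mismatch on cert_file_matches_metadata means the certificate file and the metadata come from different key pairs and the Azure AD team should be asked which one is current before step 12.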
References
- SAP Note 2323725 - Transaction SAML2 or SAML2_IDP returns HTTP error 403, 404 or 500
- 2389051 - ICF service for Clickjacking Framing Protection is inactive
- S4HANA On Premise - SAP Cloud Identity SAML 2.0 Configuration with S4HANA Fiori Launchpad
- 2689013 - How to configure SAML2 with SAP Fiori Launchpad and Web Dispatcher | SAP Knowledge Base Ar...
Conclusion
To conclude, this blog post provides the high level steps for configuring SAML 2.0 authentication for Fiori applications accessed from the Internet, making access more user friendly without compromising on security. This document covers the steps specific to Azure AD used as IdP; for other IdPs a few steps might change. We have used these steps to successfully configure end to end SAML authentication for access to Fiori applications for one of our prestigious clients.
Dear readers, please provide your valuable feedback on this post in the comment section, as this will help me improve my future posts.
You can post your questions related to this blog post at
https://community.sap.com/topics/fiori