Author: Shankar Gomare

How to set up Auth0 as Identity provider (IdP) for SAP Fiori launchpad

In this article, you will learn to set up Auth0 as a SAML2 Identity Provider (IdP) to facilitate SSO/MFA for SAP NetWeaver. It is a global configuration, meaning every web service in SAP NetWeaver will utilize SAML2 and Auth0.

Auth0 is a flexible, drop-in, cloud-based solution to add authentication and authorization services to your applications.

The setup needs an Auth0 account and SAP NetWeaver with SAML2 access, along with minimum Fiori Launchpad access for testing.

The very first step is to set up the service provider (SP) in SAP NetWeaver, if it is missing. (It is not part of the SAP installation, so if SSO is not configured in your system, most likely you will not find SP configurations either.)

This article is available in two different ways: if you prefer to see it in action, you can watch the following video; otherwise you can ignore the video and continue with the article.

We will start with the Service Provider (SP) setup in SAP NetWeaver by running the SAML2 transaction.

The SAML2 transaction will bring you to the above screen if SAML2 is not active in your system.

Next, fill in the mandatory service provider name.

Continue with the setup wizard until the following page, set “Identity Provider Discovery: Common Domain Cookie (CDC)” from manual to automatic, and click Finish.

Once the configuration wizard is complete, you will see the active SP page as follows.

At this point we are done with part of the SAP NetWeaver setup. We will resume once the IdP metadata is available in Auth0.

After logging in to Auth0, navigate to Applications -> Application. (Auth0 allows developer accounts, so you should be able to get one for yourself.)

Click on “Application” to create a new application for the SAP SAML2 setup.

Input the application name and select a type. It doesn’t matter what type we select, but I have always left the default, native apps.

Click Create and navigate to the Settings page at the top. Here we need to update “Application Login URI” and “Allowed Callback URLs”.

Note: The host and port should match your NetWeaver setup. You will find these settings under the SMICM transaction in SAP GUI.

Next, open the Addon page and enable SAML2, which will open a popup with the SAML2 configuration page. This is where you will be able to download the Identity Provider Metadata to use in the SAP Service Provider.


Next, we need to maintain SAML attributes to map Auth0 users to SAP NetWeaver. You can find the attributes/settings used in this example in my GitHub repository.

This concludes the settings in Auth0. Now we have to set up the trust relationship in SAP by creating a “Trusted Provider” in the SAML2 configuration. All we need to do is upload the metadata file downloaded earlier from the Auth0 SAML2 settings page.
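Uploading the metadata file tells SAP which entity ID, signing certificate and endpoints to trust, so it is worth reviewing the file first. The following Python script is an added example, not part of the original article or of any Auth0 or SAP tooling; the sample metadata, the idp.example.com URLs and the certificate bytes are constructed placeholders, and review_idp_metadata is a hypothetical helper name.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample metadata: entity ID, URLs and certificate bytes are placeholders.
SAMPLE_CERT = base64.b64encode(b"constructed-placeholder-not-a-real-certificate").decode()
SAMPLE_METADATA = f"""<EntityDescriptor entityID="urn:idp.example.com"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
        <X509Certificate>{SAMPLE_CERT}</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/samlp/CLIENT_ID"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def review_idp_metadata(xml_text):
    """Summarize IdP metadata and list findings to resolve before trusting it."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not expected in SAML metadata")
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    certs = idp.findall("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    # SHA-256 over the DER bytes; compare with the certificate shown in the IdP console.
    prints = [hashlib.sha256(base64.b64decode("".join(c.text.split()))).hexdigest()
              for c in certs if c.text]
    sso = [e.get("Location", "") for e in idp.findall("md:SingleSignOnService", NS)]
    slo = [e.get("Location", "") for e in idp.findall("md:SingleLogoutService", NS)]
    findings = []
    if not prints:
        findings.append("no signing certificate: assertions cannot be verified")
    if not sso:
        findings.append("no SingleSignOnService endpoint")
    findings += [f"endpoint not HTTPS: {u}" for u in sso + slo if not u.startswith("https://")]
    if not slo:
        findings.append("no SingleLogoutService: the SP has nowhere to send logout requests")
    return {"entity_id": root.get("entityID"), "cert_sha256": prints,
            "sso": sso, "slo": slo, "findings": findings}


if __name__ == "__main__":
    print(review_idp_metadata(SAMPLE_METADATA))
```

To review a real file, pass the text of the downloaded metadata to review_idp_metadata and compare the reported fingerprint with the signing certificate shown in your IdP tenant.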


The setup wizard will prefill the required settings from the metadata file. Continue with the default options until “Authentication Context Settings”, update the configuration as follows, and click Finish.

This completes the trust relationship setup between Auth0 and SAP NetWeaver, but we have not yet maintained the user mapping. Auth0 users need to be identified in SAP NetWeaver, and this happens by reading SAML2 attribute values. We will configure “Identity Federation” to maintain the required user mapping.

We will use the email address from Auth0 to identify users in SAP NetWeaver using the user alias. The user alias configuration is available under user settings in the “SU02” transaction.

Now you can save and activate the trusted provider. I used Fiori launchpad to test this setup. The launchpad should redirect automatically to the Auth0 login page, confirming proper SAML2 setup.

Once Auth0 authentication succeeds, you will be redirected back to Fiori launchpad.

In the end, you will get a smile on your face if you see the following screen.


If you like this article, feel free to share, tweet, like or follow me for new articles.


      Ariel Bravo Ayala

      Hi Shankar Gomare,

      This is very well explained. May I suggest two things?

      • The SAML setting in Auth0 is missing the logout callback. If you try to log out from the Fiori launchpad, it would fail. To address this, you can add the following setting to your JSON snippet,

      (change the path according to your single logout service, this is the default one)

      • When it comes to the identity federation, why not leverage the email straight away? You can add the email address to your user.


      Besides your Arch-based distro (Kilimanjaro?), I liked your video. :nerd: 







      Shankar Gomare
      Blog Post Author

      Thank you,

      I'll update the logout URL in git repo so others can refer to the updated file.

      The distro is a custom DWM (Dynamic Window Manager) build on Arch.