Combining different SSO methods on SAP Fiori – SAML2 on a remote gateway (Fiori Server) and logon tickets between remote gateway and SAP backend
There are lots of different methods for enabling SSO for Fiori (see the SAP Help page "User Authentication and Single Sign-On" on that 🙂).
However, the SAML2 protocol with Azure AD as IdP (Identity Provider) seems to be a widely used one. If you wonder how to configure SSO using Azure AD, there are a lot of different and very useful blog posts on that by other contributors in the SAP Community (e.g. by Vijay Bhaskar Reddy, “Single Sign-On (SAML2) Configuration for SAP FIORI Application”, or by Manish Shah, “Configure SAML based Single Sign-on for SAP Fiori and NetWeaver using Azure Active Directory”).
This blog post focuses on the SSO connection between Fiori (remote gateway) and the SAP backend in a hub deployment, after SSO via SAML2 has been configured for the remote gateway.
As you might know, if you have a remote Fiori Server in place and want to access WDA (Web Dynpro) applications from the Fiori Launchpad without SSO via logon tickets configured, you need to authenticate twice: first when accessing the Fiori Launchpad and second when clicking on the WDA app.
To avoid logging in twice between the remote gateway, where the Fiori Launchpad resides, and the SAP backend system, where for example the WDA application resides, you have to configure trust between these two systems. The best and easiest way to do that is using logon tickets (as long as these two systems are in the same DNS domain).
The manual configuration of logon tickets can be tricky though. Therefore, it is recommended to use a task list (transaction STC01; see SAP Help) for this purpose:
- Use tasklist SAP_SAP2GATEWAY_TRUSTED_CONFIG to configure a trusted connection from a SAP system to SAP Gateway on the back-end server.
- Use tasklist SAP_GATEWAY_ADD_SYSTEM to configure a trusted connection from the SAP Gateway to a SAP system on the front-end server.
With this in place you should no longer see the second login screen for NetWeaver but be routed directly to your WDA residing on the back-end server, as long as you use Basic Authentication (user ID and password) for your remote gateway/Fiori Launchpad.
If, however, SAML2 SSO is enabled for the remote gateway and you expect logon tickets to work the same way as with Basic Authentication, you will be disappointed 🙁 …
The expected trust federation does not work and you get the NetWeaver logon page back, despite having logon tickets configured. The reason is that the default settings of the SAML2 configuration on the local provider do not allow logon tickets to be issued when the user authenticates via SAML2 SSO. You have to explicitly enable that in your local provider settings (please also check SAP Help on this if you need to):
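A quick way to confirm that the front-end server really hands out a logon ticket after the SAML2 logon is to look at the Set-Cookie headers it returns. The following script is an added example (not part of the original post and not SAP code): it checks whether a MYSAPSSO2 cookie (the cookie SAP uses to transport a logon ticket) is present and whether its Domain attribute covers both the gateway and the back-end host, i.e. the "same DNS domain" requirement from above; the host names and cookie values are constructed.

```python
from dataclasses import dataclass
from typing import Optional

SSO_COOKIE = "MYSAPSSO2"  # cookie name SAP uses to transport a logon ticket

@dataclass
class TicketCheck:
    ticket_issued: bool           # did the front-end server set MYSAPSSO2 at all?
    cookie_domain: Optional[str]  # Domain attribute of the ticket cookie, if any
    gateway_covered: bool         # browser will send the ticket back to the gateway
    backend_covered: bool         # ...and to the back-end host (same DNS domain needed)
    secure: bool
    http_only: bool

def parse_set_cookie(header):
    """Split one Set-Cookie header into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def host_in_domain(host, domain):
    """True if host lies within the cookie domain (leading dot ignored)."""
    host, domain = host.lower().rstrip("."), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)

def check_logon_ticket(set_cookie_headers, gateway_host, backend_host):
    """Report whether a logon ticket was issued and whether both hosts receive it."""
    for header in set_cookie_headers:
        name, value, attrs = parse_set_cookie(header)
        if name != SSO_COOKIE or not value:
            continue
        domain = attrs.get("domain")
        # Without a Domain attribute a browser returns the cookie only to the issuing host
        scope = domain or gateway_host
        return TicketCheck(True, domain, host_in_domain(gateway_host, scope),
                           host_in_domain(backend_host, scope),
                           "secure" in attrs, "httponly" in attrs)
    return TicketCheck(False, None, False, False, False, False)

# Constructed sample responses for hypothetical hosts fes.corp.example (gateway) and
# erp.corp.example (back end): with the default SAML2 local provider settings only the
# session cookie comes back; after enabling logon ticket issuing MYSAPSSO2 is added.
RESPONSE_DEFAULT = ["SAP_SESSIONID_FES_100=c0nstructed; path=/; HttpOnly; Secure"]
RESPONSE_FIXED = RESPONSE_DEFAULT + [
    "MYSAPSSO2=CONSTRUCTED_TICKET==; Domain=.corp.example; path=/; HttpOnly; Secure"]
```

If `ticket_issued` is false after a SAML2 logon, the local provider setting described above is the first thing to check; if the ticket is issued but `backend_covered` is false, the two systems are not in the same DNS domain and logon tickets cannot carry the trust.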
Voilà, an entire blog post about just one small setting. I hope this helps you and your clients to provide a better user experience with Fiori.