How to configure SSO with Fiori Launchpad and Google IDP
Background
In this blog post I will discuss and demonstrate the configuration of single sign on (SSO) with Fiori Launchpad and Google G-Suite as the Identity Provider (IDP).
After extensive searching, I was unable to find any information or documentation covering this combination (most of what exists focuses on Azure AD as an IDP with SAP). Instead, I had to draw on documentation covering similar topics with different technologies and, through my own experimentation, managed to get this working.
I decided to share my experience as a step-by-step procedure in this blog post, in the hope that it fills the apparent gap in the available documentation.
Assumptions
Before following this guide, the following would already need to be set up and working correctly:
- Google G-suite is configured successfully, and the domain used is managed by Google and has been validated by Google
- The reader can log in successfully to Google G-suite and has administration rights to create SAML Apps
- SAP Fiori Launchpad is already configured and working with SSL
Overview of the Architecture
The following diagram summarizes the communication flow between the client, SAP Fiori, and Google:
Communication flow between the client, Fiori, and Google
- The client makes a request to SAP Fiori launchpad
- A redirect to Google G-suite is issued by Fiori launchpad
- Google G-suite presents the client with a login screen, where the client logs on with their Google credentials
- After the client successfully logs in to Google, a SAML XML assertion containing information about the client is generated and sent back to the client
- The client makes a POST request to Fiori launchpad carrying the assertion; the XML assertion is validated, and the client is granted access to Fiori launchpad
Let’s get started then! Here are the steps required to get the combination working:
1. FIORI: Configuring the Service Provider
Parameter configuration in the Fiori system
The following table contains the required parameters in the Fiori system. Most of these parameters will be set by default already, so this table can be used just for reference purposes and to ensure that the parameters are set correctly.
You can check the parameters with transaction code RZ11.
Parameter Name | Dynamic parameter | Default Value | Required Value
---|---|---|---
login/create_sso2_ticket | Yes | 3 | 2
login/accept_sso2_ticket | Yes | 1 | 1
login/ticketcache_entries_max | No | 1000 | 1000
login/ticketcache_off | No | 0 | 0
login/ticket_only_by_https | Yes | 0 | 0
icf/set_HTTPonly_flag_on_cookies | Yes | 3 | 3
icf/user_recheck | Yes | 0 | 0
http/security_session_timeout | Yes | 1800 | 1800
http/security_context_cache_size | No | 2500 | 2500
rdisp/plugin_auto_logout | Yes | 1800 | 1800
rdisp/autothtime | Yes | 60 | 60
SICF services required
SSO will require some SICF services being activated if they aren’t already. Please check and activate where necessary.
/sap/public/bc/sec/cdc_ext_service
/sap/public/bc/sec/saml2
/sap/bc/webdynpro/sap/saml2
/sap/bc/webdynpro/sap/sec_diag_tool
To activate these services, follow the instructions below for the first service listed, then repeat the same procedure for the remaining services.
- Logon to the Fiori system (or S/4HANA, if Fiori is embedded)
- Go to transaction SICF
- Enter the service name in the ‘Service Path’ field and then click ‘Execute’ as in the following screenshot:
- If the service is greyed out, this indicates that it is inactive. Activate it by right-clicking on the service and then select ‘Activate Service’ from the context menu:
- Select the 2nd ‘Yes’ button (this will activate any underlying services too, if there are any):
- Repeat this process for the other services.
Configuring SAML on SAP Fiori
This section explains the configuration process for the Fiori launchpad, either as a standalone Fiori Frontend system, or as an embedded Fiori in S/4HANA.
- Logon to the Fiori system (or S/4HANA, if Fiori is embedded)
- Go to transaction SAML2, or execute the following from a browser:
https://<hostname>:<port>/sap/bc/webdynpro/sap/saml2?sap-client=<client-id>
- Login with your SAP credentials:
- If SAML has not previously been configured, you should encounter the following screen:
- Select the ‘Enable SAML 2.0 Support’ button and then select ‘Create SAML 2.0 Local Provider’:
- Insert a Provider Name using the convention “<protocol>://<sid><client>” (e.g. https://SID120) and then click ‘Next’:
- In the next screen, don’t change the value, click Next:
- In the screen that follows, change the ‘Selection Mode’ to ‘Automatic’ from the drop-down, and then select the ‘Finish’ button:
- You should see a screen similar to the following:
2. G-SUITE: Configuring Google G-suite
Accessing the Google Admin Console
- Log in to the Google Admin Console by accessing the following URL from a browser:
https://admin.google.com
- Ensure you are using the correct user and insert your password:
Creating a custom SAML App
- From the Admin console, select Apps -> Web and Mobile apps:
- Add a custom SAML app as indicated by selecting ‘Add app’ then ‘Add custom SAML app’:
- Give the app a name, for example: ‘SAP Fiori Integration’ and then click the ‘Continue’ button:
- In the next screen, select the ‘Download metadata’ button. An XML file called “GoogleIDPMetadata.xml” will be downloaded to your system, most likely into your ‘Downloads’ folder. This file is needed later, when it is imported into SAP Fiori. Click ‘Continue’ after downloading the file:
- In the next screen you are asked to insert an ACS URL and entity ID. The ACS URL takes the following form:
- https://<Fiori-hostname>:<port>/sap/saml2/sp/acs/100
- Use the URL for a Webdispatcher, gateway, or load balancer if these are being used to redirect traffic to your Fiori system, which may reside in a private subnet. Click ‘Continue’:
- Accept the defaults in the next screen and then select ‘Finish’:
- The following result should be shown:
Enabling new SAML app for all users
If this section is not completed, you will see an error like the following when trying to log on to the launchpad:
- In your SAML App in G-suite, select ‘User access’:
- Select ‘ON for everyone’ in the next screen and then click ‘SAVE’:
3. FIORI: Configuring the Trusted Provider
Creating the Identity Provider
In the previous chapter, you downloaded the metadata during the process of creating a SAML app in the Google Admin console. This file will now be needed to create the Identity Provider in the Fiori SAML configuration.
- Logon to the Fiori system (or S/4HANA, if Fiori is embedded)
- Go to transaction SAML2, or execute the following from a browser:
https://<hostname>:<port>/sap/bc/webdynpro/sap/saml2?sap-client=<client-id>
- Login with your SAP credentials.
- In the SAML configuration screen, select ‘Trusted Providers’, then click the ‘Add’ button, and then select ‘Upload Metadata File’:
- In the next screen, locate the metadata XML file (likely in your Downloads folder) and then click ‘Next’:
- Insert an Alias and then click ‘Next’:
- In the next screen, change the Digest Algorithm to SHA-256, and the ‘Require Signature’ to ‘Never’:
- Click ‘Next’ in the screen that follows:
- Click ‘Next’ in the following screen:
- Again, click ‘Next’ in the following screen:
- Finally, in the last screen, click ‘Finish’:
Configuring the Identity Provider
We must adjust the configuration of the Identity Provider in Fiori for our needs.
- In the same SAML2 screen that we used previously, select the Identity Provider and click the ‘Edit’ button:
- Select the ‘Identity Federation’ tab, and then under ‘Supported NameID Formats’, select ‘Add’:
- In the pop-up screen, select ‘E-mail’ and then ‘OK’:
- Confirm User ID Mapping Mode is Email, then select ‘Save’:
Activate the Identity Provider
Now that the Identity Provider has been configured, we need to activate it for the configuration to take effect. Once it is active, future logon attempts to Fiori will be redirected to Google.
- In the same SAML2 screen, ensure that ‘Trusted Providers’ is selected, and the required trusted provider is selected, then click the ‘Enable’ button:
- Confirm in the next screen:
Configure the relay state for the Local provider
- In the same SAML2 screen, ensure that ‘Local Provider’ is selected, and the ‘Service Provider Settings’ tab is selected, click ‘Edit’:
- Insert ‘/sap/bc/ui2/flp’ in the ‘Default Application Path’ field:
- Then, in the section ‘RelayState Mapping’, click the ‘Add’ button:
- Enter a Relay State name and the Fiori launchpad path using the following values, and then click ‘OK’:
RelayState: fiori
Path: /sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html
- Repeat the process with the following values:
RelayState: it00
Path: /sap/bc/bsp/sap/it00/default.htm
- The screen should indicate the following new entries:
4. FIORI: Configuring Fiori to support SAML2
Configuring the Fiori Launchpad
This section explains how Fiori launchpad needs to be configured to support SAML2.
- Logon to the Fiori (or S/4HANA, if Fiori is embedded) system
- Go to transaction SICF
- Enter the ‘ushell’ service name in the ‘Service Name’ field and then click ‘Execute’ as in the following screenshot:
- Double-click on the ‘ushell’ service under ui5_ui5 -> ui2 as indicated here:
- In the Create/Change a Service screen, select the ‘Logon Data’ tab and then click the Display/Change button:
- At ‘Procedure’, click the checkbox for ‘Use All Logon Procedures’:
- Click Save / Store.
5. FIORI: User Configuration
In order for SSO to work for individual users, mapping needs to take place between Google IDP and SAP Fiori, so that a match is found between a Google ID and a Fiori User ID. To do this, individual users in Fiori need to have user data modified to include the Google email address for the same user. This is done as follows:
- Logon to the Fiori system (or S/4HANA, if Fiori is embedded)
- Go to transaction SU01
- Enter the userID and then click the Edit button:
- Insert the Google email address that will be used for SSO into both the Department and E-Mail Address fields as indicated below, then click ‘Save’:
6. Testing SAML using Fiori Launchpad
To test the configuration, access the Fiori launchpad via a URL using a browser:
- Open your web browser
- Enter the URL of the Fiori launchpad:
https://<hostname>:<port>/sap/bc/ui2/flp
- If all works as it should, you should be redirected to a Google logon screen:
- Log on with your Google ID and password; Fiori should then log you in successfully.
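The following Python script is an added example (not from the original post) that makes the test in this section reproducible without a browser. It takes the Location header of the redirect that the launchpad issues for an unauthenticated request (steps 1 and 2 of the architecture overview), decodes the SAMLRequest carried in it according to the HTTP-Redirect binding (raw DEFLATE, then base64), and checks that the request goes to the expected IdP host over HTTPS, names the local provider as Issuer and carries the ACS URL that was registered in the Google SAML app. The AuthnRequest, the host names and port, client 100 and the idpid in the sample are constructed placeholders; `encode_redirect_request` exists only to build that sample.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REDIRECT_BINDING_WBITS = -15  # raw DEFLATE without zlib header, as the HTTP-Redirect binding requires


def encode_redirect_request(xml_text):
    """HTTP-Redirect binding encoding (raw DEFLATE, then base64); used only to build the sample."""
    comp = zlib.compressobj(9, zlib.DEFLATED, REDIRECT_BINDING_WBITS)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()


def decode_redirect_request(param):
    """Reverse of the above, applied to the SAMLRequest value after URL decoding."""
    return zlib.decompress(base64.b64decode(param), REDIRECT_BINDING_WBITS).decode()


# Constructed AuthnRequest shaped like the one the SAP local provider sends.
# Issuer (the local provider name), host, port, client 100 and idpid are placeholders.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-id-1" '
    'Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'Destination="https://accounts.google.com/o/saml2/idp?idpid=EXAMPLE-IDP-ID" '
    'AssertionConsumerServiceURL="https://fiori.example.com:44300/sap/saml2/sp/acs/100" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
    "<saml:Issuer>https://SID120</saml:Issuer>"
    "</samlp:AuthnRequest>"
)

# Constructed Location header as Fiori would send it (the RelayState 'fiori' is the mapping from step 3).
SAMPLE_LOCATION = (
    "https://accounts.google.com/o/saml2/idp?idpid=EXAMPLE-IDP-ID&"
    + urlencode({"SAMLRequest": encode_redirect_request(SAMPLE_AUTHN_REQUEST), "RelayState": "fiori"})
)


def check_sso_redirect(location, expected_idp_host, expected_issuer, expected_acs_url):
    """Validate the redirect Fiori issues for an unauthenticated launchpad request."""
    url = urlsplit(location)
    query = parse_qs(url.query)
    result = {
        "issuer": None,
        "acs_url": None,
        "relay_state": query.get("RelayState", [None])[0],
        "problems": [],
    }
    if url.scheme != "https":
        result["problems"].append("redirect is not HTTPS")
    if url.hostname != expected_idp_host:
        result["problems"].append(f"redirect goes to {url.hostname!r}, not {expected_idp_host!r}")
    if "SAMLRequest" not in query:
        result["problems"].append("no SAMLRequest parameter: this is not a SAML authentication redirect")
        return result

    request = ET.fromstring(decode_redirect_request(query["SAMLRequest"][0]))
    result["issuer"] = request.findtext("saml:Issuer", namespaces=SAML_NS)
    result["acs_url"] = request.get("AssertionConsumerServiceURL")
    if result["issuer"] != expected_issuer:
        result["problems"].append(
            f"Issuer {result['issuer']!r} does not match the local provider name {expected_issuer!r}"
        )
    if result["acs_url"] != expected_acs_url:
        result["problems"].append(
            f"ACS URL {result['acs_url']!r} differs from the one registered in the Google SAML app"
        )
    return result


if __name__ == "__main__":
    print(check_sso_redirect(
        SAMPLE_LOCATION,
        "accounts.google.com",
        "https://SID120",
        "https://fiori.example.com:44300/sap/saml2/sp/acs/100",
    ))
```

To run it against a real system, request `https://<hostname>:<port>/sap/bc/ui2/flp` with a client that does not follow redirects (for example `curl -sI`), and pass the value of the Location header to `check_sso_redirect` together with your local provider name and the ACS URL you entered in the Google Admin console. A mismatch in the Issuer or the ACS URL is the first thing to look for when Google accepts the login but does not recognise the application.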
Hi,
Thanks a lot for the very useful blog!
I may add some hints to make it work correctly:
Without these two hints, the SSO was only working from G-Suite to SAP, but not from SAP sso-url: we were redirected correctly to G-Suite logon, but once logged in, it didn't recognize the application: I think the affiliation name is given by the local provider as the application in G-suite.
Some screenshots of our additional changes for illustrating:
SAML2 configuration complements
SICF dedicated alias configuration
Many thanks, I do appreciate your contribution!
Dear Tim,
Congrats! Thanks for sharing it. Very useful info.