SAP ABAP – SAML2 SSO with Okta IDP using SAP Web-Dispatcher
Most blogs and IdP vendor documents do not explain how to set up SAML2 SSO when the SAP system is reached through SAP Web Dispatcher. In my recent case I set up SAML2 SSO with Okta as Identity Provider through SAP Web Dispatcher, mapping users by their SAP Logon ID rather than by an AD account.
SAP GUI Settings –
The following settings are needed so that web URLs launched from SAP GUI work with SAML2 SSO:
For seamless use of Microsoft Edge as the SAP GUI HTML control, SAP recommends deploying the WebView2 runtime.
- Deploy WebView2 so that the Edge-based HTML control works properly; see the SAP Notes and the Microsoft URL below.
- Work with the client's IT service desk to roll this setting out to all users. Otherwise they will have problems with web-based URLs such as BRF+, SAML2, NWBC, WebGUI and any custom (Z) SICF service.
2901278 – SAP GUI HTML Control based on Chromium Edge: Legacy HTML does not work (correctly) / present limitations
2796898 – New and changed features in SAP GUI for Windows 7.70
3043532 – Web Dynpro application opens always in Internet Explorer (IE11) when called from SAPGUI
https://learn.microsoft.com/en-us/microsoft-edge/webview2/
The rest of this blog gives the information needed to set up SAML2 SSO with Okta as IdP through SAP Web Dispatcher.
- Case 1: SAP system with a single MANDT (SAP client) in use.
1. Use only one browser authentication method, SAML2 or SPNEGO. SAP strongly recommends not running both at the same time.
2. In the Web Dispatcher profile, maintain the backend systems and make sure the MYSAPSSO2 logon ticket cookie is passed through, because all web URLs and Okta tiles go through the /sap/public/myssocntl SICF service.
3. In Tx SPNEGO, deactivate SPNEGO or remove its configuration completely.
4. Maintain the Web Dispatcher entries in table HTTPURLLOC (Tx SE16) in the customer MANDT/client, not in client 000.
5. In Tx SICF, open service saml2 and set the logon procedure so that SAML Logon has priority 1.
6. Apply the Okta-related settings in the SAML2 SP configuration.
Validation required:
Check parameters:
* login/ticket_only_by_https = 1
* login/accept_sso2_ticket = 1
* login/create_sso2_ticket = 2 or 3
Check services (Tx SICF):
* SYSTEMLOGINJS (activate the service)
* saml2 (change the priority of the SAML logon procedure)
* /default_host/sap/bc/webdynpro/sap
* /sap/public/bc/icf/systemloginjs
* /sap/public/bc/pictograms
* /sap/public/bc/ur
* /sap/public/bc/icons
* /sap/public/bc/webdynpro
* /sap/public/bc/webicons
* /sap/public/icf_info/icr_groups
* /sap/public/icf_info/icr_urlprefix
* /sap/public/bc/ping
* /sap/public/myssocntl
* /sap/bc/bsp/sap/system_test
* /sap/bc/webdynpro/sap/configure_application
Check transactions:
* SPNEGO
* SMLG
* RZ12
* STRUST / SSO2
* SNC
Check tables (Tx SE16):
* HTTPURLLOC
You may find that the SAML2 logon screen comes up blank when the backend system is reached through the Web Dispatcher URL. Applying the following SAP Note got us to the next screen:
3037454 – ESI – "Logon is being prepared" when accessing SOAMANAGER
7. Ask your Okta administrator to register the following Assertion Consumer Service (ACS) endpoint URL in the Okta relay mapping:
https://<Public-ALB>:<port>/sap/saml2/sp/acs/123
or
https://<Web-Dispatcher hostname>:<port>/sap/saml2/sp/acs/123
where 123 stands for the customer's MANDT/client of the backend SAP system; substitute the client actually in use.
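As an added check that is not part of the original post: the Python script below parses an ABAP instance profile and flags every SSO2 ticket parameter from the validation list above that is missing or set to a value outside the allowed set, and it builds the per-client ACS URL from step 7. The profile text, host name and port are constructed placeholders, not values from the system described here. It reads the profile file only; a value changed dynamically in RZ11 is not visible in the file, so confirm the active value there as well.

```python
"""Added check: verify the SSO2 logon-ticket profile parameters and build the per-client ACS URL."""
import re

# Allowed values for the parameters from the validation list above.
# login/create_sso2_ticket may be 2 or 3; the other two must be 1.
REQUIRED = {
    "login/ticket_only_by_https": {"1"},
    "login/accept_sso2_ticket": {"1"},
    "login/create_sso2_ticket": {"2", "3"},
}

# Constructed sample instance profile (not from a real system):
# one parameter has the wrong value and one is missing altogether.
SAMPLE_PROFILE = """\
# Instance profile, constructed example
SAPSYSTEMNAME = ABC
INSTANCE_NAME = D00
login/ticket_only_by_https = 0
login/accept_sso2_ticket = 1
icm/server_port_0 = PROT=HTTPS,PORT=44300
"""

# "name = value"; the value may itself contain '=' (e.g. icm/server_port_0).
_PARAM_LINE = re.compile(r"^([^#=\s]+)\s*=\s*(.*?)\s*$")


def parse_profile(text):
    """Return {parameter: value} from profile text. Comment lines start with '#';
    a parameter that appears twice keeps the last value."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _PARAM_LINE.match(line)
        if match:
            params[match.group(1)] = match.group(2)
    return params


def check_sso2_parameters(params, required=REQUIRED):
    """Return [(parameter, actual_value_or_None, allowed_values)] for every
    parameter that is missing or outside its allowed set. Empty list = all good."""
    findings = []
    for name, allowed in required.items():
        actual = params.get(name)
        if actual not in allowed:
            findings.append((name, actual, " or ".join(sorted(allowed))))
    return findings


def acs_url(host, port, client):
    """Assertion Consumer Service URL to register at the IdP for one SAP client (step 7).
    The last path segment is the three-digit client whose SP configuration is used."""
    if not (client.isdigit() and len(client) == 3):
        raise ValueError("SAP client must be a three-digit number, e.g. '100'")
    return f"https://{host}:{port}/sap/saml2/sp/acs/{client}"


if __name__ == "__main__":
    for name, actual, allowed in check_sso2_parameters(parse_profile(SAMPLE_PROFILE)):
        print(f"{name}: found {actual!r}, expected {allowed}")
    # Assumed host name and port; substitute the public ALB or Web Dispatcher host.
    print(acs_url("webdispatcher.example.com", "44300", "123"))
```

Run it against the instance profile of each application server behind the Web Dispatcher; the ACS URL must be registered once per client that has its own SAML2 SP configuration.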
- Case 2: SAP system with multiple MANDTs (SAP clients) in use.
Our customer hit an issue where SAML2 SSO worked in only one of three clients. The fix was to import the Okta certificate in all three clients after every activation. See the following SAP Note for details:
3095581 – SAML2.0 ABAP: SAML authentication only works in one client despite SAML is configured in multiple clients
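For the multi-client case, what a practitioner wants to know is whether every client still trusts the certificate Okta currently signs with. The following Python example, added here and not part of the original post, extracts the signing certificate(s) from an IdP metadata document, fingerprints them, and reports the clients whose recorded fingerprint matches none of them. The metadata document is constructed and its X509Certificate body is a placeholder blob rather than a real certificate; the per-client fingerprints in the usage call are likewise assumed inputs (take the real ones from the trusted provider's certificate in Tx SAML2 in each client).

```python
"""Added check: compare the IdP's current signing certificate with what each SAP client trusts."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed IdP metadata (not Okta's real metadata). The X509Certificate body is a
# placeholder base64 blob, not a real X.509 certificate.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://www.okta.com/exk-example">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>
          QUJDREVGR0hJSktMTU5PUA==
        </ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/example/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def idp_signing_certs(metadata_xml):
    """Return (entityID, [DER bytes of each signing certificate]) from IdP metadata.
    KeyDescriptors marked use="encryption" are skipped; a KeyDescriptor without a
    'use' attribute applies to signing as well, so it is kept."""
    root = ET.fromstring(metadata_xml)
    entity_id = root.get("entityID")
    certs = []
    for kd in root.findall(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            b64 = "".join((cert.text or "").split())  # drop line breaks and indentation
            certs.append(base64.b64decode(b64))
    return entity_id, certs


def fingerprint(der, algo="sha256"):
    """Colon-separated upper-case hex digest of the DER certificate bytes."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def clients_out_of_sync(metadata_xml, client_fingerprints, algo="sha256"):
    """client_fingerprints: {client: fingerprint of the IdP certificate that client trusts}.
    Returns the clients whose trusted certificate is not among the IdP's current
    signing certificates, i.e. the clients that will fail SAML logon after a rotation."""
    _, certs = idp_signing_certs(metadata_xml)
    current = {fingerprint(c, algo) for c in certs}
    return sorted(client for client, fp in client_fingerprints.items() if fp not in current)


if __name__ == "__main__":
    entity_id, certs = idp_signing_certs(SAMPLE_METADATA)
    current_fp = fingerprint(certs[0])
    print(entity_id, current_fp)
    # Assumed per-client fingerprints: clients 100 and 200 were updated, 300 was not.
    trusted = {"100": current_fp, "200": current_fp, "300": "AA:BB:CC:DD"}
    print("clients needing the new certificate:", clients_out_of_sync(SAMPLE_METADATA, trusted))
```

Okta publishes more than one signing certificate during a rotation, which is why the check accepts any of the current certificates rather than exactly one.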
- Case 3: In a hub or embedded Fiori setup, the first-level authentication through SAML2 SSO works, but when the launchpad navigates to another Fiori URL internally the user is prompted for username and password and SSO does not work. See the following SAP Note for details and the fix:
2051210 – Fragments in HTTP URLS are not handled after SAML 2.0 authentication
This completes the SAML2 SSO setup with Okta as IdP through SAP Web Dispatcher.
Best Regards,
Ashish Verma
Nice read! Thank you for this blog.
Thanks a lot, Badri 🙂
Hi Ashish
Thank you for putting this together!
I had a few questions as we explore access to the SAP system via Okta. With the above settings, would users get access to SAP systems in SAP GUI using their Okta credentials or their SAP ABAP credentials?
Thanks Shradha, this is a great question!
It would be Okta credentials. Reason: because we are setting up SSO using Okta as IdP, we are getting rid of ABAP credentials here.
In my current case/client, the end users never have their ABAP credentials. They simply log in to the Okta site with their Okta credentials and select/click the tile prepared for their ABAP system; in the backend the Okta relay mapping setting recognizes the host details of your ABAP settings and directly opens the SAP Logon pad from SAP Logon GUI, which holds the host details (incl. SID and instance no.). This makes the SAP logon procedure smooth and passwordless.
Also, if you go through the blog in depth, we have maintained Logon ID as "User ID Mapping Mode" in SAML2 settings. I have highlighted it in Yellow in one of the screenshots.
Please feel free to ask any question and I'll try to answer them.
Best Regards,
Ashish Verma