Single Sign On – SAML Configuration for Fiori Application using Azure Enterprise
Step-by-step configuration instructions for single sign-on to an SAP Fiori application with Azure AD.
SSL must be configured first, before SAML 2.0 authentication is configured.
Activating the Services
1. Go to transaction SICF and enable the services below.
2. On the Maintain Services page, enter one of the service names from the list.
3. Right-click the service in the tree view and select Activate Service.
4. When prompted to activate the service, click Yes with the tree option.
Enable SAML2 Local Provider Setting
1. Run transaction SAML2 or open the URL.
Note: If you want to use the Web Dispatcher, open the SAML2 URL through the Web Dispatcher URL.
2. Click Enable SAML 2.0 Support and select “Create SAML 2.0 Local Provider”.
3. Enter the provider name https://<SID>CLNT<CLIENT_NO> on the Initial Settings screen and click Next.
4. Choose Automatic as the Selection Mode on the Service Provider Settings screen and select Finish.
5. After you click Finish, you are redirected to the Configuration page.
6. Click the Metadata button to open the metadata download pop-up, then select Download Metadata. Make sure browser pop-ups are allowed.
7. Now the RPT can be performed in the Azure enterprise application, either by uploading the metadata.xml file directly or by entering the details manually in the enterprise application for Fiori.
8. Provide the Fiori sign-on URL in the configuration and click Save.
9. Configure the following user attributes and claims for the application. To manage these attribute values, select Edit and set the Name identifier to Unspecified and the source attribute to user.onpremisesamaccountname.
10. The signing certificate and the federation metadata can now be downloaded from the SAML Certificates section.
11. Next, open transaction SAML2 and click the Trusted Providers tab.
12. Select Upload Metadata File.
13. Upload the federation metadata XML downloaded in step 10.
14. In the next step, Metadata Verification, upload the federation certificate downloaded in step 10 and click Next.
15. In the Signature and Encryption step, choose the digest algorithm.
16. In Authentication Requirements, choose the options shown and click Finish.
17. Click Edit, then Add, select Unspecified, and save the setting as shown.
18. Click Enable to activate the configuration.
19. Go to transaction SICF, enter the service name or external alias (for example /sap/bc/ui2/flp) and open the service.
20. Select the Logon Data tab, choose Alternative Logon Procedure, set SAML Logon to 1 and save.
21. Test the service by opening the Fiori URL in the browser.
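Before uploading the federation metadata and certificate from Azure into the Trusted Providers wizard, it is worth confirming that the two files belong together and that the metadata advertises the Unspecified name-identifier format chosen above. The following Python script is an added example, not part of this guide or of SAP's or Microsoft's tooling; it uses a constructed metadata document with a placeholder tenant id and fake certificate bytes, and it checks the separately downloaded certificate against the signing certificates embedded in the metadata by SHA-256 fingerprint.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed stand-in for the federation metadata Azure exports: the tenant id is a
# placeholder and the certificate bytes are NOT a real X.509 certificate.
FAKE_CERT_DER = b"constructed-certificate-bytes-not-a-real-x509"
FEDERATION_METADATA = f"""<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
        <X509Certificate>{base64.b64encode(FAKE_CERT_DER).decode()}</X509Certificate>
      </X509Data></KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()  # SHA-256 over the DER bytes

def inspect_idp_metadata(xml_text: str) -> dict:
    """Pull the values the Trusted Providers wizard relies on out of the IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
           if s.get("Binding") == REDIRECT]
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no "use" attribute means signing and encryption
            for c in kd.iter(f"{{{NS['ds']}}}X509Certificate"):
                certs.append(fingerprint(base64.b64decode("".join(c.text.split()))))
    return {
        "entity_id": root.get("entityID"),
        "sso_redirect_url": sso[0] if sso else None,
        "supports_unspecified_nameid": UNSPECIFIED in [n.text for n in idp.findall("md:NameIDFormat", NS)],
        "signing_cert_fingerprints": certs,
    }

def certificate_matches_metadata(der: bytes, xml_text: str) -> bool:
    # True only when the downloaded certificate is one the metadata lists for signing
    return fingerprint(der) in inspect_idp_metadata(xml_text)["signing_cert_fingerprints"]
```

Run it against the real files by reading the downloaded metadata XML into `xml_text` and the downloaded certificate (DER, or PEM decoded to DER) into `der`; a mismatch means the wizard's Metadata Verification step will be checking against the wrong certificate.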