Skip to Content
Technical Articles
Author's profile photo Ipsita Behera

SSO of S/4HANA and Okta with SAP IAS as Proxy

The SSO for S/4HANA Rise system for various connections can be a daunting task in the initial phase of a project.  The best practices for SSO in S/4HANA Rise environment can be found in this blog post  ,which describes various SSO approaches available for S/4HANA Rise (Private Edition )

In this blog we have consolidated various SAP knowledge resources and lesson learnt for connection of S/4HANA (Rise Private edition) with Okta using SAP IAS as Proxy.

1        System Considerations:

  • Backend is S/4HANA Rise Private Edition
  • SAP Cloud Identity Services ( SAP IAS/IPS)
  • SAP BTP ( In case auto provision of users is required from S/4HANA to SAP IAS)
  • Okta

2        Scenario

  • The below use case is IdP Initiated SSO for SAP Fiori using Okta

3        Process to Integrate S/4HANA to SAP IAS

The whitepaper for the process is mentioned in

Few considerations while performing the setups are

  • While creating the application in IAS, please upload the meta data of S/4HANA using web dispatcher /LB URL if they are in place as per architecture.
  • Add Fiori URL as one of the Assertion Consumer Service Endpoints in IAS tenant (This will be used in okta configuration as index number)

Example : https://<Load Balancer URL>/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html?sap-client=<Client Number>&sap-language=EN


  • The Subject Name Identifier in IAS for the S/4HANA application should be set to email in case using the same in Okta for user identification

  • We can upload IAS meta data in S/4HANA instead of manually creating the trusted providers
  • Few parameters to make sure are present in S/4HANA SAML2 Config are

In Local Provider –> Service Provider Setting


In Trusted providers –> Identity Federation

User ID Mapping Mode is set to email in case okta is using email to verify the identity of the user



In Trusted provider –>  Signature and Encryption


  • In case of using any alias for Fiori URL, please change the login method for the alias also in sicf : In our case we were using /sap/bc/ui5_ui5/ui2/ushell/shells/abap as alias for /default_host/sap/bc/ui2/flp

  • For the sicf services, SAML should be the preferred method under Logon Procedure List as well

4        Connect Okta to Identity Authentication

Blog which can be followed to perform the initial setups is

  • As our use case is IDP initiated the following URL can be used at Okta end

Single Sign on URL : https://<XXXXXX><XXXXXX><ProviderName>&index=1

Request able SSO URLs : https://<XXXXXX><XXXXXX>

Recipient URL and Destination URL:


Audience Restriction  :  https://<XXXXXX>


https://<XXXXXX>  :Tenent URL for SAP IAS ( Can be found under tenant setting –>  Identity provider setting –> Name )

sp=<ProviderName> :  This is the provider name in SAML2 config in S/4HANA which reflect under the application in IAS as well

index=1 : This index number is derived from the index number of Fiori UI in the Assertion Consumer Service Endpoints section of application in IAS


5        Make Okta as Corporate IdP for S/4HANA in IAS

  • Go to SAP IAS –>  Application –> Click on Application Name –> Conditional Authentication

With these setup, you should be able to create tile in okta which will provide SSO functionality to S/4HANA web based URL such as Fiori .

In a upcoming blog post, we can share how to auto provision users from S/4HANA to SAP Cloud Identity services .


Additional resources:

2689013: How to configure SAML2 with SAP Fiori Launchpad and Web Dispatcher

2943651: How to configure Okta as corporate identity provider with Identity Authentication

2693814: Service Provider does not match specified audience in the SAML2Assertion

2332686: SAML2.0 No RelayState mapping found for RelayState value






Assigned Tags

      Be the first to leave a comment
      You must be Logged on to comment or reply to a post.