SAML2 Made Easy - Step by Step Guide: SAML2 Configuration for SAP Fiori / S/4HANA

 

SAML2 configuration for a Fiori system reached through SAP Web Dispatcher, with a third-party portal or Active Directory as the identity provider

SP : Service Provider – the SAP systems (here the Fiori front-end server)

IDP : Identity Provider – the non-SAP portal or Active Directory (AD)

Reference SAP Notes:

2485474 - How to configure SSO from Fiori Launchpad to a back-end system with logon ticket

2740052 - Which paths are necessary to configure Web Dispatcher for Fiori Launchpad scenarios

Prerequisites

(A) Add the Fiori system to the Web Dispatcher profile (MSPORT is the message server HTTP port; SRCURL lists the paths routed to this system, including the SAML2 configuration and metadata paths used in the steps below)

wdisp/system_0 = SID=<Fiori SID>, MSHOST=<Fiori host>, MSPORT=8101, SRCSRV=*:<srcport>,SRCURL=/sap/bc/webdynpro/sap/saml2;/sap/saml2/sp/metadata;/sap/saml2;/sap/public/bc/themes;/sap/public/bc/ui2/logon;/sap/public/bc/ui2/services;/sap/vui/;/sap/bc/ping/;/sap/bc/lrep;/sap/bc/ui2/;/sap/bc/ui2/flp/;/sap/bc/ui5_ui5/;/sap/opu/odata/;/sap/bw/ina;/sap/opu/odata4/;/sap/resources/sap/ushell/;/sap/bc/webdynpro/sap/dba_cockpit;/sap/bc/webdynpro/sap/sec_diag_tool,SSL_ENCRYPT=1,SSL_IGNORE_HOST_MISMATCH=true

SSL_IGNORE_HOST_MISMATCH=true makes the Web Dispatcher accept a back-end TLS certificate whose name does not match the host it connects to. That is convenient in a lab, but in production the back-end certificate should match the host so the option can be removed; with it set, the encrypted hop to the Fiori system is not authenticated.

(B) Activate the WebGUI, Web Dynpro and SAML2 services in transaction SICF in the Fiori system

1. /default_host/sap/bc/webdynpro

2. /default_host/sap/bc/gui/sap/its/webgui

3. /default_host/sap/public/bc/sec/saml2

4. /default_host/sap/public/bc/sec/cdc_ext_service

5. /default_host/sap/public/bc/ur

(C) Set the following profile parameters in the Fiori system

1. login/ticket_only_to_host = 0 (the MYSAPSSO2 cookie is issued for the DNS domain rather than only for the issuing host, so the S/4HANA system in the same domain receives it)

2. login/create_sso2_ticket = 2 (the Fiori system issues logon tickets after authentication; required for the back-end SSO in (E))

(D) Set the following profile parameter in the S/4HANA system

1. login/accept_sso2_ticket = 1 (accept logon tickets from the issuing systems it trusts)

(E) Set up logon-ticket SSO between the Fiori front-end server and the S/4HANA back end before configuring SAML2 (the S/4HANA system must trust the Fiori system's ticket-signing certificate); follow SAP Note 2485474.

(F) SAML2 Configuration

1. In SICF, on the Logon Data tab of the required service, set the procedure to "Use All Logon Procedures" so that SAML2 is accepted alongside the existing logon methods.
 

2. Run transaction SAML2 in the Fiori system. It opens the SAML 2.0 configuration application (Web Dynpro application /sap/bc/webdynpro/sap/saml2, one of the paths routed in (A)) and shows the URL it uses.

3. Open that URL in a browser.

4. Replace the Fiori host and port in the URL with the Web Dispatcher host and port. The system builds the service provider endpoint URLs in the metadata from the host and port under which the configuration application is accessed, so they must name the host the IdP and end users will reach, not the internal Fiori host.

5. Log in with a Fiori system user ID and password.

6. Log in to the client in which SAML2 is to be configured.

Here the client is 320.

 


7. Click Create SAML 2.0 Local Provider.

8. In Initial Settings enter the Provider Name, e.g. SAML_<SID>_<Client>. This name becomes the service provider entity ID that the IdP will trust, so keep it unique per system and client.


Click Next.

9. General Settings: set Tolerance to 120 seconds. This is the clock skew allowed between the Fiori system and the IdP when the assertion validity window is checked. Keep both sides NTP-synchronised rather than raising the tolerance, since a larger window also lengthens the time a captured assertion remains usable.


10. Service Provider Settings

     Selection Mode: Manual (determines how the identity provider is chosen when more than one trusted provider is configured)


11. After Next, the wizard shows the signing and encryption key pairs it has created for the local provider in the Fiori system.

12. To verify them, log in to the Fiori system and check transaction STRUSTSSO2.


13. Leave the Authentication Contexts at their defaults.

14. Service Provider Settings

      Set Legacy Systems Support to On and set the Default Application Path to /sap/bc/ui2/flp. With legacy support on, the Fiori system also issues a logon ticket after the SAML logon, which is what the S/4HANA back end trusts via (E); the default application path is where a user lands after logon when the request carries no target.


15. Click Metadata and download the service provider metadata XML. This file (entity ID, assertion consumer service URLs, signing and encryption certificates) is what the AD or portal team imports on the IdP side.

If the download fails with 403 Forbidden:

Activate the services /sap/public/bc/sec/saml2 and /sap/public/bc/sec/cdc_ext_service in SICF.

 

16. Click Trusted Providers and upload the metadata received from the non-SAP portal team or AD team. The metadata contains the IdP signing certificate that the Fiori system will trust for every assertion, so obtain it over an authenticated channel (the IdP's HTTPS metadata URL or a verified hand-off), not from an unverified e-mail attachment.

17. Select the provider name (the IdP entity ID) as given by the AD team.

18. The remaining fields are populated automatically from the metadata.

19. Under Single Sign-On Endpoints, select the default binding, HTTP-POST or HTTP-Redirect, that the IdP supports (confirm with the customer or IdP team which endpoint and binding they use).





20. Click Finish.

Open Identity Federation and add the supported NameID format.

Here E-mail is used as the NameID: the IdP sends the user's e-mail address as the assertion subject, and the Fiori system maps it to the ABAP user whose e-mail address in SU01 matches, so that address must be maintained and unique per user.

Click Save, then Enable.

Once enabled, the trusted provider is shown in green.

Repeat the above steps for every client that uses SAML2.
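As an added example that is not part of the original post and not SAP's own tooling, the Python script below performs the checks worth running on the two metadata files exchanged in steps 15 to 19 and on the NameID choice in step 20: it parses the SP metadata, flags any assertion consumer service URL that is not on the Web Dispatcher host (the mistake step 4 warns about) or whose path is not covered by an SRCURL entry in (A), confirms signing and encryption certificates are present, and from the IdP metadata extracts the entity ID for step 17, picks the HTTP-POST or HTTP-Redirect endpoint for step 19 and lists the NameID formats. The host names, the wdisp/system_0 value, the ACS path and both metadata documents are constructed for illustration; only the SAML binding and NameID-format URNs are real.

```python
"""Added example (not SAP code): sanity-check SAML 2.0 SP and IdP metadata.

Host names, the wdisp/system_0 value, the ACS path /sap/saml2/sp/acs/<client>
and both metadata documents are constructed; the SAML URNs are the real ones.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

WDISP_HOST = "wd.example.com"  # constructed Web Dispatcher host
# Constructed wdisp/system_0 value, trimmed to the SAML-relevant SRCURL entries.
WDISP_LINE = ("SID=FI1, MSHOST=fiori.internal, MSPORT=8101, SRCSRV=*:44300,"
              "SRCURL=/sap/bc/webdynpro/sap/saml2;/sap/saml2/sp/metadata;"
              "/sap/saml2;/sap/bc/ui2/flp/,SSL_ENCRYPT=1")

# Constructed SP metadata. The second ACS deliberately carries the internal
# Fiori host (the mistake step 4 warns about) so the check below reports it.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="SAML_FI1_320">
 <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   MIIC...constructed-sp-signing-cert...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   MIIC...constructed-sp-encryption-cert...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:AssertionConsumerService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://wd.example.com:44300/sap/saml2/sp/acs/320"/>
  <md:AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://fiori.internal:44300/sap/saml2/sp/acs/320"/>
 </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed IdP metadata in the shape an AD FS or portal team would hand over.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/adfs/services/trust">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   MIID...constructed-idp-signing-cert...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
  <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://idp.example.com/adfs/ls/"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://idp.example.com/adfs/ls/"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def srcurl_prefixes(wdisp_line):
    """Path prefixes listed in SRCURL= of a wdisp/system_N profile value."""
    for part in wdisp_line.split(","):
        key, _, val = part.strip().partition("=")
        if key == "SRCURL":
            return [p for p in val.split(";") if p]
    return []


def check_sp_metadata(xml_text, wdisp_host, wdisp_line):
    """Flag SP endpoints the IdP and browsers could not reach through Web Dispatcher."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    prefixes = srcurl_prefixes(wdisp_line)
    findings = []
    for ep in sp.findall("md:AssertionConsumerService", NS):
        url = urlparse(ep.get("Location"))
        if url.hostname != wdisp_host:
            findings.append(f"ACS on {url.hostname}, not the Web Dispatcher host "
                            f"{wdisp_host}: reopen SAML2 via the dispatcher URL (step 4)")
        if not any(url.path.startswith(p) for p in prefixes):
            findings.append(f"ACS path {url.path} is not covered by any SRCURL entry")
    uses = {k.get("use") for k in sp.findall("md:KeyDescriptor", NS)}
    if "signing" not in uses:
        findings.append("no signing certificate in SP metadata")
    return {"entity_id": root.get("entityID"), "key_uses": uses, "findings": findings}


def check_idp_metadata(xml_text):
    """What steps 17-20 need: entity ID, SSO endpoint per binding, NameID formats, certs."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    # A KeyDescriptor without 'use' is valid for both signing and encryption.
    signing = [k for k in idp.findall("md:KeyDescriptor", NS) if k.get("use") in (None, "signing")]
    return {"entity_id": root.get("entityID"),
            "sso": {ep.get("Binding"): ep.get("Location")
                    for ep in idp.findall("md:SingleSignOnService", NS)},
            "nameid_formats": [n.text.strip() for n in idp.findall("md:NameIDFormat", NS)],
            "signing_certs": len(signing)}


def choose_sso_endpoint(idp_info, preferred=POST):
    """Binding and URL to enter as the SSO endpoint (step 19); POST unless the IdP lacks it."""
    for binding in (preferred, POST, REDIRECT):
        if binding in idp_info["sso"]:
            return binding, idp_info["sso"][binding]
    raise ValueError("IdP metadata advertises neither an HTTP-POST nor an HTTP-Redirect endpoint")


if __name__ == "__main__":
    sp = check_sp_metadata(SP_METADATA, WDISP_HOST, WDISP_LINE)
    idp = check_idp_metadata(IDP_METADATA)
    print(sp["entity_id"], sorted(sp["key_uses"]), *sp["findings"], sep="\n")
    print(idp["entity_id"], choose_sso_endpoint(idp), EMAIL_NAMEID in idp["nameid_formats"])
```

Run it against the real files by replacing the two constructed documents with the downloaded SP metadata and the IdP metadata received in step 16, and WDISP_LINE with the wdisp/system_N value from the Web Dispatcher profile; an empty findings list for the SP side and an e-mail NameID format on the IdP side are the conditions the remaining steps assume.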

 

Please provide your valuable comments if this was useful.

 

Comments

  1. Fantastic document! Very helpful.

  2. Very useful documentation. Thanks mate 👍

  3. All the steps are described in detail and with screenshots. Really good documentation.
