SAML2 Made Easy-Step by Step guide: SAML2 configuration for SAP Fiori / S/4 HANA
SAML2 configuration in Fiori system via web dispatcher with 3rd party portal
SP: Service Provider – the SAP systems
IDP: Identity Provider – a non-SAP portal or AD
Reference Notes:
2485474 - How to configure SSO from Fiori Launchpad to a back-end system with logon ticket
2740052 - Which paths are necessary to configure Web Dispatcher for Fiori Launchpad scenarios
Pre Requisites
(A) Add the system in Web dispatcher
wdisp/system_0 = SID=<Fiori SID>, MSHOST=<Fiori host>, MSPORT=8101, SRCSRV=*:<srcport>,SRCURL=/sap/bc/webdynpro/sap/saml2;/sap/saml2/sp/metadata;/sap/saml2;/sap/public/bc/themes;/sap/public/bc/ui2/logon;/sap/public/bc/ui2/services;/sap/vui/;/sap/bc/ping/;/sap/bc/lrep;/sap/bc/ui2/;/sap/bc/ui2/flp/;/sap/bc/ui5_ui5/;/sap/opu/odata/;/sap/bw/ina;/sap/opu/odata4/;/sap/resources/sap/ushell/;/sap/bc/webdynpro/sap/dba_cockpit;/sap/bc/webdynpro/sap/sec_diag_tool,SSL_ENCRYPT=1,SSL_IGNORE_HOST_MISMATCH=true
(B) Activate the webgui and webdynpro services in SICF in the system
1. /default_host/sap/bc/webdynpro
2. /default_host/sap/bc/gui/sap/its/webgui
3. /sap/public/bc/sec/saml2
4. /sap/public/bc/sec/cdc_ext_service
5. /sap/public/bc/ur
(C) Set the below parameters in the Fiori system
1. login/ticket_only_to_host = 0
2. login/create_sso2_ticket = 2
(D) Set the below parameter in the S/4 HANA system
1. login/accept_sso2_ticket = 1
(E) Set up SSO between S/4 HANA and Fiori before the SAML2 configuration:
Reference Note - 2485474
(F) SAML2 Configuration
1. Enable the "Use All Logon Procedures" checkbox for the required service
2. Run transaction SAML2 in the Fiori system
3. Open the link shown in the transaction in a browser
4. Replace the Fiori host and port in the link with the Web Dispatcher host and port
5. Log in with the Fiori system user ID and password
6. Log in to the client in which you need to configure SAML2
Here the client is 320
7. Click on Create SAML 2.0 Local Provider
8. In the Initial Settings provide the Provider Name, e.g. SAML_<SID>_<Client>
Click on Next
9. General Settings: Tolerance 120 sec
10. SP: Service Provider Settings
Selection Mode: Manual
11. Once you click on Next the below screen will appear and you can see the signature and encryption keys created in the Fiori system.
12. To check, log in to the Fiori system and use transaction STRUSTSSO2
13. Leave the Authentication Context as it is
14. Service Provider Settings
Set Legacy Systems Support to On and provide the Default Application Path /sap/bc/ui2/flp
15. Click on Metadata. (This needs to be shared with the AD team)
If the error is 403 Forbidden:
Activate the services /sap/public/bc/sec/saml2 and /sap/public/bc/sec/cdc_ext_service
16. Click on Trusted Providers and upload the metadata received from the non-SAP portal team or AD team
17. Select the provider name as given by the AD team
18. All the details will be filled in automatically from the metadata
19. Select the Post or Redirect binding in the Single Sign-On Endpoint. (Consult with the customer to know the redirection endpoint)
20. Click on Finish
Click on Identity Federation and add the Supported NameID Format
Here Email is used as the Name ID
Click on Save and Enable
Once enabled it will show as green
Do the above steps for all clients.
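Before handing the metadata from step 15 to the AD team, it is worth checking that the exported SP metadata actually reflects step 4 (every endpoint on the Web Dispatcher host, not the internal Fiori host), that an HTTP-POST AssertionConsumerService exists for the binding chosen in step 19, and that the Email NameID format from the Identity Federation step is advertised. The following checker is an added example, not part of this guide or of SAP's tooling; the metadata document, the host names and the entityID SAML_FIO_320 are constructed placeholders.

```python
"""Sanity-check an exported SAML 2.0 SP metadata file for the host mismatch
that occurs when the SAML2 wizard was opened via the Fiori host instead of
the Web Dispatcher host. Added example; sample data is constructed."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample of an SP metadata export: one ACS endpoint still
# carries the internal Fiori application server instead of the dispatcher.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="SAML_FIO_320">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://webdisp.example.com:44300/sap/saml2/sp/acs/320"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://fiorihost.internal:8101/sap/saml2/sp/acs/320"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def check_sp_metadata(xml_text, expected_host):
    """Return a list of problems; an empty list means the metadata is
    consistent with the Web Dispatcher setup described in the guide."""
    problems = []
    sp = ET.fromstring(xml_text).find("md:SPSSODescriptor", NS)
    if sp is None:
        return ["no SPSSODescriptor element"]
    acs_list = sp.findall("md:AssertionConsumerService", NS)
    # Step 19: the IdP will post the assertion, so a POST ACS must exist.
    if not any(a.get("Binding") == POST for a in acs_list):
        problems.append("no HTTP-POST AssertionConsumerService")
    # Step 4: every ACS must be reachable through the dispatcher over TLS.
    for acs in acs_list:
        url = urlparse(acs.get("Location", ""))
        if url.scheme != "https":
            problems.append(f"ACS index {acs.get('index')} is not https")
        if url.hostname != expected_host:
            problems.append(f"ACS index {acs.get('index')} points at "
                            f"{url.hostname}, expected {expected_host}")
    # Identity Federation step: Email must be an advertised NameID format.
    if EMAIL_FMT not in [n.text for n in sp.findall("md:NameIDFormat", NS)]:
        problems.append("emailAddress NameID format not advertised")
    return problems


if __name__ == "__main__":
    for p in check_sp_metadata(SAMPLE_METADATA, "webdisp.example.com"):
        print("PROBLEM:", p)
```

Run it against the real export (replace SAMPLE_METADATA with the file contents and the expected host with the dispatcher's FQDN); any reported problem means the wizard should be redone through the Web Dispatcher URL before the IdP side is configured.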
Provide your valuable comments if this is useful.
Fantastic document! Very helpful.
Very useful documentation. Thanks mate👍
All the steps are described in detail and with screenshots. Really good documentation.