
Fiori SAML AD

Former Member
0 Kudos

Hi,

I have a Fiori ABAP based system connected to ECC backend. The apps need to be accessed from inside the network. What would be the best architecture to enable SSO?

From the docs I have read, I think there should be another AS Java system which should integrate between AD and Fiori - probably configure SAML steps as mentioned in ?

But how do I set up the "identity provider" or, in my language, integration with AD? What add-ons do I need on the NetWeaver AS JAVA box to enable this?

Thanks in advance.

Accepted Solutions (0)

Answers (1)

donka_dimitrova
Contributor
0 Kudos

Hello Jim,

In order to implement this scenario you need a SAML Identity Provider. The SAML Identity Provider coming with the SAP Single Sign-On product (license required) is the one that you have to deploy on the AS Java Server in order to integrate your MS AD.


Regards,

Donka Dimitrova

Former Member
0 Kudos

Many thanks Donka.

So, is this configuration done in 2 steps?

1) The mobile device setup (based on the link in my first post) on the AS JAVA server, where SAP SSO component is installed.

2) Integration of AS JAVA server with AD (active directory) where the SSO component is installed.

Is this correct? If it is, can you please let me know if there are any guides/notes for the integration of AD using the SSO add-on? The ultimate intention is to have the Fiori apps with AD authentication.

Thanks,

Former Member
0 Kudos

+ in addition to my last comment:

I also see usage of "Secure Login Server". Is that needed? Thanks.

donka_dimitrova
Contributor
0 Kudos

Hello Jim,

If you also want to implement Mobile SSO for SAP Fiori, you can use SAP Single Sign-On and the Mobile SSO solution based on One-Time Passwords and SAML. This scenario is also available for the SAP Fiori Client (native mobile app).

Here you will be able to find more details on how to implement this scenario step-by-step:

For this scenario you do not need the Secure Login Server.

Regards,

Donka Dimitrova

Former Member
0 Kudos

Hi Donka

I hope you are doing well.

Can it work with a federated IDP like SAP FIORI SP -> SAP NW JAVA IDP -> NW JAVA SP -> Siteminder IDP?

My company policy is to challenge any external access at DMZ through Siteminder ONLY.

Please advise.

Thank you

Santosh Lad

donka_dimitrova
Contributor
0 Kudos

Hi Santosh,

Yes, it is possible via the "SAML proxy" scenario if Siteminder supports this scenario. Maybe you remember that we discussed this scenario with you last year via e-mail. You have to make sure that the implementation is following the IDP-initiated configuration. SAP SAML IDP will have to call the SP side of the non-SAP solution (Siteminder) and then the IDP side of the non-SAP solution (Siteminder) will have to call Fiori (AS ABAP SP).

Regards,

Donka Dimitrova

Former Member
0 Kudos

Hi Donka, Thanks for all the information.

I am still not understanding this clearly. When a box with NW SSO is implemented, will it replace the AD and act as the LDAP or user repository? How do the users from AD sync to NW SSO?

Former Member
0 Kudos

I am still not understanding this clearly. When a box with NW SSO is implemented, will it replace the AD or ADFS and act as the LDAP or user repository? How do the users from AD sync to NW with SSO?

Former Member
0 Kudos

Sorry, Donka, can you please let me know a little more detail?

I have installed SSO on the AS JAVA system. I know I have to work on the Mobile SSO as you mentioned in your post.

What do I need to do to sync with my AD? Is this the same as the SPNEGO config? I am confused about the role of the SAP Single Sign-On product over SPNEGO. Thanks for your help.

former_member182254
Active Participant
0 Kudos

Hello Jim,

No, you don't need to enable SPNEGO. You need to configure the User Management Engine (UME) of your AS Java system to read the users and groups from Active Directory. Check the following documentation for details - http://help.sap.com/saphelp_nw74/helpdata/en/12/7678123c96814bada2c8632d825443/frameset.htm.

Regards,

Dimitar

Former Member
0 Kudos

Many thanks Dimitar. I was waiting for some info on this for a long time.