Skip to Content

SAML2 in flp and enterprise search


We have a Fiori frontend system FES and an S/4 backend DS4.

Saml2 has been setup and its working ok, if you access the systems on their own fqdn.

We are now setting up the enterprise search in the web dispatcher.

For each SAP system we created an fqdn on the enduser domain that ends up at the webdispatcher. The landscape would look something like this: = dev abap 7.52 fiori gateway server = dev S4 backend system

In my webdisp I than create these systems, like

#----------------------------------------------------------------------- # Back-end system configuration #-----------------------------------------------------------------------

wdisp/system_0 = SID=SRC,, NR=00, MSPORT=8101, SRCURL=/sap/es/ina/;/ENTERPRISE_SEARCH/,, SSL_ENCRYPT=1

wdisp/system_1 = SID=FES,, NR=00, MSPORT=8101,, SSL_ENCRYPT=1

wdisp/system_2 = SID=DS4,, NR=00, MSPORT=8101,, SSL_ENCRYPT=1

wdisp/system_conflict_resolution = 1

........ (and the other stuff in the profile)

This works ok for the Fiori launchpad (FLP), but not for the Enterprise search setup.

FLP would be accessed on the url, this works ok.

Enterprise search would be accessed on the url

but the SAML2 token of the FES system would be offerd to the DS4 system, so you get a popup for logon.

So how to get the Enterprise working with SAML2 and a separate backend S4 system?

Thanks for your help

Sander van Gemert

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

4 Answers

  • Best Answer
    Mar 29, 2018 at 10:57 AM

    Seems in the end the solution is quite simple describes the issue and soluiton

    When using SAML2 the ABAP doesnt create MYSAPSSO2 tokens, by default. So, accessing something on a different ABAP system doesnt provide the token to the backend.

    By settting parameter "Legacy System Support" to "On" in the SAML2 config of the ABAP Frontend server fixes the issue.

    Add comment
    10|10000 characters needed characters exceeded

  • Feb 26, 2018 at 05:54 PM

    If you have access to SAP KBA's, please try looking at KBA 2490978 as it describes your issue.


    Add comment
    10|10000 characters needed characters exceeded

  • Feb 26, 2018 at 05:58 PM

    Hello Sander,

    I'm not aware of the tag, but you may want to tag this for the SAML2 area as well.

    For other backends, using logon tickets from the frontend to the backend is a common setup, but I'm not sure this would be possible with the Enterprise Search backend.

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Feb 27, 2018 at 02:00 PM


    if you are sure that webdispatcher forwards the SAML2 ticket, you can also check the logon sequence for that node in SICF,

    you must specify the as 1- SAML logon, normally there is Basic Authentication there therefore you get a logon screen

    as far as I remember ENTERPRISE_SEARCH should be an alias to /sap/es/, if it is so then you can check configurations in Tab Logon Data under the Logon Sequence for this node /sap/es/ and set SAML-Logon as number 1


    Kairat Alaichiev

    Add comment
    10|10000 characters needed characters exceeded