
SAML2 in FLP and Enterprise Search

Feb 26 at 01:05 PM


Hello,

We have a Fiori frontend system FES and an S/4 backend DS4.

SAML2 has been set up and it's working OK if you access the systems on their own FQDN.

We are now setting up the enterprise search in the web dispatcher.

For each SAP system we created an FQDN on the end-user domain that ends up at the web dispatcher. The landscape would look something like this:

sapdfes.domain.com = dev abap 7.52 fiori gateway server

sapds4.domain.com = dev S4 backend system

In my webdisp I then create these systems, like

#-----------------------------------------------------------------------
# Back-end system configuration
#-----------------------------------------------------------------------

wdisp/system_0 = SID=SRC, MSHOST=s4host.internal.com, NR=00, MSPORT=8101, SRCURL=/sap/es/ina/;/ENTERPRISE_SEARCH/, SRCVHOST=sapdfes.domain.com, SSL_ENCRYPT=1

wdisp/system_1 = SID=FES, MSHOST=feshost.internal.com, NR=00, MSPORT=8101, SRCVHOST=sapdfes.domain.com, SSL_ENCRYPT=1

wdisp/system_2 = SID=DS4, MSHOST=s4host.internal.com, NR=00, MSPORT=8101, SRCVHOST=sapds4.domain.com, SSL_ENCRYPT=1

wdisp/system_conflict_resolution = 1

........ (and the other stuff in the profile)

This works ok for the Fiori launchpad (FLP), but not for the Enterprise search setup.

FLP would be accessed on the url https://sapdfes.domain.com/sap/bc/ui2/flp, this works ok.

Enterprise search would be accessed on the url https://sapdfes.domain.com/ENTERPRISE_SEARCH/

but the SAML2 token of the FES system would be offered to the DS4 system, so you get a popup for logon.

So how do I get the Enterprise Search working with SAML2 and a separate backend S4 system?

Thanks for your help

Sander van Gemert
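To make the routing in the profile above visible, here is an added example (not from the thread, not SAP code) that parses the three wdisp/system_N lines, routes the FLP and Enterprise Search URLs, and then checks which browser cookie the routed ABAP system could use. The longest-prefix matching rule and the cookie-validity rule are simplifying assumptions, not the exact Web Dispatcher or ABAP logic.

```python
import re

# The three wdisp/system_N lines from the question, used here as constructed sample input.
PROFILE = """
wdisp/system_0 = SID=SRC, MSHOST=s4host.internal.com, NR=00, MSPORT=8101, SRCURL=/sap/es/ina/;/ENTERPRISE_SEARCH/, SRCVHOST=sapdfes.domain.com, SSL_ENCRYPT=1
wdisp/system_1 = SID=FES, MSHOST=feshost.internal.com, NR=00, MSPORT=8101, SRCVHOST=sapdfes.domain.com, SSL_ENCRYPT=1
wdisp/system_2 = SID=DS4, MSHOST=s4host.internal.com, NR=00, MSPORT=8101, SRCVHOST=sapds4.domain.com, SSL_ENCRYPT=1
"""

def parse_systems(profile=PROFILE):
    """Turn wdisp/system_N lines into dicts; SRCURL becomes a list of path prefixes."""
    systems = []
    for line in profile.strip().splitlines():
        key, _, value = line.partition("=")
        if not key.strip().startswith("wdisp/system_"):
            continue
        params = dict(p.strip().split("=", 1) for p in value.split(","))
        params["SRCURL"] = [u for u in params.get("SRCURL", "/").split(";") if u]
        systems.append(params)
    return systems

def route(systems, host, path):
    """Assumption (simplified, not the exact Web Dispatcher rule): SRCVHOST must equal the
    request host and an SRCURL prefix must match the path; the longest prefix wins."""
    best, best_len = None, -1
    for s in systems:
        if s.get("SRCVHOST", host) != host:
            continue
        for prefix in s["SRCURL"]:
            if path.startswith(prefix) and len(prefix) > best_len:
                best, best_len = s, len(prefix)
    return best

def credential_for(systems, target, cookies):
    """Assumption: a SAP_SESSIONID_<SID>_<client> cookie is valid only on the host that
    issued it; a MYSAPSSO2 ticket is accepted by any system trusting the issuer (STRUST)."""
    hosts = {s["SID"]: s["MSHOST"] for s in systems}
    for name in cookies:
        m = re.fullmatch(r"SAP_SESSIONID_([A-Z0-9]{3})_\d{3}", name)
        if m and hosts.get(m.group(1)) == target["MSHOST"]:
            return name
    if "MYSAPSSO2" in cookies:  # only issued on SAML logon when Legacy System Support is on
        return "MYSAPSSO2"
    return "logon required"

def trace(jar, host="sapdfes.domain.com"):
    """(SID, usable credential) for the two URLs from the question, given a cookie jar."""
    systems = parse_systems()
    return {p: (route(systems, host, p)["SID"], credential_for(systems, route(systems, host, p), jar))
            for p in ("/sap/bc/ui2/flp", "/ENTERPRISE_SEARCH/")}
```

With only the FES session cookie in the jar, the Enterprise Search URL lands on the S4 host with no usable credential, which is the logon popup from the question; adding a MYSAPSSO2 ticket to the jar changes that result.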


4 Answers

Kevin Bates
Feb 26 at 05:54 PM
1

If you have access to SAP KBAs, please try looking at KBA 2490978 as it describes your issue.

-kevin


Thanks Kevin for the note. That's indeed the issue we are having.

SSO has been set up, so certs have been exchanged in STRUST between the two.

I can redo the sso part, maybe that will help. Will get back if that did the trick.

I also tried a different setup in which I did a rewrite of the /enterprise_search and the /sap/es/ina with the ICM rewrite option, but that ended up in an endless loop with ADFS that kept on extending the URL with SAML tokens. So that didn't work at all.

0

If that doesn't work, you may need to open an issue with either the Webdispatcher team or Enterprise search team.

-kevin

0
John Taylor
Feb 26 at 05:58 PM
0

Hello Sander,

I'm not aware of the tag, but you may want to tag this for the SAML2 area as well.

For other backends, using logon tickets from the frontend to the backend is a common setup, but I'm not sure this would be possible with the Enterprise Search backend.


Hi John,

Since we now set up SAML on both the FES and DS4 system, it's not clear to me anymore if the SAP (STRUST) SSO is still being used between FES and DS4 or if all SSO is done using SAML.

Without SAML everything worked OK, so that's why I am not sure about which SSO is being used now.

0

S. van Gemert Are you using IdP-initiated SAML or SP-initiated SAML? Does the same problem occur for both types? When you look at the cookies in an HTTP trace, do you see the MYSAPSSO2 ticket/cookie?

0

Hi John,

The SAML token is generated by ADFS.

In my Firefox trace I do see a SAP passport cookie, but I need to find out if that is for the FES or DS4.

0
Former Member Feb 27 at 02:00 PM
0

Hi,

If you are sure that the web dispatcher forwards the SAML2 ticket, you can also check the logon sequence for that node in SICF.

You must specify SAML logon as number 1; normally Basic Authentication is there, therefore you get a logon screen.

As far as I remember, ENTERPRISE_SEARCH should be an alias to /sap/es/. If so, you can check the configuration in the Logon Data tab under Logon Sequence for the node /sap/es/ and set SAML Logon as number 1.

BR

Kairat Alaichiev

S. van Gemert Mar 29 at 10:57 AM
0

Seems in the end the solution is quite simple.

https://launchpad.support.sap.com/#/notes/2538350 describes the issue and solution.

When using SAML2 the ABAP doesn't create MYSAPSSO2 tokens by default. So, accessing something on a different ABAP system doesn't provide the token to the backend.

Setting the parameter "Legacy System Support" to "On" in the SAML2 config of the ABAP frontend server fixes the issue.
