Fiori Launchpad SSO with domain user

giulia-felappi
Participant
0 Kudos

We want to implement SSO to Fiori Launchpad with Active Directory credentials: when users log in to their PC with their domain user, Fiori Launchpad should open from the browser without asking for credentials. It should automatically take AD credentials.
Furthermore, if Fiori Launchpad is accessed by an external user, logon credentials should be asked.

Is it possible to achieve this scenario? Which technology can provide this? ADFS? SAP SSO? Please give us advice.

Thanks

Accepted Solutions (0)

Answers (5)

Former Member

Hello,

Yes, this is possible. I have done this many times with Fiori and MS AD. First, I would suggest setting up Fiori integrated SAP web dispatcher for external and internal users. Also, you can set up end-to-end SSL or TLS. If you have issues, the SAML trace is very useful.

Here is a brief overview on how to start.

1. Activate the services below

  • /default_host/sap/bc/saml2
  • /default_host/sap/public/bc/sec/ - All Services
  • /default_host/sap/public/bc/ICF
  • /default_host/sap/public/bc/icons_rtl
  • /default_host/sap/public/bc/icons
  • /default_host/sap/public/bc/webicons
  • /default_host/sap/public/bc/webdynpro - All Services
  • /default_host/sap/public/myssocntl
  • /default_host/sap/public/bc/pictograms
  • /default_host/sap/bc/webdynpro/sap/saml2
  • /default_host/sap/bc/webdynpro/sap/samlt

2. When you are setting up SAML to be used through a WD, access the SAML configuration page using the WD. Do not go directly to the backend ABAP system.

EX.

3. Enable SAML

4. The wizard will take you through these settings. Just reference the below.

Click Save and Enable

Once this is all done you need to export your metadata file and send it to your AD team. They will also need to send you their metadata file in return along with the signing certificate.

Once you import it just follow the wizard. You will need the ADFS signing cert.

Endpoints = HTTP Redirect

Identity Federation = Unspecified

Signature and Encryption SSO Authentication Request Sign = Always

Require Signature = Never

Authentication Requirements - Binding = HTTP Artifact

The rest of the tabs are not used for us.

SICF - Setup

  • Navigate to t-code SICF and filter on *SHELL* and open ushell under UI2
  • Change Logon Data tab - Procedure is Alternative Logon Procedure
  • Change the logon procedure and move SAML Logon to the top or #2. It won't let you make it #1 (at least for me)
  • Next we have to add a custom implementation.
  • Go to Error pages tab under the same service and click the configuration button
  • /UI2/CL_SRA_LOGIN - In Fiori 2.0 FES 4.0 this is populated already

giulia-felappi
Participant
0 Kudos

Hi Joshua,

thank you very much for the detailed answer. I will get back to you with feedback once I discuss this solution with my team.

Regards

patelyogesh
Active Contributor

Hello Giulia Felappi,

This could be an option in your case...

Fiori Launchpad: SSO made easy by SAML 2.0 with ADFS

Thanks

Yogesh

giulia-felappi
Participant
0 Kudos

Hi Yogesh,

thank you, I also found this blog while searching for answers. I was unsure of this solution because I couldn't understand if it requires a form-based login first. The scenario we are looking for should perform the Launchpad authentication with domain credentials used to log in to the Windows PC.

Regards

patelyogesh
Active Contributor
0 Kudos

Hello,

SAML will work with your AD credentials. If you log in to the PC and open the Fiori link, it will log you in with AD credentials.

-Yogesh

giulia-felappi
Participant
0 Kudos

Hi,

thank you for the confirmation. I will definitely consider this solution with my team.

Regards

former_member446547
Discoverer
0 Kudos

Hi,

We have the scenario that the SAP user ID is completely different from the AD user ID. Please suggest which method to use for configuring SSO for EP and Fiori Launchpad: SPNEGO or SAML?

We also have a license for the SAP SSO 3.0 product and have used SLC 3.0/Kerberos for SSO for AS ABAP.

Please suggest.

Thanks,

Harsh

BJarkowski
Active Contributor
0 Kudos

Single Sign-On with Kerberos should work perfectly as long as you are connecting from the company network.

As you ask about SAP Fiori, I could also recommend using Azure Active Directory. Then you can configure SAML Single Sign-On. Such a configuration doesn't require an additional license from SAP (however, Azure AD may imply some cost).

former_member189774
Participant
0 Kudos

Hello, can you recommend documents from SAP or others that will allow me to configure SSO for Fiori using SAP Single Sign-On with Kerberos?

Regards.

cris_hansen
Advisor
0 Kudos

Hi Giulia,

You should consider the SAP SSO product.

Kind regards,

Cris

giulia-felappi
Participant
0 Kudos

Hi Cristiano,

to implement SAP SSO an additional license is needed, is it correct?

Alternatively, is there something that would do without a SAP SSO license?

Thanks

cris_hansen
Advisor

Hi Giulia,

Yes, SAP SSO is a different product, that requires a separate license.

You can also check whether SAML2 can be used for your case.

Kind regards,

Cris

Former Member

Giulia,

SAML2 will work, I have done it many times. I actually set up 2 methods of authentication: X.509 and SAML2. If a user has an X.509 cert, it will ask for the cert and authenticate with that first; if not, it uses SAML2. The SAP SSO product is very nice but we had to do it the free way.

Regards,

Josh