on 05-07-2018 11:43 AM
We want to implement SSO to Fiori Launchpad with Active Directory credentials: when users log in to their PC with their domain user, Fiori Launchpad should open from the browser without asking for credentials. It should automatically take AD credentials.
Furthermore, if Fiori Launchpad is accessed by an external user, logon credentials should be asked.
Is it possible to achieve this scenario? Which technology can provide this? ADFS? SAP SSO? Please give us advice.
Thanks
Hello,
Yes, this is possible. I have done this many times with Fiori and MS AD. 1st I would suggest setting up Fiori integrated SAP web dispatcher for external and internal users. Also you can set up end to end SSL or TLS. If you have issues the SAML trace is very useful.
Here is brief overview on how to start.
1. Activate the service below
2. When you are setting up SAML to be used through a WD, access the SAML configuration page using the WD. Do not go directly to the backend ABAP system.
EX.
3. Enable SAML
4. The wizard will take you through these settings. Just reference the below.
Click Save and Enable
Once this is all done you need to export your metadata file and send it to your AD team. They will also need to send you their metadata file in return along with the signing certificate.
Once you import it just follow the wizard. You will need the ADFS signing cert.
Endpoints = HTTP Redirect
Identity Federation = Unspecified
Signature and Encryption SSO Authentication Request Sign = Always
Require Signature = Never
Authentication Requirements - Binding = HTTP Artifact
The rest of the tabs are not used for us.
SICF - Setup
Hello Giulia Felappi,
This could be an option in your case...
Fiori Launchpad: SSO made easy by SAML 2.0 with ADFS
Thanks
Yogesh
Hi Yogesh,
Thank you, I also found this blog while searching for answers. I was unsure of this solution because I couldn't understand if it requires a form-based login first. The scenario we are looking for should perform the Launchpad authentication with domain credentials used to log in to the Windows PC.
Regards
Hi,
We have the scenario that the SAP user id is completely different from the AD user ID. Please suggest which method to use for configuring SSO for EP and Fiori Launch pad. SPNEGO or SAML.
We also have license for SAP SSO 3.0 product and have used SLC 3.0/Kerberos for SSO for AS ABAP.
Please suggest.
Thanks,
Harsh
Single Sign-On with Kerberos should work perfectly as long as you are connecting from company network.
As you ask about SAP Fiori I could also recommend using Azure Active Directory. Then you can configure SAML Single Sign-On. Such configuration doesn’t require additional license from SAP (however Azure AD may imply some cost).
Hi Giulia,
You should consider the SAP SSO product.
Kind regards,
Cris
Hi Giulia,
Yes, SAP SSO is a different product, that requires a separate license.
You can also check whether SAML2 can be used for your case.
Kind regards,
Cris
Giulia,
SAML2 will work, I have done it many times. I actually set up 2 methods of authentication: X.509 and SAML2. If a user has an X.509 cert it will ask for the cert then authenticate with that 1st; if not, it uses SAML2. The SAP SSO product is very nice but we had to do it the free way.
Regards,
Josh