Skip to Content

Fiori Launchpad SSO with domain user

We want to implement SSO to Fiori Launchpad with Active Directory credentials: when users login to their pc with their domain user, Fiori Launchpad should open from browser without asking for credentials. It should automatically take AD credentials.
Furthermore, if Fiori Launchpad is accessed by an external user, logon credentials should be asked.

Is it possible to achieve this scenario? Which technology can provide this? ADFS? SAP SSO? Please give us advice.


Add comment
10|10000 characters needed characters exceeded

  • Follow
  • Get RSS Feed

5 Answers

  • May 08, 2018 at 03:18 PM


    Yes this is possible. I have done this many times with Fiori and MS AD. 1st I would suggest setting up Fiori integrated SAP web dispatcher for external and internal users. Also you can setup end to end SSL or TLS. If you have issues the SAML trace is very useful.

    Here is brief overview on how to start.

    1. Activate the service below

    • /default_host/sap/bc/saml2
    • /default_host/sap/public/bc/sec/ - All Services
    • /default_host/sap/public/bc/ICF
    • /default_host/sap/public/bc/icons_rtl
    • /default_host/sap/public/bc/icons
    • /default_host/sap/public/bc/webicons
    • /default_host/sap/public/bc/webdynpro - All Services
    • /default_host/sap/public/myssocntl
    • /default_host/sap/public/bc/pictograms
    • /default_host/sap/bc/webdynpro/sap/saml2
    • /default_host/sap/bc/webdynpro/sap/samlt

    2. When you are setting up SAML to be used through a WD, access the SAML configuration page using the WD. Do not go directly to the backend ABAP system.


    3. Enable SAML

    4. The wizard will take you through these settings. Just reference the below.

    Click Save and Enable

    Once this is all done you need yo export your metadata file and send it your AD team. They will also need to send you their metadata file in return along with the signing certificate.

    Once you import it just follow the wizard. You will need the ADFS signing cert.

    Endpoints = HTTP Redirect

    Identity Federation = Unspecified

    Signature and Encryption SSO Authenication Request Sign = Always

    Require Signature = Never

    Authentication Requirements - Binding = HTTP Artifact

    The rest of the tabs are not used for us.

    SICF - Setup

    • Navigate to t-code SICF and filter on *SHELL* and open ushell under UI2
    • Change Logon Data tab - Procedure is Alternative Logon Procedure
    • Change the logon procedure and move SAML Logon to the top or #2. It won't let you make it #1 (at least for me)
    • Next we have to add a custom implementation.
    • Go to Error pages tab under the same service and click the configuration button
    • /UI2/CL_SRA_LOGIN - In Fiori 2.0 FES 4.0 this is populated already

    enable-saml.png (18.6 kB)
    saml1.png (56.3 kB)
    saml2.png (76.2 kB)
    saml3.png (124.7 kB)
    saml4.png (89.3 kB)
    saml5.png (11.7 kB)
    saml7.png (52.1 kB)
    saml3.png (86.9 kB)
    Add comment
    10|10000 characters needed characters exceeded

  • May 08, 2018 at 03:36 PM

    Hello Giulia Felappi,

    This could be an option in your case...

    Fiori Launchpad: SSO made easy by SAML 2.0 with ADFS



    Add comment
    10|10000 characters needed characters exceeded

  • May 07, 2018 at 10:50 AM

    Hi Giulia,

    You should consider the SAP SSO product.

    Kind regards,


    Add comment
    10|10000 characters needed characters exceeded

    • Giulia,

      SAML2 will work, I have done it many times. I actually set up 2 methods of authentication. X.509 and SAML2. If a user has a X.509 cert it will is ask for the cert then authenticate with that 1st if not it uses SAML2. The SAP SSO product is very nice but we had to do it the free way.



  • May 07, 2018 at 12:24 PM

    Single Sign-On with Kerberos should work perfectly as long as you are connecting from company network.

    As you ask about SAP Fiori I could also recommend using Azure Active Directory. Then you can configure SAML Single Sign-On. Such configuration doesn’t require additional license from SAP (however Azure AD may imply some cost).

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    May 21, 2018 at 07:27 PM


    We have the scenario that the SAP user id is completely different from the AD user ID. Please suggest which method to use for configuring SSO for EP and Fiori Launch pad. SPNEGO or SAML.

    We also have license for SAP SSO 3.0 product and have used SLC 3.0/Kerberos for SSO for AS ABAP.

    Please suggest .



    Add comment
    10|10000 characters needed characters exceeded