
Identity Federation to AS ABAP with SAML and corporate IdP

Hello everybody

I've tried to implement Identity Federation from our corporate Active Directory through ADFS (IdP) to SAP ABAP Backend with FIORI Frontend on it.

My sources were:

https://blogs.sap.com/2018/01/26/fiori-launchpadsso-made-easy-by-saml-2.0-with-adfs/

https://help.sap.com/viewer/f118a8960caf41808bd374e28a834f58/7.5.9/de-DE/f4a4aa9a3f9e47e09f5cc2eeb017c1ec.html

But after selecting the right AD behind ADFS and authenticating with my mail address and password, I still get the FIORI Launchpad logon screen https://dns-alias:8001/fiori

Edit:
Error in SM21 of AS ABAP:

SAML: Path "/fiori", Code 222, Class SAML, Number 011, Text: Error during Login for external ID "": Error during SAML 2.0 Login

I suggest that the problem lies within NameID configuration, which is set this way:

SAML2 --> Trusted Providers --> Identity Federation --> NameID format: Unspecified / Persistent Users

Details: User ID Source: Assertion Subject NameID / User ID Mapping Mode: E-Mail

Did anyone else try to set up Identity Federation to AS ABAP based on mail address?

I also tried to maintain a mapping entry in table USREXTID between my mail address and my SAP user jmeyer and switched the User ID Mapping Mode in SAML2 to Assigning to USREXTID-Table, Type SA ... without success!


1 Answer

  • May 18 at 01:22 PM

    Maybe this is the solution, as I also have 1024-length certificates on the SP side in STRUST, but a 2048-length certificate from ADFS.

    https://archive.sap.com/discussions/message/16392110#16392110


    • meanwhile we have re-created these certificates in STRUST and added them in ADFS' relying party trust, but the whole thing is still not working and NameID arrives at ABAP with no value (empty).
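When the ABAP log only says the external ID is empty, the quickest way to narrow it down is to look at what the IdP actually put into the Subject/NameID of the assertion (for example from a SAML trace in the browser) rather than at the SP configuration. The script below is an added example, not from the thread or from SAP; it parses a constructed ADFS-style response whose NameID is empty while the e-mail is only sent as an attribute claim, and reports why an SP that maps users by NameID would see no user ID. The claim type URI and the "unspecified" / emailAddress formats it checks against are assumptions about the setup described in the question.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPECIFIED_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
# Claim type ADFS commonly uses for the e-mail address (assumption: your issuance rule may differ)
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Constructed sample (no signature, inspection only): Subject/NameID is empty,
# which is the symptom reported in the thread, while the e-mail is only an attribute.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"></saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>jmeyer@example.test</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def inspect_assertion(xml_text):
    """Return what the SP will see: NameID value and Format, plus the e-mail attribute."""
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    attrs = {
        a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
        for a in root.findall(".//saml:AttributeStatement/saml:Attribute", NS)
    }
    return {
        "name_id": (name_id.text or "").strip() if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "email": attrs.get(EMAIL_CLAIM, [None])[0],
    }


def diagnose(xml_text):
    """Explain an 'external ID is empty' login failure in terms of the assertion content."""
    seen = inspect_assertion(xml_text)
    findings = []
    if seen["name_id"] is None:
        findings.append("no Subject/NameID element: the IdP sends no subject identifier at all")
    elif seen["name_id"] == "":
        findings.append("NameID is empty: the IdP issues no outgoing Name ID claim")
        if seen["email"]:
            findings.append("e-mail is sent only as attribute %r, not as NameID" % seen["email"])
    if seen["name_id_format"] not in (EMAIL_FORMAT, UNSPECIFIED_FORMAT):
        findings.append("NameID format %r differs from the SP's assumed format" % seen["name_id_format"])
    return findings
```

Run `diagnose(...)` on a decoded SAMLResponse captured from your own test logon; an empty NameID with the e-mail present only as an attribute points at the IdP's outgoing Name ID claim rule rather than at USREXTID.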