
How to configure SAML2 authentication to Azure AD for two ITS nodes?

Hello,

We currently have the following configuration for our QA landscape:

Web Dispatcher

Fiori Front-End Server (ABAP 7.52)

S4HANA 1709 SP00

Azure AD with ADFS

We currently have SAML2 authentication configured for Fiori Launchpad in the FES and it is working well. We would like to also configure SAML2 authentication for two custom ITS applications in our S4HANA system under the following ICF paths:

/default_host/sap/bc/gui/sap/its/zsample1

/default_host/sap/bc/gui/sap/its/zsample2

Initial setup of our S4 system as a SAML2 Service Provider has been completed and we have provided the XML file to the Azure consultant to add to the AD.

The Azure consultant has created an Identity Provider Configuration (XML file) for the first ITS application with the following details:

Sign-On URL: https://webdispatcher:port/sap/bc/gui/sap/its/zsample1

Identifier: https://webdispatcher:port/sap/bc/gui/sap/its/zsample1

Reply URL: https://webdispatcher:port/sap/bc/gui/sap/its/zsample1

However, when we try to add an Identity Provider configuration for the second URL (zsample2), we get the error "Trusted Provider with the same name already exists."

How should we configure our S4 system to support SAML2 authentication correctly? I'm aware of activating the "Alternative Logon Procedure" for the ICF nodes, but once we configure SAML2 for that, how do we configure the Identity Provider configuration from AD? Is there a way to use a generic Reply URL so that when users authenticate, they are brought back to the correct ITS application (e.g. zsample1 & zsample2)?


3 Answers

  • Oct 10, 2018 at 08:08 PM

    Hi Folks,

    Sorry for the delayed response. We resolved this about a week ago. The solution was to go to the Application configuration in AD for the SAP system and add an additional reply URL. We were not aware at the time that you could have multiple Reply URLs in the configuration.

    Geferson Hess , I will review the link you provided as well. Thanks!


  • Sep 29, 2018 at 08:26 PM

    Hello Douglas,

    There is no need to configure different IDPs to different Service URLS.

    I believe the desired behavior can be achieved by configuring RelayStates.
    Please, refer to Mapping Relay States to Applications.

    Regards,
    Geferson Hess

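The two fixes discussed in this thread (one Azure AD application with several Reply URLs, and an SP-side RelayState mapping so each user lands back in the right ITS application) can be sanity-checked with a small script. This is an added example, not SAP's or Azure AD's own code: the host name, the relay state names and the set of registered Reply URLs are constructed for illustration, and an unmapped RelayState is rejected rather than followed, so the parameter cannot be abused as an open redirect after login.

```python
"""Resolve a SAML2 RelayState to an ITS application and check Reply URL coverage.

Added example (not SAP or Azure AD code). Host, relay state names and the
registered Reply URL set are constructed for illustration.
"""
from urllib.parse import urlsplit

SP_BASE_URL = "https://webdispatcher.example.com"  # constructed stand-in for webdispatcher:port

# RelayState name -> ICF path, mirroring an SP-side "relay state mapping" (assumed names).
RELAY_STATE_MAP = {
    "zsample1": "/sap/bc/gui/sap/its/zsample1",
    "zsample2": "/sap/bc/gui/sap/its/zsample2",
}

# Reply URLs registered on the single Azure AD application (constructed sample).
REGISTERED_REPLY_URLS = {
    SP_BASE_URL + "/sap/bc/gui/sap/its/zsample1",
    SP_BASE_URL + "/sap/bc/gui/sap/its/zsample2",
}


def resolve_relay_state(relay_state: str) -> str:
    """Return the application URL for a RelayState value.

    Only a mapped name, or an https URL on the SP host whose path is one of the
    mapped applications, is honoured; anything else raises so the IdP-supplied
    parameter can never send the user to an arbitrary site after authentication.
    """
    if relay_state in RELAY_STATE_MAP:
        return SP_BASE_URL + RELAY_STATE_MAP[relay_state]
    parts = urlsplit(relay_state)
    if (parts.scheme == "https"
            and f"{parts.scheme}://{parts.netloc}" == SP_BASE_URL
            and parts.path in RELAY_STATE_MAP.values()):
        return SP_BASE_URL + parts.path
    raise ValueError(f"unmapped RelayState rejected: {relay_state!r}")


def missing_reply_urls(registered: set[str]) -> list[str]:
    """List application URLs that are not registered as Reply URLs at the IdP.

    A non-empty result reproduces the situation in the question: the IdP would
    refuse to post the assertion back for that application until the URL is
    added to the same application registration.
    """
    return sorted(SP_BASE_URL + path for path in RELAY_STATE_MAP.values()
                  if SP_BASE_URL + path not in registered)


if __name__ == "__main__":
    print(resolve_relay_state("zsample2"))
    print("missing:", missing_reply_urls({SP_BASE_URL + "/sap/bc/gui/sap/its/zsample1"}))
```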

  • Oct 06, 2018 at 03:22 PM

    Hi Douglas:

    I am curious to know if you have been able to achieve the desired results using the Relay States setting? We also have the same problem where we are trying to achieve SSO using SAML for our ECC 6 system, but the results are not positive.

    Thanks.
