0

SAP Fiori mobile SSO using Windows AD

Nov 30, 2016 at 04:25 PM

475


Hello All,

I am trying to integrate all the SAP systems into the portal and access them via SSO. The portal is integrated with Windows AD. Hence users are able to log in to the portal using Windows AD and are able to perform their work. Now the customer requires access to the Fiori app on mobile using the mobile Fiori application. Can anyone let me know how I can set this up with Windows AD authentication, that is, the mobile Fiori application with Windows AD?

Thank you.

Regards,

Jones Seenivasan.


2 Answers

Best Answer
jones seenivasan Dec 29, 2016 at 01:05 PM
0

Hello Andrew Purgert,

Thanks for the update. I have resolved the issue by keeping SAP Java as the IdP, and by using the SAML authentication method I have achieved it.

Thank you.

Regards,

Jones Seenivasan.

Andrew Purgert Dec 01, 2016 at 07:16 PM
1

Hello Jones,

Assuming you have ADFS configured, you can use that as an identity provider (IdP) for SAML authentication. You would then set up your SAP system as a service provider (SP) via transaction SAML2. At that point, you would be able to utilize the Fiori Client to use the Windows username and password.

However, we have seen that once you close the Fiori Client, it will prompt for credentials again. This is not a seamless SSO solution, and we are testing the SAP SSO 3.0 solution to see if it will better achieve an easier user experience. If you have an MDM that can handle creating the tickets first, you may be able to avoid the need for SAP SSO. I have heard of some companies where you log in once a day and that the authentication is good for the day, but we do not have that set up.

With SAP SSO, you need a Java stack to act as the IdP which can just pull the user accounts from AD. It sounds like your Portal is already set this way, so you would just configure the Java stack that the SSO is running on the same way. If you don't have a Windows AD IdP, then getting SSO would allow you to set up an IdP for your SAML SPs. Plus you would be able to utilize the SAP Authenticator as well.

We've also had some success by using Azure AD as the IdP by setting the email as NameID in the SAML claim. However, it still would time out after a few hours. From what we could tell, it never got the second assertion from Azure that creates a longer login validity.

This guide is a good one to follow on how to get SAML set up for ADFS and SAP. http://sapassets.edgesuite.net/sapcom/docs/2014/07/4e233a50-5a7c-0010-82c7-eda71af511fa.pdf

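Added example, not part of either answer or of SAP's guide: when diagnosing the NameID and session-timeout behaviour described in the answer above, it helps to see what the IdP actually put in the assertion. The Python sketch below reads a SAML 2.0 assertion and reports the NameID, whether its format is the email format, and the validity and session bounds. The function names, the sample assertion and the `example.invalid` hosts are constructed for illustration.

```python
# Added example: summarise identity and lifetime fields of a SAML 2.0 assertion.
# Inspection only: no signature check is done, so never use this to accept logins.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample, not taken from a real IdP.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2016-12-01T09:00:00Z">
  <saml:Issuer>https://idp.example.invalid/</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.invalid</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2016-12-01T08:55:00Z" NotOnOrAfter="2016-12-01T10:00:00Z"/>
  <saml:AuthnStatement AuthnInstant="2016-12-01T09:00:00Z"
      SessionNotOnOrAfter="2016-12-01T17:00:00Z"/>
</saml:Assertion>"""

def _ts(value):
    """Parse a SAML UTC timestamp, ignoring fractional seconds; None passes through."""
    if value is None:
        return None
    text = value.rstrip("Z").split(".")[0]
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def summarize(xml_text):
    root = ET.fromstring(xml_text)
    # Accept either a bare Assertion or a Response wrapping one.
    a = root if root.tag.endswith("}Assertion") else root.find(".//saml:Assertion", NS)
    if a is None:
        raise ValueError("no unencrypted saml:Assertion found")
    name_id = a.find("saml:Subject/saml:NameID", NS)
    cond = a.find("saml:Conditions", NS)
    authn = a.find("saml:AuthnStatement", NS)
    issued = _ts(authn.get("AuthnInstant")) if authn is not None else None
    assertion_end = _ts(cond.get("NotOnOrAfter")) if cond is not None else None
    session_end = _ts(authn.get("SessionNotOnOrAfter")) if authn is not None else None
    return {
        "name_id": name_id.text.strip() if name_id is not None else None,
        "name_id_is_email": name_id is not None and name_id.get("Format") == EMAIL_FORMAT,
        "assertion_valid_until": assertion_end,
        # None means the assertion carries no session bound from the IdP.
        "session_hours": (session_end - issued).total_seconds() / 3600 if session_end and issued else None,
    }

if __name__ == "__main__":
    for key, val in summarize(SAMPLE).items():
        print(f"{key}: {val}")
```

Run it against an assertion captured from your own test sign-in and compare `session_hours` with the point at which the Fiori Client prompts for credentials again.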