Single Sign-on configuration for S/4HANA 2021 with Azure Active Directory (Azure AD) for accessing SAP Fiori applications using SAML SSO mechanism.

Prerequisites

To get started, you need the following items:

  • A Microsoft Azure AD subscription.

  • Access to the SAP S/4HANA application to configure SSO (transaction SAML2)

  • SAP NetWeaver 7.20 or later.


Scenario description

Identity Provider: Microsoft Azure AD

Service Provider:  S/4HANA 2021

Single Sign-on Mechanism / Protocol: SAML

SAML is a browser-based single sign-on mechanism; it is not supported for SAP GUI.

In our case, the attribute used to match S/4HANA users with Azure AD users is the e-mail address.

Adding SAP Fiori from the gallery


To configure the integration of SAP S/4HANA into Azure AD, you need to add SAP Fiori from the gallery to your list of managed SaaS apps.

  1. Sign in to the Azure portal with your work Microsoft account and make sure you have the rights required to configure SSO for enterprise applications.

  2. On the left navigation pane, select Azure Active Directory.

  3. Navigate to Enterprise Applications and then select All Applications.





  4. To add a new application, select New application.

  5. In the Add from the gallery section, type Fiori in the search box.

  6. Select SAP Fiori from the results panel and then add the app. Wait a few seconds while the app is added to your tenant.


Configure and test Azure AD SSO for SAP S/4HANA Fiori.


Configure and test Azure AD SSO with SAP S/4HANA using a test user called Raju. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in SAP S/4HANA.

To configure and test Azure AD SSO with SAP S/4HANA, perform the following steps:

  1. Configure Azure AD SSO to enable your users to use this feature.

    1. Create an Azure AD test user to test Azure AD single sign-on with Raju.

    2. Assign the Azure AD test user to enable Raju to use Azure AD single sign-on.



  2. Configure SAP Fiori using SAML to configure the SSO settings on the application side.

    1. Create an SAP S/4HANA test user so that Raju has a counterpart in SAP S/4HANA that is linked to the Azure AD representation of the user.



  3. Test SSO to verify whether the configuration works.


Configure Azure AD SSO


In this section, you enable Azure AD single sign-on in the Azure portal.

To configure Azure AD single sign-on with SAP S/4HANA, perform the following steps:

  • Make sure that the HTTP and HTTPS services are active and the appropriate ports are assigned in transaction SMICM.

  • Sign on to the business client of the SAP S/4HANA system (SID ABC in this example) where SSO is required and activate HTTP security session management.

  • Go to transaction SICF_SESSIONS. It displays all relevant profile parameters with their current values, as shown below:


login/create_sso2_ticket = 2

login/accept_sso2_ticket = 1

login/ticketcache_entries_max = 1000

login/ticketcache_off = 0

login/ticket_only_by_https = 0

icf/set_HTTPonly_flag_on_cookies = 3

icf/user_recheck = 0

http/security_session_timeout = 1800

http/security_context_cache_size = 2500

rdisp/plugin_auto_logout = 1800

rdisp/autothtime = 60

  • Make the necessary parameter changes in the instance or default profile of the SAP system and restart the system.




  • Activate the following SICF services (transaction SICF):


/sap/public/bc/sec/saml2
/sap/public/bc/sec/cdc_ext_service
/sap/bc/webdynpro/sap/saml2
/sap/bc/webdynpro/sap/sec_diag_tool (This is only to enable / disable trace)

  • Go to transaction SAML2 in the business client of SAP system ABC. It opens a user interface in the browser. In this example, we assume client 100 is the SAP business client.

  • Enter your username and password to log on to the user interface and click Edit.

  • Change the Provider Name from ABC100 to http://ABC100 and click Save.


Note

  • By default, the provider name has the format <sid><client>, but Azure AD expects a name in the format <protocol>://<name>. We recommend maintaining the provider name as https://<sid><client> so that multiple SAP NetWeaver ABAP engines can be configured in Azure AD.


 

  • Generating the Service Provider metadata: once the Local Provider and Trusted Providers settings are configured in the SAML 2.0 user interface, the next step is to generate the service provider's metadata file, which contains all the settings, authentication contexts and other SAP-side configuration. Once this file is generated, it must be uploaded to Azure AD.

  • Go to Local Provider tab.

  • Click on Metadata.

  • Save the generated Metadata XML file on your computer for uploading it in Azure AD.
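The profile parameters listed earlier in this section are the values the post expects to see in SICF_SESSIONS. The following Python script is an added example (not part of the original post or of any SAP tool): it parses a parameter listing in that name = value form, reports every parameter that deviates from the listed values or is absent, and adds two security observations of its own. SAMPLE_DUMP is a constructed listing with deliberate deviations; the reading of login/ticket_only_by_https and icf/set_HTTPonly_flag_on_cookies in hardening_notes is this example's own interpretation of those parameters, not something the post states.

```python
"""Compare an SAP profile parameter listing with the values given in this post.

Added example, not part of the original post. EXPECTED holds the parameter
names and values exactly as shown on this page (SICF_SESSIONS view);
SAMPLE_DUMP is a constructed text blob imitating such a listing.
"""
import re

EXPECTED = {
    "login/create_sso2_ticket": "2",
    "login/accept_sso2_ticket": "1",
    "login/ticketcache_entries_max": "1000",
    "login/ticketcache_off": "0",
    "login/ticket_only_by_https": "0",
    "icf/set_HTTPonly_flag_on_cookies": "3",
    "icf/user_recheck": "0",
    "http/security_session_timeout": "1800",
    "http/security_context_cache_size": "2500",
    "rdisp/plugin_auto_logout": "1800",
    "rdisp/autothtime": "60",
}

# Constructed sample: two values deviate from the page (ticketcache_off and the
# HttpOnly flag) and one parameter is missing altogether (rdisp/autothtime).
SAMPLE_DUMP = """\
login/create_sso2_ticket = 2
login/accept_sso2_ticket = 1
login/ticketcache_entries_max = 1000
login/ticketcache_off = 1
login/ticket_only_by_https = 0
icf/set_HTTPonly_flag_on_cookies = 0
icf/user_recheck = 0
http/security_session_timeout = 1800
http/security_context_cache_size = 2500
rdisp/plugin_auto_logout = 1800
"""

# One 'name = value' pair per line; anything else (headers, blanks) is ignored.
PARAM_RE = re.compile(r"^\s*([A-Za-z0-9_/]+)\s*=\s*(\S+)\s*$")


def parse_profile(text):
    """Return {parameter: value} from a textual parameter listing."""
    params = {}
    for line in text.splitlines():
        match = PARAM_RE.match(line)
        if match:
            params[match.group(1)] = match.group(2)
    return params


def compare_with_expected(actual, expected=EXPECTED):
    """Return (parameter, actual_or_None, expected) for every deviation or gap."""
    findings = []
    for name, want in expected.items():
        have = actual.get(name)
        if have != want:
            findings.append((name, have, want))
    return findings


def hardening_notes(actual):
    """Security observations beyond a plain diff.

    Interpretation of the two parameters is this example's own assumption:
    ticket_only_by_https=0 leaves the logon ticket cookie usable over plain HTTP,
    and set_HTTPonly_flag_on_cookies=0 leaves session cookies readable by scripts.
    """
    notes = []
    if actual.get("login/ticket_only_by_https") == "0":
        notes.append("login/ticket_only_by_https=0: logon ticket cookie is not limited to HTTPS")
    if actual.get("icf/set_HTTPonly_flag_on_cookies") == "0":
        notes.append("icf/set_HTTPonly_flag_on_cookies=0: cookies are sent without the HttpOnly flag")
    return notes


if __name__ == "__main__":
    current = parse_profile(SAMPLE_DUMP)
    for name, have, want in compare_with_expected(current):
        print(f"{name}: found {have!r}, page lists {want!r}")
    for note in hardening_notes(current):
        print("note:", note)
```

To use it on a real system, replace SAMPLE_DUMP with the text of the SICF_SESSIONS listing (or the relevant lines of the instance profile) and review the deviations before restarting the system.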


Follow these steps to enable Azure AD SSO in the Azure portal.

  1. In the Azure portal, on the integration page of the SAP Fiori application you created, find the Manage section and select Single sign-on.

  2. On the Select a Single sign-on method page, select SAML.

  3. On the Set up Single Sign-On with SAML page, click the pencil icon for Basic SAML Configuration to edit the settings.

  4. On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode, perform the following step:

    • Click Upload metadata file to upload the Service Provider metadata file, which you have obtained earlier.

    • Click the folder icon to select the metadata file and click Upload.

    • After the metadata file is successfully uploaded, the Identifier and Reply URL values get auto populated in Basic SAML Configuration section textbox as shown below:

    • In the Sign-on URL text box, type a URL using the following pattern: https://<your company instance of SAP Fiori>

  The SAP Fiori application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes. Click the Edit icon to open the User Attributes dialog.



  5. In the User Claims section of the User Attributes dialog, configure the SAML token attributes as shown in the image above, performing the following steps:

    • Click the Edit icon to open the Manage user claims dialog.

    • From the Source Attribute list, select user.mail.

    • Make sure Name identifier format is Unspecified.

    • Click Save.



  6. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, find Federation Metadata XML and select Download to download the certificate and save it on your computer.

  7. In the Set up SAP Fiori section, note the URLs shown; they are needed to complete the configuration.


Create an Azure AD test user.


Create a test user in the Azure portal called Raju.

  1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.

  2. Select New user at the top of the screen.

  3. In the User properties, follow these steps:

    1. In the Name field, enter Raju.

    2. In the User name field, enter the username@companydomain.extension. For example, Raju@xyz.com.

    3. Select the Show password check box, and then write down the value that's displayed in the Password box.

    4. Click Create.




Assign the Azure AD test user.


Now you'll enable Raju to use Azure AD single sign-on by granting access to SAP Fiori.

  1. In the Azure portal, select Enterprise Applications, and then select All applications.

  2. In the applications list, select SAP Fiori.

  3. In the app's overview page, find the Manage section and select Users and groups.

  4. Select Add user, then select Users and groups in the Add Assignment dialog.






  5. In the Users and groups dialog, select Raju from the Users list, then click the Select button at the bottom of the screen. If you expect a role to be assigned to the user, you can select it from the Select a role dropdown. If no role has been set up for this app, the "Default Access" role is selected.

  6. In the Add Assignment dialog, click the Assign button.


Configure SAP Fiori using SAML.



  1. Log on to the SAP ABAP system in SAP GUI and go to transaction SAML2. It opens a new browser window with the SAML configuration screen.

  2. To configure the endpoints for the trusted identity provider (Azure AD), go to the Trusted Providers tab.

  3. Press Add and select Upload Metadata File from the context menu.

  4. Upload the metadata file that you downloaded from the Azure portal.

  5. From the Federation Metadata XML downloaded from Azure AD, copy the certificate value from between the <X509Certificate> and </X509Certificate> tags as shown below, and paste it into a text editor between a -----BEGIN CERTIFICATE----- line and an -----END CERTIFICATE----- line.

  6. Create a new text file, paste the certificate as shown below, and save it on your PC.

  7. Browse to the certificate file as shown below and click Next.

  8. Enter an alias name to identify this provider (useful if more than one identity provider is configured) and click Next.

  9. Make sure the Digest Algorithm is SHA-256 (no change should be required) and press Next.

  10. On Single Sign-On Endpoints, select HTTP POST and click Next to continue.

  11. On Single Logout Endpoints, select HTTP Redirect and click Next to continue.

  12. On Artifact Endpoints, press Next to continue.

  13. On Authentication Requirements, click Finish.

  14. On the Trusted Providers tab, go to Identity Federation (at the bottom of the screen) and click Edit.

  15. Click Add under the Identity Federation tab (bottom window).

  16. From the pop-up window, select Unspecified from the Supported NameID formats and click OK.

  17. Set User ID Source to Assertion Attribute, User ID Mapping Mode to Email, and the Assertion Attribute
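Steps 4 to 11 above take the identity provider's certificate and endpoints out of the Federation Metadata XML by hand. As an added example (not code from the original post, from SAP or from Microsoft), the following Python script does the same extraction with the standard library: it pulls every signing <X509Certificate>, wraps it into the -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- form used for the upload in SAML2, computes a SHA-256 fingerprint for a side-by-side comparison with the certificate shown after import, and lists the SingleSignOnService / SingleLogoutService bindings so you can confirm that HTTP POST and HTTP Redirect are offered. SAMPLE_METADATA is a constructed, minimal document in the shape of Azure AD federation metadata; its certificate value is filler, not a real certificate, and TENANT-ID-PLACEHOLDER stands in for a tenant ID.

```python
"""Extract signing certificate(s) and SSO endpoints from SAML IdP metadata.

Added example, not part of the original post. SAMPLE_METADATA is a
constructed document in the shape of the Federation Metadata XML downloaded
from the Azure portal; the base64 value in it is filler, not a certificate.
"""
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed filler standing in for the DER certificate bytes.
FAKE_CERT_B64 = base64.b64encode(b"constructed-not-a-real-certificate-" * 5).decode()

SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{FAKE_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def signing_certificates_pem(metadata_xml):
    """PEM strings for every X509Certificate under a signing KeyDescriptor.

    A KeyDescriptor without a 'use' attribute may be used for signing as well,
    so it is included. The base64 value is validated so a damaged copy-paste
    fails here rather than at upload time.
    """
    root = ET.fromstring(metadata_xml)
    pems = []
    for kd in root.iter(f"{{{NS['md']}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iter(f"{{{NS['ds']}}}X509Certificate"):
            b64 = "".join(cert.text.split())           # metadata often wraps the value
            base64.b64decode(b64, validate=True)       # raises on stray characters
            body = "\n".join(textwrap.wrap(b64, 64))   # PEM uses 64-character lines
            pems.append(f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n")
    return pems


def sha256_fingerprint(pem):
    """Colon-separated SHA-256 over the DER bytes of a PEM certificate."""
    b64 = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    digest = hashlib.sha256(base64.b64decode(b64)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def sso_endpoints(metadata_xml):
    """Map service -> {binding short name (e.g. HTTP-POST): Location}."""
    root = ET.fromstring(metadata_xml)
    endpoints = {"SingleSignOnService": {}, "SingleLogoutService": {}}
    for service in endpoints:
        for el in root.iter(f"{{{NS['md']}}}{service}"):
            binding = el.get("Binding", "").rsplit(":", 1)[-1]
            endpoints[service][binding] = el.get("Location")
    return endpoints


def nameid_formats(metadata_xml):
    """NameID formats the IdP advertises; the post selects Unspecified in SAML2."""
    root = ET.fromstring(metadata_xml)
    return [el.text.strip() for el in root.iter(f"{{{NS['md']}}}NameIDFormat")]


if __name__ == "__main__":
    for pem in signing_certificates_pem(SAMPLE_METADATA):
        print(pem, "SHA-256:", sha256_fingerprint(pem))
    print(sso_endpoints(SAMPLE_METADATA))
    print(nameid_formats(SAMPLE_METADATA))
```

Run it against the real downloaded file by replacing SAMPLE_METADATA with its contents; the PEM output is what goes into the text file in step 6, and the endpoint listing tells you which bindings the Azure AD side actually exposes before you pick them in steps 10 and 11.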


Scenario: the SAP user ID is selected based on the e-mail address maintained in SU01. In this case, an e-mail address must be maintained in SU01 for each user who requires SSO.

  1. NameID details (screenshot from SAP).

  2. Required claims (screenshot from Azure AD).

  3. Click Save and then click Enable to enable the identity provider.

  4. Click OK once prompted.


 

Test SSO


Try accessing the Fiori URL. Make sure the Azure AD user's e-mail address exists for exactly one user in S/4HANA; if the same e-mail address is maintained for more than one user, the SSO logon fails.
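The mapping rule configured earlier (User ID Mapping Mode = Email) and the warning above mean that an e-mail address maintained for two SAP users breaks logon for both, and a user without an address cannot log on via SSO at all. The following Python script is an added example (not part of the original post): given a constructed (user ID, e-mail) extract such as one might take from SU01, it reports duplicate and missing addresses and simulates the mapping decision for a given assertion e-mail. Treating addresses that differ only in letter case or surrounding blanks as the same address is this example's conservative assumption, chosen so that the pre-check flags more rather than fewer collisions.

```python
"""Pre-check e-mail uniqueness before enabling e-mail based SAML user mapping.

Added example, not part of the original post. USERS is a constructed extract
of (SAP user ID, e-mail) pairs; the rule checked is the one the post describes:
the e-mail in the assertion must match exactly one SAP user, otherwise logon fails.
"""
from collections import defaultdict

# Constructed sample extract: one duplicate (case differs), one technical user
# without an address, one address with a trailing blank.
USERS = [
    ("RAJU", "raju@xyz.com"),
    ("RAJU_OLD", "Raju@xyz.com"),
    ("ANITA", "anita@xyz.com"),
    ("BATCH01", ""),
    ("SAM", "sam@xyz.com "),
]


def normalise(email):
    """Assumption of this example: compare addresses case-insensitively and
    without surrounding blanks, so near-duplicates are flagged too."""
    return email.strip().lower()


def email_index(users):
    """Map normalised e-mail -> list of SAP user IDs carrying it (blank addresses skipped)."""
    index = defaultdict(list)
    for user_id, email in users:
        key = normalise(email)
        if key:
            index[key].append(user_id)
    return index


def find_conflicts(users):
    """Return (duplicates, missing).

    duplicates: {e-mail: [user IDs]} for every address held by more than one user.
    missing: user IDs with no e-mail maintained (these cannot use SSO).
    """
    index = email_index(users)
    duplicates = {email: ids for email, ids in index.items() if len(ids) > 1}
    missing = [user_id for user_id, email in users if not normalise(email)]
    return duplicates, missing


def resolve_user(users, assertion_email):
    """Simulate the mapping decision for one assertion.

    Returns the single SAP user ID for the address, or None when zero or more
    than one user carries it (the failure case the post warns about).
    """
    ids = email_index(users).get(normalise(assertion_email), [])
    return ids[0] if len(ids) == 1 else None


if __name__ == "__main__":
    duplicates, missing = find_conflicts(USERS)
    for email, ids in duplicates.items():
        print(f"duplicate address {email}: {', '.join(ids)}")
    for user_id in missing:
        print(f"no e-mail maintained for {user_id}")
    print("Raju@xyz.com ->", resolve_user(USERS, "Raju@xyz.com"))
```

Run this over an export of the SU01 user list before the identity provider is enabled: every entry reported as a duplicate must be cleaned up in SU01, and every missing address either maintained or accepted as a user that stays on password logon.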

SAML Troubleshooting URL:

http(s)://<host>:<port>/sap/bc/webdynpro/sap/sec_diag_tool?sap-client=<100>

Guided Procedure: https://ga.support.sap.com/dtp/viewer/#/tree/121/actions/779

Microsoft Reference: https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/sap-fiori-tutorial

Wiki Reference: https://wiki.scn.sap.com/wiki/display/Security/Troubleshooting+SAML+2.0+Scenarios
