
How to Configure Fiori Launchpad using Azure Identity Provider
Step-by-Step
SAP Netweaver or S4H – Gateway

Author: Ali Chalhoub

© 2016 SAP AG. All rights reserved.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, SAP HANA, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase Inc. Sybase is an SAP company.

Crossgate, m@gic EDDY, B2B 360°, and B2B 360° Services are registered trademarks of Crossgate AG in Germany and other countries. Crossgate is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect
Document History

Document Version   Authored By     Description                        Date Created
1.0                Ali Chalhoub    First release of this whitepaper   October 8, 2020

Document Version   Reviewer              Description   Date
                   Christopher Leonard                 October 9, 2020

How to Configure Fiori Launchpad using Azure Identity Provider
www.sap.com

TABLE OF CONTENTS

Document History  2
ABSTRACT  4
Chapter 1 - Configuring SAP Service Provider  4
Chapter 2 - Configuring Fiori Launchpad to Support SAML2  4
Chapter 3 – Troubleshooting  4
CHAPTER 1 CONFIGURING SAP SERVICE PROVIDER  5
Overview of the Architecture  5
Parameters Configuration in S/4HANA System  7
Activating required SICF services  7
Configuring Local Provider  10
Configuring Azure Active Directory Single sign-on  16
Importing Azure Active Directory Identity Provider Certificate into Service Provider  34
CHAPTER 2 CONFIGURING FIORI LAUNCHPAD TO SUPPORT SAML2  45
Configuring Fiori Launchpad  45
Testing SAML Using Fiori launchpad  53
Configuring Fiori Launchpad Designer  55
CHAPTER 3 TROUBLESHOOTING  56
Error 1 – No RelayState mapping found for RelayState value ….  56
How to trace SAML issues in S/4HANA or Netweaver  56
Microsoft Tutorial on SAML and Netweaver using Azure  56
Abstract
Chapter 1 - Configuring SAP Service Provider
1.1. Overview of the Architecture
1.2. Configuring Scenario Service Provider
1.3. Configuring Scenario Identity Provider
1.4. Downloading Identity Provider Metadata
1.5. Importing Azure Identity Provider Certificate into SAP S/4HANA Service Provider

Chapter 2 - Configuring Fiori Launchpad to Support SAML2


2.1. Configuring Fiori Launchpad
2.2. Configuring IDP to support Login Name
2.3. Testing SAML Using Fiori launchpad
2.4. Configuring Single Logout Endpoint
2.5. Configuring Fiori Launchpad Designer

Chapter 3 – Troubleshooting
3.1. No RelayState mapping found for RelayState value ….
3.2. How to trace SAML issues in S/4HANA or Netweaver
3.3. Microsoft Tutorial on SAML and Netweaver using Azure

Chapter 1
Configuring SAP Service Provider

Welcome to How to Configure Fiori Launchpad to Support SAML2 Using Microsoft Azure Identity Provider Step-by-Step. In this e-book you will find all the details needed to configure a Fiori launchpad on an on-premise SAP S/4HANA 1909 system. In this eBook we will discuss and show the user how to configure:
• Azure Active Directory Single sign-on
• Fiori launchpad on an on-premise system running S/4HANA 1909 or higher

Note: To make the process simple, the steps provided in this book are done against a single NetWeaver Gateway system; no ERP is involved.

Disclaimer: Any errors, configuration issues or support issues regarding Microsoft Azure Active Directory Single Sign-on should be followed up with Microsoft Support and not SAP Product Support. SAP is not responsible for any issues or support issues related to Microsoft Azure.

Requirements:
1. NetWeaver 7.5 or higher
2. Fiori launchpad already configured and working with SSL support
3. Administrator has an account with Microsoft Azure that has access to creating applications from the gallery

Overview of the Architecture

Before we can start our configuration, we need to look at the architecture that this book will address. This eBook will cover the following scenario:
Microsoft Azure Active Directory Single sign-on with SAP Fiori launchpad running on an on-premise S/4HANA system.

Figure 1 Microsoft Azure Active Directory with Fiori launchpad
1. A web client makes a request to SAP Fiori launchpad
2. SAP Fiori launchpad (SP) redirects the client to Microsoft Azure Active Directory
3. The client is asked to authenticate with Microsoft Azure Active Directory
4. After the client is authenticated successfully, a SAML XML assertion is generated which contains all the information needed about the client, such as user ID, first name and last name, and is sent to the client
5. The client makes a POST request to SAP Fiori launchpad, where the XML assertion is validated at the NetWeaver level, a session is created and the client is granted access to Fiori launchpad

Parameters Configuration in S/4HANA System

• In order to configure SAML in S/4HANA, the HTTP and HTTPS services must be active and functioning
• The following profile parameters should match what is shown below:

Activating required SICF services

In this section we need to activate a few SICF services. Here is the list:
/sap/public/bc/sec/cdc_ext_service
/sap/public/bc/sec/saml2
/sap/bc/webdynpro/sap/saml2
/sap/bc/webdynpro/sap/sec_diag_tool

To activate the above services, we will show the process for one of them; repeat the process for the rest. For example, to activate /sap/public/bc/sec/cdc_ext_service, do the following:
1. Login to the S/4HANA system
2. Issue the following tCode: SICF
3. Enter the service path /sap/public/bc/sec/cdc_ext_service as shown below:
4. If it is grayed out, right click on cdc_ext_service and select Activate Service
5. Select Yes as shown below:
6. Repeat the same process for the rest of the services

Configuring Local Provider

In this scenario we will be configuring SAP Fiori launchpad on-premise to authenticate with Microsoft Azure Active Directory.

Note: In this section there is an assumption that Fiori launchpad is configured in the S/4HANA system and can be accessed using HTTPS, and that the user has access to Microsoft Azure Active Directory.

2. Connecting to SAP Service Provider. In our configuration that would be our S/4HANA System

1. Login to SAP S/4HANA System
2. Execute tCode saml2 or execute this from the browser:
https://<HOST-NAME>:<PORT>/sap/bc/webdynpro/sap/saml2?sap-client=<CLIENT-ID>

Note: It is important that the URL in the browser after execution of saml2 is the full domain name, including the port if it is not port 443. The URL domain must be reachable externally; that could be the Web Dispatcher or the fully qualified name. (i.e. if you can access the configuration page using http after executing saml2, then the URL must be changed manually to include the fully qualified domain, the https protocol and the SSL port if it is not 443.)

3. Login as shown below

4. Click on Enable SAML 2.0 Support if no SAML has been configured in the system
5. We should see the following screen below

Figure 4 Enabling SAML2 in S/4HANA

6. Select Create SAML 2.0 Local Provider
7. Now enter a name that represents the Local Provider Configuration. Azure requires the name to be of the form <protocol>://<NAME>; in our case that would be <protocol>://<sid><client> (i.e. https://<sid><client>)

Figure 5 Providing name to the Local Provider Service Provider

8. Click Next
9. On the screen below do not change anything; click Next as well

Figure 6 Miscellaneous
10. Under Identity Provider Discovery: Common Domain Cookie (CDC), make sure Selection Mode is set to Automatic as shown below:

Figure 7 Setting selection Mode

Note: Selection Mode Automatic means the user will not need to select the default authentication provider. It will be selected automatically.

11. Click Finish
12. We should see the following screen below:

Figure 8 Creating Local Provider Configuration

13. Next, we need to download the Metadata of our Local Provider, so it can be imported into the Azure Active Directory single sign-on configuration. Click on Metadata as shown below:

Figure 9 Accessing Metadata information
14. Click on Download Metadata

Figure 10 Downloading Metadata xml information

15. Save the XML file to your local machine because it will be required in the next step when we configure the Identity Provider. We are going to call the xml file s4hana_host.xml

Configuring Azure Active Directory Single sign-on

3. Connecting to Microsoft Azure Active Directory Single sign-on if it is not already configured

1. Open your Web browser
2. Enter the URL of the Microsoft Azure Identity Provider. For example:
IDP Host: https://portal.azure.com/?quickstart=True#home
3. Once logged in, the screen may look like the one below. Click on Azure Active Directory

Figure 11 Microsoft Azure Services

4. Click on Enterprise applications

Figure 12 Accessing Applications section

5. Click on + New application

Figure 13 Adding new application

6. Search for the NetWeaver application in the gallery as shown below

Figure 14 Creating application

7. Once it is found, click on it. We should see the screen below

Figure 15 Configuration screen of the application

8. Click on Create
9. We should see the following screen below
10. Click on Assign users and groups
11. Click on + Add user to assign a user to this application
12. After adding the user, we should see the user listed as below. For example, in my case it is my user ID
13. Click on Single sign-on so we can enable SAML
14. Click on the SAML box
15. Once clicking on SAML, we should see the screen below:
16. In this step we need to upload the metadata xml from the service provider, the S/4HANA system. In this example we called the xml file s4hana_host.xml (or whatever name you gave the xml file when it was downloaded). Click on Upload metadata file as shown below
17. Select the metadata xml file and click on Add
18. We should see something like the screen below, where the Identifier and Reply URL are populated
19. Next we need to edit the User Attributes & Claims, which is required for the SAML assertions. It has to be in a specific format, but for S/4HANA or NetWeaver we need to provide a custom one. Click on the Edit pencil as shown below
20. Click on Unique User Identifier (Name ID)
21. From the Manage Claim screen click on Transformation
22. Click on Transformation. We should see Undefined. Click on the pencil to add a transformation
23. We need to add a transformation from the screen below
24. By default, S/4HANA or NetWeaver expects a Logon ID to be sent in the SAML Assertion (the value populated in the NameID attribute of the SAML assertion). Therefore, we need to extract the User ID from the Microsoft email
25. To do that, set the following transformation as shown below and click Add
26. We should have something like this screen; click on Save

Note: If the requirement is to use the email ID and not the Logon ID, then select Attribute instead of Transformation and select “user.mail” from the Source Attribute. In S/4HANA you need to go to SU01, find the user, add the Microsoft email address to the email field, and make sure the User ID Mapping Mode for the NameID format in the Identity Federation is set to mail as shown below:

27. Our User Attributes & Claims should have the following configuration below:
28. Now we need to go back and download the Federation Metadata XML; click on SAML-based Sign-on
29. Click on Download as shown below
30. Save the file to your local drive. By default, the name is “SAP NetWeaver.xml”. You can name it anything you like or keep the default.
31. Next download the Azure Certificate. Click on Download beside Certificate (Base64)
32. Save it to your local disk. By default it is called “SAP Netweaver.cer”

Importing Azure Active Directory Identity Provider Certificate into Service Provider

1. Now that the Metadata has been downloaded, go back to the Service Provider and access your SAML2 configuration screen as shown below, either by using tCode saml2 or by accessing the SAML2 configuration using the URL. Example:

http(s)://<HOST-NAME>:<PORT>/sap/bc/webdynpro/sap/saml2?sap-client=<CLIENT-ID>

2. Select the Azure Federation XML file
3. Click on Next
4. We should see the following screen below:
5. We now need to provide the certificate of the IDP, which is Azure Active Directory Single Sign-on. Click on Upload from File, select Browse to select “SAP Netweaver.cer” (or whatever the file is called) and click on Next
6. Provide an alias
7. Click on Next
8. We should see the following screen below. Note: Make sure Digest Algorithm is set to SHA-256
9. Click on Next. Now we are on the Single Sign-on Endpoints
10. Click on Next
11. Click on Next
12. Click on Edit
13. Click on Add as shown below to add a NameID attribute
14. Select “Unspecified”
15. Make sure User ID Mapping Mode is set to Logon ID as shown below. If all is OK, click on Save
16. Finally, we need to enable our trusted provider. This is very important because if we do not, authentication with Azure will not take place. Click on Enable
17. We should see this confirmation. Click on OK
18. Next, we need to configure the relay state; click on the Local Provider tab
19. Click on Service Provider Settings
20. Click on the Edit button
21. Scroll down until you see Relay State Mapping. Click on Add as shown below:
22. Enter a Relay State name and the Fiori launchpad path as shown below:

RelayState: fiori
Path: /sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html

23. Click on OK
24. Repeat the process and add the following:
a. RelayState: it00
b. Path: /sap/bc/bsp/sap/it00/default.htm
25. Click on OK
26. We should have the following:

Note: Make sure the service /sap/saml2/sp/acs/<CLIENT> is activated.

27. Click on Save
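The checks a SAML 2.0 service provider applies to the IdP assertion at step 5 of the architecture overview before it creates a session, together with the two User ID Mapping Modes (Logon ID vs. mail) and the RelayState lookup configured in this chapter, as an added Python example that is not part of this whitepaper or of SAP's code. The SID S4H, client 100, the host name, the Azure issuer value and the SU01 table are constructed placeholders, the XML is a constructed unsigned sample, and signature verification against the imported Azure certificate (which NetWeaver also performs) is left out.

```python
from datetime import datetime
import xml.etree.ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Values from the guide's configuration, with constructed placeholders for <sid>/<client>/host.
SP_ENTITY_ID = "https://S4H100"                 # Local Provider name <protocol>://<sid><client>
ACS_URL = "https://s4h.example.com:8443/sap/saml2/sp/acs/100"   # /sap/saml2/sp/acs/<CLIENT>
IDP_ENTITY_ID = "https://sts.windows.net/TENANT-ID-PLACEHOLDER/"  # assumed Azure issuer value
RELAY_STATE_MAP = {                             # Relay State Mapping entries from chapters 1 and 2
    "fiori": "/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html",
    "it00": "/sap/bc/bsp/sap/it00/default.htm",
    "fioridesigner": "/sap/bc/ui5_ui5/sap/arsrvc_upb_admn/main.html",
}
SU01_USERS = {"JDOE": "jdoe@contoso.example"}   # constructed stand-in for SU01: logon ID -> e-mail
# Constructed, unsigned sample assertion; {nameid}/{aud}/{fmt} are filled in by sample_response().
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>
 <saml:Issuer>{idp}</saml:Issuer>
 <saml:Subject><saml:NameID Format="{fmt}">{nameid}</saml:NameID>
  <saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="{acs}"/></saml:SubjectConfirmation>
 </saml:Subject>
 <saml:Conditions NotBefore="2020-10-08T11:55:00Z" NotOnOrAfter="2020-10-08T12:05:00Z">
  <saml:AudienceRestriction><saml:Audience>{aud}</saml:Audience></saml:AudienceRestriction>
 </saml:Conditions></saml:Assertion></samlp:Response>"""

def sample_response(nameid, aud=SP_ENTITY_ID, fmt=NAMEID_UNSPECIFIED):
    return SAMPLE.format(idp=IDP_ENTITY_ID, acs=ACS_URL, nameid=nameid, aud=aud, fmt=fmt)

def _ts(value):                                  # SAML timestamps are UTC with a trailing Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def map_name_id(name_id, mode):
    """User ID Mapping Mode on the Identity Federation tab. 'logon_id': the NameID already is
    the SAP logon ID (Azure sends the mail prefix). 'mail': NameID is an e-mail address that
    must match the SU01 e-mail field."""
    if mode == "logon_id":
        return name_id.upper() if name_id.upper() in SU01_USERS else None
    if mode == "mail":
        return next((u for u, m in SU01_USERS.items() if m.lower() == name_id.lower()), None)
    raise ValueError("unknown User ID Mapping Mode")

def validate_response(xml_text, relay_state, now_utc, mode="logon_id"):
    """Return (sap_user, redirect_path), or raise ValueError naming the failed check."""
    a = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("issuer is not the enabled trusted provider")
    cond = a.find("saml:Conditions", NS)
    if not (_ts(cond.get("NotBefore")) <= _ts(now_utc) < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY_ID:
        raise ValueError("audience does not match the Local Provider name")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:
        raise ValueError("recipient is not this client's ACS endpoint")
    nid = a.find("saml:Subject/saml:NameID", NS)
    if nid.get("Format") != NAMEID_UNSPECIFIED:
        raise ValueError("NameID format differs from the configured 'Unspecified'")
    user = map_name_id(nid.text, mode)
    if user is None:
        raise ValueError(f"no SAP user for NameID {nid.text!r} in mode {mode}")
    if relay_state not in RELAY_STATE_MAP:     # the Chapter 3 "Error 1" condition
        raise ValueError(f"No RelayState mapping found for RelayState value {relay_state}")
    return user, RELAY_STATE_MAP[relay_state]
```

Passing an e-mail address as NameID while the mapping mode is still Logon ID (or a RelayState that was never added) fails in the same way the guide's Note and Chapter 3 describe, which is what the failure branches are there to show.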

Chapter 2

Configuring Fiori Launchpad to Support SAML2

Configuring Fiori Launchpad

In this section Fiori launchpad needs to be configured to support SAML2. In this section, we will go through all
the steps needed to allow Fiori launchpad to support SAML2 authentication.

1. Login to the S/4HANA System


2. Execute tCode SICF
3. Under Service Name type USHELL

4. Press F8 to execute
5. Click on ushell under /ui5_ui5/ui2 as shown below

6. Click on the Logon Data tab. Here there are two options that the admin can follow. You need only one of these options, not both:

a. The first option is to use the “Standard” Procedure

Or

b. The second option is to explicitly indicate that SAML is used and follow the steps below. As mentioned, you need either a) or b)

7. If your Procedure is set to “Standard” and “Use All Logon Procedures” is ticked, you can skip this section. If Alternative Logon Procedure and SAML Configuration are already set, then you are done with this section. If not, then follow these steps below:

a. Click on Edit
b. Under the Procedure drop down list change it from Standard to Alternative Logon Procedure
c. In the Logon Data section scroll down
d. Change the Logon Procedure List by scrolling all the way until 8 SAML Logon is shown
e. Change 8 to 1
f. Press Enter
g. We should see the following result

Note: Even though we set the order to be 1, Logon Through HTTP Fields is always 1 and then comes our SAML Logon based on the order we set.

h. Click on Save

Testing SAML Using Fiori launchpad

To test the configuration, we need to access Fiori launchpad

1. Open a web browser, preferably Chrome
2. Enter the URL of your Fiori launchpad
http://<DOMAIN>:8443/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html

Note: Because we configured our Service Provider by going to the following URL http://<DOMAIN>/sap/bc/webdynpro/sap/saml2?sap-client=<CLIENT-ID>&sap-language=EN#, WE MUST access Fiori launchpad using http and not HTTPS. We will see how we can change this later.

3. If everything is configured correctly, the web browser will redirect the request to the Microsoft Azure IDP as shown below:
4. Login with your IDP user ID and password. Fiori launchpad should log you in successfully

Configuring Fiori Launchpad Designer

In this section we will configure Fiori Launchpad Designer to support SAML2.


1. Login to the S/4HANA or Netweaver Gateway system
2. Execute tCode /nSAML2
3. Click on Local Provider
4. Click on Service Provider Settings
5. Click on the Edit button on the top left
6. Under Relay State Mapping click on Add
7. Enter the following configuration:
RelayState: fioridesigner
Path: /sap/bc/ui5_ui5/sap/arsrvc_upb_admn/main.html
8. Click OK
9. Click Save
10. Configuration should look like this screen below:

Chapter 3
Troubleshooting

Error 1 – No RelayState mapping found for RelayState value ….

Solution:

No RelayState has been created. To fix this issue, follow the steps under the Chapter 1 section that covers the RelayState mapping.

How to trace SAML issues in S/4HANA or Netweaver

To trace SAML, please follow the following KBA: 2501320 - How to get necessary traces for analyzing SAML2 issue in Netweaver ABAP system

Microsoft Tutorial on SAML and Netweaver using Azure

For more information about configuration of SAML and Netweaver using Azure from Microsoft, please refer to this URL: https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/sap-netweaver-tutorial