Your S/4HANA environment – Part 7 – Fiori Launchpad SAML Single Sign-On with Azure AD

Our journey with technical configuration of S/4HANA system continues and in today’s episode we will take a closer look at the Single Sign-On using SAML and Microsoft Azure Active Directory.

If you are interested in different approach to Fiori and Single Sign-On I highly encourage you to check out Frank Schuler detailed walk through on how to implement SSO with X.509 certificates.

I bet you already heard about Active Directory before. It’s a directory service, that is shipped together with Windows Server, that automates user management, security and network management

Is Azure Active Directory the same? Yes and no. It is still a directory service, but the biggest difference is that currently Azure AD does not support Group Policy Objects. Therefore, you can’t decide what will be users wallpaper and you can’t manage their Internet Explorer google bookmarks. Instead, you are getting identity management capabilities including multi-factor authentication, device registration and self-service password management. Azure Active Directory provides solution to easily deploy Single Sing-On across your cloud and on-premise application with the use of SAML. Of course there is much more benefits – but if you are interested in details, you can easily find additional information in the internet.

Our goal for today is to enable Single Sign-On between Microsoft Azure Active Directory and S/4HANA Fiori Launchpad!

This time we will use the new Azure Portal. To enable Single Sign-on we require Active Directory tenant. We can use the one that is delivered by default, when you create your Azure account or you can create a new one.

There are four levels of Azure AD available within your subscription. The important fact is, that SSO functionality can be enabled even for the free edition (you can read about limitations here)

And just before we start I’d like to explain two terms which are important when using SAML:

Identity Provider – is a trusty provider that stores your user credentials and let you use Single Sign-On to access other services. In our case it’s the Azure Active Directory

Service Provider – is an external service / web page which requests and obtains an identity assertion from the identity provider. In our landscape it is SAP Netweaver

AZURE ACTIVE DIRECTORY SET UP

Please log in to your Azure portal and go to Azure Active Directory maintenance. You can use either default directory or you can switch to any other which is available within your account.

What we need to do is to add SAP Netweaver as Enterprise Application:

Now, go to Single Sign-On tab and maintain three parameters:

Sing-on URL – it’s the address, which is used to log in to Fiori Launchpad

Identifier – custom identifier of service provider

Reply URL – address, to which we should be forwarded after successful sign in.

Next, click on Create new certificate in SAML Signing Certificate section and maintain expiry date.

You can see new certificate was created and we can download Metadata XML, which we use to configure SAP Netweaver.

In User Attributes section you need to decide what should be the user identifier – what data should identify particular user. I chose e-mail address, but you can check out different parameters as well.

Last step is about choosing the user who should has access to our Fiori Launchpad.

ENABLE SAML IN SAP NETWEAVER

Now it’s the time to configure SAML settings inside SAP Netweaver. The set up can be done in t-code SAML2 and first step in to Create SAML 2.0 Local Provider:

The provider name should be the same as we chose in Azure portal.

In step three ensure the Selection Mode is set to Automatic. You can save your settings afterwards.

The configuration of service provider is displayed. The only thing to change here is to turn on Legacy System Support. This means, that if you ever open a SAP GUI from Fiori Launchpad you won’t be asked for credentials. You can read more about this in Koen Van Loocke blog post.

Go to Trusted Providers tab and add new Identity Provider by uploading Metadata File.

Upload the file previously downloaded from Azure AD and you can confirm all steps until step 9.

In last step of Identity Provider configuration please change Authentication Response:

Identity Federation tab in Details of Identity Provider allow us to configure what data should identify the particular user. Do you remember similar step in SSO configuration in Azure? At that time I chose e-mail address and it’s the same what I need to put here – but please remember to maintain this value in user master data!

Now go to Authentication Requirements tab and verify Authentication Response fields. It should be set up as following:

TESTING

To test the configuration, I opened new browser window in Private Mode and therefore I’m ensured no cached logins are going to be used. After typing the Fiori address I was immediately redirected to Microsoft log in page.

After my credentials were verified by Azure Active Directory I was redirected again – this time to my Fiori Launchpad. I was not asked for any additional logins / passwords!

TROUBLESHOOTING

I would like to show you also the simple troubleshooting of SAML SSO. Therefore, we need to break something firstly ????

Go to Identity Federation and change Supported NameID format to Persistent. Restart the browser and try again to log in to Fiori Launchpad. This time, instead of Microsoft Login page, the Fiori Welcome screen is displayed and waiting for our input.

What went wrong? To answer that question we are going to open Security Diagnostic tool and start a trace:

https:///sap/bc/webdynpro/sap/sec_diag_tool

When the trace is on, try to log in again. Afterwards you can display the trace and easily solve the issue: