SAP Fiori LDAP Integration

Former Member

Hello,

We are implementing SAP Fiori as a Central Hub Deployment model; the front end is NW 740 SP8 and the back end is SAP ECC EHP7 on HANA. We want to integrate SAP Fiori with LDAP so that users can use their AD user ID and password. We are not using SAP NW SSO or SAP EP.

Can you please let me know how this can be achieved? Since user IDs should be the same in the front end, back end and HANA, how do I map user IDs?

Please help

Thanks,

Ravi

Accepted Solutions (1)

kirankola
Advisor
0 Kudos

Hi Ravi,

SAP Identity Management (SAP IdM) is one of the solutions that is being used by customers to synchronize all the users across the landscape. For Fiori enablement, check out the following example for the Mobile SSO (SAP Authenticator) scenario:

http://scn.sap.com/community/sso/blog/2014/11/03/mobile-single-sign-on-for-sap-fiori-with-sap-authen...

Regards,

Kiran

Former Member
0 Kudos

Dear and

Thanks for the links. Looks like SAP NW SSO is the most widely used solution.

We do not have SAP NW SSO, IDP or SMP servers. I think the only option is ABAP stack integration to LDAP. In this case I am not sure how far this serves, as, depending on the Fiori apps, clients can make calls directly to either the front end or to HANA XS.

Regards,

Ravi

kirankola
Advisor
0 Kudos

Surely possible! Maintenance would be painful for manual user replication or synchronization, so it is worth having a tool to automate the process.

Regards,

Kiran

Former Member
0 Kudos

Dear Kiran,

Do you have any help documentation/knowledge base for the above-mentioned config type?

Thanks,

Ravi

Answers (6)

Former Member
0 Kudos

Hi Ravindran and Aoki,

What is the decision based on your research?

We are in a similar situation. Users access the Fiori app from the Internet. Our Gateway server is separated and sits in the corporate network.

We have LDAP to authenticate, but need to understand how you guys approached this. We do not have SAML, SMP, or NW SSO tools.

Please provide some guidance or input.

Thanks

Krish

Former Member
0 Kudos

Hello Krish,

SAML authentication against a Microsoft ADFS server is the best approach I have come across; most of the customers have ADFS already in place. This is the best way to set up SSO for Fiori if you have a HANA back end.

You don't need an NW SSO license for this approach.

Ravi

Former Member
0 Kudos

Thanks Ravindran for the quick response.

We do not have a SAML IDP right now. Is it free from SAP?

If we use SAML, do we still need SAP NW SSO?

If we don't have SAML, can we achieve this using SAP NW SSO with LDAP?

Thanks

Krishna

Former Member
0 Kudos

SAML 2.0 is the authentication type supported by SAP. You can try setting up a Microsoft IDP if you don't have one. You don't need an NW SSO license for this.

NW SSO supports SAML authentication too but you would need SAP IDM for that.

Ravi

Ramesh_Cirrus
Explorer
0 Kudos

Hello Ravi,

Is it possible to authenticate Fiori using LDAP which is inside our corporate network? We have NW SSO 2.0 and SAML. The issue is users don't want to remember another password to log in to the Fiori app.

Please guide me through some documentation on how to do this.

Thanks in advance,

Ramesh

0 Kudos

Hello Ravi,

I'm late with the SAML configuration. The ADFS was installed by the customer for test purposes but is already intended to be a future production service, but when we tried to import the metadata file generated by the SAML2 transaction on SAP Gateway/Fiori, a validation error appears, such as 'SAML2 service not accessible'.

I checked the SICF and metadata file content and the configuration appears OK. They match the screenshots in the PDF guide 'SAML 2.0 Configurations at SAP NetWeaver AS ABAP and Microsoft ADFS' made by Navin Sahadev.

The metadata URL 'https://<server>:<port>/sap/saml2/sp/metadata?sap-client=200' works fine but not the 'https://<server>:<port>/sap/saml2/sp/acs/200' test executed by ADFS. Is the acs service provided by SAP IDM as mentioned above?

Do you have an idea about what is wrong here? I'm not using the default HTTPS port. Could this be a problem?

Regards,

Rodrigo Aoki
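
A check related to the ACS question in the post above, as an added example that is not part of the thread or of any SAP tooling: it parses SAML 2.0 service-provider metadata and flags AssertionConsumerService locations that are not HTTPS or whose host or port differs from the address the IdP is expected to reach. The metadata, entity ID, hostnames and ports are constructed placeholders; only the `/sap/saml2/sp/acs/200` path comes from the post.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample: entity ID, hostnames and ports are placeholders.
SAMPLE_SP_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="FIORI_GW_200">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://gw-internal.example.com:44300/sap/saml2/sp/acs/200"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="http://fiori.example.com:8443/sap/saml2/sp/acs/200"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
""".strip()


def check_acs_endpoints(metadata_xml, expected_host, expected_port):
    """Return (index, location, problems) for each ACS endpoint in SP metadata."""
    root = ET.fromstring(metadata_xml)
    results = []
    path = "md:SPSSODescriptor/md:AssertionConsumerService"
    for acs in root.findall(path, MD_NS):
        location = acs.get("Location", "")
        url = urlsplit(location)
        problems = []
        if url.scheme != "https":
            problems.append("not https")
        if url.hostname != expected_host:
            problems.append("host mismatch")
        # urlsplit reports port None when the URL relies on the scheme default.
        port = url.port or (443 if url.scheme == "https" else 80)
        if port != expected_port:
            problems.append("port mismatch")
        results.append((acs.get("index"), location, problems))
    return results


if __name__ == "__main__":
    # Externally reachable address the IdP should post to (assumed values).
    for index, location, problems in check_acs_endpoints(
            SAMPLE_SP_METADATA, "fiori.example.com", 8443):
        print(index, location, ", ".join(problems) or "OK")
```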

0 Kudos

Hi Ravi,

Based on the setup you mentioned for a Hub based landscape, we have a Web dispatcher, Gateway server, ERP and HANA DB.

Are you suggesting SAML authentication with a Microsoft ADFS server is the best approach for using Fiori on mobile and PC?

Can you provide a heads-up on setting up SAML with ADFS?

Thanks

Jayesh

Former Member
0 Kudos

Hi Ravi,


I'm facing the same issue here. We need to synchronize the Windows passwords to the Fiori application, and we do not have the SSO. By chance, were you able to implement the solution without SSO?


Regards

Amanda

Former Member
0 Kudos

Hello Amanda, Former Member

I have managed to configure SAML authentication to the Fiori front end and logon tickets to HANA DB. SSO in the Fiori infra works fine now. You will have to set up SAML in the front end using the SAML2 T-code and import the cert file from your IDP to ABAP, and import your ABAP cert to the IDP.

Are you configuring SSO using SAML?

Thanks,

Ravi

Former Member
0 Kudos

Hi Ravi,

I've read this blog: http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/c06d6ac9-5f4d-3210-0989-89a92bcfc...

Is this the architecture that you are using? We haven't licensed SSO 2.0. I was trying to find a solution without this product.

Regards

Amanda

Former Member
0 Kudos

We don't have an NW SSO license either, but I have done it like this.

Our Fiori landscape is a Hub based landscape, so we have a Web dispatcher, Gateway server, ERP and HANA DB.

Configured the Gateway server for SAML authentication using MS ADFS

Trusted RFC and STRUSTSSO2 between Gateway and ERP

Logon tickets to HANA DB

So the landscape is covered for full SSO.

Please use the following documentation to set up your gateway for SAML authentication:

http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/b078814a-49f9-3110-21a6-f5436e5f0...

For logon tickets, I hope you know how to do it.

Thanks,

Ravi

0 Kudos

This solution using SAML 2.0 as abstraction level (HTTP layer integrated to ABAP) appears to be the response.

The customer doesn't have the ADS corporate domain federated, so the idea must be tested, analyzing how to integrate while keeping the assumption of using the user/password from AD as the main credential.

I'm following this path here...

Regards,

Rodrigo Aoki

Former Member
0 Kudos

Hi Ravi,

Please let me know if you have set up Fiori LDAP integration. We are also looking to implement the same LDAP-ABAP integration.

Thanks,

Bharathi

0 Kudos

Hello,

I already tried this configuration for LDAP integration on ABAP. Unfortunately this integration (transaction LDAP using the LDAP connector) only enables ABAP to identify groups and other characteristics from the LDAP server, based on replication using the user ID as key, but NOT the password.

So, ABAP doesn't authenticate with the user/password combination from the LDAP server.

Regards,

Rodrigo Aoki

SAP Basis

Former Member
0 Kudos

Fiori Infra Experts - Please help if anyone has integrated the Fiori front end with LDAP.

masa_139
Product and Topic Expert
0 Kudos

Hi Ravi,

Some search results.

Regards,

Masa

Former Member
0 Kudos

Dear Masa,

Thanks for the SCN links. I have gone through the search results already and most of them are unanswered. I was also looking for some information on how existing customers are using Fiori (SAP user ID based access or LDAP).

Thanks again for the search results.

Regards,

Ravi

midhun_vp
Active Contributor
0 Kudos

Hi Ravi,

I believe that you can achieve it if you proxy the Fiori client through an SMP server.

Regards, Midhun

SAP Customer Experience Group - CEG