
Need to configure SAP Fiori Front End Gateway (NW7.4 ABAP) with Active Directory.

anoarul_islam
Explorer
0 Kudos

Dear Experts,

We have SAP Fiori apps configured in our landscape. We have SAP Netweaver
7.4 as Front End Gateway server. And we have SAP ECC 6.0 EHP6 as backend server
for Fiori apps.

The Fiori URLs are exposed to Internet via SAP Web dispatcher on DMZ,
for our employees.

Now our need is to allow our employees to use their Domain ID (Active
Directory user ID) to use the SAP Fiori application.

My questions are:

  1. Do I need to use SAP SSO for this scenario to be configured?

  2. If so, then do I need to add any AS JAVA between SAP Web Dispatcher and
Gateway server?

Any documents related to this would be highly appreciated please...

Kind Regards,

Mohammad Anoarul Islam

Accepted Solutions (0)

Answers (3)

Former Member
0 Kudos

Hi Mohammad,

I hope all is well and you enjoy the blessings of Ramadhan.

Have you implemented the process and documented it?

Please let me know if you could share the documentation.

Cheers,

Usman

usman_muhammad@hotmail.com

tim_alsop
Active Contributor
0 Kudos

If you want to connect AS ABAP to AD for Fiori user authentication, you can do this without needing a Java stack.

Thanks

Tim

anoarul_islam
Explorer
0 Kudos

Thanks a lot Tim Alsop,

Actually my requirement is to allow our employees to use their AD user ID to work with the SAP FIORI application from the Internet (outside of our domain).

I have configured SAP Web Dispatcher in the DMZ. I have an SSL certificate for https://fiori.dewa.gov.ae; this URL is configured on the SAP Web Dispatcher server. SAP Web Dispatcher is connected to the SAP FIORI Front End server, which is SAP NW 7.4 SPS08, and the back end server is SAP ECC 6.0 EHP6.

Please suggest how I can achieve this goal...

thanks in advance please...

Regards,

Mohammad Anoarul Islam

tim_alsop
Active Contributor
0 Kudos

So, do you want a user on the internet to access Fiori launchpad (on NetWeaver Gateway) and get prompted to enter their AD user and password?

Thanks

Tim

anoarul_islam
Explorer
0 Kudos

Yes Tim,

Our employees will use the SAP FIORI Launchpad from the Internet with their AD user and password...

Thanks ..

Mohammad Anoarul Islam

tim_alsop
Active Contributor
0 Kudos

It is possible to do what you want, as shown below:

Web browser <--- Internet ---> Firewall <---> Web dispatcher <---> SAP NW Gateway <---> Active Directory

For above you need to buy a product from a SAP partner.

If you want to use AS JAVA with SAP SSO product, then you need to buy SAP SSO product from SAP.

Thanks

Tim

anoarul_islam
Explorer
0 Kudos

Thanks once again Tim for your meaningful suggestion.

May I ask you to elaborate more on:

1. "For above you need to buy a product from a SAP partner". Please mention the product name and the partner from where we can buy it.

2. If I want to use AS JAVA with SAP SSO, then how will the configuration be? Any documents for the same would be highly appreciated please....

Mostly we may prefer option 2.

Thanks ....

Mohammad Anoarul Islam

tim_alsop
Active Contributor
0 Kudos

This message was moderated.

tim_alsop
Active Contributor
0 Kudos

Mohammad Anoarul Islam wrote:

1. "For above you need to buy a product from a SAP partner".-- Please mention me the product name and partner from where we can buy

It is against SCN rules to mention third party products/vendors on SCN. I can help you with this, but not using SCN forums.

anoarul_islam
Explorer
0 Kudos

Hi,

How can I get the information then, please?

Is it possible to share the email ID please...

Regards,

Mohammad Anoarul Islam

tim_alsop
Active Contributor
0 Kudos

You can access my contact details by clicking on my name in SCN.

Thanks

Tim

former_member182254
Active Participant
0 Kudos

Hello Mohammad,

Using SAP SSO will allow you to implement this scenario. In addition you will have the options to enable multi-factor authentication for external access and SSO for mobile devices. The AS Java system where SAP SSO is deployed has to be exposed to Internet as well but it is not 'between' the Web Dispatcher and the GW server. It is behind the Web Dispatcher and next to the GW server. A similar setup is shown in scenario 3 of the following blog: http://scn.sap.com/community/sso/blog/2015/05/22/stronger-security-for-your-business-data-at-risk, where SAP Web Dispatcher = Reverse Proxy, SAP SSO = Portal / IDP, Gateway = ERP

Regards,

Dimitar

Additional resources:

http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/60f9f0b6-9c39-3210-9284-843cd5ec3...

anoarul_islam
Explorer
0 Kudos

Hi Dimitar Mihaylov,

Thanks a lot for your reply. I have seen the reference URL and scenario 3.

What I understood is to install SSO on SAP AS Java and expose it to the Internet. With SSO I can connect AD with the AS Java system. Our employees will browse the FIORI URL, but how will the URL reach the FIORI Gateway server?

I am new to SSO; are there any related docs I can read please...

thanks once again ...

Regards

Mohammad Anoarul Islam

donka_dimitrova
Contributor
0 Kudos

Hello Mohammad,

In addition to the guides provided by Dimitar, please find the documentation on how to connect AD with your AS Java:

Configuring the UME to Use an LDAP Directory as Data Source - Identity Management - SAP Library

Regards,

Donka Dimitrova

anoarul_islam
Explorer
0 Kudos

Hello Donka Dimitrova,

Thanks a lot for sharing the guide.

But our scenario is different.

We want our employees to use SAP FIORI Launchpad apps from the Internet (like from mobile, tablet etc.)

The flow will be as follows:

Internet <----(https)----> SAP Web Dispatcher (on DMZ) <-----Firewall-----> SAP FIORI Front Server (NW 7.4 SPS8 ABAP)

Hope you will suggest an option to achieve this...

Regards,

Mohammad Anoarul Islam

donka_dimitrova
Contributor
0 Kudos

Hello Mohammad,

I wanted only to provide info about the topic "connecting AD with AS JAVA".

My colleague Dimitar Mihaylov already proposed a proper document to you regarding your scenario. In his post to you Dimitar mentioned a very good document describing the architecture recommended by SAP for Fiori implementation and especially securing Fiori scenarios for mobile usage with our SAP Single Sign-On product.

This is from his post above:

".....A similar setup is shown in scenario 3 of the following blog: http://scn.sap.com/community/sso/blog/2015/05/22/stronger-security-for-your-business-data-at-risk, where SAP Web Dispatcher = Reverse Proxy, SAP SSO = Portal / IDP, Gateway = ERP"


Regards,

Donka Dimitrova

former_member182254
Active Participant
0 Kudos

Hello Mohammad,

The AS ABAP (Fiori Front End Server) cannot be configured to authenticate users directly with AD username/password. That's the reason to include AS Java (SAP SSO) in the scenario. The AD credentials are checked by the AS Java system and after successful authentication a SAML 2.0 assertion is issued. The SAML 2.0 assertion is used to authenticate to the Fiori Front End Server. For the end user this is transparent and he only needs to provide his AD credentials.

Using SAP Authenticator you can also achieve Mobile SSO for Android and iOS devices using the setup described above.

If you need further details or would like to see the scenario working we can have a web conference. Just contact me via email at dimitar.mihaylov<AT>sap.com.

Best regards,


Dimitar Mihaylov

anoarul_islam
Explorer
0 Kudos

Thanks a lot Dimitar,

I will contact you via email...

Regards,

Mohammad Anoarul Islam