on 03-14-2016 7:23 AM
Dear All,
I am searching for a solution to integrate our ABAP gateway (NetWeaver 7.5 SP01) with Microsoft Active Directory, to synchronize user ID and password from AD.
We have SSO, but this is a gateway server we are using for Fiori Launchpad only with ABAP Stack.
While using Fiori Launchpad from Mobile or tablet, user has to enter the Fiori user ID and password. We would like to avoid this and make the user ID same as the AD ID.
How can we achieve this? Which document should we follow?
I found some configuration related to this in SPRO
SAP NetWeaver ---> Application Server ---> System Administration ---> Directory Integration
Configure LDAP Connector
Define LDAP Users
Configure LDAP Server
If we use SAP SSO, the AD integration is not required and the login procedure will be handled by the SAP Secure Login Client. This is good if we use only laptops or desktops. It will not work for the Fiori Launchpad from mobile devices.
Looking for a solution and guidelines to proceed further.
Thanks in advance.
Regards,
Abu Sandeep
Hello ABU,
You can achieve this requirement using the SAP Single Sign-On product (license required). You can implement SAML authentication and you can configure MS AD authentication to the SAML Identity Provider. Using the SAP Single Sign-On product you can also implement "one login": your users will authenticate first to the MS domain in the morning and then they will have SSO to SAP Fiori, and no additional authentication will be necessary. The SAP Single Sign-On product also offers a Mobile SSO solution based on time-based one-time passwords, and this solution is also available for the native mobile application SAP Fiori Client.
Please, find also the step-by-step guide for implementing this scenario: Mobile Single Sign-On for SAP Fiori - Step-by-Step Guide
Regards,
Donka Dimitrova
Hi
Maybe this helps you:
If you have a Microsoft ADFS running, you could use this documentation.
We also have only the Fiori Launchpad with SSO, and with ADFS it also works from mobile devices.
On the Fiori Gateway, try tcode SAML2 as described in the document.
Regards,
Marco
Hello Abu,
The Mobile SSO solution available with the SAP Single Sign-On product requires a SAML Identity Provider for the authentication to the AS ABAP back-end of SAP Fiori. This solution is available for both scenarios: when the user is accessing the system from inside the corporate network and also when the user is accessing the system from outside the corporate network.
It is up to your company to decide if you also want to allow external access, but SAML SSO is mandatory for both.
Regards,
Donka Dimitrova
Dear Marco Noe,
Thanks for the information about tcode SAML2. We got the link and the configuration steps for the Gateway server.
We have a Secure Login Server Installed and would like to use certificate for Mobile SSO.
The Secure Login Server with the NetWeaver 7.5 JAVA engine has an option to enable SAML 2.0 support.
Do we need to enable SAML on both servers? What is the difference between doing it on the two servers?
X.509 configuration requires the Secure Login Server and Mobile SSO requires SAML 2.0. Let me know whether my statement is right.
Thanks in advance.
Regards,
Abu Sandeep
Hello Abu,
I would like just to clarify for you the following:
As part of the SAP Single Sign-On product you get:
1) Secure Login Server for issuing X.509 Client Certificates
2) SAML Identity Provider for issuing SAML assertions.
Both solutions are deployed and running on SAP NW AS JAVA.
The Secure Login Server could be configured to accept SAML assertions for authentication, but you do not need the Secure Login Server when you implement Mobile SSO based on TOTP (see the guide I provided above).
In order to implement the Mobile SSO solution based on TOTP, you need to implement our SAML Identity Provider and to configure the trust between the SAML IDP and your AS ABAP system as SAML SP (all of this is described in the guide I provided above).
If you have any further questions just let me know.
Regards,
Donka
Dear Donka,
Thanks a lot for your all inputs.
We are in the middle of SAML configuration.
While uploading the metadata file from the SAP Fiori server to the IDP, it says the certificate is not trusted.
Do we need a trusted certificate to configure this?
Can we do a sandbox with a self-signed certificate?
Do we need to connect the IDP with AD? In the SAML configuration it's redirecting the link to the IDP, and the user name and password should be the same as the AD credentials, right?
Do you have guidelines to connect the IDP with Active Directory? We are using a NetWeaver 7.5 SAP JAVA server for the IDP.
Regards,
Abu Sandeep
Hello Abu,
Here are the details about certificates when you configure a trusted Service Provider for the SAML Identity Provider:
When you import the metadata, you also have to provide the self-signed certificate.
The SAML IDP coming with the SAP Single Sign-On product uses the authentication stack of the AS JAVA. In order for your users to be able to authenticate to the SAML IDP using their MS AD credentials, you have to configure MS AD as the user store for the AS JAVA UME.
Here is how to configure this:
LDAP Directory as Data Source - Identity Management - SAP Library
Regards,
Donka Dimitrova
Dear Donka,
Thanks a lot for your quick response.
I managed to fix the trusted certificate issue, and the JAVA UME is also configured in the IDP. Now it has started taking the AD credentials itself.
Now, while accessing the Fiori Launchpad link, it's asking to select an IDP (made automatic later).
Then it redirects to the message below.
SAML2 service not accessible
What has happened?
Calling of URL http://<hostname><port>/sap/saml2/sp/acs/900 was terminated during SAML2 processing
Note
No RelayState mapping found for RelayState value oucqqvqvwzyodzrroreewoydeeottzwcvducezy
HTTP 404 Not Found
© 2001-2016, SAP AG
As per the Mobile Single Sign-On for SAP Fiori guide:
29. Go to the tab "Service Provider Settings" > RelayState Mapping and choose "Add" for a new RelayState.
30. Provide the name for the RelayState and provide the Path to the RelayState. (In our case, this is the path to the "SAP Fiori Launchpad".)
The Fiori Launchpad link is the same as in the document for us.
The Default application path was empty and we don't know what should be entered there; it's not mentioned anywhere in the document.
Please advise on this.
Regards,
Abu Sandeep
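The error above ("No RelayState mapping found for RelayState value ...") is what a SAML 2.0 Service Provider returns when it fails closed on a RelayState it cannot resolve. The following Python model, added here as an illustration and not SAP's SAML2 implementation, shows the two resolution paths an SP typically supports (an administrator-configured mapping name for IdP-initiated SSO, and an opaque one-time token minted by the SP itself for SP-initiated login), why a lookup fails for a replayed, expired or unknown value, what a "default application path" is used for when RelayState is empty, and why the SP must never redirect to a raw URL carried in RelayState (open redirect). The launchpad path, mapping name `FLP`, the 300-second lifetime and all sample values are assumptions for the example.

```python
"""Model of RelayState handling at a SAML 2.0 SP's Assertion Consumer Service.
Added illustration only; it does not reproduce SAP NetWeaver's SAML2 code."""
import secrets
import time
from urllib.parse import urlsplit


class RelayStateError(Exception):
    """Raised when a RelayState cannot be resolved to a safe local target."""


class SamlSpRelayState:
    """Resolves RelayState values presented at the ACS endpoint.

    Accepted forms: an admin-configured mapping *name* (IdP-initiated SSO) or an
    opaque one-time token this SP minted when it started an SP-initiated login.
    A raw URL is never used as a redirect target.
    """

    def __init__(self, mappings, default_path=None, ttl_seconds=300):
        self.mappings = dict(mappings)       # name -> local path (admin-configured)
        self.default_path = default_path     # target when RelayState is absent
        self.ttl = ttl_seconds               # lifetime of a pending login
        self._pending = {}                   # token -> (local path, expiry time)

    @staticmethod
    def _local_path(path):
        """Accept only a relative path on this host: no scheme, host, // or backslash."""
        parts = urlsplit(path)
        if (parts.scheme or parts.netloc or not path.startswith("/")
                or path.startswith("//") or "\\" in path):
            raise RelayStateError(f"refusing non-local redirect target {path!r}")
        return path

    def start_login(self, requested_path, now=None):
        """Unauthenticated browser hit a protected path: remember it under a
        random token and return the token to carry in the AuthnRequest."""
        now = time.time() if now is None else now
        target = self._local_path(requested_path)
        token = secrets.token_urlsafe(24)
        self._pending[token] = (target, now + self.ttl)
        return token

    def finish_login(self, relay_state, now=None):
        """ACS endpoint, after the assertion has been validated: map RelayState
        back to a local path, or fail closed with the 'no mapping' error."""
        now = time.time() if now is None else now
        if not relay_state:
            if self.default_path is None:
                raise RelayStateError("empty RelayState and no default application path")
            return self.default_path
        if relay_state in self.mappings:          # IdP-initiated: name configured by admin
            return self.mappings[relay_state]
        entry = self._pending.pop(relay_state, None)   # one-time use: pop, not get
        if entry is None or entry[1] < now:
            raise RelayStateError(
                f"No RelayState mapping found for RelayState value {relay_state}")
        return entry[0]


# Constructed configuration (assumed values): one named mapping for the
# Fiori Launchpad and the same path as default application path.
FLP_PATH = "/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html"
sp = SamlSpRelayState({"FLP": FLP_PATH}, default_path=FLP_PATH)


def demo():
    """Walk through the SP-initiated, IdP-initiated, empty and failure cases."""
    results = {}
    token = sp.start_login(FLP_PATH, now=1000)
    results["sp_initiated"] = sp.finish_login(token, now=1010)
    results["idp_initiated"] = sp.finish_login("FLP", now=1010)
    results["empty"] = sp.finish_login("", now=1010)
    try:
        sp.finish_login(token, now=1010)         # replay of an already consumed token
    except RelayStateError as e:
        results["replay"] = str(e)
    stale = sp.start_login(FLP_PATH, now=1000)
    try:
        sp.finish_login(stale, now=1000 + 600)   # token older than ttl_seconds
    except RelayStateError as e:
        results["expired"] = str(e)
    try:
        sp.start_login("https://attacker.example/", now=1000)   # open-redirect attempt
    except RelayStateError as e:
        results["open_redirect"] = str(e)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

In this model the configured "RelayState Mapping" names are the only values an IdP may send on its own, the default application path is consulted only when the response carries no RelayState at all, and an opaque value that is absent from the pending table (never issued, already consumed, or expired) produces exactly the fail-closed error seen in the post.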