
SAP AD Integration with NetWeaver 7.5

abusandeep
Explorer
0 Kudos

Dear All,

I am searching for a solution to integrate our ABAP gateway (NetWeaver 7.5 SP01) with Microsoft Active Directory, to synchronize user IDs and passwords from AD.

We have SSO, but this is a gateway server we are using for Fiori Launchpad only with ABAP Stack.

While using the Fiori Launchpad from a mobile or tablet, the user has to enter the Fiori user ID and password. We would like to avoid this and make the user ID the same as the AD ID.

How can we achieve this? Which document should we follow?

I found some configuration related to this in SPRO:

SAP NetWeaver -> Application Server -> System Administration -> Directory Integration

Configure LDAP Connector

Define LDAP Users

Configure LDAP Server

If we use SAP SSO, AD integration is not required and the login procedure will be handled by the SAP Secure Login Client. This is good if we use only laptops or desktops. It will not work for the Fiori Launchpad from mobile devices.

Looking for a solution and guidelines to proceed further.

Thanks in advance.

Regards,

Abu Sandeep

Accepted Solutions (1)


donka_dimitrova
Contributor
0 Kudos

Hello ABU,

You can achieve this requirement using the SAP Single Sign-On product (license required). You can implement SAML authentication and you can configure MS AD authentication for the SAML Identity Provider. Using the SAP Single Sign-On product you can also implement "one login": your users will authenticate first to the MS Domain in the morning and then they will have SSO to SAP Fiori, and no additional authentication will be necessary. The SAP Single Sign-On product also offers a Mobile SSO solution based on time-based one-time passwords, and this solution is also available for the native mobile application SAP Fiori Client.

Please, find also the step-by-step guide for implementing this scenario: Mobile Single Sign-On for SAP Fiori - Step-by-Step Guide

Regards,

Donka Dimitrova

Message was edited by: Donka Dimitrova (a link to the step-by-step guide included)

Answers (1)


mnoe
Participant
0 Kudos

Hi

Maybe this helps you:

If you have a Microsoft ADFS running, you could use this documentation:

http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/d066cce7-b7b8-3010-428c-bcef3cf76...

We also have only the Fiori Launchpad with SSO, and with ADFS it also works from mobile devices.

On the Fiori Gateway try tcode SAML2 as described in the document.

Regards,

Marco

abusandeep
Explorer
0 Kudos

Dear Donka and Marco,

Thanks a lot for your reply.

We are planning to use SAP SSO. If we do not want to publish the Fiori Launchpad on the Internet, do we still need SAML technology?

Regards,

Abu Sandeep

donka_dimitrova
Contributor
0 Kudos

Hello Abu,

The Mobile SSO solution available with the SAP Single Sign-On product requires a SAML Identity Provider for the authentication to the AS ABAP back end of SAP Fiori. This solution is available for both scenarios: when the user is accessing the system from inside the corporate network and also when the user is accessing the system from outside the corporate network.

It is up to your company to decide if you want to also allow external access, but the SAML SSO is mandatory for both.

Regards,

Donka Dimitrova

abusandeep
Explorer
0 Kudos

Dear Marco Noe,

Thanks for the information about Tcode SAML2. We got the link and configuration steps in the Gateway Server.

We have a Secure Login Server installed and would like to use certificates for Mobile SSO.

The Secure Login Server with the NetWeaver 7.5 JAVA engine has an option to enable SAML 2.0 support.

Do we need to enable SAML on both the servers? What is the difference between doing it on the two servers?

X.509 configuration requires the Secure Login Server, and Mobile SSO requires SAML 2.0. Let me know whether my statement is right.

Thanks in advance.

Regards,

Abu Sandeep

donka_dimitrova
Contributor
0 Kudos

Hello Abu,

I would just like to clarify the following for you:
As part of the SAP Single Sign-On product you get:

1) Secure Login Server for issuing X.509 Client Certificates

2) SAML Identity Provider for issuing SAML assertions.

Both solutions are deployed and running on SAP NW AS JAVA.

Secure Login Server could be configured to accept SAML assertions for authentication but you do not need the Secure Login Server when you implement Mobile SSO based on TOTP (see the guide provided by me above).


In order to implement the Mobile SSO solution based on TOTP, you need to implement our SAML Identity Provider and configure the trust between the SAML IDP and your AS ABAP system as SAML SP (all this is described in the guide provided by me above).


If you have any further questions just let me know.

Regards,

Donka


abusandeep
Explorer
0 Kudos

Dear Donka,

Thanks a lot for all your inputs.

We are in the middle of SAML configuration.

While uploading the metadata file from SAP Fiori server to IDP, it says the certificate is not trusted.

Do we need a trusted certificate to configure this?

Can we do a sandbox with a self-signed certificate?

Do we need to connect the IDP with AD? In the SAML configuration it is redirecting the link to the IDP, and the user name and password should be the same as the AD credentials, right?

Do you have guidelines to connect the IDP with Active Directory? We are using a NetWeaver 7.5 SAP JAVA server for the IDP.

Regards,

Abu Sandeep

donka_dimitrova
Contributor
0 Kudos

Hello Abu,

Here are the details about certificates when you configure a trusted Service Provider for the SAML Identity Provider:

Adding Service Providers - Identity Provider for SAP NetWeaver Single Sign-On and SAP NetWeaver Iden...

When you import the metadata, you have to provide the self-signed certificate also.

The SAML IDP coming with the SAP Single Sign-On product is using the authentication stack of the AS JAVA. In order for your users to be able to authenticate to the SAML IDP using their MS AD credentials, you have to configure MS AD as the user store for the AS JAVA UME.

Here is how to configure this:

LDAP Directory as Data Source - Identity Management - SAP Library

Regards,

Donka Dimitrova

abusandeep
Explorer
0 Kudos

Dear Donka,

Thanks a lot for your quick response.

I managed to fix the trusted certificate issue, and the JAVA UME is also configured in the IDP. Now it has started taking the AD credentials itself.

Now, while accessing the Fiori launchpad link, it is asking to select an IDP (made automatic later).

Then it redirects to the message below.

SAML2 service not accessible

What has happened?

Calling of URL http://<hostname><port>/sap/saml2/sp/acs/900 was terminated during SAML2 processing

  

Note

No RelayState mapping found for RelayState value oucqqvqvwzyodzrroreewoydeeottzwcvducezy

HTTP 404 Not Found

© 2001-2016, SAP AG

As per the Mobile Single Sign-On for SAP Fiori guide:

29. Go to the tab "Service Provider Settings" > RelayState Mapping and choose "Add" for a new RelayState.

30. Provide the name for the RelayState and provide the Path to the RelayState. (In our case, this is the path to the "SAP Fiori Launchpad".)

The Fiori launchpad link is the same as in the document for us.

The Default application path was empty and we don't know what should be entered there; it is not mentioned anywhere in the document.

Please advise on this.

Regards,

Abu Sandeep
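Added illustration, not part of the thread and not SAP's implementation: a small Python model of how a service provider's ACS endpoint resolves an incoming RelayState only through a configured name-to-path mapping (the "RelayState Mapping" table from the guide), falls back to a default application path when the RelayState is empty, and answers 404 for any value that is not mapped, which is the shape of the error shown above. The mapping name "FLP" and the path values are constructed samples.

```python
"""Toy model of RelayState resolution at a SAML2 service provider's ACS.

Added illustration (not SAP's code): the RelayState carried back with a SAML
Response is an opaque name that is looked up in an allow-list mapping; it is
never used as a redirect target directly, so unmapped values yield a 404.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import urlsplit


@dataclass
class RelayStateConfig:
    # name -> relative path, as configured under RelayState Mapping (constructed sample)
    mapping: Dict[str, str] = field(default_factory=dict)
    # used when the SAML Response carries no RelayState at all
    default_application_path: Optional[str] = None


@dataclass
class AcsResult:
    status: int                      # 302 on success, 404 when nothing resolves
    location: Optional[str] = None   # redirect target on success
    reason: Optional[str] = None     # error text on failure


def is_local_path(path: str) -> bool:
    """Accept only same-host relative paths: no scheme, no host, no protocol-relative //."""
    parts = urlsplit(path)
    return (not parts.scheme and not parts.netloc
            and path.startswith("/") and not path.startswith("//"))


def resolve_relay_state(cfg: RelayStateConfig, relay_state: Optional[str]) -> AcsResult:
    """Resolve the RelayState from a SAML Response into a redirect, or reject it."""
    if not relay_state:
        if cfg.default_application_path and is_local_path(cfg.default_application_path):
            return AcsResult(302, cfg.default_application_path)
        return AcsResult(404, reason="No RelayState supplied and no default application path")
    target = cfg.mapping.get(relay_state)
    if target is None:
        # Unmapped values (including raw URLs) are rejected rather than followed
        return AcsResult(404, reason=f"No RelayState mapping found for RelayState value {relay_state}")
    if not is_local_path(target):
        return AcsResult(404, reason="Configured RelayState target is not a local path")
    return AcsResult(302, target)


if __name__ == "__main__":
    cfg = RelayStateConfig(mapping={"FLP": "/sap/bc/ui2/flp"},   # constructed sample
                           default_application_path="/sap/bc/ui2/flp")
    for rs in ("FLP", "", "oucqqvqvwzyodzrroreewoydeeottzwcvducezy", "https://other.example/"):
        r = resolve_relay_state(cfg, rs)
        print(repr(rs), "->", r.status, r.location or r.reason)
```

The opaque value from the error above resolves to 404 in this model because no mapping entry carries that name; a mapped name or an empty RelayState with a default application path resolves to the launchpad path.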