IDP URL for SAP Fiori App on mobile

Former Member
0 Kudos

Hi,

I am confused about the URL to use on the mobile device for my Fiori App. My mobile device is using SAP Authenticator and this has already been enabled. Going through this amazing document (http://sapassets.edgesuite.net/sapcom/docs/2015/07/b22e5088-5b7c-0010-82c7-eda71af511fa.pdf) I have configured it so far. Now, I am confused with the IDP URL to use. (attached pic)

http://FIORISERVER:8000/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html?sap-client=001&sam...IDPNAME&idplogonurl= ????? I am not able to do the rest. Can anyone explain the rest of the URL to be used, and where I can get it (eg: /nwa?). Also what does it mean by URL encoded twice?

Thanks

Accepted Solutions (1)

former_member182254
Active Participant
0 Kudos

Hi Jim,

Parameter "idplogonurl" shall contain a URL that you normally use to trigger IDP-initiated SSO, for example:

https://IDPSERVER:50001/saml2/idp/sso?saml2sp=gw_fiori_sp&RelayState=fiori

Details of how this URL is constructed can be found here: Performing Identity Provider-Initiated Single Sign-On - Identity Provider for SAP Single Sign-On and...

Once you have the value then you shall URL encode it twice, for example:

1. Original URL: https://IDPSERVER:50001/saml2/idp/sso?saml2sp=gw_fiori_sp&RelayState=fiori

2. Encoded once: https%3a%2f%2fIDPSERVER%3a50001%2fsaml2%2fidp%2fsso%3fsaml2sp%3dgw_fiori_sp%26RelayState%3dfiori

3. Encoded twice: https%253a%252f%252fIDPSERVER%253a50001%252fsaml2%252fidp%252fsso%253fsaml2sp%253dgw_fiori_sp%2526RelayState%253dfiori

Normally I use this public site to URL encode strings: URL Encoder

Regards,

Dimitar
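The double encoding in the answer above is easy to get wrong by hand, so here is an added worked example (not part of the original thread, and not SAP code) that reproduces the three steps with Python's standard urllib, assembles the launchpad URL, and then does what the launchpad has to do on the receiving side: parse the outer query string (first decode) and decode the parameter value once more. It also shows why a single encoding is not enough: the inner `&RelayState=...` would be split off as a separate outer parameter. The hostnames, port and `gw_fiori_sp` are the placeholders from the answer; the parameter carrying the IDP name is truncated on the page, so it is left out here. Python emits uppercase hex (`%3A`) where the answer shows lowercase (`%3a`); both are equivalent per RFC 3986.

```python
from urllib.parse import quote, unquote, urlencode, urlsplit, parse_qs

# Constructed sample values, taken from the placeholders used in this thread.
FLP_BASE = "http://FIORISERVER:8000/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html"
IDP_LOGON_URL = "https://IDPSERVER:50001/saml2/idp/sso?saml2sp=gw_fiori_sp&RelayState=fiori"


def url_encode(value: str) -> str:
    """Step 2: percent-encode every reserved character (':', '/', '?', '=', '&').
    safe='' matters: quote() leaves '/' untouched by default."""
    return quote(value, safe="")


def double_encode(value: str) -> str:
    """Step 3: encode the already encoded string again, so '%' becomes '%25'."""
    return url_encode(url_encode(value))


def decode_twice(value: str) -> str:
    """Inverse of double_encode, for checking a hand-built value."""
    return unquote(unquote(value))


def build_launchpad_url(flp_base: str, client: str, idp_logon_url: str) -> str:
    """Assemble the launchpad URL. urlencode() applies one layer of encoding
    itself, so the value handed to it is encoded only once beforehand."""
    query = urlencode({"sap-client": client, "idplogonurl": url_encode(idp_logon_url)})
    return f"{flp_base}?{query}"


def extract_idp_logon_url(launchpad_url: str) -> str:
    """Receiving side: parse_qs() removes the outer layer, then the
    parameter value is decoded a second time to recover the IDP URL."""
    outer = parse_qs(urlsplit(launchpad_url).query)
    return unquote(outer["idplogonurl"][0])


def show_single_encoding_pitfall(flp_base: str, idp_logon_url: str):
    """Append the raw IDP URL without encoding: the outer query parser
    splits on '&', so RelayState is lost from idplogonurl."""
    naive = f"{flp_base}?sap-client=001&idplogonurl={idp_logon_url}"
    outer = parse_qs(urlsplit(naive).query)
    return outer["idplogonurl"][0], sorted(outer)


def is_trusted_idp_url(url: str, allowed_hosts=("IDPSERVER",)) -> bool:
    """Defensive check an integration should make on the decoded value:
    the logon URL must use https and point at a known IDP host
    (allow-list assumed for this example; hostname is lowercased by urlsplit)."""
    parts = urlsplit(url)
    allowed = {h.lower() for h in allowed_hosts}
    return parts.scheme == "https" and parts.hostname in allowed


if __name__ == "__main__":
    print("Encoded once: ", url_encode(IDP_LOGON_URL))
    print("Encoded twice:", double_encode(IDP_LOGON_URL))
    full = build_launchpad_url(FLP_BASE, "001", IDP_LOGON_URL)
    print("Launchpad URL:", full)
    print("Recovered:    ", extract_idp_logon_url(full))
    print("Unencoded pitfall:", show_single_encoding_pitfall(FLP_BASE, IDP_LOGON_URL))
```

Running the script prints the once- and twice-encoded strings, the assembled launchpad URL, the IDP URL recovered from it, and the truncated value you get when the parameter is not encoded at all. The `is_trusted_idp_url` check is the one a defender would add on the consuming side, since `idplogonurl` is effectively a redirect target and should only ever resolve to the configured identity provider.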

Former Member
0 Kudos

Thanks again for clarifying. Just one quick question - When you use the IDP initiated URL, does it do an SSO to the SP? When I try my IDP initiated URL, it goes to the SP (Fiori Launchpad URL), and asks me to login there again. Is this normal, or is my SSO broken? Or does the SSO only work for the SAP Authenticator? Many thanks!!!

former_member182254
Active Participant
0 Kudos

Hi Jim,

Yes, you should have SSO to the SP. If instead you get a logon screen from the Fiori system then the SAML2 setup is not correct. You can do initial troubleshooting by collecting SAML2 traces as described here: Diagnosing SAML 2.0 Problems with the Security Diagnostic Tool f - User Authentication and Single Si.... Check the collected traces and there shall be a hint about what is going wrong. If there are no traces then SAML2 is not enabled for the FLP and you should do this in SICF.

Regards,

Dimitar

Former Member
0 Kudos

Thanks Dimitar for your help.

I have followed the guide, and have recreated the IDP and SP config and I am still getting the user prompt of my SP when I go to my IDP initiated URL. Can you please verify my URL is correct? - http:IDPHOST:PORT/saml2/idp/sso?saml2sp=SERVICEPROVIDER&RelayState=RELAYSTATE

I am getting the error - SAML20 CX_SAML20_CORE: No entity in with ID SERVICEPROVIDER in client 001 found.

Any help is appreciated. Many thanks

former_member182254
Active Participant
0 Kudos

Hi Jim,

The error means that the name of the service provider you have configured as trusted in the IDP does not match the SP name in the ABAP/Fiori system. Please make sure that those are in sync. If you cannot fix this then I would recommend opening a support ticket in BC-SEC-LGN-SML.

Regards,

Dimitar

Answers (0)