Sap Single Sign On Certificate
13 July 2021
In this blog we explain how to enable SAML 2.0 for SAP Fiori applications: single sign-on (SAML 2.0) to the Fiori launchpad with Microsoft Azure AD as the identity provider (IdP).
The SAP Basis team coordinates with the ADFS/Azure AD team for all IdP-related activities. The high-level activities are listed below.
Note that browser-based SAML 2.0 logon is a different mechanism from X.509 client-certificate logon. To use client certificates for authentication, the AS ABAP must be enabled for Secure Network Communications (SNC); SNC provides a Generic Security Services API (GSS API) through which SAP NetWeaver Single Sign-On or an external security product authenticates the communication partners, for example SAP GUI for Windows and the AS ABAP. The SAML 2.0 setup described here runs over HTTPS and does not require SNC.
S.No  Description                                                              Owner of the activity
1     Service Provider configuration (SAP Fiori)                               SAP Basis
1.1   Activate the SAML2 SICF services                                         SAP Basis
1.2   Enable SAML 2.0 local provider settings                                  SAP Basis
1.3   Download the service provider metadata file                              SAP Basis
1.4   Export the SAML2 certificate (STRUST) from the service provider (SP)     SAP Basis
2     Identity Provider (Microsoft Azure) configuration                        ADFS team
2.1   Import the SP metadata file into the IdP                                 SAP Basis
2.2   Set up the user attributes and claim rules                               SAP Basis
2.3   Download the Federation Metadata XML and IdP certificate                 SAP Basis
2.4   Upload the Federation Metadata XML and IdP certificate into the SP       SAP Basis
3     Test SAML authentication using the SAP Fiori launchpad                   SAP Basis
Before starting the configuration, we look at the architecture and the scenario.
The environment on which we implemented this:
Service Provider (SP): SAP NetWeaver 7.40 SP19 (SAP Fiori application).
Application: the SAP Fiori launchpad is accessed from browsers (IE, Chrome, etc.) over the internet and also from mobile devices.
Identity Provider (IdP): Microsoft Azure AD.
1. Service Provider configuration (SAP Fiori).
1.1 Activate the SAML2 SICF services.
Log on to the SAP system, go to transaction SICF and activate the SAML2-related services:
/sap/public/bc
/sap/public/bc/ur
/sap/bc/webdynpro/sap/saml2
1.2 Enable SAML 2.0 local provider settings.
Once the services are active, run transaction SAML2; the SAML 2.0 configuration screen opens in the browser.
Select Create SAML 2.0 Local Provider.
Enter a name for the local provider configuration. We recommend the syntax https://<sid><client>, so the entity is easy to identify when several SAP Fiori systems are registered in Azure AD. This name becomes the SP entity ID and is what the IdP puts into the assertion's Audience element, so change it later only if you also update the Azure AD application.
Click Next and keep the default values on the following steps.
Under Identity Provider Discovery: Common Domain Cookie (CDC), choose Selection Mode Manual. With Automatic, the user is not asked to choose an authentication provider; the default provider is selected automatically.
Click Finish. After the wizard completes, the SAML 2.0 status is Disabled by default, so enable it.
1.3 Download the service provider metadata file.
Go to Local Provider, click Metadata and save the file on your local machine. This metadata file must be imported into the identity provider (Azure AD).
1.4 Export the SAML2 certificate (STRUST) from the service provider (SP).
In transaction STRUST, open the SSF SAML2 Service Provider PSE and export its certificate. The same certificate is embedded in the metadata file from 1.3; if the two ever differ (for example after the PSE was renewed), the IdP will reject signed authentication requests.
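Before handing the metadata file to the Azure AD team, it is worth checking what the ABAP system actually exported. The following script is an added example and not code from the blog or from SAP: it parses an SP metadata document with the standard library, reads the entity ID, the advertised NameID formats and AssertionConsumerService endpoints, and compares the SHA-256 fingerprint of the signing certificate in the metadata with the certificate exported from STRUST. The metadata document, host name, entity ID and certificate bytes are constructed sample data (the "certificate" is a dummy byte string, not a real X.509 object), and the naming convention check assumes the https://<sid><client> syntax recommended above.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample data. The DER bytes below are NOT a real certificate; they
# only stand in for the signing certificate that transaction SAML2 embeds in the
# metadata and that STRUST exports as a Base64 (.crt) file.
DUMMY_CERT_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(range(16))
OTHER_CERT_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(range(16, 32))


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes the way a Base64 certificate export does."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed sample: a minimal SP metadata document shaped like the SAML2 export.
# The second ACS endpoint deliberately uses plain http so the check has something to flag.
SAMPLE_SP_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}" entityID="https://abc100">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{base64.b64encode(DUMMY_CERT_DER).decode()}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>{NAMEID_UNSPECIFIED}</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://fiori.example.com/sap/saml2/sp/acs/100" index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://fiori.example.com/sap/saml2/sp/acs/100" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def pem_to_der(pem: str) -> bytes:
    body = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def sha256_fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def parse_sp_metadata(xml_text: str) -> dict:
    """Extract the fields an IdP administrator and the SP owner must agree on."""
    root = ET.fromstring(xml_text)
    sp = root.find(f"{{{MD_NS}}}SPSSODescriptor")
    signing = []
    for kd in sp.findall(f"{{{MD_NS}}}KeyDescriptor"):
        # A KeyDescriptor without "use" is valid for both signing and encryption.
        if kd.get("use", "signing") == "signing":
            for cert in kd.iter(f"{{{DS_NS}}}X509Certificate"):
                signing.append(sha256_fingerprint(base64.b64decode("".join(cert.text.split()))))
    return {
        "entity_id": root.get("entityID"),
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "signing_fingerprints": signing,
        "nameid_formats": [e.text.strip() for e in sp.findall(f"{{{MD_NS}}}NameIDFormat")],
        "acs": [(e.get("Binding"), e.get("Location"))
                for e in sp.findall(f"{{{MD_NS}}}AssertionConsumerService")],
    }


def check_sp_metadata(meta: dict, strust_export_pem: str, sid: str, client: str) -> list:
    """Return a list of findings; an empty list means the export is consistent."""
    findings = []
    expected_id = f"https://{sid}{client}".lower()
    if (meta["entity_id"] or "").lower() != expected_id:
        findings.append(f"entityID {meta['entity_id']!r} does not follow https://<sid><client>")
    if not meta["want_assertions_signed"]:
        findings.append("WantAssertionsSigned is not true")
    if NAMEID_UNSPECIFIED not in meta["nameid_formats"]:
        findings.append("metadata does not advertise the unspecified NameID format")
    for _binding, location in meta["acs"]:
        if not location.lower().startswith("https://"):
            findings.append(f"plain-http AssertionConsumerService endpoint: {location}")
    if sha256_fingerprint(pem_to_der(strust_export_pem)) not in meta["signing_fingerprints"]:
        findings.append("STRUST export does not match the signing certificate in the metadata")
    return findings


if __name__ == "__main__":
    meta = parse_sp_metadata(SAMPLE_SP_METADATA)
    for finding in check_sp_metadata(meta, der_to_pem(DUMMY_CERT_DER), "ABC", "100"):
        print("FINDING:", finding)
```

To use it against a real system, read the downloaded metadata XML and the STRUST export into the two string arguments; a plain-http ACS location usually means the ABAP system's own URL (ICM HTTPS port or the reverse-proxy host) was not set before the metadata was generated, and a fingerprint mismatch means the metadata predates a PSE renewal and must be regenerated before upload.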
2. Identity Provider (Microsoft Azure) configuration.
In the Azure portal, select Azure Active Directory, go to Enterprise applications and create a new application (e.g. SAP FIORI). As the single sign-on method, choose SAML.
2.1 Import the service provider (SP) metadata file into the IdP.
On the Set up Single Sign-On with SAML page, select Edit to open Basic SAML Configuration and complete the following steps.
Select Upload metadata file and upload the metadata file downloaded from the service provider (SAP Fiori).
When the upload succeeds, the Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) are populated automatically in the Basic SAML Configuration pane.
In the Sign on URL box, enter the Fiori production alias URL (the launchpad URL that users open).
2.2 Set up the user attributes and claim rules.
The SAP Fiori application expects the SAML assertion in a specific format, so configure the claims for this application as follows. On the Set up Single Sign-On with SAML page, select Edit on User Attributes & Claims.
Set the Name identifier format to Unspecified.
Set the Source attribute to user.onpremisessamaccountname.
The NameID value is what the ABAP system later maps to a logon ID (section 2.4), so the chosen source attribute must carry the user's ABAP user name; users whose sAMAccountName differs from their SU01 user name will not be able to log on.
2.3 Download the Federation Metadata XML and IdP certificate.
On the Set up Single Sign-On with SAML page, go to the SAML Signing Certificate section and download the Federation Metadata XML and the Certificate (Base64).
This metadata file and certificate are imported into the service provider.
2.4 Upload the Federation Metadata XML and IdP certificate into the service provider.
Go back to the service provider and open the SAML2 page.
Click Trusted Providers and upload the IdP metadata file.
On the next page, upload the IdP certificate; the IdP name can be entered here.
We kept the remaining options at their defaults: click Continue through them and Finish.
In the trusted provider's settings, choose Comparison Method Better for the authentication context.
In the next step, choose NameID Format Unspecified.
Under Identity Federation, set the User ID Mapping mode to Logon ID. With this mode the NameID sent by Azure AD (here the on-premises sAMAccountName) must match an existing ABAP user name.
After completing the settings, enable the Azure IdP entry in Trusted Providers.
3. Testing SAML authentication using the SAP Fiori launchpad.
Open a browser and enter the Fiori launchpad URL:
https://<host>:<port>/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html?sap-client=<XXX>&sap-language=EN
You should be redirected to Azure AD and, after authenticating there, logged on to the Fiori launchpad without entering an SAP password. Use the HTTPS URL: the SAML response is posted through the browser and the ABAP session cookie is set on the reply, so over plain HTTP both can be read and replayed from the network.
Troubleshooting steps.
To trace SAML2-related issues, activate the security diagnostic tool in the ABAP system and open it in a browser:
https://<host>:<port>/sap/bc/webdynpro/sap/sec_diag_tool?sap-client=<XXX>
The trace shows the SAML response the ABAP system received, including the issuer, the NameID and its format, the audience and the validity conditions; most logon failures after this setup come down to one of those not matching the trusted provider configuration.
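When the launchpad test fails, the quickest way to see why is to read the SAMLResponse form field the browser posted to the ACS endpoint (from the browser's developer tools or the sec_diag_tool trace) and compare it with the trusted provider settings from section 2.4. The script below is an added example, not code from the blog or from SAP: it Base64-decodes a SAML response, extracts status, issuer, NameID and format, audience and validity window, and reports which of the settings configured above it would fail against. The response, tenant ID, entity IDs, user and timestamps are constructed sample data. Two assumptions are marked in the code: the Azure AD issuer is taken to be the https://sts.windows.net/<tenant-id>/ entity ID that appears in the Federation Metadata XML, and the Logon ID mapping is treated as case-insensitive (ABAP user names are upper case, sAMAccountName usually is not). This is a reading aid only: it does not verify the XML signature, which the ABAP system does with the IdP certificate uploaded in 2.4, so never use it in place of the SP's own validation.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample: a response as Azure AD would POST it to the SAP ACS endpoint,
# with the Signature elements left out. Tenant ID, entity IDs, user and times are dummies.
# Assumption: the Azure AD issuer has the https://sts.windows.net/<tenant-id>/ form.
SAMPLE_IDP_ENTITY_ID = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
SAMPLE_SP_ENTITY_ID = "https://abc100"
SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}"
    ID="_r1" Version="2.0" IssueInstant="2021-07-13T08:30:00Z"
    Destination="https://fiori.example.com/sap/saml2/sp/acs/100">
  <saml:Issuer>{SAMPLE_IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2021-07-13T08:30:00Z">
    <saml:Issuer>{SAMPLE_IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{NAMEID_UNSPECIFIED}">jsmith</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2021-07-13T08:25:00Z" NotOnOrAfter="2021-07-13T09:30:00Z">
      <saml:AudienceRestriction><saml:Audience>{SAMPLE_SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
# The browser carries the response as the Base64-encoded form field "SAMLResponse".
SAMPLE_FORM_VALUE = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def parse_saml_time(value: str) -> datetime:
    """Parse an xs:dateTime in UTC; Azure AD may add fractional seconds."""
    value = value.rstrip("Z").split(".")[0]
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def abap_logon_id(name_id: str) -> str:
    """Assumption: Logon ID mapping is case-insensitive; compare this with the SU01 user name."""
    return name_id.strip().upper()


def inspect_saml_response(form_value: str, expected_issuer: str, expected_audience: str,
                          now: datetime) -> dict:
    """Decode a posted SAMLResponse and list mismatches against the trusted-provider settings."""
    root = ET.fromstring(base64.b64decode(form_value))
    findings = []
    status = root.find(f"{{{SAMLP_NS}}}Status/{{{SAMLP_NS}}}StatusCode")
    status_value = status.get("Value") if status is not None else None
    if status_value != STATUS_SUCCESS:
        findings.append(f"IdP returned status {status_value!r}")
    assertion = root.find(f"{{{SAML_NS}}}Assertion")
    if assertion is None:
        findings.append("no plaintext Assertion (encrypted assertion, or logon failed at the IdP)")
        return {"status": status_value, "findings": findings}
    issuer = (assertion.findtext(f"{{{SAML_NS}}}Issuer") or "").strip()
    if issuer != expected_issuer:
        findings.append(f"assertion issuer {issuer!r} is not the configured trusted provider")
    name_id = assertion.find(f"{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameID")
    name_id_format = name_id.get("Format") if name_id is not None else None
    name_id_value = (name_id.text or "").strip() if name_id is not None else ""
    if name_id_format != NAMEID_UNSPECIFIED:
        findings.append(f"NameID format {name_id_format!r}; trusted provider expects Unspecified")
    if not name_id_value:
        findings.append("empty NameID: check the claim source attribute in Azure AD")
    cond = assertion.find(f"{{{SAML_NS}}}Conditions")
    audiences = [a.text.strip() for a in cond.iter(f"{{{SAML_NS}}}Audience")] if cond is not None else []
    if expected_audience not in audiences:
        findings.append(f"audience {audiences} does not include the SP entityID {expected_audience}")
    if cond is not None:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < parse_saml_time(not_before):
            findings.append("assertion not yet valid: clock skew between IdP and ABAP system")
        if not_on_or_after and now >= parse_saml_time(not_on_or_after):
            findings.append("assertion expired: clock skew or a replayed response")
    return {"status": status_value, "issuer": issuer, "name_id": name_id_value,
            "name_id_format": name_id_format, "abap_user": abap_logon_id(name_id_value),
            "audiences": audiences, "findings": findings}


if __name__ == "__main__":
    result = inspect_saml_response(SAMPLE_FORM_VALUE, SAMPLE_IDP_ENTITY_ID, SAMPLE_SP_ENTITY_ID,
                                   parse_saml_time("2021-07-13T08:40:00Z"))
    print(result["abap_user"], result["findings"])
```

Paste the SAMLResponse value from a failed logon into `form_value`, the entity ID of the trusted provider from transaction SAML2 into `expected_issuer`, and the local provider name into `expected_audience`. An "expired" or "not yet valid" finding with a window of only a few minutes points at clock drift between Azure AD and the ABAP application server, and an issuer mismatch after a tenant migration means the Federation Metadata XML must be re-imported in section 2.4.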