3/25/24, 8:03 AM - SAP on Azure: Single Sign On Configuration using S... - SAP Community
SAP on Azure: Single Sign On Configuration using SAML and Azure Active Directory for Public and Internal URLs
dennispadia
Active Contributor
12-10-2020 5:54 AM
Purpose
In the first segment of this blog series, we discussed in detail the Application Gateway overview and the technical steps to configure Application Gateway WAF v2 for internet-facing SAP Fiori apps. In this blog we extend the use case further and configure Single Sign-On (SSO) using SAML and Azure Active Directory (AAD) for both the public and the internal communication paths.
SSO using SAML & Azure Active Directory: Overview
In the first part of the blog, we discussed the technical configuration of Application Gateway WAF for internet-facing SAP Fiori apps. Now the customer wants to offload the user authentication to an identity provider for both the internal and the public URL. The identity provider enables you to federate identities across domains for single sign-on (SSO).
[Architecture diagram: public URL via Application Gateway, internal URL via SAP Web Dispatcher]
In this example, we configure SSO with SAML by enabling the SAP AS ABAP system as service provider and configuring Azure Active Directory as identity provider. Before that, it is crucial to understand the architecture and the flow of a request before we perform the configuration.
Before you proceed to the following section, it is beneficial to read the Using Proxies wiki from SAP. Also check the first part of this blog, SAP on Azure: Application Gateway Web Application Firewall (WAF) v2 Setup for Internet facing SAP Fi..., which describes the SAP Web Dispatcher parameters.
Pre-requisites on SSO Configuration for Public URL
1. When the user enters https://s4hanatesting.eastus2.cloudapp.azure.com/sap/bc/ui2/flp in the web browser, the request is sent to the application gateway with the HTTP host header s4hanatesting.eastus2.cloudapp.azure.com. Based on the rule defined in the HTTP settings, the request is sent to the backend host.
2. As mentioned in the previous blog, to use an HTTP setting with a trusted root certificate you must override the incoming HTTP host header (reference link). In our example, we have selected Pick host name from backend target. So the application gateway decrypts the request and encrypts it again, overriding the HTTP host header from s4hanatesting.eastus2.cloudapp.azure.com to sleswd1.internal.cloudapp.net.
[Screenshot: Add a HTTP setting, with Pick host name from backend target selected]
3. Now the request is passed to the Web Dispatcher in the backend pool with the host header sleswd1.internal.cloudapp.net. To identify which HTTP host header the Web Dispatcher receives from the Application Gateway, we perform a proxy test using the URL below.
https://s4hanatesting.eastus2.cloudapp.azure.com/sap/bc/bsp/sap/system_test/test_proxy.htm
NOTE: You might need to activate the SYSTEM_TEST service in SICF on the ABAP system.
[Screenshot: Test of Reverse Proxy Configuration: Test #1: Preservation of Host Header; Test #2: HTTP Header ClientProtocol; Test #3: HTTP Header X-SAP-WebDisp-AP (Access Points); Test #4: HTTPURLLOC; Test #5: HTTPURLLOC Client 000]
As you can see, the host from the URL is s4hanatesting.eastus2.cloudapp.azure.com but the host header is sleswd1.internal.cloudapp.net.
If we forward the request with the HTTP host header sleswd1.internal.cloudapp.net for SSO user authentication in Azure Active Directory, the Reply URL (Assertion Consumer Service, ACS) maintained in AAD will not match the host URL, and the logon will end in an error.
NOTE: The issue arises only when your Application Gateway URL differs from your Web Dispatcher URL. If your Application Gateway URL is the same as the Web Dispatcher URL, Test #1 in the proxy test will pass.
4. To address the above concern, follow the points below:
- If your Application Gateway URL differs from your Web Dispatcher URL, you must make sure that the host header s4hanatesting.eastus2.cloudapp.azure.com is preserved in the Web Dispatcher when the request is sent through the application gateway. To preserve the host header in the Web Dispatcher, we need to manipulate the header fields of requests coming from the application gateway.
- To activate the modification of HTTP requests, you first need to set an icm/HTTP/mod_<n> parameter. In this example, the parameter below is maintained in the profile of the Web Dispatcher running on Linux.
icm/HTTP/mod_0 = PREFIX=/, FILE=$(DIR_PROFILE)/redirect.txt
[Screenshot: Web Dispatcher profile with the icm/HTTP/mod_0 parameter]
redirect.txt is the file in which we define the expressions that handle the header fields.
NOTE: If you want to enable this parameter in a Web Dispatcher running on Windows, set the file path in the parameter accordingly. Create redirect.txt, insert the lines below, and restart the Web Dispatcher.
# Preserve Application Gateway Host header
if %{HEADER:X-ORIGINAL-HOST} = s4hanatesting.eastus2.cloudapp.azure.com
begin
SetHeader HOST s4hanatesting.eastus2.cloudapp.azure.com
end
When the incoming X-ORIGINAL-HOST header is s4hanatesting.eastus2.cloudapp.azure.com, the rule sets the Host header to s4hanatesting.eastus2.cloudapp.azure.com.
5. After performing the above step, run the proxy test again (https://s4hanatesting.eastus2.cloudapp.azure.com/sap/bc/bsp/sap/system_test/test_proxy.htm).
[Screenshot: Test of Reverse Proxy Configuration after the change: Test #2: HTTP Header ClientProtocol; Test #3: HTTP Header X-SAP-WebDisp-AP (Access Points); Test #4: HTTPURLLOC; Test #5: HTTPURLLOC Client 000]
As you can now see, the Application Gateway HTTP host header is preserved in the Web Dispatcher.
So now the question arises whether to maintain HTTPURLLOC in the AS ABAP system or not. The HTTPURLLOC table must be configured if no Web Dispatcher Access Points are used, or in any case if the start URL must be generated by the AS ABAP system.
In our example, Web Dispatcher Access Points are being used because we maintained the parameter wdisp/handle_webdisp_ap_header = 1 in the Web Dispatcher (as mentioned in the earlier blog).
[Screenshot: Test #3: HTTP Header X-SAP-WebDisp-AP (Access Points) - Access Points: http=80 ...; Status: Passed]
Now, for the ABAP system to start a BSP application like transaction SAML2, SOAMANAGER etc., there is no incoming HTTP request available, and thus no information is available about the proxy. If such a scenario is to be supported, the relevant information must be configured in HTTPURLLOC.
[Screenshot: table HTTPURLLOC with columns MANDT, SORT_KEY, PROTOCOL, APPL, HOST, PORT and two entries for client 100: the first for S4HANATESTING.EASTUS2.CLOUDAPP.AZURE.COM, port 443; the second for SLESWD1.INTERNAL.CLOUDAPP.NET, port 443]
NOTE: The sort sequence is of importance when a start URL is to be generated. In this case, the first entry in the sort sequence is used to generate the URL. So, if the start URLs are always to be generated via the proxy, place these entries first.
For example, in our case, when we enter the SOAMANAGER transaction in the ABAP system, it will always open the application using the s4hanatesting host and port.
Run the proxy test again. We can now see that all reverse proxy configuration tests passed.
[Screenshot: Test of Reverse Proxy Configuration with Test #3: HTTP Header X-SAP-WebDisp-AP (Access Points) and Test #4: HTTPURLLOC passed]
Configuring AS ABAP as a Service Provider
This section provides an overview of the steps to configure SAP NetWeaver Application Server (AS) ABAP as a Security Assertion Markup Language (SAML) 2.0 service provider. As a service provider, the AS ABAP enables you to off-load the authentication of users onto an identity provider. The identity provider enables you to federate identities across domains for single sign-on (SSO). Once logged on, SAML 2.0 also enables single logout (SLO).
Activating HTTP Security Session Management on SAP NetWeaver AS for ABAP
To configure SAP Fiori as a service provider, you need to configure HTTP security session management for the client on which you configure SAML. With an existing security session, users can then start applications that require a user logon without logging on again. When a security session is ended, the system also ends all applications linked to that security session. In this example, we configure HTTP security session management for QAS client 100.
Log in to QAS client 100. Start HTTP Session Management (transaction SICF_SESSIONS).
[Screenshot: SICF_SESSIONS showing Current Values of Relevant Profile Parameters]
Select the relevant line and choose Activate.
NOTE: Adjust the parameters based on your organization's requirements. The above parameters are given only as an example.
For more information on each of these parameters, see Activating HTTP Security Session Management on AS ABAP.
Enable SAML 2.0 Support
Start the SAML 2.0 configuration application (transaction SAML2)
[Screenshot: SAML 2.0 Configuration: Client "100" is not configured to support SAML 2.0]
If you have never configured your system for SAML 2.0, the system displays the above message. Choose the Enable SAML 2.0 Support pushbutton.
[Screenshot: SAML 2.0 Configuration: Client "100" is not configured to support SAML 2.0, with the Enable SAML 2.0 Support pushbutton]
Enter a name for the provider.
[Screenshot: SAML 2.0 Local Provider Configuration: provider name]
Continue through the configuration wizard and enter data as desired.
This procedure only covers enabling SAML 2.0. Once enabled, you can configure the
bindings supported by the service provider, trust an identity provider, configure identity
federation, and protect resources with SAML. The configuration creates two Secure Store
and Forward (SSF) applications and associates Personal Security Environment (PSE) files
with them. The PSE files contain the signing and encryption key pairs of the service
provider.
[Screenshots: SAML 2.0 Local Provider Configuration wizard steps: Identity Provider Discovery, Common Domain Cookie (CDC), Assertion Consumer Service, Single Logout Service, Miscellaneous]
Change Selection Mode to Automatic
[Screenshot: SAML 2.0 Configuration of ABAP System: QAS/100, Local Provider]
Activate below services in SICF transaction
/default_host/sap/public/bc/sec/saml2
/default_host/sap/public/bc/sec/cdc_ext_service
[Screenshot: SICF service tree with the saml2 and cdc_ext_service services activated]
To download the metadata, make sure the SAML 2.0 configuration UI is accessed directly via the application gateway URL:
https://s4hanatesting.eastus2.cloudapp.azure.com/sap/bc/webdynpro/sap/saml2?sap-client=100
Accessing the SAML 2.0 configuration UI through the application gateway ensures that the service provider metadata contains the correct endpoint URLs (URLs that are reachable by the identity provider). For more information, see SAP Note 2326063 - SAML2: How to configure when using proxy/web dispatcher.
If you get a 503 Service Not Available error when clicking Download Metadata, refer to SAP Note 2767055. It happens when you try to download the metadata via the SAP Web Dispatcher/proxy host.
Open metadata.xml: you will see that all service endpoints contain the application gateway URL.
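A check for exactly that property, written as an added example (not from the blog or from SAP): it parses service-provider metadata and lists every endpoint whose host is not the application gateway host. The metadata document is a constructed, minimal stand-in for the metadata.xml exported by transaction SAML2 (signature and key descriptors omitted), with one endpoint deliberately pointing at the Web Dispatcher host.

```python
"""Verify that every SP endpoint in SAML 2.0 metadata uses the Application Gateway host.

Added example, not SAP code and not from the blog. Run it against the
metadata.xml downloaded from the SAML2 UI before uploading it to Azure AD.
"""
import xml.etree.ElementTree as ET
from typing import List, Tuple
from urllib.parse import urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
EXPECTED_HOST = "s4hanatesting.eastus2.cloudapp.azure.com"   # gateway host from the blog

# Constructed sample: what the export looks like when the SAML2 UI was partly reached
# through the Web Dispatcher host. Entity ID and paths are constructed placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="QAS100">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://s4hanatesting.eastus2.cloudapp.azure.com/sap/saml2/sp/slo/100"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://s4hanatesting.eastus2.cloudapp.azure.com/sap/saml2/sp/acs/100"
        index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://sleswd1.internal.cloudapp.net/sap/saml2/sp/acs/100" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

Endpoint = Tuple[str, str, str]   # (element name, Binding, Location)


def sp_endpoints(metadata_xml: str) -> List[Endpoint]:
    """Every child of SPSSODescriptor that carries a Location attribute."""
    root = ET.fromstring(metadata_xml)
    found: List[Endpoint] = []
    for sp in root.findall("md:SPSSODescriptor", NS):
        for child in sp:
            location = child.get("Location")
            if location:
                name = child.tag.split("}")[-1]          # strip the namespace
                found.append((name, child.get("Binding", ""), location))
    return found


def wrong_host_endpoints(metadata_xml: str, expected_host: str = EXPECTED_HOST) -> List[Endpoint]:
    """Endpoints the identity provider could not reach or would reject: wrong host or not https."""
    bad: List[Endpoint] = []
    for ep in sp_endpoints(metadata_xml):
        url = urlsplit(ep[2])
        if url.scheme != "https" or (url.hostname or "") != expected_host.lower():
            bad.append(ep)
    return bad


def metadata_ok(metadata_xml: str, expected_host: str = EXPECTED_HOST) -> bool:
    """True only if there is at least one endpoint and none of them is wrong."""
    return bool(sp_endpoints(metadata_xml)) and not wrong_host_endpoints(metadata_xml, expected_host)


if __name__ == "__main__":
    for name, binding, location in wrong_host_endpoints(SAMPLE_METADATA):
        print(f"wrong host: {name} [{binding.rsplit(':', 1)[-1]}] -> {location}")
    print("metadata ok:", metadata_ok(SAMPLE_METADATA))
```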
Configuring Azure Active Directory as an Identity Provider
Register Enterprise Application in Azure AD
Sign in to the Azure portal using your credentials.
Select Azure Active Directory services.
Navigate to Enterprise applications.
Click on New application. Search for SAP Fiori.
Click on Create.
Select the SAML single sign-on method.
Click on Upload metadata file.
The metadata.xml file populates all fields in Basic SAML Configuration except Sign on URL. Fill in that field with the respective Sign on URL.
[Screenshot: Basic SAML Configuration with Identifier (Entity ID), Reply URL (Assertion Consumer Service URL) https://s4hanatesting.eastus2.cloudapp.azure.com/sap/saml2/sp/acs/100, Sign on URL, Relay State and Logout URL]
Click Save.
Identity federation provides the means to share identity information between partners
(SAP System and Azure AD). To share information about a user, partners must be able to
identify the user, even though they may use different identifiers for the same user. The
SAML 2.0 standard defines the name identifier (name ID) as the means to establish a
common identifier. Once the name ID has been established, the user is said to have a
federated identity.
The service provider (ABAP system) receives the SAML subject identifier with the specified assertion subject name ID or assertion attributes from the identity provider (assertion attributes can be used as a user ID source only for the Unspecified, Transient, and Email formats). The setting of the User ID Source field defines where this SAML subject identifier is obtained. The service provider (ABAP system) uses the assertion subject name ID or another assertion attribute to get the user identifier. The service provider then checks the User ID Mapping Mode to determine how to find the user in the ABAP system. When the service provider finds the local user, it authenticates the user.
In this illustration, we configure user authentication using the email ID maintained in SU01 for the user.
The SAP Fiori application expects the SAML assertions to be in a specific format.
Configure the following claims for this application. To manage these attribute values, in
the Set up Single Sign-On with SAML pane, select Edit.
User Attributes & Claims:
givenname: user.givenname
surname: user.surname
emailaddress: user.mail
name: user.userprincipalname
Unique User Identifier: user.userprincipalname
Click on Unique User Identifier (Name ID)
Delete user.mail, user.givenname and user.surname in additional claims.
Copy the namespace of the Unique User Identifier claim to a notepad; it will be used when we specify the identity federation in the service provider (ABAP system).
[Screenshot: User Attributes & Claims: Unique User Identifier = user.userprincipalname, shown as ExtractMailPrefix(user.userprincipalname)]
In SAML Signing Certificate, you need to add a certificate. Click on Add a certificate.
Enter the email address on which you want to receive all notifications.
[Screenshot: SAML Signing Certificate: New Certificate / Import Certificate, Signing Option, Signing Algorithm, Notification Email testuser@contoso.com]
Click Save.
[Screenshot: SAML Signing Certificate: Status Active, Thumbprint, Expiration, Notification Email, App Federation Metadata Url, Certificate (Base64) Download, Certificate (Raw) Download, Federation Metadata XML Download]
Download Certificate (Base64) and Federation Metadata XML
Assign Azure AD user
In this section, we will enable testuser to use Azure single sign-on by granting access to
SAP Fiori.
Click on Users and Groups in the QAS100 enterprise application.
Click on Add user.
Select the users and click on Assign.
Trusting an Identity Provider
After configuring the identity provider in Azure, we use this procedure to specify the identity provider that the service provider trusts. The service provider requests identity information from the identity provider, which you configure the service provider to trust, for the applications the service provider is protecting.
Start the SAML 2.0 configuration application (transaction SAML2).
Click on Add pushbutton and select Upload Metadata File
In the New Trusted Identity Provider dialog, browse to the Federation Metadata XML file which you downloaded in the section above.
Click Next.
Under Single Sign-On Endpoints, select HTTP POST.
Click Finish.
In Trusted Provider > Identity Federation, select Edit.
Click Add and select Unspecified.
In Details of NameID Format "Unspecified", maintain:
User ID Source: Assertion Attribute
User ID Mapping Mode: Email
Assertion Attribute Name:
The Assertion Attribute Name is the namespace we copied in the earlier section while configuring User Attributes & Claims for our QAS100 enterprise application in AAD.
Click on save and Enable to enable the identity provider.
Create user in SU01
In SU01, maintain the same email ID for the user as for the user in Azure AD.
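The identity federation settings above (User ID Source: Assertion Attribute, User ID Mapping Mode: Email) and the SU01 email match, worked through as an added example that is not SAP's code and not from the blog: it reads the identifier from a constructed assertion and resolves the ABAP user from a constructed SU01 table. The attribute name stands in for the Azure claim namespace copied earlier (a placeholder), and the matching rule (case-insensitive email comparison, exactly one hit) is an assumption made for the example, not a statement about SAP's implementation.

```python
"""Resolve the ABAP user from a SAML assertion according to the federation settings.

Added example; not SAP code. Signature and Conditions checks happen before this
step in a real service provider and are omitted here.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Placeholder for the claim namespace copied from 'User Attributes & Claims' in AAD.
ASSERTION_ATTRIBUTE_NAME = "http://schemas.example.invalid/identity/claims/emailaddress"

# Constructed stand-in for SU01: user name -> email address maintained in SU01.
SU01_USERS: Dict[str, str] = {
    "TESTUSER": "testuser@contoso.com",
    "JDOE": "John.Doe@contoso.com",
    "DUP1": "shared@contoso.com",    # two users with one address: mapping must refuse
    "DUP2": "shared@contoso.com",
}

# Constructed assertion: NameID in Unspecified format plus the email attribute.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">testuser</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.example.invalid/identity/claims/emailaddress">
      <saml:AttributeValue>TestUser@Contoso.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def name_id(assertion_xml: str) -> Optional[str]:
    """Subject NameID text, or None if absent."""
    el = ET.fromstring(assertion_xml).find("saml:Subject/saml:NameID", NS)
    return (el.text or "").strip() if el is not None else None


def attribute_values(assertion_xml: str, name: str) -> List[str]:
    """All AttributeValue texts of the attribute whose Name equals `name`."""
    root = ET.fromstring(assertion_xml)
    values: List[str] = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == name:
            values.extend((v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS))
    return values


def user_identifier(assertion_xml: str, user_id_source: str,
                    attribute_name: str = ASSERTION_ATTRIBUTE_NAME) -> Optional[str]:
    """User ID Source decides where the identifier is read from."""
    if user_id_source == "Assertion Subject NameID":
        return name_id(assertion_xml)
    if user_id_source == "Assertion Attribute":
        values = attribute_values(assertion_xml, attribute_name)
        return values[0] if len(values) == 1 else None   # missing or ambiguous: no identifier
    raise ValueError(f"unknown User ID Source: {user_id_source}")


def map_user(identifier: Optional[str], mapping_mode: str,
             su01: Dict[str, str] = SU01_USERS) -> Optional[str]:
    """User ID Mapping Mode decides how the identifier is looked up in SU01 (assumed rules)."""
    if not identifier:
        return None
    if mapping_mode == "Email":
        hits = [user for user, mail in su01.items() if mail.lower() == identifier.lower()]
        return hits[0] if len(hits) == 1 else None        # zero or several users: refuse
    if mapping_mode == "Logon ID":
        return identifier.upper() if identifier.upper() in su01 else None
    raise ValueError(f"unknown User ID Mapping Mode: {mapping_mode}")


def authenticate(assertion_xml: str, user_id_source: str = "Assertion Attribute",
                 mapping_mode: str = "Email") -> Optional[str]:
    """ABAP user name to log on, or None when no unique user can be determined."""
    return map_user(user_identifier(assertion_xml, user_id_source), mapping_mode)


if __name__ == "__main__":
    print("logon as:", authenticate(SAMPLE_ASSERTION))
```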
Test the application
Public URL: https://s4hanatesting.eastus2.cloudapp.azure.com/sap/bc/ui2/flp
[Screenshot: SAP Fiori launchpad opened via the public URL after SSO]
SSO Configuration for Internal URL
In the architecture diagram shown in the earlier part of the blog, the customer wants to access the SAP Fiori launchpad using the internal URL when inside the corporate network. The internal URL directly accesses the SAP Web Dispatcher, which dispatches traffic to SAP Fiori. So, in this section we extend our setup to configure SSO for the internal URL as well.
All the steps mentioned in the earlier sections of the blog must be performed before you proceed further.
Adjust Single Sign-On Setup with SAML in Azure AD
To configure SSO for the internal URL, we need to update a few things to make it work.
Login to Azure Portal > Azure Active Directory > Enterprise Applications > QAS100
Click on Single sign-on.
Select Edit in Basic SAML Configuration. Maintain the URL below as an additional Reply URL (Assertion Consumer Service URL).
[Screenshot: Basic SAML Configuration with a second Reply URL (Assertion Consumer Service URL) entry for the internal Web Dispatcher host]
Click on Save.
Adjust Authentication Requirement in SAML2 transaction
After adding internal URL in Azure active directory enterprise application (QAS100), we
need to make some changes in AS ABAP system.
Start the SAML 2.0 configuration application (transaction SAML2).
Navigate to Trusted Providers > Authentication Requirements and click Edit.
Change Assertion Consumer Service to ACS URL and Binding to HTTP Post, and click Save.
Check the IMPORTANT NOTE section below if you cannot see ACS URL in the drop-down list.
Test the application
Important Note
This entire configuration was performed on SAP Fiori Front End Server 2020. If you perform this configuration on another NetWeaver version, you might not see ACS URL in Assertion Consumer Service. Instead, you will only find two options, Default and Application URL. In that case, select Application URL in Assertion Consumer Service and HTTP Post in Binding.
Alongside changing Assertion Consumer Service to Application URL, you need to make some changes in the Enterprise Application in Azure Active Directory as well.
[Screenshot: Basic SAML Configuration with Identifier (Entity ID) QAS100, Reply URLs and Sign on URL pointing to the Fiori launchpad path for the public and the internal host, and Logout URL]
Change the Reply URL in the Enterprise application in AAD from /sap/saml2/sp/acs/100 to the SAP Fiori Launchpad path /sap/bc/ui2/flp for both the Public and the Internal URL (see the Basic SAML Configuration example above).
References
Configuring AS ABAP as a Service Provider
Using Proxies
Tutorial: Azure Active Directory single sign-on (SSO) integration with SAP Fiori
Header Fields
Single Sign-On with SAML 2.0
Using SAML 2.0 Authentication to Access Fiori Apps from the Public Internet
Regards,
Dennis Padia
SAP Managed Tags:
SAP Fiori, SAP Fiori for SAP S/4HANA, SAP Fiori front-end server, SAP NetWeaver,
SAP NetWeaver Application Server for ABAP, SAP S/4HANA, SAP Fiori Launchpad
Tags:
azureactivedirectory, microsoftazure, SAML, saponazure, SSO
10 Comments
Ben
Participant
12-10-2020 8:13 AM
0 Kudos
Hi dennis.padia
Wow, thanks for this detailed article. I also set up a Fiori (OnPrem) with MS Azure SSO and AppProxy and I know that the process is not trivial.
Do you maybe also happen to experience some CORS issues having a similar setup like me?
We have CORS issues after we leave the Fiori Launchpad (or other Fiori App) open until session timeout is reached, which happened after around 30min. Then the client sends a HTTP Request to https://login.microsoft.com.../oauth2/authorize?... and we get following error message:
Access to XMLHttpRequest at https://login.microsoft.com.../oauth2/authorize?... (redirected from ) from origin blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
I opened a SAP ticket and Support believe error is on Microsoft Azure (AppProxy) side.
Best regards,
Ben
dennispadia
Active Contributor
12-10-2020 4:43 PM
1 Kudo
Hello benkrencker
I have not used Application Proxy as my entire system is hosted on Azure. Application Proxy provides single sign-on (SSO) and secure remote access for web applications hosted on-premises, which is not my case.
If you can check this article Understand and solve Azure Active Directory Application Proxy CORS issues which provides some options to resolve CORS issue. Option 5 in particular talks about the situation you are encountering.
Option 5: Extend the lifetime of the access token
Some CORS issues can't be resolved, such as when your app redirects to login.microsoftonline.com to authenticate, and the access token expires. The CORS call then fails. A workaround for this scenario is to extend the lifetime of the access token, to prevent it from expiring during a user's session. For more information about how to do this, see Configurable token lifetimes in Azure AD.
Regards,
Dennis Padia.
RolandKramer
Product and Topic Expert
01-14-2021 12:55 PM
1 Kudo
Hello Dennis
See also the Document - SAP First Guidance — Implement SAP BW/4HANA in the Azure
Cloud where I have covered some of these topics as well
Best Regards Roland
former_member7s4868
Discoverer
09-10-2021 8:44 AM
1 Kudo
Hi Dennis,
Very well written. I have used this article to configure SAML2 on a recently migrated
system.
Thanks
Nitish
09-10-2021 8:44 PM
0 Kudos
Hi Dennis
The blog is very informative and helpful to understand the SSO set-up. We have an issue
which is somewhat relevant to your guide.
The SAP Application deployed on SCP is having login mechanism using app-router
concept in SCP MTA project. This application is exposing services which need to be
authenticated using SSO. SCP is configured with Microsoft Azure ADP as IDP in Trust
configurations. All necessary configurations are done to establish trust on Azure ADP.
When we try to call the service URL as REST Call (in WordPress Portal which is also
using Microsoft Azure ADP as IDP) then it's not able to authenticate and it's failing to login
to system and output the data. We have tried the below options:
1. Send the access token generated while logging into WordPress site and send the
token for service URL
2. Put an iFrame with Source as Service URL and tried to login, but we could not
display the iframe as we had restrictions of using Iframe in non SAP (WordPress
website page)
We tried to send the client ID and client credentials of SAP SCP Service Applications in
Rest CALL, it did not work.
Not sure what else is required to achieve this. If you need to know more about the issue,
happy to share our configuration document.
Appreciate your input.
Thanks
Maddy
guspattL
Member
02-07-2022 6:26 PM
0 Kudos
Hi Dennis,
nice blogs. I realise that this is over a year old now but I thought it still worth a comment.
The only issue I have with this is that it relies on the Gateway server to trigger the
authentication dialogue, this means that the first HTTP call from the internet reaches the
gateway server without being authenticated.
It is possible to bypass SAML with the right URL and (unless this is explicitly blocked)
then a bad actor can get access to the Fiori Launchpad login screen. This may be low risk
but it feels like someone could get a long way into the application stack without being
challenged. Some WAF appliances have the ability to offload SAML authentication as
soon as they recognise the URL (something I've used in the past) but I'm not sure that
there is anything native in Azure that can do this. I'd be happy if someone could tell me
otherwise.
Regards
Gary
PaulBuettner
Participant
02-15-2022 10:25 AM
0 Kudos
Hey Gary,
you may block LogonScreen/Basic Auth whatever you don't like in the ICF nodes.
Tab Logon Data > Choose Alternative Logon Procedure and dismiss all entries in
the list at the very end besides SAML2
BR,
Paul
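Gary's concern (the first unauthenticated request reaching the ICF node) and Paul's fix (leaving only SAML2 as the alternative logon procedure) suggest a post-change verification step. The following is an added example, not code from the blog or the comment authors: it classifies the response an anonymous probe receives from an ICF node and flags whether a Basic challenge or the SAP logon form is still reachable instead of the SAML2 redirect/POST. The markers it looks for (`sap-user`/`sap-password` form fields, `SAMLRequest` in the `Location` header or POST form) and the sample responses are assumptions constructed for the example.

```python
"""Classify an unauthenticated HTTP response from an SAP ICF node.

Added example (not from the blog or the thread). After restricting the
ICF node's alternative logon procedures to SAML2 only, an anonymous GET
should start an SP-initiated SAML2 flow, never answer with a Basic
challenge or the classic SAP logon form. Markers below are assumptions
about common SAP ICF / SAML2 behaviour, not taken from the page.
"""
from dataclasses import dataclass, field
import re

SAML_REDIRECT = "saml2_redirect"          # 302 to IdP, HTTP-Redirect binding
SAML_POST = "saml2_post_form"             # 200 HTML auto-posting SAMLRequest
BASIC_CHALLENGE = "basic_auth_challenge"  # 401 + WWW-Authenticate: Basic
SAP_LOGON_FORM = "sap_logon_form"         # classic ICF logon screen reachable
UNKNOWN = "unknown"


@dataclass
class Probe:
    """Minimal captured response: status, headers, body (constructed)."""
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def _hdr(p: Probe, name: str) -> str:
    # Header names are case-insensitive; return "" when absent.
    return next((v for k, v in p.headers.items() if k.lower() == name.lower()), "")


def classify(p: Probe) -> str:
    if p.status == 401 and "basic" in _hdr(p, "WWW-Authenticate").lower():
        return BASIC_CHALLENGE
    if p.status in (302, 303) and "SAMLRequest=" in _hdr(p, "Location"):
        return SAML_REDIRECT
    if p.status == 200 and re.search(r'name="SAMLRequest"', p.body):
        return SAML_POST
    if p.status == 200 and re.search(r'name="sap-user"', p.body) \
            and re.search(r'name="sap-password"', p.body):
        return SAP_LOGON_FORM
    return UNKNOWN


def saml_only(p: Probe) -> bool:
    """True when the anonymous probe is pushed straight into SAML2."""
    return classify(p) in (SAML_REDIRECT, SAML_POST)


# Constructed sample responses (placeholder tenant id in the IdP URL).
BEFORE_FIX = Probe(200, {"Content-Type": "text/html"},
                   '<form><input name="sap-user"><input name="sap-password"></form>')
BASIC = Probe(401, {"WWW-Authenticate": 'Basic realm="SAP NetWeaver"'})
AFTER_FIX = Probe(302, {"Location": "https://login.microsoftonline.com/"
                                    "TENANT-ID-PLACEHOLDER/saml2?SAMLRequest=..."})

if __name__ == "__main__":
    for name, p in [("before", BEFORE_FIX), ("basic", BASIC), ("after", AFTER_FIX)]:
        print(name, classify(p), "saml-only" if saml_only(p) else "STILL EXPOSED")
```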
former_member146669
Participant
04-06-2022 7:35 AM
0 Kudos
Hi Dennis,
Thanks for your blog which is very comprehensive.
By the way, the above solution fits the scenario of web-based (browser) SAP client only.
And SAML does not work for SAPGUI with Azure AD SSO.
How about SSO with Azure AD for SAPGUI (LogonPad) application? I could not find any
other blog, page/documents mentioned about that...
All I can find is not applicable for Azure AD but local windows AD only.
I suppose SSO3.0 should support SAPGUI SSO with Azure AD, right?
Regards,
Gary
Mofizur
Contributor
01-09-2023 11:00 AM
0 Kudos
Thank you for the great article.
We have a similar situation and the desktop is working as expected using this particular
method.
But is this scenario valid for App based Mobile applications? I thought SAML would
require a browser and unfortunately our Mobile App is not browser based. Any idea?
Thanks,
Mofizur
marcelgerr
Explorer
10-03-2023 7:43 AM
0 Kudos
Hello Dennis,
Could this setup also be used for SAP B1? I am curious to know the application of SAML
SSO since we are struggling to get this working seamlessly.
Regards,
Marcel