Ali Chalhoub
Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business
Objects products and services mentioned herein as well as their respective
logos are trademarks or registered trademarks of Business Objects Software
Ltd. Business Objects is an SAP company.
Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and
other Sybase products and services mentioned herein as well as their
respective logos are trademarks or registered trademarks of Sybase Inc.
Sybase is an SAP company.
Crossgate, m@gic EDDY, B2B 360°, and B2B 360° Services are registered
trademarks of Crossgate AG in Germany and other countries. Crossgate is an
SAP company.
All other product and service names mentioned are the trademarks of their
respective companies. Data contained in this document serves informational
purposes only. National product specifications may vary.
These materials are subject to change without notice. These materials are
provided by SAP AG and its affiliated companies ("SAP Group") for
informational purposes only, without representation or warranty of any
kind, and SAP Group shall not be liable for errors or omissions with respect
Document History
How to Setup a Fiori Tile Step-by-Step Using Web IDE
www.sap.com
TABLE OF CONTENTS
Abstract
Chapter 1 - Configuring SAP Service Provider
1.1. Overview of the Architecture
1.2. Configuring Scenario -1- Service Provider
1.3. Configuring Scenario -1- Identity Provider
1.4. Downloading Identity Provider Metadata
1.5. Importing Identity Provider Certificate into Service Provider
Chapter 5 – Troubleshooting
5.1. Error 1 - Signature verification of metadata was not successful
5.2. No RelayState mapping found for RelayState value ….
5.3. HTTPS Status 400 – Service Provider SLO endpoint has not received SAML2 message
Chapter 1
Configuring SAP Service Provider
Welcome to How to Configure Fiori Launchpad and Web Dispatcher to Support SAML2 Using SAP Cloud Platform
Identity Authentication Provider Step-by-Step. In this e-book you will find all the details needed to
configure a Web Dispatcher with Fiori launchpad on an on-premise SAP NetWeaver Gateway system. In this eBook
we will discuss and show how to configure:
• SAP Cloud Platform Identity Provider
• Fiori launchpad on an on-premise system running NetWeaver 7.50 or higher with Web Dispatcher in
front
Note: To make the process simple, the steps provided in this book are done against a single NetWeaver
Gateway system; no ERP is involved.
Before we can start our configuration, we need to look at the architecture that this book will address. This
eBook will cover two scenarios:
1. SAP Cloud Platform Identity Provider with SAP Fiori launchpad running on an on-premise NetWeaver
system
2. SAP Cloud Platform Identity Provider with Web Dispatcher and SAP Fiori launchpad running on an
on-premise NetWeaver system
The architecture below covers scenario number 1
Figure 2 SAP Cloud Platform Identity Provider with SAP Web Dispatcher
1. A web client makes a request to SAP Web Dispatcher
2. SAP Web Dispatcher redirects the client to SAP Cloud Platform Identity Provider
3. The client is asked to authenticate with SAP Cloud Platform Identity Provider
4. After the client is authenticated successfully, a SAML XML assertion is generated which contains all the
information needed about the client, such as user id, first name and last name, and all of this is sent to the client
5. The client makes a POST request to Web Dispatcher, where the XML assertion is validated at the Web
Dispatcher level
6. Finally, a session is created, and the client is granted access to Web Dispatcher and Fiori launchpad
In this scenario we will be configuring SAP Fiori launchpad on-premise with SAP Cloud Platform Identity
Provider, without Web Dispatcher.
4. Connecting to SAP Service Provider. In our configuration that would be our NetWeaver Gateway System
6. Now enter a name that represents the Local Provider Configuration. The recommendation would be
<INSTANCEID>_SAML2
Figure 6 Miscellaneous
9. Under Identity Provider Discovery: Common Domain Cookie (CDC), make sure Selection Mode is set
to Automatic as shown below:
Figure 7 Setting selection Mode
Note: Selection Mode Automatic means the user will not need to select the default authentication
provider. It will be selected automatically.
12. Next, we need to download the Metadata of our Local Provider so it can be imported into the
Identity Provider. Click on Metadata as shown below:
Figure 9 Accessing Metadata information
13. Click on Download Metadata
Configuring Scenario -1- Identity Provider
5. Connect to SAP Cloud Platform Identity Provider and configure it if it is not already configured
Note: This section is not needed if your administrator already provided you with a user id and password
to log in to the system. You can skip the user creation section.
4. Once logged in, click on Applications under Applications & Resources
5. Click on the Add sign to create a new application, which will be the application that handles our
authentication to Fiori launchpad
6. Give it a name and click Save. Any name will do, for example the three-character ID of the service provider
you are dealing with; but again, that name can be anything you like
7. After the application is created, the following screen should be displayed
9. Click on Browse to import the Metadata. Select the Metadata we downloaded in step 13 under
Configuring Scenario -1- Service Provider
10. After the import, the screen should now contain the address of your NetWeaver as shown below. This
information is provided to the Identity Provider by the Metadata that we have imported
11. Scroll down on the screen until you see the Single Logout Endpoint section
Note: Notice that the certificate of the Service Provider is already here. The reason for this is that it is
part of the Metadata that we imported.
12. Click on Save so the configuration is saved
1. Now that the configuration is done, we need to download the Metadata of the Identity Provider so we
can import it into our Service Provider. In our example our service provider is our NetWeaver Gateway
system. Click on Home as shown below:
2. Scroll down to the Application & Resources section
5. Click on Download Metadata file. As we mentioned, this file needs to be imported into our Service
Provider, which is our NetWeaver Gateway system
Note: This section shows you how to download and access the Metadata of the Identity Provider. In our
configuration, we will not be using the Metadata; instead we will be configuring the Service Provider manually.
Importing Identity Provider Certificate into Service Provider
1. In the Identity Provider, open the Tenant Settings section and scroll down to the Signing Certificate
section as shown below:
5. Copy the name of the Identity Provider, which is basically the host name of the Identity Provider shown
under Signing Certificate in the Subject DN: the value after CN= and before O=. Copy that hostname
6. The Metadata has now been downloaded and the public certificate of the IDP has been created. However,
because there is an issue with the NetWeaver Gateway where importing the Metadata of the Identity
Provider does not work, we need to do the configuration manually.
7. Go back to the Service Provider and access your SAML2 configuration screen as shown below by either
using tCode saml2 or access the SAML2 configuration by using the URL. Example:
http(s)://<HOST-NAME>:<PORT>/sap/bc/webdynpro/sap/saml2?sap-client=<CLIENT-ID>
8. Click on Trusted Provider tab
10. Enter the name of the IDP or Identity Provider by pasting the name we copied from the previous step
12. Click Next
13. Now provide the Primary Signing Certificate. Basically, it is the public certificate of our IDP that we
created in step 4 (the file sapidp.cer, or whatever the file was called). Select it by clicking on Browse
as shown below
15. Make sure that under Artifact Profile, Sign and Require Signature are both set to Never
18. Go back now to the IDP Tenant Settings and copy the full URL of HTTP-Redirect under Single Sign-On
Endpoint as shown below
20. Click OK and click again on Add to add the HTTP-POST
23. Paste the HTTP-POST under the Binding section in the Service Provider
28. Go back to your IDP and copy the HTTP-Redirect Under the Single Logout Endpoint section as shown
below:
29. Go back to your Service Provider, NetWeaver Gateway system, and paste it as shown below:
30. Click OK
31. Click on Add again
32. Select HTTP Post under Binding:
34. Go back to your Service Provider and paste the HTTP-POST URL as shown below:
39. Go back to your IDP under the Tenant Settings and copy the Assertion Consumer Service Endpoint as
shown below:
41. Click OK
42. Click Next
43. Click Finish
44. We should have the following configuration, click on Edit
45. Click on Add under Details of Identity Provider …
Note: If Add is grayed out, click on the Edit button beside the Save button
47. Finally click Save as shown below
48. Click on Enable to enable the configuration as shown below:
50. Next, we need to configure the relay state. Click on the Local Provider tab
51. Click on Service Provider Settings
54. Enter a Relay State name and the Fiori launchpad path as shown below:
RelayState: fiori
Path: /sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html
55. Click on OK
56. Next paste the same Fiori launchpad path to the Default Application Path as shown below:
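The manual Trusted Provider steps above (copying the provider host name, the signing certificate, and the HTTP-Redirect and HTTP-POST endpoints for Single Sign-On and Single Logout from the Tenant Settings screen) all read values that are also present in the Identity Provider metadata file downloaded in the previous section. The Python script below is an added example and is not part of this e-book or of SAP's software: it parses a constructed sample IdP metadata document (the tenant host example-tenant.accounts.ondemand.com, the endpoint paths and the certificate body are placeholders) and returns those values so they can be pasted into the Service Provider wizard. Function and constant names are my own. It assumes the provider name to use is the host name in the metadata entityID; the e-book reads the same host name from the certificate's CN, so confirm the two agree on your tenant before pasting.

```python
# Added example (not from the e-book): pull the values the manual Trusted Provider
# configuration needs out of an Identity Provider metadata file.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample metadata: host, endpoint paths and certificate bytes are placeholders.
SAMPLE_IDP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://example-tenant.accounts.ondemand.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIBPLACEHOLDERCERTIFICATEBYTES==</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example-tenant.accounts.ondemand.com/saml2/idp/slo"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-tenant.accounts.ondemand.com/saml2/idp/slo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example-tenant.accounts.ondemand.com/saml2/idp/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-tenant.accounts.ondemand.com/saml2/idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Return provider host, SSO/SLO endpoints keyed by binding, and signing certs."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    def endpoints(tag):
        # One Location per binding (HTTP-Redirect, HTTP-POST), as the wizard asks for them.
        return {e.get("Binding"): e.get("Location") for e in idp.findall(tag, NS)}

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute applies to signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            certs.append("".join(cert.text.split()))  # strip line breaks and indentation
    return {
        "entity_id": entity_id,
        "provider_host": urlparse(entity_id).hostname,  # assumption: use as the IDP name
        "sso": endpoints("md:SingleSignOnService"),
        "slo": endpoints("md:SingleLogoutService"),
        "signing_certs": certs,
    }


def to_pem(b64_der):
    """Wrap the base64 DER body from the metadata as a PEM certificate (for a .cer file)."""
    lines = [b64_der[i:i + 64] for i in range(0, len(b64_der), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_IDP_METADATA)
    print("IDP name (host):", info["provider_host"])
    print("SSO HTTP-Redirect:", info["sso"][HTTP_REDIRECT])
    print("SSO HTTP-POST:", info["sso"][HTTP_POST])
    print("SLO HTTP-Redirect:", info["slo"][HTTP_REDIRECT])
    print("SLO HTTP-POST:", info["slo"][HTTP_POST])
    print(to_pem(info["signing_certs"][0]))
```

To use it on a real tenant, pass the contents of the file downloaded under Downloading Identity Provider Metadata to parse_idp_metadata(); the e-book notes that importing that file into the NetWeaver wizard fails, but reading values from it for the manual steps is unaffected.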
Chapter 2
In this section, Fiori launchpad needs to be configured to support SAML2. We will go through all
the steps needed to allow Fiori launchpad to support SAML2 authentication.
4. Press F8 to execute
5. Click on ushell under ui5_ui5/ui2 as shown below
6. Click on Logon Data tab
7. If your Procedure is already set to Alternative Logon Procedure and the SAML configuration is already set, then
you are done with this section. If not, follow the steps below:
a. Click on Edit
b. Under Procedure drop down list change it from Standard to Alternative Logon Procedure
c. In the Logon Data section scroll down
d. Change the Logon Procedure List by scrolling all the way until 8 SAML Logon is shown
e. Change 8 to 1
Note: Even though we set the order to 1, Logon Through HTTP Fields is always 1, and then comes our
SAML Logon based on the order we set.
h. Click on Save
By default, when configuring SAML2 in NetWeaver, the Name ID attribute Login Name is used. Therefore, SAP
Identity Provider needs to be configured to support this NameID. To do that, follow these steps:
1. Go back to your SAP Identity Provider
2. Login
3. Click on Applications & Resources
4. Click on Applications
5. Click on Name ID Attribute as shown below:
6. Select Login Name
d) Click on Edit as shown below:
Testing SAML Using Fiori launchpad
3. If everything is configured correctly, the web browser will redirect the request to the IDP as shown
below:
4. Login with your IDP user ID and password. Fiori launchpad should log you in successfully
Now we have Fiori Launchpad configured with SAML2 using HTTP. The next step is to configure the Logoff
button in Fiori Launchpad to redirect the request back to the SAML2 login screen.
To configure the logout button in Fiori Launchpad to redirect to the SAML2 login screen, we need to do the
following:
1. Go back to your Identity Provider and login
2. Expand Applications & Resources
3. Click on Applications
4. Click on SAML 2.0 Configuration
5. Scroll down to the section Single Logout Endpoint
Configuring Fiori Launchpad Designer
Chapter 3
If SAML2 is configured to access Fiori Launchpad using HTTP, then continue reading this section to learn how to
configure SAML2 on NetWeaver while accessing Fiori Launchpad using HTTPS. If SAML2 is not configured at all in
the system, then go back to Chapter 1 to learn how to configure the system using HTTP.
Assumption: This section assumes that the user has already read Chapter 1 and configured SAML2 to
support Fiori Launchpad using the HTTP protocol.
6. Click on Metadata as shown below
Figure 83 SAML 2.0 Configuration Screen
13. Scroll up until you see Define from Metadata and click on Browse as shown below:
14. Provide the Metadata file of the service provider from the previous step
15. Verify that the URL has been updated to the HTTPS URL by scrolling down to the section
Assertion Consumer Service Endpoint; you should see the new URL as shown below:
Chapter 4
Configuring Web Dispatcher with SAML2
In this section, we are going to learn how to configure Web Dispatcher to support SAML2 when accessing
Fiori Launchpad with the SAML2 authentication method.
3. Alter the SRCURL and add /sap/saml2 to it; see the example below:
5. Click on Download Metadata
5. Scroll up until you see Define from Metadata and click on Browse as shown below:
6. Provide the Metadata file of the service provider from the previous step
7. Verify that the URL has been updated to the Web Dispatcher URL by scrolling down to the section
Assertion Consumer Service Endpoint; you should see the new URL as shown below:
1. Test your new configuration by accessing Fiori Launchpad using Web Dispatcher URL
2. The browser should direct you now to your Identity Provider
3. Login with your Identity Provider User ID and password
4. After successful login, Fiori Launchpad home page should be displayed
Chapter 5
Troubleshooting
In this chapter, we will discuss the issues that the administrator could face during the configuration process.
Error 1 – Signature verification of metadata was not successful
This issue occurs if you downloaded the metadata of the Identity Provider and tried to upload it into the
service provider; you may see the error below:
Solution:
Instead of uploading the metadata, configure the trusted provider manually as discussed in the section
Importing Identity Provider Certificate into Service Provider in Chapter 1.
Error 2 – No RelayState mapping found for RelayState value ….
Solution:
There are two possibilities for this error. We will start with the first one.
The user is trying to access Fiori Launchpad by a URL that does not match the URL under the Assertion
Consumer Service Endpoint. To verify, do the following:
1. Login to your SAP Identity Provider
2. Click and expand Applications & Resources
3. Click on Applications
4. Click on SAML 2.0 Configuration
5. Scroll down to Assertion Consumer Service Endpoint
6. If the URL protocol and hostname do not match the URL protocol and hostname of the Fiori
Launchpad, then you need to either update the Assertion Consumer Service Endpoint or change the
Fiori Launchpad URL protocol and hostname to match the Assertion Consumer Service Endpoint
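The check in steps 1 to 6, written out in code as an added example that is not part of the e-book: it compares the protocol and host name of the URL the user typed against the Assertion Consumer Service Endpoint, and, since the message itself names a RelayState value, also confirms that the value has a mapping like the one created in Chapter 1 (relay state fiori to the launchpad path). The host gw.example.com, the port and the ACS path are constructed values; the function and constant names are mine.

```python
# Added example (not from the e-book): reproduce the Error 2 diagnosis as a function.
from urllib.parse import urlparse

# Relay-state mapping as configured on the Service Provider in Chapter 1 (step 54).
RELAY_STATE_MAP = {
    "fiori": "/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html",
}


def check_saml_urls(launchpad_url, acs_endpoint_url, relay_state, relay_map=RELAY_STATE_MAP):
    """Return a list of findings; an empty list means the URLs and relay state agree."""
    findings = []
    lp = urlparse(launchpad_url)
    acs = urlparse(acs_endpoint_url)
    # The e-book's rule: protocol and hostname of the launchpad URL must match the ACS endpoint.
    if lp.scheme != acs.scheme:
        findings.append(
            f"protocol mismatch: launchpad uses {lp.scheme}, ACS endpoint uses {acs.scheme}"
        )
    if lp.hostname != acs.hostname:
        findings.append(
            f"host mismatch: launchpad {lp.hostname}, ACS endpoint {acs.hostname}"
        )
    # The value carried in RelayState must exist in the Service Provider's mapping.
    if relay_state not in relay_map:
        findings.append(f"no RelayState mapping found for RelayState value {relay_state!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample: HTTP launchpad URL against an HTTPS ACS endpoint (Chapter 3 situation).
    acs = "https://gw.example.com:44300/sap/saml2/sp/acs/100"
    for url in (
        "https://gw.example.com:44300/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html",
        "http://gw.example.com:8000/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html",
    ):
        print(url, "->", check_saml_urls(url, acs, "fiori") or "OK")
```

When the function reports a protocol mismatch after the move to HTTPS in Chapter 3 or to Web Dispatcher in Chapter 4, the fix is the one step 6 gives: re-import the Service Provider metadata on the Identity Provider side so the Assertion Consumer Service Endpoint carries the new URL, or access the launchpad through the URL the endpoint already names.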
Error 3 – HTTPS Status 400 – Service Provider SLO endpoint has not received SAML2 message
The reason for this error is that the user configured the Logoff Page to redirect to the SAML2 Logout
Endpoint.
Solution:
To fix the issue, refer to the Chapter 2 section Configure Single Logout Endpoint.