Page 1: How to Configure Fiori Launchpad and Web Dispatcher to ...

© 2016 SAP AG. All rights reserved.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, SAP HANA, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase Inc. Sybase is an SAP company.

Crossgate, m@gic EDDY, B2B 360°, and B2B 360° Services are registered trademarks of Crossgate AG in Germany and other countries. Crossgate is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services

How to Configure Fiori Launchpad and Web Dispatcher to Support SAML2 Using SAP Identity Provider Step-by-Step SAP NetWeaver or S4H – Gateway

Ali Chalhoub


Document History

Document Version   Authored By     Description                          Date Created
1.0                Ali Chalhoub    First release of this whitepaper     July 18, 2018

Document Version   Reviewer        Description                          Date
                   Kiran Kola      Global CoE                           July 26, 2018

TABLE OF CONTENTS

Document History .... 2
ABSTRACT .... 5
  Chapter 1 - Configuring SAP Service Provider .... 5
  Chapter 2 - Configuring Fiori Launchpad to Support SAML2 .... 5
  Chapter 3 - Accessing Fiori Launchpad Using HTTPS with SAML2 .... 5
  Chapter 4 – Configuring Web Dispatcher with SAML2 .... 5
  Chapter 5 – Troubleshooting .... 5
CHAPTER 1 CONFIGURING SAP SERVICE PROVIDER .... 6
  Overview of the Architecture .... 6
  Configuring Scenario -1- Local Provider .... 8
  Configuring Scenario -1- Identity Provider .... 12
  Downloading Identity Provider Metadata .... 19
  Importing Identity Provider Certificate into Service Provider .... 22
CHAPTER 2 CONFIGURING FIORI LAUNCHPAD TO SUPPORT SAML2 .... 41
  Configuring Fiori Launchpad .... 41
  Configuring IDP to support Login Name .... 47
  Testing SAML Using Fiori launchpad .... 50
  Configuring Single Logout Endpoint .... 51
  Configuring Fiori Launchpad Designer .... 53
CHAPTER 3 ACCESSING FIORI LAUNCHPAD USING HTTPS WITH SAML2 .... 54
  How to access Fiori Launchpad Using SAML2 HTTPS .... 54
  Configuring SAML2 to enable accessing Fiori Launchpad using HTTPS .... 54
CHAPTER 4 CONFIGURING WEB DISPATCHER WITH SAML2 .... 58
  Enabling Web Dispatcher to support SAML2 Scenario -2 .... 58
  Downloading Service Provider Metadata .... 59
  Uploading Metadata into the Identity Provider .... 60
  Testing Fiori Launchpad using Web Dispatcher and SAML2 .... 61
CHAPTER 5 TROUBLESHOOTING .... 63
  Error 1 - Signature verification of metadata was not successful .... 63
  Error 2 – No RelayState mapping found for RelayState value … .... 64
  Error 3 – HTTPS Status 400 – Service Provider SLO endpoint has not received SAML2 message .... 64


Abstract

Chapter 1 - Configuring SAP Service Provider
  1.1. Overview of the Architecture
  1.2. Configuring Scenario -1- Service Provider
  1.3. Configuring Scenario -1- Identity Provider
  1.4. Downloading Identity Provider Metadata
  1.5. Importing Identity Provider Certificate into Service Provider

Chapter 2 - Configuring Fiori Launchpad to Support SAML2
  2.1. Configuring Fiori Launchpad
  2.2. Configuring IDP to support Login Name
  2.3. Testing SAML Using Fiori launchpad
  2.4. Configuring Single Logout Endpoint
  2.5. Configuring Fiori Launchpad Designer

Chapter 3 - Accessing Fiori Launchpad Using HTTPS with SAML2
  3.1. How to access Fiori Launchpad Using SAML2 HTTPS
  3.2. Configuring SAML2 to enable accessing Fiori Launchpad using HTTPS

Chapter 4 – Configuring Web Dispatcher with SAML2
  4.1. Enabling Web Dispatcher to support SAML2 Scenario -2
  4.2. Downloading Service Provider Metadata
  4.3. Uploading Metadata into the Identity Provider
  4.4. Testing Fiori Launchpad using Web Dispatcher and SAML2

Chapter 5 – Troubleshooting
  5.1. Error 1 - Signature verification of metadata was not successful
  5.2. No RelayState mapping found for RelayState value …
  5.3. HTTPS Status 400 – Service Provider SLO endpoint has not received SAML2 message


Chapter 1 Configuring SAP Service Provider

Welcome to How to Configure Fiori Launchpad and Web Dispatcher to Support SAML2 Using SAP Cloud Platform Identity Authentication Provider Step-by-Step. In this e-book you will find all the details needed to configure a Web Dispatcher with Fiori launchpad on an on-premise SAP NetWeaver Gateway system. In this eBook we will discuss and show the user how to configure:

• SAP Cloud Platform Identity Provider
• Fiori launchpad on an on-premise system running NetWeaver 7.50 or higher, with Web Dispatcher in front

Note

1. To make the process simple, the steps provided in this book are done against a single NetWeaver Gateway system; no ERP is involved.

Requirements

1. NetWeaver 7.5 or higher
2. SAP Web Dispatcher with SSL already configured
3. Fiori launchpad already configured and working with SSL support

Overview of the Architecture

Before we can start our configuration, we need to look at the architecture that this book will address. This eBook will cover two scenarios:

1. SAP Cloud Platform Identity Provider with SAP Fiori launchpad running on an on-premise NetWeaver system
2. SAP Cloud Platform Identity Provider with Web Dispatcher and SAP Fiori launchpad running on an on-premise NetWeaver system

The architecture below covers scenario number 1.

Figure 1 SAP Cloud Platform Identity Provider with Fiori launchpad

1. A web client makes a request to SAP Fiori launchpad
2. SAP Fiori launchpad redirects the client to SAP Cloud Platform Identity Provider
3. The client is asked to authenticate with SAP Cloud Platform Identity Provider
4. After the client is authenticated successfully, a SAML XML assertion is generated which contains all the information needed about the client, such as user id, first name and last name, and all of this is sent to the client
5. The client makes a POST request to SAP Fiori launchpad, where the XML assertion is validated at the NetWeaver level, a session is created and the client is granted access to Fiori launchpad

The architecture below covers scenario number 2.

Figure 2 SAP Cloud Platform Identity Provider with SAP Web Dispatcher

1. A web client makes a request to SAP Web Dispatcher
2. SAP Web Dispatcher redirects the client to SAP Cloud Platform Identity Provider
3. The client is asked to authenticate with SAP Cloud Platform Identity Provider
4. After the client is authenticated successfully, a SAML XML assertion is generated which contains all the information needed about the client, such as user id, first name and last name, and all of this is sent to the client
5. The client makes a POST request to Web Dispatcher, where the XML assertion is validated at the Web Dispatcher level
6. Finally, a session is created, and the client is granted access to Web Dispatcher and Fiori launchpad

Configuring Scenario -1- Local Provider

In this scenario we will be configuring SAP Fiori launchpad on-premise to work with SAP Cloud Platform Identity Provider without Web Dispatcher.

Note

In this section there is an assumption that Fiori launchpad is configured in the NetWeaver system, that Fiori launchpad can be accessed using HTTPS, and that the user has access to SAP Cloud Platform Identity Provider.

Connecting to the SAP Service Provider, which in our configuration is our NetWeaver Gateway system:

1. Login to the SAP NetWeaver system
2. Execute tCode saml2
3. Click on Enable SAML 2.0 Support if no SAML has been configured in the system
4. We should see the following screen below

Figure 4 Enabling SAML2 in NetWeaver

5. Select Create SAML 2.0 Local Provider
6. Now enter a name that represents the Local Provider configuration. The recommendation would be <INSTANCEID>_SAML2

Figure 5 Providing name to the Local Provider Service Provider

7. Click Next
8. On the screen below do not change anything; click Next as well

Figure 6 Miscellaneous

9. Under Identity Provider Discovery: Common Domain Cookie (CDC), make sure Selection Mode is set to Automatic as shown below:

Figure 7 Setting selection Mode

Note

Selection Mode Automatic means the user will not need to select the default authentication provider. It will be selected automatically.

10. Click Finish
11. We should see the following screen below:

Figure 8 Creating Local Provider Configuration

12. Next, we need to download the Metadata of our Local Provider so it can be imported into the Identity Provider. Click on Metadata as shown below:

Figure 9 Accessing Metadata information

13. Click on Download Metadata

Figure 10 Downloading Metadata xml information

14. Save the XML file to your local machine, because it will be required in the next step when we configure the Identity Provider

Configuring Scenario -1- Identity Provider

Connecting to SAP Cloud Platform Identity Provider to configure it, if it is not already configured:

1. Open your web browser
2. Enter the URL of the SAP Cloud Platform Identity Provider. For example:

IDP Host: https://xxxx.accountsxxxx.ondemand.com/admin/#

3. Once logged in, the screen may look like the one below:

Figure 11 SAP Cloud Platform Identity Authentication Administration Console

Note

This section is not needed if your administrator already provided you with a user id and password to login to the system. You can skip the user creation section.

4. Once logged in, click on Applications under Applications & Resources

Figure 12 Accessing Applications section

5. Click on the Add sign to create a new application, which will be the application that handles our authentication to Fiori launchpad

Figure 13 Adding new application to our Fiori launchpad

6. Give it a name and click Save. Any name will do, for example the three characters of the service provider you are dealing with. But again, that name can be anything you like

Figure 14 Creating application

7. After the application is created, the following screen should be displayed

Figure 15 Configuration screen of the application

8. Click on SAML 2.0 Configuration

Figure 16 Accessing SAML2 configuration

9. Click on Browse to import the Metadata. Select the Metadata we downloaded in step 13 under Configuring Scenario -1- Service Provider
10. After the import, the screen should now contain the address of your NetWeaver as shown below. This information is provided to the Identity Provider by the Metadata that we have imported

Figure 17 Importing Service Provider Metadata

11. Scroll down on the screen until you see the Single Logout Endpoint section

Figure 18 Single Logout Endpoint

Note

Notice that the certificate of the Service Provider is already here. The reason for this is that it is part of the Metadata that we imported.

12. Click on Save so the configuration is saved

Figure 19 Saving Identity Provider Application configuration

Downloading Identity Provider Metadata

1. Now that the configuration is done, we need to download the Metadata of the Identity Provider so we can import it into our Service Provider. In our example our Service Provider is our NetWeaver Gateway system. Click on Home as shown below:

Figure 20 Accessing Identity Provider Home page

2. Scroll down to the Applications & Resources section
3. Click on Tenant Settings as shown below

Figure 21 Accessing Tenant settings

4. Click on SAML 2.0 Configuration

Figure 22 Accessing SAML 2.0 configuration

5. Click on Download Metadata file. As we mentioned, we need to import this file into our Service Provider, which is our NetWeaver Gateway system

Figure 23 Downloading Metadata File of Identity Provider

Note

This section shows you how to download and access the Metadata of the Identity Provider. In our configuration, we will not be using the Metadata; instead we will be configuring the Service Provider manually.

Importing Identity Provider Certificate into Service Provider

1. From the Identity Provider Tenant Settings section, scroll down to the Signing Certificate section as shown below:

Figure 24 Signing Certificate section

2. Copy all the content in the "Insert as Text" box
3. Open Notepad or a text editor and paste the content into it
4. Save the file as sapidp.cer or whatever you like

Figure 25 Creating IDP public certificate

5. Copy the name of the Identity Provider, which is basically the host name of the Identity Provider shown under the Signing Certificate: in the Subject DN, copy the hostname after CN= and before the O=

Figure 26 Identifying the hostname of the Identity Provider

6. Now the Metadata has been downloaded and the public certificate of the IDP has been created, but because there is an issue with the NetWeaver Gateway where importing the Metadata of the Identity Provider does not work, we need to do the configuration manually.
7. Go back to the Service Provider and access your SAML2 configuration screen as shown below, either by using tCode saml2 or by accessing the SAML2 configuration using the URL. Example:

http(s)://<HOST-NAME>:<PORT>/sap/bc/webdynpro/sap/saml2?sap-client=<CLIENT-ID>

Figure 27 SAML 2 Service Provider configuration screen

8. Click on the Trusted Providers tab

Figure 28 Accessing Trusted Providers

9. Click on Add and select Manually

Figure 29 Adding the Identity Provider name manually

10. Enter the name of the IDP (Identity Provider) by pasting the name we copied in the previous step

Figure 30 Entering the name of the IDP manually

11. The screen should look like this

Figure 31 IDP domain name

12. Click Next
13. Now provide the Primary Signing Certificate. Basically, it is the public certificate of our IDP that we created in step 4, where we created the file sapidp.cer (or whatever the file was called), by clicking on Browse as shown below

Figure 32 Providing the public certificate of the IDP

14. Select Upload from File

Figure 33 Uploading the public certificate of the IDP

15. Make sure that under Artifact Profile, Sign and Require Signature are set to Never

Figure 34 Setting Artifact Profile

16. Click Next
17. Under Single Sign-On Endpoints click on Add. Note: the Sign-On Endpoints are located under the IDP. Therefore, this step requires you to go back to the IDP to copy the HTTP-Redirect URL

Figure 35 Adding Sign-On Endpoints

18. Go back now to the IDP Tenant Settings and copy the full URL of HTTP-Redirect under Single Sign-On Endpoint as shown below

Figure 36 Copying the HTTP-Redirect

19. Go back to the Service Provider and paste the HTTP-Redirect URL as shown below:

Figure 37 Adding the HTTP-Redirect in the NetWeaver Gateway System

20. Click OK and click again on Add to add the HTTP-POST

Figure 38 Adding HTTP-POST

21. Select HTTP POST from the Binding dropdown list

Figure 39 Selecting HTTP POST

22. Go back to the Identity Provider (IDP) and copy the HTTP-POST URL under the Tenant Settings as shown below:

Figure 40 HTTP-POST URL under the Single Sign-On Endpoint IDP

23. Paste the HTTP-POST URL under the Binding section in the Service Provider

Figure 41 Pasting HTTP-POST URL from the IDP

24. Click OK
25. Click on Next
26. Now we need to configure Single Logout Endpoints; click on Add

Figure 42 Single Logout Endpoints

27. Select HTTP Redirect under Binding as shown below

Figure 43 Adding HTTP Redirect for Single Logout Endpoints

28. Go back to your IDP and copy the HTTP-Redirect URL under the Single Logout Endpoint section as shown below:

Figure 44 Copying the URL of HTTP-Redirect under Single Logout Endpoint

29. Go back to your Service Provider, the NetWeaver Gateway system, and paste it as shown below:

Figure 45 Pasting HTTP Redirect URL for Single Logout Endpoints

30. Click OK
31. Click on Add again
32. Select HTTP Post under Binding:

Figure 46 Selecting HTTP POST

33. Go back to your Tenant Settings under your IDP and copy the HTTP-POST URL under the Single Logout Endpoint section as shown below:

Figure 47 Copying HTTP-POST for Single Logout Endpoint

34. Go back to your Service Provider and paste the HTTP-POST URL as shown below:

Figure 48 Adding HTTP POST URL to the Service Provider

35. Click OK
36. Click on Next
37. We should now see the Artifact Endpoints screen

Figure 49 Artifact Endpoints configuration

38. Click on Add

Figure 50 Adding Assertion URL under Artifact configuration screen

39. Go back to your IDP under the Tenant Settings and copy the Assertion Consumer Service Endpoint as shown below:

Figure 51 Copying the Assertion Consumer Service Endpoint URL

40. Go back to your Service Provider and paste the HTTP-POST URL as shown below:

Figure 52 Adding Assertion Consumer Service Endpoint URL

41. Click OK
42. Click Next
43. Click Finish
44. We should have the following configuration; click on Edit

Figure 53 Trusted Providers configuration screen

45. Click on Add under Details of Identity Provider …

Figure 54 Adding details of Identity Provider

Note: If Add is grayed out, click on the Edit button beside the Save button

46. Select Unspecified as shown below and click OK

Figure 55 Setting Supported NameID Formats

47. Finally click Save as shown below

Figure 56 Saving Trusted Providers configuration

48. Click on Enable to enable the configuration as shown below:

Figure 57 Enabling the configuration

49. Click on OK

Figure 58 Confirming the enablement of our SAML 2.0 configuration

50. Next, we need to configure the relay state; click on the Local Provider tab
51. Click on Service Provider Settings

Figure 59 Adding Relay State

52. Click on the Edit button
53. Scroll down until you see Relay State Mapping. Click on Add as shown below:

Figure 60 Adding Relay State for Fiori launchpad

54. Enter a Relay State name and the Fiori launchpad path as shown below:

Figure 61 Providing the Fiori launchpad path to the RelayState

RelayState: fiori
Path: /sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html

55. Click on OK
56. Next, paste the same Fiori launchpad path into the Default Application Path as shown below:

Figure 62 Providing default application path

57. Click on Save
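The redirect from step 2 of the architecture overview and the Relay State Mapping just entered, modelled as an added example (this is not code from the whitepaper or from SAP). It encodes an AuthnRequest the way the SAML2 HTTP-Redirect binding does, takes the URL apart again, and resolves a returned RelayState against the mapping table; the SP entity ID, the endpoint URLs and the rule that an unmapped value is rejected with the message quoted in chapter 5 are assumptions made for illustration.

```python
"""SAML2 HTTP-Redirect binding plus RelayState mapping (added illustration)."""
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Relay State Mapping as entered in step 54 and the Default Application Path of
# step 56. Only the name "fiori" is mapped; everything else is refused below.
RELAY_STATE_MAPPING = {
    "fiori": "/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html",
}
DEFAULT_APPLICATION_PATH = "/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html"


def build_authn_request(sp_entity_id, acs_url, issue_instant):
    """Minimal unsigned AuthnRequest, as the local provider would issue it.

    sp_entity_id and acs_url are placeholders chosen by the caller; the real
    values are in the local provider metadata downloaded in step 13.
    """
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{issue_instant}" '
        f'ProtocolBinding="{HTTP_POST}" AssertionConsumerServiceURL="{acs_url}">'
        f"<saml:Issuer>{sp_entity_id}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )


def redirect_encode(xml_text):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64.

    The percent-encoding the binding also requires is applied by urlencode()
    when the value is put into the query string.
    """
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw DEFLATE
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return base64.b64encode(deflated).decode("ascii")


def redirect_decode(value):
    """Inverse of redirect_encode; this is what the IdP does on arrival."""
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")


def sso_redirect_url(idp_sso_redirect_endpoint, authn_request_xml, relay_state=None):
    """URL the browser is sent to (step 2 of the flow): the IdP's HTTP-Redirect
    Single Sign-On endpoint copied in step 18, carrying SAMLRequest and RelayState."""
    query = {"SAMLRequest": redirect_encode(authn_request_xml)}
    if relay_state:
        query["RelayState"] = relay_state
    return f"{idp_sso_redirect_endpoint}?{urlencode(query)}"


def parse_sso_redirect(url):
    """Split a redirect URL back into (AuthnRequest XML, RelayState)."""
    query = parse_qs(urlsplit(url).query)
    return redirect_decode(query["SAMLRequest"][0]), query.get("RelayState", [""])[0]


def issuer_of(authn_request_xml):
    """Entity ID of the SP that issued the request."""
    return ET.fromstring(authn_request_xml).find("saml:Issuer", {"saml": SAML}).text


class RelayStateError(ValueError):
    """Raised for a RelayState that has no entry in the mapping table."""


def resolve_relay_state(relay_state, mapping=RELAY_STATE_MAPPING,
                        default_path=DEFAULT_APPLICATION_PATH):
    """Decide where the SP sends the browser once the assertion is accepted.

    Model of the behaviour the whitepaper configures: a mapped name yields its
    configured path, an absent RelayState yields the Default Application Path,
    and an unmapped name is refused with the message quoted in chapter 5.
    Treating RelayState as a key into a fixed table, never as a URL, is what
    keeps the SP from acting as an open redirect (assumption: this is the
    reason NetWeaver rejects unmapped values).
    """
    if not relay_state:
        return default_path
    if relay_state in mapping:
        return mapping[relay_state]
    raise RelayStateError(
        f"No RelayState mapping found for RelayState value {relay_state}")


if __name__ == "__main__":
    request = build_authn_request(
        "NWG_SAML2", "http://gateway.example.com:8000/sap/saml2/sp/acs/100",
        "2018-07-18T12:00:00Z")
    url = sso_redirect_url("https://idp.example.com/saml2/idp/sso", request, "fiori")
    xml_back, relay = parse_sso_redirect(url)
    print(issuer_of(xml_back), "->", resolve_relay_state(relay))
```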

Chapter 2

Configuring Fiori Launchpad to Support SAML2

Configuring Fiori Launchpad

In this section Fiori launchpad needs to be configured to support SAML2. We will go through all the steps needed to allow Fiori launchpad to support SAML2 authentication.

1. Login to the Front-End NetWeaver Gateway system
2. Execute tCode SICF
3. Under Service Name type USHELL

Figure 63 Accessing SICF

4. Press F8 to execute
5. Click on ushell under ui5_ui5/ui2 as shown below

Figure 64 Accessing USHELL Service Logon Data

6. Click on the Logon Data tab

Figure 65 Accessing Logon Data

7. If your Procedure is set to Alternative Logon Procedure and SAML Configuration is already set, then you are done with this section. If not, then follow these steps below:

a. Click on Edit

Figure 66 Clicking on Edit to alter the Logon Data Procedure

b. Under the Procedure drop down list change it from Standard to Alternative Logon Procedure
c. In the Logon Data section scroll down
d. Change the Logon Procedure List by scrolling all the way until 8 SAML Logon is shown

Figure 67 Changing the order of the Logon Procedure List

e. Change 8 to 1

Figure 68 Changing the order by selecting SAML Logon as 1

f. Press Enter
g. We should see the following result

Figure 69 SAML Logon is the second selection

Note

Even though we set the order to be 1, Logon Through HTTP Fields is always 1 and then comes our SAML Logon based on the order we set.

h. Click on Save

Figure 70 Saving the configuration of the USHELL

Configuring IDP to support Login Name

By default, when configuring SAML2 in NetWeaver, it uses the Name ID attribute Login Name. Therefore, SAP Identity Provider needs to be configured to support this NameID. To do that, follow these steps:

1. Go back to your SAP Identity Provider
2. Login
3. Click on Applications & Resources
4. Click on Applications
5. Click on Name ID Attribute as shown below:

Figure 71 Configuring Name ID Attribute

6. Select Login Name

Figure 72 Setting Login Name for Name ID Attribute

7. Click Save
8. Next, since our NetWeaver uses the Login Name ID but our IDP uses a different ID and naming convention, we need to provide the Login ID of our NetWeaver system to the IDP in order to do the mapping. To do that, do the following:

a) Click on Users & Authorizations
b) Click on User Management as shown below:

Figure 73 Accessing User Management

c) Click on your user
d) Click on Edit as shown below:

Figure 74 Editing IDP user information

e) Scroll down until you see Login Name
f) Type the Login ID of the NetWeaver Gateway system

Figure 75 Altering User information

g) Click on Save

Testing SAML Using Fiori launchpad

To test the configuration, we need to access Fiori launchpad.

1. Open a web browser, preferably Chrome
2. Enter the URL of your Fiori launchpad

http://<DOMAIN>:8443/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html

Note

Because we configured our Service Provider by going to the URL http://<DOMAIN>/sap/bc/webdynpro/sap/saml2?sap-client=<CLIENT-ID>&sap-language=EN#, WE MUST access Fiori launchpad using HTTP and not HTTPS. We will see how we can change this later.

3. If everything is configured correctly, the web browser will redirect the request to the IDP as shown below:

Figure 76 Redirecting to SAP Identity Provider

4. Login with your IDP user ID and password. Fiori launchpad should log you in successfully

Figure 77 Fiori launchpad
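An added helper (not code from the whitepaper or from SAP) for two of the manual transcriptions above: steps 10 through 34 of the trusted-provider wizard in chapter 1, where the IDP's signing certificate and its HTTP-Redirect and HTTP-POST sign-on and logout endpoints are copied from the tenant settings by hand, and the note in this test section about opening the launchpad with the same scheme the Service Provider was configured with. It reads the metadata XML each side downloads, so the values can be copied from one place and the scheme, host and port of the SP's assertion consumer endpoint can be compared with the launchpad URL. The metadata shown is constructed; hostnames, paths, entity IDs and the certificate body are placeholders, and the assumption that the tenant's entityID is the host name the page reads from the certificate CN is labelled in the code.

```python
"""Extract trusted-provider values from SAML2 metadata and check the SP's
assertion consumer endpoint against the URL the launchpad is opened with."""
import textwrap
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed IdP metadata in the shape of the tenant "Download Metadata file";
# host, paths and the certificate body are placeholders, not real tenant values.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="idp.example.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIBPLACEHOLDERCERTIFICATEBODY0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ==</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml2/idp/slo"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml2/idp/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml2/idp/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml2/idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed local-provider (SP) metadata as downloaded in step 13 of the local
# provider setup; the ACS location carries the http URL used during configuration.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="NWG_SAML2">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://gateway.example.com:8000/sap/saml2/sp/acs/100"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def _binding_name(urn):
    # "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" -> "HTTP-Redirect"
    return urn.rsplit(":", 1)[-1]


def _endpoints(descriptor, tag):
    """Map binding name -> Location for every element of the given tag."""
    return {_binding_name(e.get("Binding")): e.get("Location")
            for e in descriptor.findall(tag, NS)}


def trusted_provider_values(idp_xml):
    """Return what the trusted-provider wizard asks for, keyed by wizard field.

    Assumption: the entityID equals the host name that step 5 reads from the
    certificate's Subject DN, so it can serve as the provider name of step 10.
    """
    root = ET.fromstring(idp_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    cert = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo"
                    "/ds:X509Data/ds:X509Certificate", NS)
    body = "".join(cert.text.split())  # metadata may wrap the base64 body
    pem = ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(body, 64))
           + "\n-----END CERTIFICATE-----\n")
    return {
        "provider_name": root.get("entityID"),                       # step 10
        "primary_signing_certificate_pem": pem,                      # step 13 (sapidp.cer)
        "single_sign_on_endpoints": _endpoints(idp, "md:SingleSignOnService"),  # steps 17-23
        "single_logout_endpoints": _endpoints(idp, "md:SingleLogoutService"),   # steps 26-34
    }


def acs_scheme_check(sp_xml, launchpad_url):
    """List every AssertionConsumerService whose scheme, host or port differs
    from the URL the user opens the launchpad with. The test-section note says
    an SP configured over http must be opened over http; this makes a mismatch
    visible before users hit it."""
    wanted = urlsplit(launchpad_url)
    root = ET.fromstring(sp_xml)
    mismatches = []
    for acs in root.iterfind("md:SPSSODescriptor/md:AssertionConsumerService", NS):
        have = urlsplit(acs.get("Location"))
        if (have.scheme, have.hostname, have.port) != (wanted.scheme, wanted.hostname, wanted.port):
            mismatches.append(f"ACS {acs.get('Location')} vs launchpad "
                              f"{wanted.scheme}://{wanted.netloc}")
    return mismatches


if __name__ == "__main__":
    for field, value in trusted_provider_values(IDP_METADATA).items():
        print(field, "=", value)
    print(acs_scheme_check(
        SP_METADATA,
        "https://gateway.example.com:8443/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html"))
```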

Configuring Single Logout Endpoint

Now that we have Fiori Launchpad configured with SAML2 using HTTP. Next step is to configure the Logoff

button in Fiori Launchpad to redirect the request back to the SAML2 login screen.

In order to configure the logout button in Fiori Launchpad to redirect to SAML2 login screen, we need to do the

following:

1. Go back to your Identity Provider and login

2. Expand Applications & Resources

3. Click on Applications

4. Click on SAML 2.0 Configuration

5. Scroll down to the section Single Logout Endpoint

Figure 78 Single Logout Endpoint URL

6. Copy the URL of HTTP-Redirect

7. Once the URL is copied, go to the NetWeaver Front-End

8. Execute tCode /nSICF

Page 52: How to Configure Fiori Launchpad and Web Dispatcher to ...

52

9. Under service name type logoff

10. Click on Execute or press F8

11. Double click on the node sap/public/bc/icf/logoff

12. Click on Edit icon on the top left

13. Click on the Error Pages

14. Under Logon Errors paste the URL we copied from step 6 as shown below:

Figure 79 Configuring Logoff ICF node

15. Click on Logoff Page tab

16. Make sure that under Redirect to URL the value is set to /sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html, or whatever your Fiori Launchpad relative URL is

Note: If you are asked to enter a user ID and password, enter your NetWeaver or S4H user ID and password

17. Save your configuration

18. Now when clicking the Logoff button in Fiori Launchpad, you are redirected to the login screen of the Identity Provider


Configuring Fiori Launchpad Designer

In this section we will configure Fiori Launchpad Designer to support SAML2.

1. Log in to the Front-End NetWeaver Gateway system

2. Execute tCode /nSAML2

3. Click on Local Provider

4. Click on Service Provider Settings

5. Click on Edit button on the top left

6. Under Relay State Mapping click on Add

7. Enter the following configuration:

RelayState: fioridesigner

Path: /sap/bc/ui5_ui5/sap/arsrvc_upb_admn/main.html

8. Click OK

9. Click Save

10. Configuration should look like this screen below:

Figure 80 Configuring Fiori Launchpad Designer Relay State


Chapter 3

Accessing Fiori Launchpad Using HTTPS with SAML2

How to access Fiori Launchpad Using SAML2 HTTPS

If SAML2 is already configured for accessing Fiori Launchpad over HTTP, continue reading this section to learn how to configure SAML2 on NetWeaver so that Fiori Launchpad is accessed over HTTPS. If SAML2 is not configured at all in the system, go back to Chapter 1 first and configure the system using HTTP.

Assumption:

This section assumes that the user has already read Chapter 1 and configured SAML2 to support Fiori Launchpad over HTTP.

Configuring SAML2 to enable accessing Fiori Launchpad using HTTPS

1. Log in to your NetWeaver Gateway system

2. Identify the secure (HTTPS) port NetWeaver is using. To find it:

a. Issue tCode /nSMICM on the Front-End

b. From the menu select Goto or press SHIFT + F1

c. Select Services

d. Under protocol HTTPS find out the port number

3. Now that we have the port number, we need to go to SAML2 configuration page

4. Execute tCode /nSAML2 from the Front-End

5. Once the configuration screen has opened, do the following:

a. In the browser URL change the protocol from HTTP to HTTPS

b. Change the port to the HTTPS port recorded in step 2.d

c. Press Enter


6. Click on Metadata as shown below

Figure 81 Accessing Metadata for HTTPS SAML2 configuration

7. Click on Download Metadata

Figure 82 Downloading Metadata for SAML2 HTTPS

8. Save it on your local disk

9. Now we need to go back to our Identity Provider

10. Once logged in to your Identity Provider, expand Applications & Resources

11. Click on Applications

12. Make sure you are on the application that you already configured for SAML and select SAML 2.0 Configuration as shown below:


Figure 83 SAML 2.0 Configuration Screen

13. Scroll up until you see Define from Metadata and click on Browse as shown below:

Figure 84 Uploading Service Provider Metadata

14. Provide the Metadata file of the service provider from the previous step

15. Verify that the URL has been updated to the HTTPS URL by scrolling down to the section Assertion Consumer Service Endpoint; the new URL should appear as shown below:

Figure 85 URL of the Assertion Consumer Service Endpoint


16. Save your changes

17. Test your new configuration by accessing Fiori Launchpad using HTTPS

18. The browser should now redirect you to your Identity Provider

19. Log in with your Identity Provider user ID and password

20. After successful login, Fiori Launchpad home page should be displayed

Figure 86 Fiori Launchpad using SAML2 with HTTPS


Chapter 4 Configuring Web Dispatcher with SAML2

In this section, we are going to learn how to configure Web Dispatcher to support SAML2 authentication when accessing Fiori Launchpad through it.

Assumption

This section assumes that you have already configured SAML2 with HTTP or HTTPS and have a fully functional system: Fiori Launchpad can be accessed by the user and the user can log in using SAML2 successfully.

The second assumption is that you have Web Dispatcher configured in your system and Fiori Launchpad can already be accessed through Web Dispatcher.

Enabling Web Dispatcher to support SAML2, Scenario 2

Figure 87 Scenario 2 Web Dispatcher with SAML2

Because the users will now reach the system through a new hostname, that of the Web Dispatcher, we need to download the Metadata of the Service Provider one more time, this time accessing the SAML2 configuration of the Service Provider through the Web Dispatcher, so that the Assertion Consumer Service endpoint in the metadata carries the Web Dispatcher hostname and port. If we simply try to download the Metadata, we get an HTTP 503 Service Unavailable error, because the Web Dispatcher does not forward the path /sap/saml2/sp/metadata. Therefore we need to modify the Web Dispatcher configuration file.

1. Backup your Web Dispatcher configuration file sapwebdisp.pfl

2. Open sapwebdisp.pfl in your favorite text editor


3. Alter the SRCURL list of the back-end system entry (the wdisp/system_<n> parameter) and add /sap/saml2 to it; see the example below:

Figure 88 Updating Web Dispatcher configuration

4. Save your changes

5. Restart Web Dispatcher
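The following is an added example, not part of the SAP guide: a small check that a sapwebdisp.pfl profile forwards every URL prefix the SAML2 login through Fiori Launchpad needs (the /sap/saml2 path for the metadata download and the Assertion Consumer Service, the launchpad under /sap/bc/ui5_ui5, and the logoff ICF node). The SID, hostname, port and SRCURL values in the sample profile are constructed placeholders, and the "before" and "after" profiles mirror the edit in step 3 above. Web Dispatcher matches SRCURL entries as URL prefixes, which is what the check reproduces; an entry with no SRCURL is treated here as the default "/" (all URLs).

```python
"""Check that a Web Dispatcher profile forwards the URL prefixes needed for a
SAML2 login via Fiori Launchpad. Added example, not from the SAP guide."""
import re
from typing import Dict, List

# URL prefixes used in the guide: SP metadata/ACS, launchpad, logoff ICF node.
REQUIRED_PREFIXES = [
    "/sap/saml2/",                # /sap/saml2/sp/metadata and the ACS endpoint
    "/sap/bc/ui5_ui5/",           # Fiori Launchpad and Launchpad Designer
    "/sap/public/bc/icf/logoff",  # logoff ICF node configured in Chapter 2
]

# Constructed sample profiles (SID, hostname and port are placeholders).
SAMPLE_PROFILE_BEFORE = """\
SAPSYSTEMNAME = WD1
wdisp/system_0 = SID=GW1, MSHOST=gwhost.example.com, MSPORT=8100, SRCURL=/sap/bc/;/sap/public/;/sap/opu/
"""
SAMPLE_PROFILE_AFTER = """\
SAPSYSTEMNAME = WD1
wdisp/system_0 = SID=GW1, MSHOST=gwhost.example.com, MSPORT=8100, SRCURL=/sap/bc/;/sap/public/;/sap/opu/;/sap/saml2/
"""

_SYSTEM_RE = re.compile(r"^\s*wdisp/system_(\d+)\s*=\s*(.*)$")


def parse_systems(profile: str) -> Dict[str, Dict[str, str]]:
    """Return {index: {KEY: value}} for every wdisp/system_<n> line."""
    systems: Dict[str, Dict[str, str]] = {}
    for line in profile.splitlines():
        m = _SYSTEM_RE.match(line)
        if not m:
            continue
        fields: Dict[str, str] = {}
        for part in m.group(2).split(","):
            key, _, value = part.strip().partition("=")
            if key:
                fields[key.strip().upper()] = value.strip()
        systems[m.group(1)] = fields
    return systems


def srcurl_prefixes(fields: Dict[str, str]) -> List[str]:
    """SRCURL entries of one system; no SRCURL is treated as '/' (assumed default)."""
    raw = fields.get("SRCURL", "/")
    return [p.strip() for p in raw.split(";") if p.strip()]


def missing_prefixes(profile: str, required: List[str] = REQUIRED_PREFIXES) -> List[str]:
    """Required prefixes that no SRCURL of any back-end system forwards.

    Matching is prefix based, as Web Dispatcher does it: '/sap/public/' already
    covers '/sap/public/bc/icf/logoff', but '/sap/bc/' does not cover '/sap/saml2/'.
    """
    covered: List[str] = []
    for fields in parse_systems(profile).values():
        covered.extend(srcurl_prefixes(fields))
    return [need for need in required if not any(need.startswith(c) for c in covered)]


if __name__ == "__main__":
    print("before:", missing_prefixes(SAMPLE_PROFILE_BEFORE))  # ['/sap/saml2/']
    print("after: ", missing_prefixes(SAMPLE_PROFILE_AFTER))   # []
```

Run it against your real profile before restarting the Web Dispatcher; an empty list for the "after" profile means the 503 on /sap/saml2/sp/metadata described above should no longer occur.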

Downloading Service Provider Metadata

1. Log in to your NetWeaver Front-End

2. Execute tCode /nSAML2 from the Front-End

3. Once the configuration screen has opened, do the following:

a. In the browser URL change the protocol to the one the Web Dispatcher is using

b. Change the hostname and port to those of your Web Dispatcher

c. Press Enter

d. Log in to your NetWeaver system

4. Click on Metadata as shown below

Figure 89 Accessing Metadata for Web Dispatcher SAML2 configuration


5. Click on Download Metadata

Figure 90 Downloading Metadata for SAML2 for the Web Dispatcher

6. Save it on your local disk

Uploading Metadata into the Identity Provider

1. Go back to our Identity Provider

2. Once logged in to your Identity Provider, expand Applications & Resources

3. Click on Applications

4. Make sure you are on the application that you already configured for SAML and select SAML 2.0 Configuration as shown below:

Figure 91 SAML 2.0 Configuration Screen


5. Scroll up until you see Define from Metadata and click on Browse as shown below:

Figure 92 Uploading Service Provider Metadata

6. Provide the Metadata file of the service provider from the previous step

7. Verify that the URL has been updated to the Web Dispatcher URL by scrolling down to the section Assertion Consumer Service Endpoint; the new URL should appear as shown below:

Figure 93 URL of the Assertion Consumer Service Endpoint

8. Save your changes

Testing Fiori Launchpad using Web Dispatcher and SAML2

1. Test your new configuration by accessing Fiori Launchpad using the Web Dispatcher URL

2. The browser should now redirect you to your Identity Provider

3. Log in with your Identity Provider user ID and password


4. After successful login, Fiori Launchpad home page should be displayed

Figure 94 Accessing Fiori Launchpad using Web Dispatcher with SAML2


Chapter 5 Troubleshooting

In this chapter, we discuss the issues an administrator may face during the configuration process.

Error 1 - Signature verification of metadata was not successful

This issue occurs if you downloaded the metadata of the Identity Provider and tried to upload it into the Service Provider; you may see the error below:

Figure 95 Error 1 Signature verification issue

Solution:

Instead of uploading the metadata, select the option to enter the Identity Provider details manually, as discussed in Chapter 1, section Importing Identity Provider Certificate into Service Provider. Keep in mind that the signature check you are bypassing is what proves the metadata came from your IDP: when you enter the details manually, obtain the IDP signing certificate over a trusted channel and compare its fingerprint with the one shown in the Identity Provider before you save.


Error 2 – No RelayState mapping found for RelayState value ….

Solution:

There are two possible causes for this error. We start with the first one.

The user is accessing Fiori Launchpad through a URL whose protocol or hostname does not match the URL under the Assertion Consumer Service Endpoint. To verify, do the following:

1. Log in to your SAP Identity Provider

2. Click and expand Applications & Resources

3. Click on Applications

4. Click on SAML 2.0 Configuration

5. Scroll down to Assertion Consumer Service Endpoint

6. If the protocol and hostname of this URL do not match the protocol and hostname of the Fiori Launchpad URL, either update the Assertion Consumer Service Endpoint (by re-uploading the Service Provider metadata, as in Chapters 3 and 4) or change the Fiori Launchpad URL protocol and hostname to match the Assertion Consumer Service Endpoint

The second cause: no RelayState mapping has been created.

To fix this, follow step 55 in Chapter 1, section “Importing Identity Provider Certificate into Service Provider”
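The following is an added example, not part of the SAP guide, that automates the verification behind Error 2 and the "verify the URL got updated" steps of Chapters 3 and 4: it reads the AssertionConsumerService locations from the Service Provider metadata you downloaded from /sap/saml2/sp/metadata and compares their scheme, hostname and port with the URL users type for Fiori Launchpad. It also flags a launchpad reached over plain HTTP, since the SAML assertion and session cookie are then unencrypted. The embedded metadata is a constructed sample; the entity ID, hostname, ports and the /sap/saml2/sp/acs/100 path are placeholders, not values from the guide.

```python
"""Compare the ACS endpoints in Service Provider SAML2 metadata with the
Fiori Launchpad URL. Added example, not from the SAP guide."""
import xml.etree.ElementTree as ET
from typing import List, Tuple
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample of the relevant part of SP metadata (placeholder values).
SAMPLE_SP_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="GW1_SP">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://gwhost.example.com:8000/sap/saml2/sp/slo/100"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://gwhost.example.com:8000/sap/saml2/sp/acs/100" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

LAUNCHPAD_PATH = "/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html"


def acs_locations(metadata_xml: str) -> List[str]:
    """Location attribute of every AssertionConsumerService in the metadata."""
    root = ET.fromstring(metadata_xml)
    return [e.get("Location", "") for e in root.iter(f"{{{MD_NS}}}AssertionConsumerService")]


def _origin(url: str) -> Tuple[str, str, int]:
    """(scheme, host, port) with the default port filled in, for comparison."""
    p = urlsplit(url)
    port = p.port or (443 if p.scheme.lower() == "https" else 80)
    return (p.scheme.lower(), (p.hostname or "").lower(), port)


def check_launchpad_url(launchpad_url: str, metadata_xml: str) -> List[str]:
    """Problems that show up as 'No RelayState mapping found' or as a
    plaintext-assertion risk. An empty list means the origins agree."""
    problems: List[str] = []
    target = _origin(launchpad_url)
    acs = acs_locations(metadata_xml)
    if not acs:
        return ["metadata contains no AssertionConsumerService"]
    if not any(_origin(a) == target for a in acs):
        problems.append(
            f"launchpad origin {target} matches none of the ACS endpoints {acs}; "
            "re-download the SP metadata through the URL users actually use and upload it to the IDP")
    if target[0] != "https":
        problems.append("launchpad is reached over plain HTTP: the SAML assertion and session cookie travel in clear")
    return problems


if __name__ == "__main__":
    for url in ("http://gwhost.example.com:8000" + LAUNCHPAD_PATH,
                "https://wdhost.example.com:44300" + LAUNCHPAD_PATH):
        print(url)
        for problem in check_launchpad_url(url, SAMPLE_SP_METADATA) or ["ok"]:
            print("  -", problem)
```

Point it at the metadata file saved in step 8 of Chapter 3 or step 6 of Chapter 4 and at the URL from the user's browser; a hostname or scheme mismatch in the output is exactly the first cause of Error 2.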

Error 3 – HTTP Status 400 – Service Provider SLO endpoint has not received SAML2 message

The reason for this error is that the Logoff Page was configured to redirect to the SAML2 Logout Endpoint, instead of the Logon Errors redirect being set as described in Chapter 2.

Solution:

To fix the issue, refer to Chapter 2, section Configuring Single Logout Endpoint