Really informative. I have a requirement for establishing SSO between Azure AD and EC Payroll. Not sure if the application to be created in Azure will be Successfactors or Sap netweaver. Also can we add Azure as Local Service Provider, considering Successfactor is already configured
Hello, In the first minutes of your video, a SAP GUI is shown. Is there a way to also establish SSO with SAPGUI connections , something similar to what exists on Premise using SAP SSO 3.0 for example based on Kerberos ?
Sorry for the late reply. Can you check out this blog blogs.sap.com/2018/08/03/your-sap-on-azure-part-8-single-sign-on-using-azure-ad-domain-services/ which talks about leveraging Azure Active Directory Domain Services with SAP GUI
Very good video...I didnt hear any mention of internal and external URLs, most companies will have azure in the cloud and netweaver on prem, which requires different URLs.
Hi M H, as long as the browser of the user has access to the Internal System and Azure in the Internet this will also work as the integration point is only the browser of the user. The trust between Azure AD and the SAP ABAP System is created by importing the SAML2 Metadata file which contains the Certificates of Azure AD used for signing the SAML assertions. Best regards Gregor
Hi, unfortunately this does not work with SAP GUI. My colleauge just released a blog post that might help, community.sap.com/t5/technology-blogs-by-members/sap-gui-mfa-with-sap-secure-login-service-and-microsoft-entra-id/ba-p/13605383 - Holger.
The video shows how to configure SSO with Azure Active Directory. Are you looking for "only" Active Directory and ABAP? Have you looked at using Kerberos? Potentially with the NetWeaver SSO Product, e.g. help.sap.com/doc/saphelp_nw73ehp1/7.31.19/en-US/c7/b12d71977e4b0682e327b4ecf81e9b/content.htm These videos here also explain this in great detail, blogs.sap.com/2017/07/27/sap-single-sign-on-authenticate-with-kerberosspnego/ - Holger.
Hi Holger, Is there any way to use another field in SAP User Master Data that is not the email address, to perform the mapping between SAP and Azure ? Thank you very much in advance :)
Hi, sorry for the delay. Yes, you can specify almost any field. It just has to be unique between AAD and your SAP system -- so that the mapping can actually happen. - Holger.
I have not worked with the SAP Enterprise Portal in a long time. I think it is still based on the Java stack. The steps outlined here explain the ABAP stack. However, for you should be able to do the same for the Java stack. Maybe this help.sap.com/viewer/e815bb97839a4d83be6c4fca48ee5777/7.5.6/en-US/bc3385f2311a4181bddf0faa2e3e8a9a.html can help. - Holger.
can you please create a video for Using OAuth 2.0 from a Web Application with SAML Bearer Assertion Flow where NW ABAP API is secured by OAUTH and other application as OAUTH client can access that
Hello. It is posible to launch /UI2/FLP transaction with SSO? How to configure it? I need launch that transaction without input the SAP credentials again.
Hi Alex, do you want to have SSO using Kerberos to FLP? For this you might want to check out these great videos / blog posts: blogs.sap.com/2017/07/27/sap-single-sign-on-authenticate-with-kerberosspnego/ - Holger.
Hello, My requirment is SSO configuration using SAML2 via web dispatcher on Azure Active Dicertory. So on Azure Side configuration which Url need to mentained ?
@@SAPonAzure Thank you for reply. We have maintained Web Dispatcher URL in Azure AD as below Sign on URL: Fiori launch pad URL via Web dispatcher URL Reply URL : Same URL as Sign on URL But still when we use Web Dispatcher URL it will ask FIORI username and password .
You could take a look at blogs.sap.com/2020/07/17/principal-propagation-in-a-multi-cloud-solution-between-microsoft-azure-and-sap-cloud-platform-scp/ or also check out the videos that we recorded with Martin, th-cam.com/video/qklktE9FPCI/w-d-xo.html - Holger.
Hi I configured a SAP NW with AZURE IDP the same as the one you do in the video and it works but when trying to use another URL for example the webgui it does not work, also users who are not in the azure domain cannot connect since the SAML is the what a user asks them and not directly from SAP. What I can do?
In order to setup other URLs, depending on the base-URL you might need to add different redirect URLs in your app, or register and create new apps in AAD. For users that are not part of the AAD you need to setup other authorization steps in the URL and then fall-back to them. You can also use the Query parameter saml2=disabled (e.g. sap/opu/odata/sap/EPM_REF_APPS_PROD_MAN_SRV/Products?saml2=disabled) to skip this authentication method. Holger.
Hi , it is possible for the users , after the activation of SSO with azure ( with a SAP FIORI APP SERVER ) , to chose if do the logon without SSO ( directly to SAP ) , or wil be always automatically redirect to azure logon withowt the possibility to logon directly to SAP ?
When calling the service on the SAP side customer can overwrite the SAML configuration using ?saml2=disabled. You might also look into SAP Note 2577263 - SAML2.0: How to disable SAML 2.0 authentication for a particular ICF service in AS ABAP
Hard to tell. Maybe a good point to start would be wiki.scn.sap.com/wiki/display/Security/Troubleshooting+SAML+2.0+Scenarios This might help you to get more information
Dear Bhavya, you have to check that the information that Azure AD puts in the SAML Assertion is matching an Attribute in the SU01 user record. To see what's in the assertion I recommend you to install the SAML Chrome Panel Chrome Extension. chrome.google.com/webstore/detail/saml-chrome-panel/paijfdbeoenhembfhkhllainmocckace Best regards Gregor
Dear Egar, it's exactly the same configuration. What I would do differently though is that I would not create an Enterprise App with a specific URL. Instead I would download the SAML Metadata.xml from the ABAP Backend import that in the Azure AD Enterprise App and configure SSO that way for the whole ABAP Stack für HTTPS access. If you ask for the Windows SAP GUI fat client SSO that is a different story that I would be also interested to get a tutorial for. Best regards Gregor
@@ingedgarsaenz When you have your application servers running on windows there is a free solution when you follow this guide help.sap.com/doc/saphelp_snc_uiaddon_10/1.0/en-US/44/0ebf6c9b2b0d1ae10000000a114a6b/frameset.htm. In more complex scenarios you have to license SAP SSO and check out blogs.sap.com/2017/07/27/sap-single-sign-on-authenticate-with-kerberosspnego/
For a simple SSO this is far to complex. A Trust with e-mail mapping shouldn't i nvolve so many "next " click "next" step. Sure everyone can repeat such steps like a dummy instruction. But it should be more an intuitive way to Setup SSO
Really good video. Excellent demo on how to configure and then test!
This is exactly what I needed. Huge thanks!
Very good Video Thank you
Really informative.
I have a requirement for establishing SSO between Azure AD and EC Payroll. Not sure if the application to be created in Azure will be Successfactors or Sap netweaver.
Also can we add Azure as Local Service Provider, considering Successfactor is already configured
Hello, thanks for the descriptive video, how can one set this up for multiple clients on the same sap system?
Really nice
Thank you it was really helpful
Thanks ,very helpful
excellent video..thank you.
Hello, In the first minutes of your video, a SAP GUI is shown. Is there a way to also establish SSO with SAPGUI connections , something similar to what exists on Premise using SAP SSO 3.0 for example based on Kerberos ?
Sorry for the late reply. Can you check out this blog blogs.sap.com/2018/08/03/your-sap-on-azure-part-8-single-sign-on-using-azure-ad-domain-services/ which talks about leveraging Azure Active Directory Domain Services with SAP GUI
Very good video...I didnt hear any mention of internal and external URLs, most companies will have azure in the cloud and netweaver on prem, which requires different URLs.
Hi M H,
as long as the browser of the user has access to the Internal System and Azure in the Internet this will also work as the integration point is only the browser of the user. The trust between Azure AD and the SAP ABAP System is created by importing the SAML2 Metadata file which contains the Certificates of Azure AD used for signing the SAML assertions.
Best regards
Gregor
Hi is this also working for the SAP GUI? Or do we still need this SAP Secure Login Client for that?
Hi, unfortunately this does not work with SAP GUI. My colleauge just released a blog post that might help, community.sap.com/t5/technology-blogs-by-members/sap-gui-mfa-with-sap-secure-login-service-and-microsoft-entra-id/ba-p/13605383 - Holger.
hi, how to conigure the ABAP system with active directory? We only have ABAP and we need to enable single sing on. Thanks.
The video shows how to configure SSO with Azure Active Directory. Are you looking for "only" Active Directory and ABAP? Have you looked at using Kerberos? Potentially with the NetWeaver SSO Product, e.g. help.sap.com/doc/saphelp_nw73ehp1/7.31.19/en-US/c7/b12d71977e4b0682e327b4ecf81e9b/content.htm These videos here also explain this in great detail, blogs.sap.com/2017/07/27/sap-single-sign-on-authenticate-with-kerberosspnego/ - Holger.
hello..i want to integrate Biller Direct (SAP FSCM) with Azure SSO..any suggestions?
Hi Holger,
Is there any way to use another field in SAP User Master Data that is not the email address, to perform the mapping between SAP and Azure ?
Thank you very much in advance :)
Hi, sorry for the delay. Yes, you can specify almost any field. It just has to be unique between AAD and your SAP system -- so that the mapping can actually happen.
- Holger.
Thank you very much for your feedback Holger !@@SAPonAzure Do you have by any chance any other video on TH-cam or Blog explaing how to do it ?
Great Video. Will this work with SAP Enterprise Portal 7.5?
I have not worked with the SAP Enterprise Portal in a long time. I think it is still based on the Java stack. The steps outlined here explain the ABAP stack. However, for you should be able to do the same for the Java stack. Maybe this help.sap.com/viewer/e815bb97839a4d83be6c4fca48ee5777/7.5.6/en-US/bc3385f2311a4181bddf0faa2e3e8a9a.html can help. - Holger.
@@SAPonAzure Yaah its still based on Java. Let me check the link
can you please create a video for
Using OAuth 2.0 from a Web Application with SAML Bearer Assertion Flow where NW ABAP API is secured by OAUTH and other application as OAUTH client can access that
Hello. It is posible to launch /UI2/FLP transaction with SSO? How to configure it? I need launch that transaction without input the SAP credentials again.
Hi Alex, do you want to have SSO using Kerberos to FLP? For this you might want to check out these great videos / blog posts: blogs.sap.com/2017/07/27/sap-single-sign-on-authenticate-with-kerberosspnego/ - Holger.
Hello,
My requirment is SSO configuration using SAML2 via web dispatcher on Azure Active Dicertory. So on Azure Side configuration which Url need to mentained ?
For this you should take the URL which is used to access the SAP WebDispatcher. - Holger.
@@SAPonAzure Thank you for reply.
We have maintained Web Dispatcher URL in Azure AD as below
Sign on URL: Fiori launch pad URL via Web dispatcher URL
Reply URL : Same URL as Sign on URL
But still when we use Web Dispatcher URL it will ask FIORI username and password .
How do we do it with OAUTH2.0 instead of SAML? to consume ODATA services
You could take a look at blogs.sap.com/2020/07/17/principal-propagation-in-a-multi-cloud-solution-between-microsoft-azure-and-sap-cloud-platform-scp/ or also check out the videos that we recorded with Martin, th-cam.com/video/qklktE9FPCI/w-d-xo.html - Holger.
Hi I configured a SAP NW with AZURE IDP the same as the one you do in the video and it works but when trying to use another URL for example the webgui it does not work, also users who are not in the azure domain cannot connect since the SAML is the what a user asks them and not directly from SAP. What I can do?
In order to setup other URLs, depending on the base-URL you might need to add different redirect URLs in your app, or register and create new apps in AAD.
For users that are not part of the AAD you need to setup other authorization steps in the URL and then fall-back to them. You can also use the Query parameter saml2=disabled (e.g. sap/opu/odata/sap/EPM_REF_APPS_PROD_MAN_SRV/Products?saml2=disabled) to skip this authentication method.
Holger.
Hello, can you give a reply, does the same scheme use between ad and sap enable now ?
Yes, a similar setup would also work with Active Directory on-premises. Holger.
Hi , it is possible for the users , after the activation of SSO with azure ( with a SAP FIORI APP SERVER ) , to chose if do the logon without SSO ( directly to SAP ) , or wil be always automatically redirect to azure logon withowt the possibility to logon directly to SAP ?
When calling the service on the SAP side customer can overwrite the SAML configuration using ?saml2=disabled. You might also look into SAP Note 2577263 - SAML2.0: How to disable SAML 2.0 authentication for a particular ICF service in AS ABAP
IT's not working for me. It asks every time for SAP User name and password. Is there any specific reason?
Hard to tell. Maybe a good point to start would be wiki.scn.sap.com/wiki/display/Security/Troubleshooting+SAML+2.0+Scenarios This might help you to get more information
Dear Bhavya,
you have to check that the information that Azure AD puts in the SAML Assertion is matching an Attribute in the SU01 user record. To see what's in the assertion I recommend you to install the SAML Chrome Panel Chrome Extension. chrome.google.com/webstore/detail/saml-chrome-panel/paijfdbeoenhembfhkhllainmocckace
Best regards
Gregor
It's posible for SAP webGUI, ?
Yes, it should work with SAP WebGUI as well
Dear Egar,
it's exactly the same configuration. What I would do differently though is that I would not create an Enterprise App with a specific URL. Instead I would download the SAML Metadata.xml from the ABAP Backend import that in the Azure AD Enterprise App and configure SSO that way for the whole ABAP Stack für HTTPS access.
If you ask for the Windows SAP GUI fat client SSO that is a different story that I would be also interested to get a tutorial for.
Best regards
Gregor
@@GregorWolf Thank Gregor, Yes, I need SSO for all the ABAP stack, you have any tutorial for this?
@@ingedgarsaenz When you have your application servers running on windows there is a free solution when you follow this guide help.sap.com/doc/saphelp_snc_uiaddon_10/1.0/en-US/44/0ebf6c9b2b0d1ae10000000a114a6b/frameset.htm. In more complex scenarios you have to license SAP SSO and check out blogs.sap.com/2017/07/27/sap-single-sign-on-authenticate-with-kerberosspnego/
For a simple SSO this is far to complex. A Trust with e-mail mapping shouldn't i nvolve so many "next " click "next" step. Sure everyone can repeat such steps like a dummy instruction. But it should be more an intuitive way to Setup SSO
Nothing is easy with SAP. Just nothing.