Background :
I came across the situation where I needed to implement SSO for the Fiori launchpad. The first thing that came to my mind was to do it through the SAP NW portal, since you can very easily achieve this by setting up SSO between the portal and Fiori. You need to configure SPNEGO on the portal to make this entire thing work.
The user opens the portal URL, which redirects to the Fiori launchpad. The issue with this is that you will have an additional portal page open, which you don't want other users to see if you have published the Fiori launchpad through your company portal or some other web page.
What tools are required?
ADFS system in your organization
Fiori Gateway system
Certificate Signing Authority
How to achieve SSO through SAML?
First, you need to log in to the SAP ABAP/Gateway system that your Fiori Launchpad is served from.
Go to transaction SICF and activate the SAML2 web service.
Once this service is activated you will be able to run SAP transaction SAML2.
HTTPS configuration on ABAP system
Before we run into the configuration, make sure you have HTTPS enabled for your gateway system and that its certificates are signed as below.
Create the profile parameter for HTTPS as below:
icm/server_port_X PROT=HTTPS,PORT=1443,TIMEOUT=600,PROCTIMEOUT=3600
Restart the ICM and check that HTTPS is enabled for your system in transaction SMICM.
SAML configuration on ABAP/Gateway system
Local Provider
Simply run transaction SAML2 and you will see the screen below in your browser. What you need to do is: Enable SAML 2.0 Support --> Create SAML 2.0 Local Provider.
Add the provider name and click Next.
Note: I prefer to put the FQHN as the provider name.
Continue with the default options on the General Settings screen.
Press Finish on the Service Provider Settings screen.
The final configuration of your service provider will look like this:
Trusted Provider
First, download the metadata file from your ADFS.
The link is:
https://<fqdn of ADFS>/FederationMetadata/2007-06/FederationMetadata.xml
Note: the ADFS server is always accessed through HTTPS:// and NOT HTTP://
Go to the Trusted Providers tab and upload the metadata file.
Click Next on the screen.
Provide the signing certificate and click Next.
Note: getting the certificate.
Click Next and provide an alias name.
Click Next on this screen
Click Next
Click Next
Click Next
Select Comparison Method: Better and click Finish.
Your trusted provider setup is almost ready, as below.
Click Edit and add Supported NameID Formats.
I have selected the option as below.
The final screens of the Trusted Provider are as below.
Now save the changes and enable the configuration.
Click OK
The configuration is enabled now.
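Before uploading the ADFS metadata in the Trusted Providers tab, it helps to inspect what the file actually advertises: a signing certificate (needed for the "Provide signing certificate" step), the NameID formats you later select under Supported NameID Formats, and HTTPS-only endpoints as the note above demands. The Python helper below is an added example, not code from the original post or from SAP or Microsoft tooling; it parses a constructed, minimal ADFS-style metadata document in which the host adfs.example.test and the certificate text are placeholders, and reports the problems that would make the trusted-provider setup fail or be unsafe.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 metadata and XML-Signature namespaces used by FederationMetadata.xml
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample, not a real tenant's metadata: a minimal ADFS-style IdP descriptor.
# The HTTP-POST endpoint is deliberately plain http:// so the check below has something to flag.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://adfs.example.test/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC-PLACEHOLDER-BASE64</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.test/adfs/ls/"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://adfs.example.test/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def summarize_idp_metadata(xml_text):
    """Return entityID, signing certs, NameID formats and SSO endpoints from IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this file does not describe an identity provider")
    cert_path = "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    return {
        "entity_id": root.get("entityID"),
        "signing_certs": [c.text.strip() for c in idp.findall(cert_path, NS)],
        "nameid_formats": [f.text.strip() for f in idp.findall("md:NameIDFormat", NS)],
        # key by the short binding name, e.g. "HTTP-Redirect" / "HTTP-POST"
        "sso_endpoints": {s.get("Binding").rsplit(":", 1)[-1]: s.get("Location")
                          for s in idp.findall("md:SingleSignOnService", NS)},
    }


def check_idp_metadata(summary, required_nameid_format):
    """List the problems that would make the Trusted Provider setup fail or be unsafe."""
    problems = []
    if not summary["signing_certs"]:
        problems.append("no signing certificate: ABAP cannot verify assertion signatures")
    if required_nameid_format not in summary["nameid_formats"]:
        problems.append("IdP does not advertise NameID format " + required_nameid_format)
    for binding, location in summary["sso_endpoints"].items():
        if not location.lower().startswith("https://"):
            problems.append(f"{binding} endpoint is not HTTPS: {location}")
    return problems
```

Run it against the real FederationMetadata.xml you downloaded and pass the NameID format you intend to select; an empty list means the file carries everything the SAML2 transaction will ask for.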
Configure ADFS
Go to the Local Provider tab and download the metadata.
Select the All option and download.
Save the file.
Log in to your ADFS server through a remote desktop session and copy metadata.xml to the desktop of the server.
Open the AD FS Management tool from Control Panel\System and Security\Administrative Tools.
Navigate to Trust Relationships >> Relying Party Trusts and Add Relying Party Trust.
Click Start
Provide the metadata file.
Click OK
Provide a name.
Note: I prefer the SAP SID as the name.
For now I am going with the defaults on the next screen; you can select accordingly.
Permit all users
Click Next
Check the tabs inside; you should have the information below.
Click Close
Note: Make sure you have the checkbox selected.
Add Rule
Click Next
Provide the information you previously selected under "Supported NameID formats".
Click Apply and OK
Edit the newly created Relying Party Trust properties.
Go to the Advanced tab and change the Secure hash algorithm to SHA-1.
Note: Match this with what you selected on your ABAP system.
Testing
Open the URL of your SAP WebGUI:
https://HOST:PORT/sap/bc/gui/sap/its/webgui/
Note: If you want to disable SAML2 for your URL, append saml2=disabled to the URL.
Error as below
Apply SAP Note 2447142 - Error in ST program DECOMPRESS_TEXT
Test the URL again and you will be able to log in without a password.
Thank you for reading.
Yogesh