We have seen several blogs and documentation pages from IdP providers that do not help in understanding a SAML2 SSO setup through SAP Web-Dispatcher. In my recent case, I set up SAML2 SSO authentication with Okta as Identity Provider through SAP Web-Dispatcher, using the SAP logon ID as the user identifier rather than an AD account.
SAP GUI Settings -
The settings below are important for launching web URLs from SAP GUI with SAML2 SSO –
For using Microsoft Edge seamlessly, SAP recommends deploying WebView2.
- Deploy WebView2 so that Edge works properly, following the SAP Notes and the Microsoft URL below.
- You will have to work with the client’s IT service desk to roll this setting out to all users. Otherwise, they will face problems with web-based URLs such as BRF+, SAML2, NWBC, WebGUI, or any custom Z-SICF service.
2901278 - SAP GUI HTML Control based on Chromium Edge: Legacy HTML does not work (correctly) / present limitations
2796898 - New and changed features in SAP GUI for Windows 7.70
3043532 - Web Dynpro application opens always in Internet Explorer (IE11) when called from SAPGUI
https://learn.microsoft.com/en-us/microsoft-edge/webview2/
The steps below provide all the necessary information to set up SAML2 SSO authentication with Okta IdP through SAP Web-Dispatcher –
- Case-1: SAP Systems with one MANDT (or SAP Client) used.
1. Make sure you use only one authentication method – SAML2 or SPNEGO. SAP strongly recommends using only one authentication method at a time.
2. In the Web-Dispatcher, maintain the backend systems and make sure the MYSAPSSO2 cookie is passed through, because all web URLs / Okta tiles use the myssocntl SICF service.
3. Go to Tx – SPNEGO and disable/deactivate SPNEGO, or remove its settings completely.
4. Maintain the Web-Dispatcher entries in table HTTPURLLOC via Tx – SE16, in the customer MANDT/client (not client 000).
5. In Tx – SICF, go to the service saml2 and set the logon procedure with priority 1 to SAML Logon.
6. Apply Okta related settings.
Validation required after applying the Okta settings:
- Check parameters:
  * login/ticket_only_by_https = 1
  * login/accept_sso2_ticket = 1
  * login/create_sso2_ticket = 2 or 3
- Check services:
  * SYSTEMLOGINJS (activate the service)
  * saml2 (change the priority of SAML logon)
  * /default_host/sap/bc/webdynpro/sap
  * /sap/public/bc/icf/systemloginjs
  * /sap/public/bc/pictograms
  * /sap/public/bc/ur
  * /sap/public/bc/icons
  * /sap/public/bc/webdynpro
  * /sap/public/bc/webicons
  * /sap/public/icf_info/icr_groups
  * /sap/public/icf_info/icr_urlprefix
  * /sap/public/bc/ping
  * /sap/public/myssocntl
  * /sap/bc/bsp/sap/system_test
  * /sap/bc/webdynpro/sap/configure_application
- Check transactions (Tcodes):
  * SPNEGO
  * SMLG
  * RZ12
  * STRUST / SSO2
  * SNC
- Check tables from SE16:
  * HTTPURLLOC
You may encounter an issue where the SAML2 screen, when accessed through the Web-Dispatcher URL for the backend system, shows blank. Apply the SAP Note below to get to the next screen.
3037454 - ESI - "Logon is being prepared" when accessing SOAMANAGER
7. Ask your Okta administrator to maintain the endpoint URL below in the Okta relay mapping –
https://<Public-ALB>:<port>/sap/saml2/sp/acs/123
or
https://<Web-Dispatcher hostname>:<port>/sap/saml2/sp/acs/123
where 123 stands for the customer’s MANDT/client of the backend SAP system.
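The three profile parameters listed under "Check parameters" in step 6 are easy to get wrong on a system that previously used SPNEGO. As an added example (not part of the original post), the small checker below parses an instance profile in the usual SAP `name = value` layout and reports every parameter that deviates from the values the checklist requires; the profile text is a constructed sample, not taken from a real system.

```python
# Required values from the "Check parameters" list; login/create_sso2_ticket may be 2 or 3.
REQUIRED = {
    "login/ticket_only_by_https": {"1"},
    "login/accept_sso2_ticket": {"1"},
    "login/create_sso2_ticket": {"2", "3"},
}


def parse_profile(text):
    """Parse profile lines of the form 'name = value'; '#' starts a comment.

    A parameter that appears more than once keeps its last value (assumption
    made for this checker, matching how later entries override earlier ones).
    """
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def check_sso_parameters(params):
    """Return (parameter, found, expected) for every deviation from REQUIRED.

    'found' is None when the parameter is absent, i.e. the kernel default applies.
    """
    findings = []
    for name, allowed in REQUIRED.items():
        found = params.get(name)
        if found not in allowed:
            findings.append((name, found, "/".join(sorted(allowed))))
    return findings


# Constructed sample instance profile excerpt with two deviations from the checklist.
SAMPLE_PROFILE = """\
# instance profile excerpt (constructed for this example)
login/ticket_only_by_https = 0   # must be 1 so the logon ticket travels only over HTTPS
login/accept_sso2_ticket = 1
login/create_sso2_ticket = 1     # checklist requires 2 or 3
"""

if __name__ == "__main__":
    for name, found, expected in check_sso_parameters(parse_profile(SAMPLE_PROFILE)):
        print(f"{name}: found {found!r}, expected {expected}")
```

Run it against the output of the actual profile (for example the file shown in RZ10) to confirm the values before testing the Okta tile.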
- Case 2: SAP Systems with multiple MANDT (or SAP Clients) used.
Our customer faced an issue where SAML2 SSO worked for only one client out of three. As a solution, apply the Okta certificate in all three clients after every activation. Follow the SAP Note below for more details and the fix –
3095581 - SAML2.0 ABAP: SAML authentication only works in one client despite SAML is configured in multiple clients
- Case 3: Within Hub/Embedded Fiori, first-level authentication through SAML2 SSO works, but when the application points internally to another Fiori URL it asks for username and password and SSO does not work. Follow the SAP Note below for more details and the fix –
2051210 - Fragments in HTTP URLS are not handled after SAML 2.0 authentication
With this, the SAML2 SSO setup with Okta IdP through the Web-Dispatcher is complete.
Best Regards,
Ashish Verma