Ipsita_Behera
Setting up SSO for the various connections of an S/4HANA RISE system can be a daunting task in the initial phase of a project. The best practices for SSO in an S/4HANA RISE environment can be found in this blog post, which describes the various SSO approaches available for S/4HANA RISE (Private Edition).

In this blog post we have consolidated various SAP knowledge resources and lessons learnt while connecting S/4HANA (RISE Private Edition) to Okta using SAP IAS as a proxy.

1 System Considerations:

  • Backend is S/4HANA RISE Private Edition

  • SAP Cloud Identity Services (SAP IAS/IPS)

  • SAP BTP (in case automatic provisioning of users from S/4HANA to SAP IAS is required)

  • Okta


2 Scenario

  • The use case below is IdP-initiated SSO for SAP Fiori using Okta




3 Process to Integrate S/4HANA with SAP IAS

The whitepaper describing the process is available at https://wiki.scn.sap.com/wiki/x/7YawHQ

A few considerations while performing the setup:

  • While creating the application in IAS, upload the S/4HANA metadata using the Web Dispatcher / load balancer URL if one is in place as per the architecture.

  • Add the Fiori URL as one of the Assertion Consumer Service Endpoints in the IAS tenant (its index number will be used later in the Okta configuration).



Example : https://<Load Balancer URL>/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html?sap-client=<Client Number>&sap-language=EN


  • The Subject Name Identifier in IAS for the S/4HANA application should be set to E-Mail if Okta also uses the email address to identify the user.





  • The IAS metadata can be uploaded into S/4HANA instead of creating the trusted provider manually.

  • A few parameters to verify in the S/4HANA SAML2 configuration:


In Local Provider --> Service Provider Setting



In Trusted providers --> Identity Federation

User ID Mapping Mode is set to E-Mail if Okta uses the email address to verify the identity of the user.


In Trusted provider -->  Signature and Encryption

  • If an alias is used for the Fiori URL, change the logon method for the alias in SICF as well. In our case we were using /sap/bc/ui5_ui5/ui2/ushell/shells/abap as an alias for /default_host/sap/bc/ui2/flp.





  • For the SICF services, SAML should also be the preferred method under the Logon Procedure List.




4 Connect Okta to Identity Authentication

The blog post that can be followed for the initial setup is https://blogs.sap.com/2020/07/10/connect-okta-to-sap-cloud-platform-identity-authentication-service/

  • As our use case is IdP-initiated, the following URLs can be used on the Okta side:


Single Sign on URL : https://<XXXXXX>.accounts.ondemand.com/saml2/idp/acs/<XXXXXX>.accounts.ondemand.com?sp=<ProviderName...

Requestable SSO URLs : https://<XXXXXX>.accounts.ondemand.com/saml2/idp/acs/<XXXXXX>.accounts.ondemand.com

Recipient URL and Destination URL:

https://<XXXXXX>.accounts.ondemand.com/saml2/idp/acs/<XXXXXX>.accounts.ondemand.com?sp=<ProviderName...

Audience Restriction  :  https://<XXXXXX>.accounts.ondemand.com

https://<XXXXXX>.accounts.ondemand.com : Tenant URL of SAP IAS (can be found under Tenant Settings --> Identity Provider Settings --> Name)

sp=<ProviderName> : This is the provider name from the SAML2 configuration in S/4HANA, which is also reflected under the application in IAS

index=1 : This is the index number of the Fiori URL in the Assertion Consumer Service Endpoints section of the application in IAS
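To make the Okta-side values above concrete, here is an added example (not code from the original post) that derives them from the IAS tenant host, the S/4HANA provider name and the ACS index, and then checks the Destination, Recipient and Audience of a SAML Response against them, so a mismatched Audience (the situation covered by SAP Note 2693814) is caught before users see a logon error. The tenant host, provider name and index are constructed sample values, and the exact "?sp=...&index=..." query layout is an assumption based on the sp= and index= entries shown above.

```python
# Added example, not from the original post: derive the Okta-side SAML values for the
# IAS-as-proxy setup described above and check a SAML Response against them.
# Assumptions: tenant host, provider name and index are constructed sample values;
# the "?sp=...&index=..." query layout is assumed from the sp= and index= entries above.
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def expected_okta_values(tenant_host, provider_name, index):
    # Values to enter in the Okta app: the IAS tenant ACS, plus sp/index for the S/4HANA app.
    acs = f"https://{tenant_host}/saml2/idp/acs/{tenant_host}"
    sso = f"{acs}?{urlencode({'sp': provider_name, 'index': index})}"
    return {"single_sign_on_url": sso, "requestable_sso_url": acs,
            "recipient_url": sso, "destination_url": sso,
            "audience": f"https://{tenant_host}"}

def check_response(xml_text, expected):
    # Return mismatches between Destination/Recipient/Audience and the expected values.
    # Empty list: the assertion is addressed to IAS correctly. A wrong Audience is the
    # "Service Provider does not match specified audience" case (SAP Note 2693814).
    root = ET.fromstring(xml_text)
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    aud = root.find(".//saml:AudienceRestriction/saml:Audience", NS)
    found = {"destination_url": root.get("Destination"),
             "recipient_url": scd.get("Recipient") if scd is not None else None,
             "audience": aud.text.strip() if aud is not None and aud.text else None}
    return [f"{k}: got {v!r}, expected {expected[k]!r}"
            for k, v in found.items() if v != expected[k]]

# Constructed sample: Destination/Recipient are right, but Audience was left at the provider name.
_ACS = ("https://example-tenant.accounts.ondemand.com/saml2/idp/acs/"
        "example-tenant.accounts.ondemand.com?sp=S4H_PRD&amp;index=1")
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  Destination="{_ACS}">
  <saml:Assertion>
    <saml:Subject><saml:SubjectConfirmation>
      <saml:SubjectConfirmationData Recipient="{_ACS}"/>
    </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>S4H_PRD</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    exp = expected_okta_values("example-tenant.accounts.ondemand.com", "S4H_PRD", 1)
    for problem in check_response(SAMPLE_RESPONSE, exp):
        print("MISMATCH", problem)
```

Run it against a SAML Response captured with a browser SAML tracer (with signature and attribute values removed) to confirm the three values Okta sends match what the IAS tenant expects.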

 



5 Make Okta the Corporate IdP for S/4HANA in IAS



  • Go to SAP IAS -->  Application --> Click on Application Name --> Conditional Authentication



With this setup in place, you should be able to create a tile in Okta that provides SSO to web-based S/4HANA URLs such as Fiori.

In an upcoming blog post, we plan to share how to automatically provision users from S/4HANA to SAP Cloud Identity Services.

 

Additional resources:

2689013: How to configure SAML2 with SAP Fiori Launchpad and Web Dispatcher

2943651: How to configure Okta as corporate identity provider with Identity Authentication

2693814: Service Provider does not match specified audience in the SAML2Assertion

2332686: SAML2.0 No RelayState mapping found for RelayState value
