
Enable Azure Active Directory driven Single Sign On on SAP GUI and Fiori launchpad

SBC
Explorer
0 Kudos

Hello,

One of our clients has a requirement to allow Single Sign On for SAP using Azure Active Directory.

Azure documentation clearly lays out the process for SAML and OAuth based SSO for 'web access'. So, we're certain on how to accomplish this for Fiori launchpad and app.

However, how do we set up Kerberos based SSO authentication for SAP GUI access in this scenario? S/4HANA app servers are on Linux just like SAP HANA. Needless to say, we need an easy on the wallet solution but of course remaining compliant with yearly licensing audits.

Please help.

Thanks, S

Accepted Solutions (0)

Answers (4)


SBC
Explorer

Thank you so much guys. Appreciate your input!

Best, Shantanu

patelyogesh
Active Contributor
0 Kudos

Hello Shantanu Bansal

Hope you get a chance to read one of the blogs on SSO for Fiori with Azure AD.

The documentation below has step-by-step instructions on how to achieve this:

https://blogs.sap.com/2017/02/20/your-s4hana-environment-part-7-fiori-launchpad-saml-single-sing-on-...

Thank you

Yogesh

SBC
Explorer
0 Kudos

Thanks Yogesh.

Appreciate the input; however, Bartosz's blog again talks about just SAML for Fiori.

Thanks, Shantanu

Colt
Active Contributor
0 Kudos

Interesting. Yes, using Azure's SAML and OAuth capabilities will help to integrate all web-based SAP applications. As far as I know, the "Seamless SSO" mentioned by Tim still requires a User/Device to be On-Premise-AD joined and is based on the good old Kerberos flow. From my experience, I learned that many organizations are more focused on pure Azure AD environments, and last time I got a similar requirement to solve, where an Azure-joined PC and cloud-only user had to be able to use SAP GUI SSO based on Azure AD pre-authentication. In such a scenario there is no KDC available and you can't make use of an ADAL token or SAML/OAuth for SAP GUI, as SNC only supports X.509 and Kerberos.

With the product SAP SSO 3.0, you can make use of a scenario where you trigger a SAML authentication flow via the client browser against the Azure IDP to receive a short-term X.509 certificate for SAP GUI SSO. That is a valid approach but also has its disadvantages, because you have to build extra infrastructure components and operate them highly available etc.

Here is an older blog about that.

Cheers Colt

tim_alsop
Active Contributor
0 Kudos

I would use a Kerberos SNC library for SAP GUI (Preferably a commercially available and supported library) and then enable Seamless SSO with Azure AD - see https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso

Thanks

Tim