AWS for SAP

AWS Single Sign-On integration with SAP Fiori in S/4HANA

April 2021 Update: We are excited to announce that AWS SSO now offers built-in SSO integrations for SAP, so customers can select an SAP template directly in step 4.2 of this blog post instead of the custom template. All other steps remain the same.

As part of Amazon Web Services (AWS) professional services in the SAP global specialty practice, I often assist customers in architecting and deploying SAP on AWS. SAP customers can take advantage of fully managed AWS services such as Amazon Elastic File System (Amazon EFS) and AWS Backup to unburden their teams from infrastructure operations and other undifferentiated heavy lifting.

In this blog post, I’ll show you how to use AWS Single Sign-On (AWS SSO) to enable your SAP users to access your SAP Fiori launchpad without having to log in and out each time. This approach gives your SAP users a better experience while keeping authentication under central enterprise control. With just a few clicks, you can enable a highly available AWS SSO service without the upfront investment and ongoing maintenance costs of operating your own SSO infrastructure. Moreover, there is no additional cost to enable AWS SSO.

Solution overview

The integration between AWS SSO and an SAP Fiori application is based on the industry-standard Security Assertion Markup Language (SAML) 2.0. It works by transferring the user’s identity from the identity provider (AWS SSO) to the service provider (SAP Fiori) through an exchange of digitally signed XML documents.

To configure and test AWS SSO with SAP, you need to complete the following steps:

  1. Activate the required SAP parameters and web services in the SAP system.
  2. Create the SAML 2.0 local provider in SAP transaction SAML2.
  3. Download the SAP local provider SAML 2.0 metadata file.
  4. Configure AWS SSO and exchange the SAML 2.0 metadata files.
  5. Configure the attribute mappings.
  6. Assign users to the application.
  7. Configure the trusted provider in SAP transaction SAML2.
  8. Enable the identity provider.
  9. Configure identity federation.
  10. Test your SSO.

Step 1. Activate the required SAP parameters and web services in the SAP system

  1. Log in to the business client of your SAP system. Validate the single sign-on parameters in the SAP S/4HANA system by using SAP transaction RZ10. Here are the profile parameters I used:
    login/create_sso2_ticket = 2
    login/accept_sso2_ticket = 1
    login/ticketcache_entries_max = 1000
    login/ticketcache_off = 0
    login/ticket_only_by_https = 1
    icf/set_HTTPonly_flag_on_cookies = 0
    icf/user_recheck = 1
    http/security_session_timeout = 1800
    http/security_context_cache_size = 2500
    rdisp/plugin_auto_logout = 1800
    rdisp/autothtime = 60

  2. Ensure that the HTTPS services are active by using SAP transaction SMICM. In this example, the HTTPS port is 44300 with a keep alive time of 300 seconds and a processing timeout of 7200 seconds.
    [Screenshot: ICM monitor service display]
  3. Use SAP transaction SICF to activate the following two Internet Communication Framework (ICF) services:
    • /default_host/sap/public/bc/sec/saml2
    • /default_host/sap/public/bc/sec/cdc_ext_service

Step 2. Create the SAML 2.0 local provider in SAP transaction SAML2

  1. In the business client of the SAP system, go to transaction code SAML2. It will open a user interface in a browser. In this example, the SAP business client is 100. For Enable SAML 2.0 Support, choose Create SAML 2.0 Local Provider.
    [Screenshot: Enable SAML 2.0 Support]
    You can select any provider name and keep the clock skew tolerance as the default 120 seconds.
  2. Choose Finish. When the wizard finishes, you will see the following screen.
    [Screenshot: SAML 2.0 support enabled]

Step 3. Download the SAP local provider SAML 2.0 metadata

Choose the Metadata tab, and download the metadata.

[Screenshot: Metadata tab for downloading the SAML metadata]

Step 4. Configure AWS SSO

  1. In the AWS SSO console, in the left navigation pane, choose Applications. Then choose Add a new application.
    [Screenshot: Add a new application]
  2. In the AWS SSO Application Catalog, choose Add a custom SAML 2.0 application from the list.
    [Screenshot: Add a custom SAML 2.0 application]
  3. On the Configure Custom SAML 2.0 application page, under Details, type a Display name for the application. In this example, I am calling my application S/4HANA Sales Analytics.
    [Screenshot: Details section]
  4. Under AWS SSO metadata, choose the Download button to download the AWS SSO SAML metadata file.
    [Screenshot: AWS SSO metadata download]
  5. Under Application properties, in the Application start URL box, enter the Fiori application URL. The standard Fiori launchpad URL is https://<hostname>:<https port>/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html?sap-client=<client number>. I am using the default values for the Relay state and Session duration.
    [Screenshot: Application properties section]
  6. Under Application metadata, upload the local provider metadata that you downloaded in step 3.
    [Screenshot: Uploading the SAML metadata file from SAP]
  7. Choose Save changes.

Step 5. Configure the attribute mappings

In this example, the user mapping will be based on email.

  1. On the Attribute mappings tab, enter ${user:subject} and use the emailAddress format.
    [Screenshot: Attribute mappings]
  2. Choose Save changes.

Step 6. Assign users to the application

On the Assigned users tab, assign any user who requires access to this application. In this example, I am using an existing user in AWS SSO. AWS SSO can be integrated with Microsoft Active Directory (AD) through AWS Directory Service, enabling users to sign in to the AWS SSO user portal by using their AD credentials.

[Screenshot: Assigned users tab]

Step 7. Configure the trusted provider in SAP transaction SAML2

  1. Go to SAP transaction code SAML2 and choose the Trusted Providers tab.
    [Screenshot: Trusted Providers tab]
  2. Upload the AWS SSO SAML metadata file that you downloaded in step 4.
    [Screenshot: Selecting the metadata file]
  3. Choose Next for Metadata Verification and Select Providers.
  4. For Provider Name, enter any alias as the trusted identity provider.
    [Screenshot: Provider Name]
  5. For Signature and Encryption, change the Digest Algorithm to SHA-256 and keep the other configurations as default.
    [Screenshot: Signature and Encryption]
    SHA-256 belongs to the SHA-2 family that succeeded SHA-1 and is a strong, widely supported choice for signature digests.
  6. For Single Sign-On Endpoints, choose HTTP POST.
    [Screenshot: Single Sign-On Endpoints]
  7. For Single Sign-On Logout Endpoints, choose HTTP Redirect.
    [Screenshot: Single Sign-On Logout Endpoints]
  8. For Artifact Endpoints, keep the default.
    [Screenshot: Artifact Endpoints]
  9. For Authentication Requirements, leave everything as default and choose Finish.
    [Screenshot: Authentication Requirements]

Step 8. Enable the identity provider

  1. Under List of Trusted Providers, choose the identity provider that you created in step 7.
  2. Choose Enable to enable the trusted provider.
    [Screenshot: Enable the trusted provider]
  3. Confirm that the identity provider is active.
    [Screenshot: Trusted provider shown as active]

Step 9. Configure identity federation

Identity federation provides the means to share identity information between partners. To share information about a user, AWS SSO and SAP must be able to identify the user, even though they may use different identifiers for the same user. The SAML 2.0 standard defines the name identifier (name ID) as the means to establish a common identifier. In this example, I use the email address to establish a federated identity.

[Figure: Identity federation diagram]

  1. Choose the identity provider that you enabled in step 8, and choose Edit.
    [Screenshot: Edit trusted provider]
  2. On the Identity Federation tab, under Supported NameID Formats, choose Add.
    [Screenshot: Add a NameID format]
  3. Select E-mail in the Supported Name ID Formats box.

    This automatically sets the User ID source to Assertion Subject Name ID and the User ID Mapping Mode to Email.
    [Screenshot: NameID format details]
  4. Choose Save.
  5. In your SAP application, use SAP transaction SU01 to confirm that the user email address matches the one in your AWS SSO directory.
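As an added example that is not part of the original post, the following Python checks the properties that steps 2, 7 and 9 configure on the SAP side against a constructed assertion: the trusted issuer, the SHA-256 digest algorithm, the e-mail NameID format, the 120-second clock skew tolerance and the audience. The issuer URL, local provider name and user address are placeholders, and the XML signature itself is not verified here (the SAP SAML2 runtime does that).

```python
# Added example: sanity checks on a SAML 2.0 assertion from AWS SSO, mirroring
# the SAP trusted-provider settings in the post. Sample assertion is constructed;
# issuer and local provider values are placeholders. Signature verification omitted.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SHA256_DIGEST = "http://www.w3.org/2001/04/xmlenc#sha256"          # step 7.5
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"  # steps 5, 9
CLOCK_SKEW = timedelta(seconds=120)                                 # step 2 default

SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_c1" Version="2.0"
  IssueInstant="2021-04-01T10:00:00Z">
  <saml:Issuer>https://portal.sso.example.com/saml/assertion/PLACEHOLDER</saml:Issuer>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_c1">
    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
  </ds:Reference></ds:SignedInfo></ds:Signature>
  <saml:Subject><saml:NameID
    Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2021-04-01T09:59:00Z" NotOnOrAfter="2021-04-01T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>S4H_LOCAL_PROVIDER</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def parse_ts(s):
    """Parse a SAML UTC timestamp into an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, trusted_issuer, local_provider, now):
    """Return a list of problems; an empty list means the assertion passes."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.findtext("saml:Issuer", namespaces=NS) != trusted_issuer:
        problems.append("issuer is not the trusted provider (step 7)")
    digest = root.find(".//ds:DigestMethod", NS)
    if digest is None or digest.get("Algorithm") != SHA256_DIGEST:
        problems.append("digest algorithm is not SHA-256 (step 7.5)")
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID format is not emailAddress (steps 5 and 9)")
    cond = root.find("saml:Conditions", NS)
    # Accept the assertion only within [NotBefore, NotOnOrAfter), widened by the skew.
    if (now + CLOCK_SKEW < parse_ts(cond.get("NotBefore"))
            or now - CLOCK_SKEW >= parse_ts(cond.get("NotOnOrAfter"))):
        problems.append("assertion outside validity window (120 s skew)")
    if local_provider not in [a.text for a in root.findall(".//saml:Audience", NS)]:
        problems.append("audience does not match the SAP local provider")
    return problems
```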

Step 10. Test your SSO

At your AWS SSO start URL, you should see your application. In this example, this is S/4HANA Sales Analytics.

[Screenshot: AWS SSO start URL]

Voilà! Choose the application to open your Fiori launchpad without entering a user name and password.

[Screenshot: SAP Fiori launchpad]

Conclusion

The beauty of this solution is in its simplicity: The AWS SSO service authenticates you, enabling you to log in to your SAP Fiori applications without having to log in and out each time.

AWS SSO supports any SAML 2.0-compliant identity provider, which means that you can use it as a centralized access point for your enterprise applications. AWS SSO also includes built-in SSO integrations with many business applications, such as Salesforce, ServiceNow, and Office 365. This offers a great way to standardize your enterprise application single sign-on process and reduce total cost of ownership.

Patrick Leung is a Senior Consultant in the AWS SAP Global Specialty Practice.