09-23-2015 8:43 PM
We have implemented SAML 2.0 Web SSO between a NetWeaver system and Microsoft ADFS. ADFS acts as the identity provider. Web SSO is based on a redirect with a POST binding.
We thought everything was working great. All of our SAP-hosted web pages come up without requiring anyone to enter a user name and password. However, now that we are trying to work with SAPUI5, JavaScript, and OData-based web services, we are encountering a problem. Our calls to the OData-based web services do not appear to be authenticated - Basic Authentication prompts are appearing.
If we run the same function without Web SSO, everything works as expected. The initial web server 'hit' generates Basic Authentication prompts. And, once authenticated, the downstream web service call does not generate any authentication prompts.
Comparing the two scenarios using Fiddler, the difference appears to be the MYSAPSSO2 cookie. Basic Authentication to the web page creates the MYSAPSSO2 cookie which satisfies the authentication needs of the web service call. SAML 2.0 Web SSO to the web page does not create the MYSAPSSO2 cookie so the web service requests additional authentication.
Am I misunderstanding something about Web SSO? Is there something I can do to get the Web SSO to generate the MYSAPSSO2 cookie? Is this an authentication handler issue?
10-08-2015 9:06 PM
The short answer to this problem was that we went into SICF for the web service, went to the Logon Data tab, selected Alternate Logon Procedure, and re-ordered the Logon Procedure List and moved SAML Logon to the top of the list (before Basic Authentication). This fixed the problem.
Now, why did this work? First thing is we needed to understand was the difference between the MYSAPSSO2 cookie and a SAP_SESSIONID_<sid>_<client> cookie. Seems that both of these cookies can indicate that a web user has already been authenticated by the SAP system. The Basic Authentication logon procedure both sets and accepts the MYSAPSSO2 cookie. The SAML Logon procedure both sets and accepts the SAP_SESSIONID cookie. I'm not sure why the Basic Authentication logon procedure doesn't accept the SAP_SESSIONID cookie, and I'm also not sure why the SAML Logon procedure is below the Basic Authentication procedure in the list (thus ensuring that it never get executed?).
09-28-2015 9:20 PM
10-08-2015 9:06 PM
The short answer to this problem was that we went into SICF for the web service, went to the Logon Data tab, selected Alternate Logon Procedure, and re-ordered the Logon Procedure List and moved SAML Logon to the top of the list (before Basic Authentication). This fixed the problem.
Now, why did this work? First thing is we needed to understand was the difference between the MYSAPSSO2 cookie and a SAP_SESSIONID_<sid>_<client> cookie. Seems that both of these cookies can indicate that a web user has already been authenticated by the SAP system. The Basic Authentication logon procedure both sets and accepts the MYSAPSSO2 cookie. The SAML Logon procedure both sets and accepts the SAP_SESSIONID cookie. I'm not sure why the Basic Authentication logon procedure doesn't accept the SAP_SESSIONID cookie, and I'm also not sure why the SAML Logon procedure is below the Basic Authentication procedure in the list (thus ensuring that it never get executed?).
11-07-2015 10:54 PM
Hi Steven,
We are having the same issue... We have SAML enable on SAP system but when we try to hit Fiori Launchpad... it is prompting for the SAP ID and password...
In which SICF we have to change the setting to Alternate logon Procedure...
Can you please provide me the SICF path...
Can you pls also send me details of your dispatcher... you can change the hostname for your web dispatcher...
Regards,
Kalpesh Mehta
08-19-2016 11:36 AM
Hello,
We have same issue ...
1. When an user visit launchpad URL, URL will redirect user to identity provider (IDP) for SAML authentication.
2. Then IDP authenticate with SAML2.0 token back to gateway.
3. Gateway accept the SAML2.0 token and issue SSO2 logon ticket.
4. Use logon ticket to back-end SAP BO system
Now the first step above is OK as SAML token can be authenticated back to gateway. however we have now authentication pop-up for user credential on both back-endSAP BO
However, when we disabled SAML SSO works perfectly fine to SAP BO system
Can you please let me know what in whiich SICF service, we need to change ?
Regards,
Kunal Salunkhe
08-23-2016 2:37 PM
First, make sure that your SAML2 service provider is configured to issue logon tickets.
1.Start the SAML 2.0 configuration application (transaction SAML2).
2.On the Local Provider tab, choose the Service Provider Settings tab.
3.Choose the Edit pushbutton.
4.Under Miscellaneous, enter On in the Legacy Systems Support (Issue Logon Ticket) field.
5.Save your entries.
Then you can make sure the logon procedures are in the correct order as described above. For the Fiori Launchpad I think that is something like default host/sap/bc/ui5_ui5/ui2/ushell/shells/abap/.