AWS IAM Identity Center (successor to AWS SSO) Integration Guide for SAP Fiori ABAP

Introduction

This document helps you configure IAM Identity Center to facilitate single sign-on (SSO) for SAP Fiori ABAP using SAML.

Topics

Prerequisites

You’ll need the following to set up SSO access to SAP Fiori ABAP:

Setup instructions

  1. On the Configure page, in the Details section, fill in the Display name and the Description(optional) of the application.

Note

We suggest that you choose a unique display name if you plan to have more than one of the same application.

Note

The instructions shared in this example is setting up in SAP Fiori ABAP.

  1. Login to your SAP ABAP as an administrator.

  2. In the command box, go to transaction rz10 by typing in rz10. Then open the DEFAULT profile.

  3. Select Extended maintenance, then choose Change.

  4. Add the following parameters :

Parameter Name Parameter Value
login/create_sso2_ticket 2
login/accept_sso2_ticket 1
login/ticketcache_entries_max 1000
login/ticketcache_off 0
login/ticket_only_by_https 1
icf/set_HTTPonly_flag_on_cookies 0
icf/user_recheck 1
http/security_session_timeout 1800
http/security_context_cache_size 2500
rdisp/plugin_auto_logout 1800
rdisp/autothtime 60
  1. In the command box, go to transaction smicm by typing in smicm. Ensure the HTTPS protocol is in an active state.

  2. In the command box, go to transaction sicf by typing in sicf. Activate the two required services by, right clicking on SAML2 and cdc_ext_service then choose Activate Service.

  3. Next, In the command box, go to transaction SAML2 by typing in SAML2.

  4. Login to the SAML2 page with your administrator account.

  5. Select Enable SAML 2.0 Support, then choose Create SAML 2.0 Local Provider.

  6. Enter the Provider Name, example AWSSSO, then choose Next.

  7. For the Miscellaneous, choose Next.

  8. For the Service Provider Settings, choose Finish.

  9. Download the metadata, by clicking on Metadata, then choose Download Metadata.

  10. Download the IAM Identity Center Metadata file from the URL below:

  1. Click on the Trusted Providers tab, choose Add, then upload IAM Identity Center metadata file downloaded in previous step. Choose Next.

  2. Add Alias example AWSSSO, then choose Next, then Next again.

  3. For Single Sign-On Endpoints choose HTTP-POST, choose Next.

  4. For Single Log-Out Endpoints choose HTTP-Redirect, choose Next.

  5. For Artifact endpoints, choose Next, then choose Finish.

  6. Choose the Trusted Providers tab, click Edit, add Unspecified, then choose Ok.

  7. Then under Details of NameID Format "Unspecified", Next to User ID Mapping Mode, choose Email. Then Save and Enable.

  8. Go back to the IAM Identity Center console page where you are configuring the Application.

  9. Under Application Properties, enter the SAP Fiori ABAP URL in the Application start URL field:

Field Value
Application start URL SAP Fiori ABAP URL
  1. Under Application metadata, choose Browse and select the Metadata downloaded in step 14.

  2. Choose Save Changes.

  3. Assign a user to the application in IAM Identity Center.

  4. Login to SAP ABAP as an administrator, in the command box, go to transaction su01.

  5. Next, create a new or edit an existing user. In the properties of the user, fill in the E-mail Address field. Ensure the E-mail Address entered matches the email address of the user assigned to the SAP application in IAM Identity Center.

Verification

Use the following sections to verify the SSO integration.

Note

Ensure that the user performing the verification is logged out of both IAM Identity Center and the application before performing the steps in each section.

Verifying SSO from IAM Identity Center

  1. Access the AWS access portal using the credentials of a user assigned to the SAP Fiori ABAP application.

  2. In the list of applications, choose SAP Fiori ABAP to initiate a login to SAP Fiori ABAP.

  3. Click on Continue.

  4. If login was successful you will be signed-in to the SAP Fiori ABAP account.

Troubleshooting

If sign in was not successful, please see the troubleshooting steps.

Troubleshooting

Error Issue Solution
Other When IAM Identity Center creates a SAML Assertion for a user, it uses the value of the 'email' field (if they are present) from the connected directory to populate the 'Email' in the SAML assertion. Many service providers expect these attributes to contain the user’s email address. By default your directory is configured to send 'windowsUPN' in both fields. Your directory may be configured to contain the users email in the 'Email' attribute instead. If so, you may need to change this in your Connected directory settings.

For general troubleshooting problems, please refer to Troubleshooting Guide.

User Provisioning Types

There are two user provisioning you need to aware of: