Sorry for the late reply. Can you check out this blog blogs.sap.com/2018/08/03/your-sap-on-azure-part-8-single-sign-on-using-azure-ad-domain-services/ which talks about leveraging Azure Active Directory Domain Services with SAP GUI

Hi M H, as long as the browser of the user has access to the Internal System and Azure in the Internet this will also work as the integration point is only the browser of the user. The trust between Azure AD and the SAP ABAP System is created by importing the SAML2 Metadata file which contains the Certificates of Azure AD used for signing the SAML assertions. Best regards Gregor

Hi, unfortunately this does not work with SAP GUI. My colleauge just released a blog post that might help, community.sap.com/t5/technology-blogs-by-members/sap-gui-mfa-with-sap-secure-login-service-and-microsoft-entra-id/ba-p/13605383 - Holger.

Hi Alex, do you want to have SSO using Kerberos to FLP? For this you might want to check out these great videos / blog posts: blogs.sap.com/2017/07/27/sap-single-sign-on-authenticate-with-kerberosspnego/ - Holger.

The video shows how to configure SSO with Azure Active Directory. Are you looking for "only" Active Directory and ABAP? Have you looked at using Kerberos? Potentially with the NetWeaver SSO Product, e.g. help.sap.com/doc/saphelp_nw73ehp1/7.31.19/en-US/c7/b12d71977e4b0682e327b4ecf81e9b/content.htm These videos here also explain this in great detail, blogs.sap.com/2017/07/27/sap-single-sign-on-authenticate-with-kerberosspnego/ - Holger.

I have not worked with the SAP Enterprise Portal in a long time. I think it is still based on the Java stack. The steps outlined here explain the ABAP stack. However, for you should be able to do the same for the Java stack. Maybe this help.sap.com/viewer/e815bb97839a4d83be6c4fca48ee5777/7.5.6/en-US/bc3385f2311a4181bddf0faa2e3e8a9a.html can help. - Holger.

@@SAPonAzure Yaah its still based on Java. Let me check the link

Hi, sorry for the delay. Yes, you can specify almost any field. It just has to be unique between AAD and your SAP system -- so that the mapping can actually happen. - Holger.

Thank you very much for your feedback Holger !@@SAPonAzure Do you have by any chance any other video on KZbin or Blog explaing how to do it ?

In order to setup other URLs, depending on the base-URL you might need to add different redirect URLs in your app, or register and create new apps in AAD. For users that are not part of the AAD you need to setup other authorization steps in the URL and then fall-back to them. You can also use the Query parameter saml2=disabled (e.g. sap/opu/odata/sap/EPM_REF_APPS_PROD_MAN_SRV/Products?saml2=disabled) to skip this authentication method. Holger.

For this you should take the URL which is used to access the SAP WebDispatcher. - Holger.

@@SAPonAzure Thank you for reply. We have maintained Web Dispatcher URL in Azure AD as below Sign on URL: Fiori launch pad URL via Web dispatcher URL Reply URL : Same URL as Sign on URL But still when we use Web Dispatcher URL it will ask FIORI username and password .

You could take a look at blogs.sap.com/2020/07/17/principal-propagation-in-a-multi-cloud-solution-between-microsoft-azure-and-sap-cloud-platform-scp/ or also check out the videos that we recorded with Martin, kzbin.info/www/bejne/p5zPnKd7bquDeas - Holger.

Yes, a similar setup would also work with Active Directory on-premises. Holger.

When calling the service on the SAP side customer can overwrite the SAML configuration using ?saml2=disabled. You might also look into SAP Note 2577263 - SAML2.0: How to disable SAML 2.0 authentication for a particular ICF service in AS ABAP

Yes, it should work with SAP WebGUI as well

Dear Egar, it's exactly the same configuration. What I would do differently though is that I would not create an Enterprise App with a specific URL. Instead I would download the SAML Metadata.xml from the ABAP Backend import that in the Azure AD Enterprise App and configure SSO that way for the whole ABAP Stack für HTTPS access. If you ask for the Windows SAP GUI fat client SSO that is a different story that I would be also interested to get a tutorial for. Best regards Gregor

@@GregorWolf Thank Gregor, Yes, I need SSO for all the ABAP stack, you have any tutorial for this?

@@ingedgarsaenz When you have your application servers running on windows there is a free solution when you follow this guide help.sap.com/doc/saphelp_snc_uiaddon_10/1.0/en-US/44/0ebf6c9b2b0d1ae10000000a114a6b/frameset.htm. In more complex scenarios you have to license SAP SSO and check out blogs.sap.com/2017/07/27/sap-single-sign-on-authenticate-with-kerberosspnego/

Hard to tell. Maybe a good point to start would be wiki.scn.sap.com/wiki/display/Security/Troubleshooting+SAML+2.0+Scenarios This might help you to get more information

Dear Bhavya, you have to check that the information that Azure AD puts in the SAML Assertion is matching an Attribute in the SU01 user record. To see what's in the assertion I recommend you to install the SAML Chrome Panel Chrome Extension. chrome.google.com/webstore/detail/saml-chrome-panel/paijfdbeoenhembfhkhllainmocckace Best regards Gregor

Nothing is easy with SAP. Just nothing.