Many topics and blogs have already been published on SAML2 configuration with Azure AD and other IdP providers, but I found a difference between Okta and the other IdP providers while setting up SAML2 Single Sign-On: Okta doesn't let you import the metadata file exported from the SAML2 transaction, whereas the others do.

Let's assume the scenario below for the setup:

[Figure: SAML2 Work Flow]

Once you have successfully set up SAML2 on the local ABAP system and performed the prechecks, the next step is to download the metadata file; it carries the exact values you need to share with the Okta team:

  1. If you are configuring SAML2 (Single Sign-On) for the local connection, download the metadata from the local HTTPS URL and share it with the Okta team.
  2. If you are configuring SAML2 (Single Sign-On) for the Web Dispatcher URL, download the metadata through the complete Web Dispatcher URL and share that with the Okta team. The endpoint URLs inside the metadata are generated from the host and port you downloaded it through, so they must match the URL end users actually reach.
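As an added example (not code from the original post), the Python below reads the SP metadata exported from transaction SAML2, derives the values the Okta app form asks for, and refuses to proceed when the ACS URL inside the metadata still points at the local host rather than the Web Dispatcher host. The metadata document, the host fiori.example.com:44300, client 100 and the provider name S4H_100_SP are constructed for the example and are not values from the original setup.

```python
"""Read the SP metadata exported from transaction SAML2 and derive the
values the Okta app form asks for, checking that the ACS URL points at the
Web Dispatcher host that end users actually reach."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample shaped like the SP metadata the SAML2 transaction exports.
# Hostname, port, client 100 and the provider name are assumptions for the example.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="S4H_100_SP">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://fiori.example.com:44300/sap/saml2/sp/acs/100"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://fiori.example.com:44300/sap/saml2/sp/acs/100"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text):
    """Return entityID, the HTTP-POST ACS URL and the NameID formats the SP offers."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    acs = [
        e.get("Location")
        for e in sp.findall("md:AssertionConsumerService", NS)
        if e.get("Binding") == HTTP_POST
    ]
    if len(acs) != 1:
        raise ValueError("expected exactly one HTTP-POST ACS endpoint, found %d" % len(acs))
    return {
        "entity_id": root.get("entityID"),
        "acs_url": acs[0],
        "name_id_formats": [e.text.strip() for e in sp.findall("md:NameIDFormat", NS)],
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
    }


def okta_form_values(meta, expected_host):
    """Map parsed SP metadata onto the Okta SAML app fields from the blog.

    Raises if the ACS URL was exported through a local host instead of the
    Web Dispatcher host end users reach (step 1 vs step 2 above).
    """
    host = urlparse(meta["acs_url"]).netloc
    if host != expected_host:
        raise ValueError(
            "ACS host %r in metadata != Web Dispatcher host %r; "
            "re-export the metadata via the Web Dispatcher URL" % (host, expected_host))
    return {
        "Single sign-on URL": meta["acs_url"],
        "Destination URL": meta["acs_url"],
        "Audience URI (SP Entity ID)": meta["entity_id"],
        "Name ID format": "Unspecified",
    }


if __name__ == "__main__":
    parsed = parse_sp_metadata(SP_METADATA)
    for field, value in okta_form_values(parsed, "fiori.example.com:44300").items():
        print(f"{field}: {value}")
```

Run it against the real metadata by replacing SP_METADATA with the file you downloaded and expected_host with your Web Dispatcher host:port; the Recipient URL is deliberately left out of the mapping because the post sets it to the Launchpad URL rather than the ACS URL.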

Creating the application manually in Okta requires the information below, so keep it handy.

[Figure: Okta App Screen]

Share the configuration details below with the Okta team so they can generate the IdP metadata file and signing certificate:

Single Sign-on URL – https://<webdispurl:port>/sap/saml2/sp/acs/100 (your ACS URL; 100 is the client in this example)

Untick the checkbox beneath Single Sign-on URL that reuses it as the Recipient URL and Destination URL, so that those two can be entered separately.

Recipient URL – https://<webdispurl:port>/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html (the complete Web Dispatcher URL for end users). Note that the SAML 2.0 Web Browser SSO profile defines Recipient as the assertion consumer endpoint; if the SP rejects the response with a Recipient mismatch, set this to the ACS URL as well.

Destination URL – https://<webdispurl:port>/sap/saml2/sp/acs/100 (your ACS URL)

Name ID Format – Unspecified

SP Entity ID – <Provider Name> (this must be the Local Provider name from transaction SAML2; Okta places it in the assertion's Audience)

[Figure: Local Provider]

Navigate to Local Provider > Service Provider Settings.

Set the ACS Default Application Path to the value below, so that a user who reaches the ACS without a RelayState lands on the Launchpad:

/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html

Also add the RelayState mapping as shown below and save the configuration.

[Figure: ACS and Relay Configuration]

Once you have received the metadata file from the Okta team, import it under Trusted Providers, just as for any other IdP:

[Figure: Okta Metadata import screen]

In the single sign-on endpoint step, keep HTTP Redirect as the selected binding.

[Figure: Okta Import Configuration Screen]

On the following screens we have no logoff or other endpoint URLs from Okta, so leave those settings at their defaults.
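Before clicking through the wizard it is worth reading the Okta metadata once yourself. The Python below is an added example (not code from the original post or from Okta) that extracts the HTTP-Redirect single sign-on endpoint kept above, the SHA-256 fingerprint of the signing certificate SAP will trust, the offered NameID formats, and whether a SingleLogoutService exists at all, which explains why the logoff settings stay at default. The metadata document, the example.okta.com tenant, the app name and the exkEXAMPLE app id are constructed assumptions, and the certificate is a placeholder byte string, not a real X.509 certificate.

```python
"""Inspect the IdP metadata Okta hands back before importing it as a
Trusted Provider: which endpoint uses HTTP-Redirect, which certificate
will sign assertions, and whether a logout endpoint exists."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed placeholder standing in for the base64 DER certificate Okta
# embeds; it is NOT a real X.509 certificate, only bytes to fingerprint.
PLACEHOLDER_CERT_DER = b"constructed placeholder, not a real X.509 certificate"
PLACEHOLDER_CERT_B64 = base64.b64encode(PLACEHOLDER_CERT_DER).decode()

# Constructed sample shaped like Okta's IdP metadata. Tenant, app name and
# the exkEXAMPLE app id are assumptions, not values from the original post.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://www.okta.com/exkEXAMPLE">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {PLACEHOLDER_CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>{NAMEID_UNSPECIFIED}</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="{HTTP_POST}"
        Location="https://example.okta.com/app/example_sap/exkEXAMPLE/sso/saml"/>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://example.okta.com/app/example_sap/exkEXAMPLE/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def cert_fingerprint(b64_text):
    """SHA-256 fingerprint of the DER certificate bytes, colon separated,
    the form you compare against what Okta shows in its admin console."""
    der = base64.b64decode("".join(b64_text.split()))  # drop wrapping whitespace
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def parse_idp_metadata(xml_text):
    """Pull entityID, SSO/SLO endpoints per binding, signing certs and NameID formats."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)}
    slo = {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleLogoutService", NS)}
    certs = [
        cert_fingerprint(c.text)
        for kd in idp.findall("md:KeyDescriptor", NS)
        if kd.get("use") in (None, "signing")  # a KeyDescriptor without 'use' serves both
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    ]
    return {
        "entity_id": root.get("entityID"),
        "sso": sso,
        "slo": slo,
        "signing_fingerprints": certs,
        "name_id_formats": [e.text.strip() for e in idp.findall("md:NameIDFormat", NS)],
        "want_authn_requests_signed": idp.get("WantAuthnRequestsSigned") == "true",
    }


def review_idp_metadata(meta):
    """Return the findings a practitioner checks before clicking Save."""
    findings = []
    if HTTP_REDIRECT not in meta["sso"]:
        findings.append("no HTTP-Redirect SSO endpoint: pick another binding in the wizard")
    if not meta["signing_fingerprints"]:
        findings.append("no signing certificate: assertions cannot be verified")
    if not meta["slo"]:
        findings.append("no SingleLogoutService: leave SAP logout settings at default")
    if NAMEID_UNSPECIFIED not in meta["name_id_formats"]:
        findings.append("IdP does not list the Unspecified NameID format chosen in Okta")
    return findings


if __name__ == "__main__":
    parsed = parse_idp_metadata(IDP_METADATA)
    print("Okta entity ID:", parsed["entity_id"])
    print("HTTP-Redirect SSO URL:", parsed["sso"].get(HTTP_REDIRECT))
    print("Signing cert SHA-256:", parsed["signing_fingerprints"])
    for finding in review_idp_metadata(parsed):
        print("finding:", finding)
```

Only the entry in review_idp_metadata about the missing SingleLogoutService fires on the sample, which matches what the post describes; on real metadata the fingerprint line is the one to compare against the Okta admin console before the certificate is trusted.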

Once the metadata file has been imported successfully, add the supported NameID format as below:

[Figure: Supported NameID Format]

User ID Mapping Mode – Email. Because we have chosen e-mail as the mapping, make sure the e-mail address in each user's SU01 profile is identical to the e-mail address they log in to Okta with, and that no two ABAP users share an address; otherwise the assertion cannot be mapped to a single ABAP user.

Click Save and enable the Trusted Provider.

Now test the SSO configuration:

https://<webdispurl:port>/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html

The URL above should redirect you to the Okta sign-in screen; enter your official e-mail address and password, and Okta returns you to the Fiori Launchpad signed in via Single Sign-On.
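When the redirect to Okta does not behave as expected, the quickest check is to decode what the browser was actually sent. The Python below is an added example (not code from the original post or from SAP) that goes one step beyond the page: it implements the HTTP-Redirect binding encoding (raw DEFLATE, base64, URL-encoding) to construct a sample 302 Location, then decodes it and compares the AuthnRequest's Issuer, AssertionConsumerServiceURL and Destination against the configured SP name, ACS URL and Okta SSO URL. The AuthnRequest, the SP name S4H_100_SP, the hosts and the request ID are constructed assumptions; a real SAP redirect also carries SigAlg and Signature parameters, which this example reports but does not verify.

```python
"""Decode the SAMLRequest that the Fiori Launchpad URL redirects to Okta
with (HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encoded)
and check it names the right SP, ACS URL and IdP endpoint."""
import base64
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import parse_qs, urlencode, urlparse

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Assumed values for the example; substitute your own SP name and hosts.
SP_ENTITY_ID = "S4H_100_SP"
ACS_URL = "https://fiori.example.com:44300/sap/saml2/sp/acs/100"
OKTA_SSO_URL = "https://example.okta.com/app/example_sap/exkEXAMPLE/sso/saml"
LAUNCHPAD_PATH = "/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html"

# Constructed AuthnRequest shaped like the one AS ABAP issues; ID and
# IssueInstant are made up for the example.
AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{NS['samlp']}"
    xmlns:saml="{NS['saml']}" ID="S_constructed_0001" Version="2.0"
    IssueInstant="2022-03-10T10:00:00Z" Destination="{OKTA_SSO_URL}"
    AssertionConsumerServiceURL="{ACS_URL}"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="false"
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
</samlp:AuthnRequest>"""


def encode_redirect(xml_text, sso_url, relay_state):
    """Build the Location header of the 302 to Okta. Used here to construct
    a sample; a real SAP redirect additionally appends SigAlg and Signature."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    query = urlencode({
        "SAMLRequest": base64.b64encode(deflated).decode("ascii"),
        "RelayState": relay_state,
    })
    return f"{sso_url}?{query}"


def decode_redirect(location):
    """Inverse of the binding: pull SAMLRequest out of the URL, inflate it
    and return the fields worth comparing against the configuration."""
    parsed = urlparse(location)
    query = parse_qs(parsed.query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    xml_text = zlib.decompress(raw, -15).decode("utf-8")
    root = ET.fromstring(xml_text)
    policy = root.find("samlp:NameIDPolicy", NS)
    return {
        "endpoint": parsed._replace(query="", fragment="").geturl(),
        "relay_state": query.get("RelayState", [None])[0],
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "name_id_format": policy.get("Format") if policy is not None else None,
        "signed": "Signature" in query,  # presence only; signature is not verified here
    }


def check_redirect(location, sp_entity_id, acs_url, sso_url):
    """Return the mismatches between the redirect and the expected setup."""
    req = decode_redirect(location)
    problems = []
    if req["endpoint"] != sso_url:
        problems.append(f"redirected to {req['endpoint']}, not the Okta SSO URL")
    if req["destination"] != sso_url:
        problems.append("Destination in AuthnRequest differs from the Okta SSO URL")
    if req["issuer"] != sp_entity_id:
        problems.append(f"Issuer {req['issuer']!r} is not the Local Provider name")
    if req["acs_url"] != acs_url:
        problems.append("AssertionConsumerServiceURL differs from the ACS URL given to Okta")
    return problems


if __name__ == "__main__":
    location = encode_redirect(AUTHN_REQUEST, OKTA_SSO_URL, LAUNCHPAD_PATH)
    print(decode_redirect(location))
    print("problems:", check_redirect(location, SP_ENTITY_ID, ACS_URL, OKTA_SSO_URL))
```

To use it on a real system, copy the Location header of the 302 from the browser's network tab (or from curl -sI against the Launchpad URL) into check_redirect; the RelayState it reports should be the Launchpad path configured in the RelayState mapping.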

 

Troubleshooting –

SAP Note 2443156 – SAML 2.0 SSO with AS ABAP – Guided Answers

References –

https://blogs.sap.com/2021/02/18/configure-sso-for-sap-s-4hana-fiori-launchpad-using-saml2-with-azure-ad/

 

Sara Sampaio

Author Since: March 10, 2022