Contact usDemo App

Single Sign On

PreBilt is a standalone SAPUI5 application which can be deployed to SAP to leverage the existing Single Sign-On (SSO) infrastructure configured in SAP for web applications. This guide explains how PreBilt utilizes SAP's web application SSO to provide seamless authentication.

Prerequisites

UI5 and System Setup

  • UI5 add-on installed

  • Sufficient authorisation to execute /UI5/UI5_REPOSITORY_LOAD

  • Transport creation authorisation (transactions SE09 and SE10)

  • SICF administration authorisation (needed for activating services including SSO-related endpoints such as sap/bc/ui2/login, sap/public/myssocert, etc.)

SSO product and authentication infrastructure

  • SAP SSO (Secure Logon Server, Logon Client)

  • Authentication methods used:

    • X.509 certificates

    • Kerberos

    • SAML 2.0

    • SAP Logon Tickets

Identity Providers and Trust Setup

  • If using SAML-based SSO, you need an identity provider (e.g., SAP Identity Authentication, Entra ID)

  • Configuration in SAP is needed

  • Must work with chosen authentication method (SNC, SAML, SPNEGO)

  • User mapping – Users in SAP must match users in the identity provider

  • Certificates required in SAP to establish trust between SAP and the IDP or Secure Logon Server

  • Parameters required for SNC, SAML, HTTPS, etc.

Frontend changes

PreBilt is designed to authenticate via SAP username and password by default. To enable SSO, some minor changes to the frontend application can be made.

Changes to tctm_settings.js

As the frontend application will be deployed to the SAP system you can set the path in the tctm_settings.js file to be a relative URL. This means the URL will be correct throughout the SAP landscape.

Changes to index.html

Remove this section of code from index.html as per the screenshot.

// If NOT Movilizer, then show the login immediately
if (tctm_settings.platform !== "Movilizer") {
    // Hide menu, Show login
    document.getElementById("content").style.display = "none";
    document.getElementById("content_login").style.display = "";
    document.getElementById("login_username").focus();

Add a call to doLogin(). This will load the main menu immediately as the user has been logged in via Single Sign On by this point.

Changes to tctm_apps.js

Logging out of the application should be handled in the logout function in tctm_apps.js. This can vary based on the Single Sign On provider. As an example, when using Microsoft Entra, a redirect to the Entra sign out page can be used. This URL should contain the actual tenant id.

ICF service changes

The tctm_wm ICF service is configured by default to use “Alternative Logon Proceedure”. This should be changed to “Standard” to enable Single Sign On. This is typically done by copying the node to the your namespace. The path in tctm_settings.js should be changed to point to this new ICF node.

Deployment

Access the upload program

  • Log into SAP GUI

  • Navigate to transaction SE38

  • Enter program name: /UI5/UI5_REPOSITORY_LOAD

  • Click 'Execute' (F8)

Configure upload parameters

On the selection screen, enter:

  • Name of the BSP Application: Your application name, ZTCTM_WM_UI

  • Description: Brief description of your application

  • Package: The transport package, usually ZTCTM_WM

  • Workbench Request: Your transport request number

  • External Codepage: Blank or UTF-8 (typically)

  • Folder with Application Data: Browse to your local TCTM_WM_UI folder

Execute the upload

Review all the parameters and press 'Execute' (F8). The program will:

  • Create the BSP application if it doesn't exist

  • Upload all files from your local folder

  • Register the application in the SAP repository

Verify the upload

  • Go to transaction SE80

  • Select "BSP Application" from the dropdown

  • Enter your BSP application name

  • Check that all files are uploaded correctly

Test your application

  • Navigate to transaction SICF

  • Find your service under: sap/bc/ui5_ui5/sap/ztctm_wm_ui

  • Right-click and select "Test Service"

  • Your Fiori app should open in a browser

Testing & troubleshooting

PreBilt uses the existing Single Sign On settings configured in SAP for web applications. The existing setup can be tested and inspected by running an existing web application such as Fiori Launchpad. Single Sign On is a broad term that covers many technologies and as such can vary from customer to customer.

Checking system specific settings in SICF

Accessing Fiori Launchpad Configuration

1

Navigate to transaction SICF

  1. Enter transaction SICF

  2. This opens the HTTP Service Hierarchy Maintenance

2

Locate the Fiori Launchpad Service

  1. Navigate to /sap/bc/ui2/flp or search using Ctrl+F for "flp"

  2. The main Fiori Launchpad service node

3

Check service configuration

  1. Right-click on the service node

  2. Select "Display Service"

  3. Review the configuration tabs

Key configuration areas to check

Logon Data tab

This tab reveals the authentication method.

  • Procedure: Shows active authentication method

    • Standard SAP Logon

    • Alternative Logon Procedure

    • SSO Authentication

  • Security Requirement: SSL requirements

  • Logon Procedure List: Priority of authentication methods

Security requirements

  • SSL: Whether HTTPS is mandatory

  • Client Certificate: Certificate requirements

  • Standard/Service User: Default user configurations

Error pages tab

  • Custom error pages for authentication failures

  • Redirect URLs for SSO scenarios

  • Customer-specific messaging

Handler List tab

Check for custom handlers:

  • CL_HTTP_EXT_SAML2 - SAML authentication

  • CL_HTTP_EXT_KERBEROS - Kerberos/SPNEGO

  • Custom handler classes - Customer-specific implementations

Identifying system specific configurations

System-wide settings

Check these transactions for global SSO configuration:

  1. SAML2 - SAML 2.0 Configuration

    1. Local Provider settings

    2. Trusted Providers

    3. Identity Provider connections

  2. STRUST - Trust Manager

    1. SSL certificates

    2. Certificate-based authentication

    3. PSE management

  3. SICF_SESSIONS - Session Management

    1. Session timeout settings

    2. Cookie configurations

    3. Security session parameters

  4. SSO2 - Generate SAP Logon Ticket

    1. Ticket validity

    2. System PSE

    3. Access control lists

Common Customer Variations

  1. Multi-Factor Authentication

    1. Additional authentication steps

    2. Integration with MFA providers

    3. Custom challenge handlers

  2. Session Management

    1. Timeout variations

    2. Re-authentication requirements

    3. Session persistence settings

  3. URL Parameters

    1. Custom URL parameters for SSO

    2. Deep linking configurations

    3. Target system parameters

  4. Browser Requirements

    1. Specific browser configurations

    2. Cookie settings

    3. JavaScript requirements

Troubleshooting Tips

Check Authentication Flow

  1. Enable HTTP trace in transaction SICF

  2. Review ICM logs (transaction SMICM)

  3. Check security audit log (transaction SM20)

  4. Review system log (transaction SM21)

Testing Authentication

  1. Use SICF "Test Service" with different browsers

  2. Check with and without existing sessions

  3. Test from different network zones

  4. Validate with various user types

Remember that each implementation can be unique based on security requirements, existing infrastructure, and compliance needs. Always document findings and coordinate with your security team when making changes to authentication configurations.

PreviousSupported UI5 versionsNextHardware

Last updated

Was this helpful?