
SAML based SSO not creating the MYSAPSSO2 cookie.


We have set up web single sign-on between an AS ABAP system and a Microsoft ADFS system.  ADFS is the Identity Provider (IP) and SAP is the Service Provider (SP).  This is working great for opening up web content on the SAP system such as the Fiori Launchpad.

 

However, even though we have the profile parameters for SSO set (login/accept_sso2_ticket=1 and login/create_sso2_ticket=2), the MYSAPSSO2 cookie is not being created.  This becomes a problem downstream when we try to run an OData service from JavaScript.  The OData service wants to re-authenticate.

 

This behavior only happens when we invoke the web content directly from the Browser.  If we start the Fiori Launchpad from the SAP GUI using the /uid/flp transactions, the logon ticket (MYSAPSSO2) gets created and the OData call works fine without re-authentication.

 

I can find in the Help documentation ( http://help.sap.com/saphelp_nw70ehp2/helpdata/en/46/631b92250b4fc1855686b4ce0f2f33/content.htm?frameset=/en/bb/1bcf2122fd4a76948816b1342f20d7/frameset.htm&current_toc=/en/1c/ad1640033ae569e10000000a155106/plain.htm&node_id=22&show_children=false ) where it says...

 

"You can configure SAP NetWeaver Application Server (AS) ABAP as a SAML 2.0 service provider. SAP applications can take part in cross-domain SSO. The AS ABAP can also issue logon tickets while operating as a service provider, enabling you to integrate legacy systems in your landscape."

 

That is what I'm trying to figure out.  Why is my AS ABAP system while operating as a service provider not issuing logon tickets?
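One way to confirm the symptom described in this post is to compare the response headers captured at the end of each logon flow. This is an added example, not part of the original post; the flow names, header values, the session cookie name and the domain are constructed placeholders.

```python
from http.cookies import SimpleCookie

TICKET = "MYSAPSSO2"  # logon ticket cookie named in the post

# Constructed captures: response headers seen at the end of each logon flow.
# All values are placeholders, not real tickets or hosts.
CAPTURES = {
    "browser_direct_saml": [
        ("Content-Type", "text/html"),
        ("Set-Cookie", "SESSION_PLACEHOLDER=abc123; path=/; secure; HttpOnly"),
    ],
    "started_from_sap_gui": [
        ("Content-Type", "text/html"),
        ("Set-Cookie", "SESSION_PLACEHOLDER=def456; path=/; secure; HttpOnly"),
        ("Set-Cookie", "MYSAPSSO2=PLACEHOLDERTICKET; path=/; "
                       "domain=.example.test; secure; HttpOnly"),
    ],
}


def ticket_report(headers):
    """Return the logon ticket cookie's attributes, or None if it was not set."""
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)  # each Set-Cookie header carries exactly one cookie
        if TICKET in jar and jar[TICKET].value:
            morsel = jar[TICKET]
            return {
                "domain": morsel["domain"] or None,  # scope the browser applies
                "path": morsel["path"] or None,
                "secure": bool(morsel["secure"]),
                "httponly": bool(morsel["httponly"]),
            }
    return None


def compare(captures):
    """Map each flow name to its ticket report (None means no ticket issued)."""
    return {flow: ticket_report(headers) for flow, headers in captures.items()}


if __name__ == "__main__":
    for flow, report in compare(CAPTURES).items():
        print(flow, "->", report if report else "no MYSAPSSO2 in response")
```

To use it on a real system, replace the constructed `CAPTURES` entries with headers exported from the browser's network trace for each flow.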

