Technology Blogs by SAP
cvsabhishek
Advisor

co-author: santosh_kumar97

Introduction

The SAP Cloud Identity Services (SCI) are the dedicated cloud services that provide authentication, single sign-on and identity lifecycle functionality across SAP solutions. SCI includes Identity Authentication (IAS), Identity Provisioning (IPS) and the Identity Directory (IdDS), and will soon also include the Authorization Management Service (AMS).
In this blog, we use the Authentication and SSO feature of the Cloud Identity Services to show how applications built on different platforms, e.g. SAP BTP and SAP S4 HANA, can be accessed with a single user who logs in once and navigates between them seamlessly. The Cloud Identity Services tenant is used as the identity provider (IdP).

Overview

  1. Establish trust between S4 HANA and the Cloud Identity Services tenant
  2. Establish trust between the SAP BTP system and the Cloud Identity Services tenant
  3. Test the SAML Single Sign-On


Establish Trust between S4 HANA and Cloud Identity Services Tenant

  1. First, we need to extract the SAML metadata from the S4 HANA system. To do this, go to transaction SAML2.

  2. Choose "Create SAML 2.0 Local Provider".

  3. Give a provider name in the dialog box that appears.

  4. In the Service Provider Settings, choose selection mode "Automatic", since only one Identity Provider is connected and we do not want to pick an Identity Provider at every logon.


  5. Once we are done configuring the Local Provider, we will extract the SAML2 metadata using the "Metadata" button. Store this file for later use in the Cloud Identity Services Tenant.

    We will leave the S4 configuration for now and return later. We move to the Cloud Identity Services for the configurations.


  6. Logon to the Cloud Identity Services tenant and extract the SAML configuration.

  7. Get the 'Signing Certificate' 

    To extract the signing certificate, copy the 'Certificate Information' into a text file and save it with a .cer extension. Then use KeyStore Explorer or a similar tool to turn it into a proper certificate file, and store that file locally.
    In KeyStore Explorer: click 'Examine Certificate', choose the .cer file created above, click 'Examine', then click 'Export'. This signing certificate is used later when configuring the S4 system.

  8. Now let's create an application in Cloud Identity Services for our S4 HANA system. The purpose of this application is to establish the trust between the Cloud Identity Services tenant and the S4 HANA system.

  9. Go to the "Applications and Resources" tab in Cloud Identity Services and choose "Applications". Then click "Create Application", give a Display Name, set Type to "SAP on-premise Solution" and create.

  10. Now under SAML 2.0 configuration, we upload the metadata.xml file which we retrieved from the S4 system in step 5.
    Once we upload the metadata file, everything gets auto-populated.

  11. Set all the switches to ON state.

    In the section "Subject Name Identifier", choose "Identity Directory" and the value "Email", because we will use the e-mail address to identify the user at authentication.

  12. Let's continue the SAML2 configuration in S4 by providing the metadata XML that we got from the Cloud Identity Services system in step 6.
    To do this, choose the 'Trusted Providers' tab and click 'Add' -> 'Upload Metadata File'.

  13. We go through a series of steps now.

    Upload the metadata.xml file that we downloaded from Cloud Identity Services Tenant.

    Upload the Signing Certificate that we created in step 7.

    For better security, choose SHA-256 instead of SHA-1 in the Signature and Encryption step; SHA-1 is deprecated for signatures.

    Click on next and finish all the sections.

  14. Now click 'Edit', then 'Add', select 'Unspecified' and save the settings.

  15. Click 'Enable' to activate the configuration.

  16. Go to transaction SICF, enter the service name or external alias (for example /sap/bc/ui2/flp) and open the service.

    Double-click on the service to open it.

  17. Select the 'Logon Data' tab, choose 'Alternative Logon Procedure', set 'SAML Logon' to 1 and save.

    The URL for this service is then built as follows: https://<HOST>:<PORT>/sap/bc/ui2/flp?sap-client=<CLIENT>



Establish Trust between SAP BTP and Cloud Identity Services Tenant

  1. Login to your SAP BTP sub-account.
    Go to tab 'Trust Configuration'.

    Download the SAML metadata of the BTP system, then create a new SAML trust configuration.

  2. We create a new SAML Trust Configuration by uploading the SAML metadata of the Cloud Identity Services system. Click on save once the metadata is uploaded.

    Once the trust is established, the Cloud Identity Services tenant is listed as a trust configuration on the BTP side.



  3. We now configure Trust on the Cloud Identity Services Tenant side. To achieve this we will be creating an application on the Cloud Identity Services system and uploading the SAML metadata file of the BTP sub-account downloaded in step 1.

    In the SAML2.0 configuration, we upload the metadata file and save.

    Enable all signing options.

    For Subject Name Identifier, choose 'Identity Directory' and 'Email', then save.

    We are done with the Trust establishment of Cloud Identity Services and BTP.



Testing the SAML Single Sign-On

Now, it's time to check if our configurations work.

  1. Let's open the browser in Incognito mode.

  2. Enter the service URL of the S4 HANA application that we built in step 17 of the S4 trust setup.
    For our use case, we chose the FLP app URL.

  3. On Enter, the URL redirects to our Cloud Identity Services login page, which asks for credentials from our IdP.
    Remember, the users should be maintained in the IDP prior to logging in.

  4. Enter your credentials and click on 'Continue'.

    And Voila! You are logged in using your Cloud Identity Services credentials.

  5. Now to test the Single Sign-On spanning multiple environments, let's take an application from our BTP environment, which has Cloud Identity Services enabled.

  6. We open a new tab next to the S4 app we are already logged on to and open the BTP app there. On Enter, we are routed to the login page with two options: the default IdP and the Cloud Identity Services IdP. We choose the Cloud Identity Services IdP for login.

    Lo and Behold!! We are logged in, without entering any more credentials.
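When the test in steps 3 and 4 works, it is worth looking at what actually crossed the wire. The SAMLResponse the IdP posts back to S4 (visible in the browser's developer tools) is base64-encoded XML. As an added example, not code from the original post or from SAP, the Python below decodes that parameter for either SAML binding and checks the fields that decide whether SSO succeeds and whether the trust follows the settings chosen above: issuer, status, audience, validity window, the e-mail NameID selected under Subject Name Identifier, and whether the signature algorithm is SHA-256 rather than SHA-1. It does not cryptographically verify the XML signature; that is the job of the SAML2 configuration in S4. The response, entity IDs, local provider name and timestamps are constructed.

```python
"""Decode a SAMLResponse captured from the browser and check the fields that
decide whether SSO works and whether the trust uses the recommended settings.
Added example; not code from the original post or from SAP. It does not verify
the XML signature itself."""
import base64
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholders: the IdP entityID of the Cloud Identity Services
# tenant and the Local Provider name configured in SAML2 on the S4 side.
IDP_ENTITY_ID = "https://example-tenant.accounts.ondemand.example/saml2/idp"
SP_ENTITY_ID = "S4H_LOCAL_PROVIDER"
SAMPLE_NOW = datetime(2024, 5, 8, 10, 0, tzinfo=timezone.utc)

# Constructed sample response; the SignatureValue is a placeholder.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_resp1" Version="2.0" IssueInstant="2024-05-08T10:00:00Z">
  <saml:Issuer>%s</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-08T10:00:00Z">
    <saml:Issuer>%s</saml:Issuer>
    <ds:Signature><ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    </ds:SignedInfo><ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-08T09:55:00Z" NotOnOrAfter="2024-05-08T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>%s</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>""" % (IDP_ENTITY_ID, IDP_ENTITY_ID, SP_ENTITY_ID)


def raw_deflate(data):
    """Raw DEFLATE (no zlib header), as used by the HTTP-Redirect binding."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return comp.compress(data) + comp.flush()


# What the browser carries: POST binding is plain base64, Redirect binding is
# base64 over raw DEFLATE (URL-decode the query parameter first).
SAMPLE_POST_PARAM = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()
SAMPLE_REDIRECT_PARAM = base64.b64encode(raw_deflate(SAMPLE_RESPONSE_XML.encode())).decode()


def decode_saml_message(param):
    """Return the XML text of a SAMLRequest/SAMLResponse parameter for either binding."""
    raw = base64.b64decode(param)
    if not raw.lstrip().startswith(b"<"):  # not XML yet, so it was deflated
        raw = zlib.decompress(raw, -15)
    return raw.decode("utf-8")


def saml_time(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_saml_response(param, expected_issuer, expected_audience, now=None):
    """Check issuer, status, audience, validity window, NameID and signature
    algorithm. 'findings' is empty when everything matches the trust setup."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(decode_saml_message(param))
    findings = []
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        findings.append("issuer %r is not the trusted IdP %r" % (issuer, expected_issuer))
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    status_ok = status is not None and status.get("Value", "").endswith(":Success")
    if not status_ok:
        findings.append("IdP returned a non-success status")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:  # encrypted assertions need the SP private key to inspect
        encrypted = root.find("saml:EncryptedAssertion", NS) is not None
        findings.append("assertion is encrypted" if encrypted else "no assertion in response")
        return {"issuer": issuer, "status_ok": status_ok, "findings": findings}
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    audience_ok = expected_audience in audiences
    if not audience_ok:
        findings.append("audience %r does not include the SP %r" % (audiences, expected_audience))
    cond = assertion.find("saml:Conditions", NS)
    in_window = False
    if cond is not None and cond.get("NotBefore") and cond.get("NotOnOrAfter"):
        in_window = saml_time(cond.get("NotBefore")) <= now < saml_time(cond.get("NotOnOrAfter"))
    if not in_window:
        findings.append("assertion is outside its validity window (check clock skew)")
    algorithms = [s.get("Algorithm", "") for s in root.iter("{%s}SignatureMethod" % NS["ds"])]
    weak = any("sha1" in alg for alg in algorithms)
    if not algorithms:
        findings.append("response and assertion carry no XML signature")
    if weak:
        findings.append("SHA-1 signature algorithm in use; switch to SHA-256")
    return {"issuer": issuer, "status_ok": status_ok,
            "name_id": name_id.text if name_id is not None else None,
            "name_id_format": name_id.get("Format") if name_id is not None else None,
            "audience_ok": audience_ok, "in_validity_window": in_window,
            "signed": bool(algorithms), "weak_signature_algorithm": weak, "findings": findings}


if __name__ == "__main__":
    for key, value in check_saml_response(SAMPLE_POST_PARAM, IDP_ENTITY_ID,
                                          SP_ENTITY_ID, SAMPLE_NOW).items():
        print("%-24s %s" % (key, value))
```

Run it against a real capture by passing the SAMLResponse value and the current time; a NameID that is not the user's e-mail address points back to the Subject Name Identifier setting, and a validity-window finding on an otherwise correct response usually means clock skew between the IdP and the S4 host.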