
Overview

Most companies today strive to integrate the cloud into their environment, so that their users can use applications running in the cloud from any location and without additional development. However, most companies do not want to expose all their user data in the cloud for security reasons. With the new functionality that we offer, users registered in the corporate user store are able to access cloud applications without their identity information being replicated to the cloud. Furthermore, those users can log on with their corporate credentials.

For this scenario, we use SAP Cloud Platform Identity Authentication service (formerly SAP Cloud Identity service) for authentication and single sign-on to cloud applications. Identity Authentication can be configured to use information from the corporate user store.

In this blog, we use Microsoft Active Directory as a corporate user store, but this scenario is applicable for other user stores. For more information about the other scenarios, see Configure Connection to a Corporate User Store in Corporate User Store.

Prerequisites

  • You have an SAP Cloud Platform account on a productive landscape.
  • You have installed the SAP Cloud Connector inside your corporate network. For more information, see Installing the Cloud Connector. Note: Make sure you have installed the right JVM and that it is the one referenced by the JAVA_HOME variable.


Configure SAP Cloud Platform

In this setup, the administrator’s name is Donna Moore with user ID I000001. Donna’s SAP Cloud Platform account is named consumer_account. Donna is configuring a connection to Microsoft Active Directory with the servusr service user and the following user and group subtrees: DC=sec,DC=company,DC=boston. She accesses the Active Directory server at samplehost:389. The service user is necessary for the Cloud Connector to connect to Microsoft Active Directory, and the subtree paths tell the system where to find the corporate users and groups.

  1. In SAP Cloud Platform cockpit, choose Services in the navigation area, select the Identity Authentication Add-On tile, and choose Enable in the detailed view of the service. This enables the extension service of Identity Authentication named proxy, provided by an SAP Cloud Platform account named sci. Note: If you don’t see the Identity Authentication Add-On tile in the cockpit, you need to create an incident with the subject Enable Corporate User Store Feature on SAP Support Portal under the component BC-IAM-IDS. You have to provide your SAP Cloud Platform account name and data center.
  2. Go to OAuth –> Clients and register a client for the subscribed proxy application provided by the sci account. (Image: Client.png) For more information about this procedure, see Registering an OAuth Client. Note: Since Identity Authentication creates the subscription to the proxy application itself, the Prerequisites section in the respective document is not relevant for the current scenario.
    • For Subscription, select sci/proxy.
    • For Authorization Grant, select Client Credentials.
  3. Connect the Cloud connector with your SAP Cloud Platform account.
    • If you haven’t used your cloud connector before, see Initial Configuration.
    • If you have used your cloud connector before, you can start the configuration from Set up Connection Parameters and HTTPS Proxy. (Image: Connector_Initial_Config.png)
  4. Configure the connection between the Microsoft Active Directory user store and the cloud connector. Specify the settings described in Configuring User Store in the Cloud Connector. Note: The Prerequisites section in that document is already satisfied by the proxy application, so proceed directly with the configuration steps. The User Name field must be in the <service_user_name>@<domain> format. For the User Path and Group Path fields, specify the LDAP subtree that contains the users and the groups, respectively. (Image: User_Store_Connect.png)
  5. Optionally, change the default attributes or include additional attributes. For more information, see step 6 (optionally, change the default attributes or include additional attributes) in the section Configure SAP Cloud Platform When Connecting to an LDAP User Store.


Configure Identity Authentication Service

  1. If this is the first time you use Identity Authentication, open your activation email. Activate your Identity Authentication account and access the administration console. Note: After the account activation, you are automatically redirected to the administration console. The URL of the administration console has the pattern https://<tenant ID>.accounts.ondemand.com/admin. The tenant ID is generated automatically by the system. The first administrator created for the tenant receives an activation e-mail with a URL in it; this URL contains the tenant ID.
  2. Choose the Tenant Settings tile in the administration console. (Image: Admin_Console_Home.png)
  3. Choose the Corporate User Store list item. (Image: Tenant_Settings_Page.png)
  4. Select your SAP Cloud Platform account’s data center, enter your SAP Cloud Platform consumer account, and enter the OAuth client ID and secret. Note: The Client ID and Client Secret fields in the administration console for Identity Authentication service have to match the ID and secret registered on SAP Cloud Platform under the OAuth Settings tab for your consumer account. The Account field in the administration console for Identity Authentication service has to match your SAP Cloud Platform account name. (Image: Corporate_User_Store_Settings.png)
  5. Save your settings. If the operation is successful, you receive the message Connection settings saved.
  6. Log on to an application using Identity Authentication service with a Microsoft Active Directory user and verify that the authentication is successful. Note: Make sure that this user does not exist in the user store of Identity Authentication and that the user has an email address set in Microsoft Active Directory.
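A pre-flight check for the values entered in step 4 and for the test user required in step 6, added here as an example (not part of the original post): it derives the <service_user_name>@<domain> value from the User Path, binds as the service user using the third-party ldap3 library (assumed installed), and confirms that the test user exists under the subtree with a mail attribute. The host, service user and subtree are the post's sample values; the password and test login name are placeholders.

```python
"""Pre-flight check for the corporate user store values (steps 4 and 6).

Added example, not part of the original post. Uses the third-party ldap3
library (assumed installed) and the post's sample values; the password and
the test login name passed to check_test_user() are placeholders.
"""
USER_PATH = "DC=sec,DC=company,DC=boston"  # User Path entered in step 4
LDAP_HOST, LDAP_PORT = "samplehost", 389   # AD server used in the post

# RFC 4515 escaping so a login name cannot alter the filter's structure.
_ESC = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def domain_from_dn(dn: str) -> str:
    """Derive the DNS domain from the DC components of an LDAP DN:
    'OU=Users,DC=sec,DC=company,DC=boston' -> 'sec.company.boston'."""
    parts = [p.strip()[3:] for p in dn.split(",")
             if p.strip().upper().startswith("DC=")]
    if not parts:
        raise ValueError(f"no DC components in {dn!r}")
    return ".".join(parts)


def service_user_upn(service_user: str, dn: str) -> str:
    """Build the <service_user_name>@<domain> value Cloud Connector expects."""
    return f"{service_user}@{domain_from_dn(dn)}"


def user_filter(login_name: str) -> str:
    """LDAP filter selecting one AD user by sAMAccountName."""
    escaped = "".join(_ESC.get(c, c) for c in login_name)
    return f"(&(objectClass=user)(sAMAccountName={escaped}))"


def check_test_user(service_user: str, password: str, login_name: str):
    """Bind as the service user, then confirm the step-6 test user exists
    under USER_PATH and has a mail attribute. Returns (ok, detail)."""
    from ldap3 import Server, Connection, SUBTREE  # only the live check needs it
    conn = Connection(Server(LDAP_HOST, port=LDAP_PORT),
                      user=service_user_upn(service_user, USER_PATH),
                      password=password, auto_bind=True)
    conn.search(USER_PATH, user_filter(login_name), SUBTREE, attributes=["mail"])
    entries = list(conn.entries)
    conn.unbind()
    if not entries:
        return False, f"{login_name} not found under {USER_PATH}"
    mail = entries[0].entry_attributes_as_dict.get("mail") or []
    return bool(mail), mail[0] if mail else f"{login_name} has no mail set"
```

Run check_test_user("servusr", "<service-user-password>", "<test-login-name>") from inside the corporate network; a (False, ...) result points at exactly the User Name, User Path or missing-email problem that step 6 would otherwise surface only as a failed logon.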

14 Comments


  1. Parag Jain

    As per the blog, we need to create a ticket on component BC-IAM-IDS to access this feature. When I try this via the Service Marketplace, I need to select a system. Unfortunately, no system is listed for installation “HANA Cloud”. Please advise.

    PS – We have a PartnerEdge HCP account.

    Regards,

    Parag.

    (0) 
      1. Parag Jain

        Do you get one with a trial account? Also, the challenge was that one is unable to create a ticket, as it asks for a “system”, and there is no system for HCP.

        (0) 
  2. Luca Avalle

    I was looking for detailed technical information in order to connect SAP Workforce Performance Builder cloud with our Active Directory domain and ensure alignment of the users.

    All the info provided here is useful.

    (0) 
  3. Jens Schwendemann

    Dear Nicola,

    You mention HANA Cloud Connector as mandatory in this configuration. However, wouldn’t it be possible to use an existing reverse proxy (e.g. a WebDispatcher) as well?

    Many thanks and kind regards
    Jens

    (0) 
    1. Marko Sommer


      Hi Jens,
      Compared to a reverse proxy solution, the HANA Cloud Connector allows connectivity to an on-premise system without the need to open an inbound port.
      And SCC brings out-of-the-box integration with the corporate user store via the SCIM adapter; see https://help.hana.ondemand.com/help/frameset.htm?933034aeb00d489eaf21d50bbb12fed5.html for details.
      That’s why we offer SAP Cloud Identity corporate user store integration via the Cloud Connector.
      Best regards,
      Marko

      (0) 
      1. Jens Schwendemann

        OK, I think I got this. But let’s assume we have MS Azure AD + AD FS in our environment (not uncommon for Office 365 customers). Am I right in the assumption that we could leverage that infrastructure to achieve quite the same as we do with SCC and SCP I&A?


        (No offence meant, I’m a SAP Guy who happens to attend infrastructural / architectural meetings from time to time)

        (0) 
    1. Marko Sommer


      Hi Eduardo,

      In principle yes: you have to build your own logon screen and use the Cloud Connector in the same way to verify the user’s credentials.
      Beyond the verification of credentials, Cloud Identity service establishes a session for the user (i.e. subsequent login requests from the cloud are not routed to the corporate network). And with SCI you may enforce stronger means of authentication, so that some or all users need to provide a second factor.
      We also recommend connecting a corporate user store via the Cloud Identity service for easier administration, especially when many cloud applications want to delegate authentication to the corporate user store.
      But if your scenario does not require the above, then it’s an option to configure it without SCI.
      Best regards, Marko

      (0) 
  4. Sahil Chhabra

    Is there a way to use Active Directory / LDAP (Corporate User Store) for authentication to the HANA Cloud Platform itself?

    This is a very helpful article on how to set up Active Directory / LDAP authentication for the applications built on the Platform, but is there a way to use the same for the Platform itself as well?

    Please advise.

    Thanks and Regards

    (0) 
  5. Madhusudan Kunder

    Hello Nikola,


    Thanks for such a nice and simple article!!!!

    As per the blog we have setup our scenario.

    As per step 4) configure the connection between the Microsoft AD user store and cloud connector …
    here, for the user name, I am using the user which I created in Active Directory.
    Our Active Directory is not synced with mail, so this user doesn’t have a mail ID assigned to it.
    So please suggest how I test this scenario.
    Do I need to log in to the SSO URL using the user which is created in Active Directory?

    Please let me know what the meaning of service user in Active Directory is (does it only mean a user whose password never expires?). Thanks!!!!


    (0) 
  6. Arlei Duarte

    Hi Nikola,

    Thank you for sharing this article.

    I’ve done all the steps below, but I can’t log in with my AD user and my user isn’t on the IdP.

    Are there any hidden steps?

    Best regards.

    Arlei Duarte Filho

    (0) 
