Identity and Access Management across SAP and Google
SAP Cloud Platform offers services for Identity and Access Management (IAM) that make it possible for enterprises to offer their employees, customers, and partners single sign-on to any business software they need to use. Besides SAP business applications, this includes G Suite, Google Cloud Platform, and a variety of services from other vendors. The SAP Cloud Platform Identity Authentication service (formerly known as SAP Cloud Identity) enables secure access and single sign-on, whereas the SAP Cloud Platform Identity Provisioning service allows for the central management of identities by granting or revoking the appropriate user privileges.
The integration with Google allows customers to choose the best combination of tools to run better. They can easily and securely connect SAP with Google’s productivity suite G Suite or Google Cloud Platform, and grant their users access to any application, from any device, at any time. Also see the related blog by Bernd Leukert.
To demonstrate the integration, let me walk through what it takes for a fictional company, BestRun Co., to connect to G Suite and give its employees access.
As an SAP customer, BestRun has already adopted SAP S/4HANA, SAP SuccessFactors, and SAP Hybris Cloud for Customer. They also use the SAP Cloud Platform Identity Authentication service for single sign-on to all applications. Identity Authentication allows employees to use their Microsoft Active Directory credentials to reach those cloud applications without the need to remember yet another password. When they access an application from the corporate network, they can even sign in automatically without entering any credentials. BestRun is about to enable G Suite to increase the productivity of its employees. They will keep Identity Authentication as their primary identity provider and use it to connect to G Suite. They can do this by following three simple steps:
Step 1: Configure G Suite as an application in SAP Cloud Platform Identity Authentication
- In the Administration Console of Identity Authentication, go to Applications, press the Add button and enter Google as an application name.
- Under Trust, go to SAML 2.0 Configuration and fill in Name and Assertion Consumer Service Endpoints. Replace the domain part to match your Google account domain name:
- Go to Name ID Attribute, choose E-Mail and Save.
- Optionally, go to Branding and Layout -> Logo and upload a logo to be displayed to users. Turn off Display Application Name.
Step 2: Configure SAP Cloud Platform Identity Authentication as a trusted identity provider in G Suite
- In the Administration Console of Identity Authentication, go to Tenant Settings –> SAML 2.0 Configuration.
- Note the Single Sign-On Endpoint. The URL is the same for both the HTTP-POST and HTTP-Redirect SAML bindings.
- Make sure you have the signing certificate file of your Identity Authentication tenant.
- In the Google Admin Console go to Security –> Set up single sign-on (SSO) and select the checkbox Setup SSO with third party identity provider. Upload the certificate file first, as the URLs may be lost when you upload the certificate.
- Enter the Single Sign-On Endpoint URL as a Sign-in page URL.
- Enter the domain of your Identity Authentication tenant as a Sign-Out page URL. That will redirect users to their profile page instead of logging them out automatically. The Single Logout Endpoint URL of Identity Authentication cannot be used as Google does not send a SAML logout request.
- Select the checkbox “Use a domain specific issuer” and Save.
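The values entered in steps 1 and 2 (the application name that becomes the issuer/audience, the Assertion Consumer Service endpoint, the e-mail Name ID, the domain-specific issuer) are exactly the fields the service provider validates in every SAML Response it receives, which is why a mismatch in any of them breaks sign-in. The following Python check is an added illustration, not code from SAP or Google: it runs the field checks on a constructed response. The tenant host `bestrun.accounts.ondemand.com`, the domain `bestrun.com`, and the audience and ACS values `google.com/a/bestrun.com` and `https://www.google.com/a/bestrun.com/acs` are assumptions following Google's documented pattern; confirm them against your own SSO settings. XML signature verification against the tenant certificate uploaded in step 2 must come first and is done by a SAML library, not by this stdlib-only example.

```python
"""Field checks a SAML 2.0 service provider performs on the Response that
Identity Authentication posts to the G Suite Assertion Consumer Service.

Added illustration only (not SAP or Google code). Tenant host, domain,
audience and ACS values are assumptions; the sample response is constructed.
XML signature verification (done first, by an xmlsec-based SAML library)
is deliberately not part of this example."""

from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Assumed configuration (hypothetical tenant; Google's documented patterns)
TENANT_ISSUER = "https://bestrun.accounts.ondemand.com"
GSUITE_DOMAIN = "bestrun.com"
EXPECTED_AUDIENCE = f"google.com/a/{GSUITE_DOMAIN}"        # "domain specific issuer"
EXPECTED_ACS = f"https://www.google.com/a/{GSUITE_DOMAIN}/acs"

# Constructed sample response (unsigned; signature checking is out of scope here)
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2017-06-01T10:00:00Z" Destination="{EXPECTED_ACS}">
  <saml:Issuer>{TENANT_ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2017-06-01T10:00:00Z">
    <saml:Issuer>{TENANT_ISSUER}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{EMAIL_FORMAT}">jane.doe@{GSUITE_DOMAIN}</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{EXPECTED_ACS}" NotOnOrAfter="2017-06-01T10:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2017-06-01T09:59:00Z" NotOnOrAfter="2017-06-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{EXPECTED_AUDIENCE}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    """Parse the SAML UTC timestamp form used in the sample."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response(xml_text, now):
    """Return a list of problems found in the response; empty means all checks passed."""
    problems = []
    resp = ET.fromstring(xml_text)
    if resp.get("Destination") != EXPECTED_ACS:
        problems.append("Destination is not the G Suite ACS endpoint")
    status = resp.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no assertion in response"]
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != TENANT_ISSUER:
        problems.append(f"unexpected issuer {issuer!r}")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
    else:
        try:
            in_window = _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))
        except (TypeError, ValueError):
            in_window = False
        if not in_window:
            problems.append("assertion outside its validity window")
        audience = cond.findtext("saml:AudienceRestriction/saml:Audience", default="", namespaces=NS)
        if audience != EXPECTED_AUDIENCE:
            problems.append(f"audience {audience!r} is not {EXPECTED_AUDIENCE!r}")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID is not in e-mail format")
    elif not (name_id.text or "").strip().lower().endswith("@" + GSUITE_DOMAIN):
        problems.append("NameID e-mail is outside the G Suite domain")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != EXPECTED_ACS:
        problems.append("bearer confirmation Recipient is not the ACS endpoint")
    elif now >= _ts(scd.get("NotOnOrAfter")):
        problems.append("bearer confirmation has expired")
    return problems


if __name__ == "__main__":
    # Fixed clock inside the sample's validity window
    print(check_response(SAMPLE_RESPONSE, datetime(2017, 6, 1, 10, 1, tzinfo=timezone.utc)))
```

Each problem string maps back to one of the console settings above, so a failing check points at the step to revisit: a wrong audience or destination means the application name or ACS endpoint from step 1 does not match the Google side, a NameID outside the domain means the Name ID Attribute or the user's e-mail is wrong.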
Step 3: Configure SAP Cloud Platform Identity Provisioning to create Google accounts
Once you have set up SSO, every user that has already been created in G Suite will be able to authenticate against Identity Authentication.
You can use SAP Cloud Platform Identity Provisioning to set up automated user provisioning to create or remove Google accounts and authorize them to access G Suite. To connect to Google, Identity Provisioning needs a service account with the permission to manage Google accounts.
- Connect to the Google Developer Console and click on Projects –> Create Project.
- Enter a project name, e.g. User Provisioning, and click on Create.
- Go to IAM & Admin –> Service accounts and click on Create Service Account.
- Enter a service account name, e.g. identityprovisioning, select Furnish a new private key, select Enable G Suite Domain-wide Delegation and click on Create:
- Using a text editor, open the JSON file that is automatically downloaded and note the client ID and private key.
- In case you want to create a Google account for your employees in SAP SuccessFactors, follow the steps here to create a source system of type SuccessFactors in Identity Provisioning.
- Alternatively, you can also use SAP Cloud Platform Identity Authentication as a source for identities. Follow the steps here to create a source system of type SAP Cloud Platform Identity Authentication in Identity Provisioning.
- Follow the steps here to create a target system of type G Suite in Identity Provisioning.
- Open the source system and click on Jobs –> Read Job –> Run Now.
- Click on Job Execution Logs and make sure the job completed successfully.
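What the read job does in essence is reconcile the identities in the source system with the accounts that exist in the G Suite target and act on the differences. The following Python example is an added illustration of that reconciliation, not Identity Provisioning's own logic and not a call to Google's API: the record shapes, the sample identities, the domain `bestrun.com` and the set of protected accounts are all constructed assumptions. It shows the cases a provisioning run has to handle: new hires to create, leavers to deactivate, returning employees to reactivate, orphaned target accounts, identities outside the domain that cannot be provisioned, and administrative accounts that the job must never touch.

```python
"""Reconcile source identities (e.g. from SAP SuccessFactors or Identity
Authentication) with the accounts in a G Suite domain and produce the actions
a provisioning run would carry out.

Added illustration only: not Identity Provisioning's logic and no Google API
calls. Record shapes, sample data, domain and protected set are constructed."""

from dataclasses import dataclass

GSUITE_DOMAIN = "bestrun.com"                 # assumption
# Accounts provisioning must never create, suspend or reactivate, e.g. the
# domain super-admin used to set up SSO (assumption for this example).
PROTECTED = {"admin@bestrun.com"}


@dataclass(frozen=True)
class SourceUser:
    user_id: str
    email: str
    active: bool          # False for leavers / terminated employees


@dataclass(frozen=True)
class GoogleAccount:
    primary_email: str
    suspended: bool


def plan_provisioning(source, google, protected=PROTECTED):
    """Return a dict of actions: create, suspend, reactivate, skipped.

    Orphaned Google accounts (no longer in the source) are suspended rather
    than deleted, so mailbox and Drive data stay available for review; that is
    a design choice of this example, not a statement about the product."""
    by_email = {g.primary_email.lower(): g for g in google}
    plan = {"create": [], "suspend": [], "reactivate": [], "skipped": []}
    seen = set()
    for u in source:
        email = u.email.strip().lower()
        if not email.endswith("@" + GSUITE_DOMAIN):
            plan["skipped"].append((u.user_id, "e-mail outside the G Suite domain"))
            continue
        if email in protected:
            plan["skipped"].append((u.user_id, "protected account"))
            continue
        seen.add(email)
        acct = by_email.get(email)
        if u.active and acct is None:
            plan["create"].append(email)
        elif u.active and acct.suspended:
            plan["reactivate"].append(email)
        elif not u.active and acct is not None and not acct.suspended:
            plan["suspend"].append(email)
    # Active Google accounts with no matching source identity lose access too.
    for email, acct in by_email.items():
        if email not in seen and email not in protected and not acct.suspended:
            plan["suspend"].append(email)
    return plan


# Constructed sample data
SOURCE = [
    SourceUser("1001", "jane.doe@bestrun.com", True),        # unchanged
    SourceUser("1002", "john.roe@bestrun.com", False),       # leaver
    SourceUser("1003", "new.hire@bestrun.com", True),        # not yet in Google
    SourceUser("1004", "contractor@partner.example", True),  # wrong domain
    SourceUser("1005", "back.again@bestrun.com", True),      # rehired
]
GOOGLE = [
    GoogleAccount("jane.doe@bestrun.com", False),
    GoogleAccount("john.roe@bestrun.com", False),
    GoogleAccount("leaver@bestrun.com", False),              # orphan
    GoogleAccount("back.again@bestrun.com", True),
    GoogleAccount("admin@bestrun.com", False),               # protected
]

if __name__ == "__main__":
    for action, items in plan_provisioning(SOURCE, GOOGLE).items():
        print(action, items)
```

Reviewing the computed plan before the write job runs (or keeping the read job's log, as the last step above suggests) is the practical control here: a source system that unexpectedly returns an empty or partial list would otherwise turn into a mass suspension of target accounts.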
Step 4: Test access to G Suite
Open https://mail.google.com/a/bestrun.com. You will be redirected to SAP Cloud Platform Identity Authentication to log in. In case you don’t have an active session, you will see a login window:
Enter the credentials of a test user and you will be able to log in to Gmail:
Hi – thanks for a very intriguing post. Am I right in thinking that right now the SAP Cloud Platform Identity Authentication service is still not available in trial? Thanks. DJ
Hi, you are correct, it's not available in the SAP Cloud Platform trial account.
Hi, this is a helpful post. However, what I am trying to do is the other way around: use Google as our IdP and then log in to SAP Jam and IBP via SCP. Can you help provide pointers on how to do this?
We are getting an "app not configured for user" error after we login to Google.
In Google you need to add SAP Cloud Platform Identity Authentication from the list of available SAML apps (follow the on-screen wizard). In SAP CP Identity Authentication you need to add Google as a Corporate IdP (download the Google IdP metadata and upload it in Identity Authentication) and then select Google as the IdP for the SAP Jam and IBP applications.
After this is done, SAP CP Identity Authentication will forward any authentication request to Google. Depending on the user IDs that are used, you might need to turn on Identity Federation in the Identity Authentication service for the Google corporate IdP.
Thank you very much for the pointers! Will try the identity federation later on. Just to confirm, though, because we wanted to try it out with SAP Jam first: there's no configuration or changes that need to be done in SAP Jam as admin, right?
This is a very helpful post.
Do you know about the Single Logout Endpoint URL for G Suite?
I set up G Suite -> IAS -> SFSF.
Login is OK, but logout fails with 400 (Bad Request), because the SLO is https://akay03zrk.accounts.ondemand.com/saml2/idp/slo (default).
So could you please advise?