Configure SAML SSO for SAP Cloud Platform Using an External Identity Provider

Overview

SAP Cloud Platform (formerly SAP HANA Cloud Platform) supports Identity Federation and Single Sign-on with external Identity Providers (i.e. SAP SSO, SAP Cloud Platform Identity Authentication, Active Directory Federation Services etc.). By default SCP is connected to SAP ID Service(accounts.sap.com)

In the example below, I demonstrate how to configure your SCP account to support SAML SSO with SSOCircle IdP.

Scenario Description

Below illustration shows how a user is authenticated, when she/he wants to access SAP Cloud Platform. Authentication part is handled by Identity Provider.

Flow is not different, if you use any other IdP(i.e. ADFS). Scenario can be enriched by adding Two-factor authentication which is supported by SAP SSO.

Prerequisities

In order to test SAML authentication, I’ve developed a small application which is a simple “Hello World” app that extracts and displays UserID part of SAML token. Details of how to develop a similar application can be found in “Create a basic Java app in SAP Cloud Platform” Tutorial Part 1, Part 2, and Part 3.

Then I’ve deployed this application to SCP via Eclipse. You can export your project from Eclipse and deploy it to SCP using .war file as well.

Configuration

1- Configure SCP as a Service Provider

First of all, SAP Cloud Platform (SCP) must be enabled to act as a ServiceProvider.

Login to SCP Cockpit, Go to  Security –>  Trust and click on Edit

Configuration Type can be set to 3 different values:

• Default: SAML authentication is active and SAP ID Service is used as IdP
• Custom: SAML authentication is active and Custom IdP will be used
• None: There won’t be any trust between Service Provider and any Identity Provider.

Change Configuration Type to Custom

Local Provider Name is populated automatically, if not, use a URI as the local provider name.
Then click on Generate Key Pair

Signing Key and Signing Certificate will be generated automatically. These certificates are self signed and valid for 10 years.If you want to generate your own certificates, please follow Guidelines for Using External Key and Certificate.

Set Principal Propagaion to Enabled and Force Authentication to Disabled. Detailed information for these settings can be found at SAP Help Portal.

Then click on Save and click on Get Metadata to export Service Provider metadata.xml

Save this file which will be used to establish trust between SP and IdP.

2- Configure IdP and Establish Trust

For the scenario, we need an Identity Provider. SAP SSO can provide this functionality and supports many more scenarios such as Kerberos support,  X.509 Client Certificates, Two-factor and Risk-based authentication.

In this example I will use SSOCircle, which is a public IdP that provides free limited usage and integration to your service providers. It’s very easy to configure and use. Additional features like tracing, unlimited logins can be used with premium accounts. Details of integration can be found at SSOCircle How-To.

I skip creating new user part in this example. You can follow this link, to create an account.

After logging in to SSOCircle, go to Service Provider Import Page

• Enter FQDN of the Service Provider, which is samlssoi068593trial.hanatrial.ondemand.com in my case.
• Choose attributes which you want to add in SAML token. I’ve selected all of them. With SAP SSO or ADFS, you can include much more specific attributes in the token, such as phone number, group memberships, security settings etc.
• Copy and paste metadata file, which is downloaded at the end of service provider configuration

Then click on Submit

You will get a success message after submitting SP details, if not please check your metadata file.

Then go to https://idp.ssocircle.com/ and save its content as an XML file. This is SSOCircle IdP metadata file.

Now go back to SCP Cockpit –> Security –> Trust and click on Application Identity Provider tab and then click on Add Trusted Identity Provider

New window will be opened and click on Browse then select IdP Metadata you saved couple steps before.

Input boxes are filled, but we need to make some changes

• Change Assertion Consumer Service from Application Root to Assertion Consumer Service. SSOCircle and ADFS do not send the SAML assertion to unknown URLs to them, hence we have to set it to Assertion Consumer Service.
• Change Signature Algorithm from SHA-1 to SHA-256 to harden security
• Change User ID Source from subject to attribute and set Source Value to EmailAddress.
  IdP’s send different values as NameID source. You can configure whatever NameID or attributes you want in SAML token. This configuration is done in IdP.
  For SSOCircle NameID value is a string and it’s not legible. Therefore I set User ID source to e-mail address.

Save the changes

Select SSOCircle as Default Identity Provider

Restart Java Application

3- Test SAML SSO

Paste your application URL in the browser and click on Enter.

You will be redirected to SSOCircle webpage for authentication. Enter your username and password and click on Log In

After successfull authentication, you will receive a SAML assertion and be redirected back to your app.

As you can see below screenshot, My e-mail address is extracted from SAML assertion and displayed on the screen.

Further Information on SAML assertion

You can check the details of SAML token in any browser using Developer Tools. I prefer to use Mozilla Firefox and its SAML Tracer add-on which is very easy to use.

Below is the part of the SAML assertion, I received from SSOCircle IdP. As I mentioned above, NameID part is not a logical value, if you do not change the configuration in SSOCircle. NameID part can be set to different values in SAP SSO or ADFS.

Moreover, first name, last name and e-mail values are added to respective attributes in the SAML message.

In the screesnshot below, You can see these attributes.

More Information

• SCP Identity and Access Management
• ID Federation with the Corporate Identity Provider
• SSOCircle How-to