Configure SAML SSO for SAP Cloud Platform Using an External Identity Provider
Overview
SAP Cloud Platform (formerly SAP HANA Cloud Platform) supports identity federation and single sign-on with external identity providers (e.g. SAP Single Sign-On, SAP Cloud Platform Identity Authentication, Active Directory Federation Services). By default, SCP trusts SAP ID Service (accounts.sap.com) as its identity provider.
In the example below I show how to configure an SCP account for SAML SSO with the SSOCircle IdP.
Scenario Description
The illustration below shows how a user is authenticated when accessing SAP Cloud Platform: SCP acts as the SAML service provider and redirects the user to the identity provider, which handles the authentication and returns a signed SAML assertion.
The flow is the same with any other IdP (e.g. ADFS). The scenario can be extended with two-factor authentication, which SAP Single Sign-On supports.
Prerequisites
To test SAML authentication I developed a small "Hello World" application that extracts the user ID from the SAML assertion and displays it. How to build a similar application is described in the "Create a basic Java app in SAP Cloud Platform" tutorial, Part 1, Part 2 and Part 3.
I then deployed the application to SCP from Eclipse. You can also export the project from Eclipse as a .war file and deploy it to SCP that way.
Configuration
1- Configure SCP as a Service Provider
First, SAP Cloud Platform (SCP) must be enabled to act as a SAML service provider.
Log in to the SCP cockpit, go to Security –> Trust and click Edit.
Configuration Type can be set to three values:
- Default: SAML authentication is active and SAP ID Service is used as the IdP
- Custom: SAML authentication is active and a custom IdP is used
- None: no trust is configured between the service provider and any identity provider
Change Configuration Type to Custom
Local Provider Name is populated automatically; if it is not, use a URI as the local provider name. This value becomes the SP entity ID that the IdP sees in the metadata and in every AuthnRequest.
Then click Generate Key Pair.
A signing key and signing certificate are generated automatically. The certificate is self-signed and valid for 10 years; the private key signs the messages SCP sends to the IdP, and the certificate is published in the SP metadata so the IdP can verify them. If you want to use your own key and certificate, follow Guidelines for Using External Key and Certificate.
Set Principal Propagation to Enabled and Force Authentication to Disabled. With Force Authentication enabled, SCP asks the IdP to re-authenticate the user on every login instead of reusing an existing IdP session. Detailed information on these settings can be found at the SAP Help Portal.
Then click Save, and click Get Metadata to download the service provider metadata (metadata.xml).
Save this file; it is used to establish trust between the SP and the IdP.
2- Configure IdP and Establish Trust
The scenario needs an identity provider. SAP Single Sign-On can provide this and supports many more scenarios, such as Kerberos, X.509 client certificates, two-factor and risk-based authentication.
In this example I use SSOCircle, a public IdP that offers free, limited use and integration with your own service providers. It is easy to configure and use; additional features such as tracing and unlimited logins require a premium account. Integration details can be found in the SSOCircle How-To.
I skip creating a new user in this example; you can follow this link to create an account.
After logging in to SSOCircle, go to the Service Provider Import page.
- Enter the FQDN of the service provider, which is samlssoi068593trial.hanatrial.ondemand.com in my case.
- Choose the attributes you want included in the SAML assertion. I selected all of them. With SAP SSO or ADFS you can include much more specific attributes, such as phone number, group memberships or security settings.
- Paste the contents of the metadata file downloaded at the end of the service provider configuration.
Then click Submit.
You will get a success message after submitting the SP details; if not, check your metadata file.
Then open https://idp.ssocircle.com/ and save its content as an XML file. This is the SSOCircle IdP metadata file.
Now go back to SCP cockpit –> Security –> Trust, open the Application Identity Provider tab and click Add Trusted Identity Provider.
In the new window click Browse and select the IdP metadata you saved a couple of steps before.
The fields are filled from the metadata, but a few changes are needed:
- Change Assertion Consumer Service from Application Root to Assertion Consumer Service. SSOCircle and ADFS only post the SAML response to endpoints they know from the SP metadata, so the response must be directed to the registered assertion consumer service URL rather than to the application root.
- Change Signature Algorithm from SHA-1 to SHA-256. SHA-1 is deprecated for digital signatures and should not be used for new trust configurations.
- Change User ID Source from Subject to Attribute and set Source Value to EmailAddress.
IdPs send different values as the NameID. Which NameID format and which attributes are placed in the SAML assertion is configured on the IdP side.
For SSOCircle the NameID is an opaque string that is not legible, so I take the user ID from the e-mail address attribute instead. Whichever attribute you choose becomes the user's identity in SCP, so it must be unique per user and must not be something the user can change at the IdP.
Save the changes.
Select SSOCircle as the Default Identity Provider.
Restart the Java application.
3- Test SAML SSO
Open your application URL in the browser.
You will be redirected to the SSOCircle login page. Enter your username and password and click Log In.
After successful authentication, the IdP sends a SAML assertion to SCP's assertion consumer service, and you are redirected back to your app.
As the screenshot below shows, my e-mail address is extracted from the SAML assertion and displayed on the screen.
Further Information on SAML assertion
You can inspect the SAML messages in any browser using the developer tools. I prefer Mozilla Firefox with the SAML Tracer add-on, which decodes the messages and is very easy to use.
Below is part of the SAML assertion I received from the SSOCircle IdP. As mentioned above, the NameID is not a meaningful value unless you change the configuration in SSOCircle; in SAP SSO or ADFS the NameID can be set to different values.
First name, last name and e-mail address are carried as separate attributes in the SAML message.
In the screenshot below you can see these attributes.
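The inspection described in this section, together with the User ID Source choice from step 2 (NameID versus the EmailAddress attribute), as an added example that is not part of the original post and is not SCP, SAML Tracer or SSOCircle code: a small Python script that parses a SAML Response, extracts the user ID the way the cockpit setting does, lists the attributes, and reports what a practitioner would flag when reading the assertion (an RSA-SHA1 signature, an Audience that is not the SP entity ID, a Recipient that is not the ACS URL, an expired validity window). The response, the SP entity ID and ACS URL, the NameID and the signature value are constructed placeholders, and the XML signature is deliberately not verified here; that remains the service provider's job.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Hypothetical SP identifiers, standing in for the Local Provider Name and the
# ACS URL from the SP metadata (not the trial account used in the post).
SP_ENTITY_ID = "https://sp.example.com/saml2/sp"
SP_ACS_URL = "https://sp.example.com/saml2/sp/acs"

# Constructed sample, not a captured message: opaque NameID, attributes named as
# SSOCircle names them, RSA-SHA1 on purpose so the check flags it, dummy SignatureValue.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="_r1" Version="2.0" IssueInstant="2017-02-10T09:00:00Z" Destination="https://sp.example.com/saml2/sp/acs">
  <saml:Issuer>https://idp.ssocircle.com</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2017-02-10T09:00:00Z">
    <saml:Issuer>https://idp.ssocircle.com</saml:Issuer>
    <ds:Signature><ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    </ds:SignedInfo><ds:SignatureValue>ZHVtbXk=</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_3f9c2d1a7b0e4c5d8e6f</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://sp.example.com/saml2/sp/acs" NotOnOrAfter="2017-02-10T09:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2017-02-10T08:59:00Z" NotOnOrAfter="2017-02-10T09:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com/saml2/sp</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="EmailAddress"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_time(value: str) -> datetime:
    """Parse a SAML UTC timestamp such as 2017-02-10T09:05:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_response(xml_text: str) -> ET.Element:
    """Return the <saml:Assertion> of a plain (unencrypted) SAML Response."""
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("Response carries no plain Assertion")
    return assertion


def attributes(assertion: ET.Element) -> dict:
    """Attribute Name -> list of values, i.e. what the IdP was configured to release."""
    return {
        attr.get("Name"): [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
    }


def user_id(assertion: ET.Element, source: str = "subject", attribute_name: str = None) -> str:
    """Mirror the cockpit's User ID Source: 'subject' takes the NameID, 'attribute'
    takes the single value of the named attribute (e.g. EmailAddress)."""
    if source == "subject":
        node = assertion.find("saml:Subject/saml:NameID", NS)
        if node is None or not node.text:
            raise ValueError("assertion has no NameID")
        return node.text.strip()
    if source == "attribute":
        values = attributes(assertion).get(attribute_name, [])
        if len(values) != 1:  # a missing or multi-valued attribute cannot identify one user
            raise ValueError(f"attribute {attribute_name!r} must carry exactly one value, got {values}")
        return values[0]
    raise ValueError(f"unknown user ID source {source!r}")


def check_assertion(assertion: ET.Element, sp_entity_id: str, acs_url: str, now: datetime) -> list:
    """Findings a practitioner looks for in SAML Tracer; [] means nothing looked off.
    The XML signature is NOT verified here; the SP does that against the IdP certificate."""
    findings = []
    method = assertion.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if method is None:
        findings.append("assertion is not signed")
    elif method.get("Algorithm") == RSA_SHA1:
        findings.append("assertion signed with RSA-SHA1; switch the IdP to RSA-SHA256")
    elif method.get("Algorithm") != RSA_SHA256:
        findings.append(f"unexpected signature algorithm {method.get('Algorithm')}")
    audiences = [a.text.strip() for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if sp_entity_id not in audiences:
        findings.append(f"audience {audiences} does not include SP entity ID {sp_entity_id}")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        findings.append("no SubjectConfirmationData: bearer confirmation missing")
    else:
        if scd.get("Recipient") != acs_url:  # the IdP must post to the registered ACS URL
            findings.append(f"Recipient {scd.get('Recipient')} is not the ACS URL {acs_url}")
        if scd.get("NotOnOrAfter") and now >= parse_time(scd.get("NotOnOrAfter")):
            findings.append("SubjectConfirmationData has expired")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now < parse_time(cond.get("NotBefore")):
            findings.append("assertion not yet valid (NotBefore)")
        if cond.get("NotOnOrAfter") and now >= parse_time(cond.get("NotOnOrAfter")):
            findings.append("assertion expired (Conditions/NotOnOrAfter)")
    return findings


if __name__ == "__main__":
    a = parse_response(SAMPLE_RESPONSE)
    print("NameID      :", user_id(a, "subject"))  # opaque, as with SSOCircle
    print("EmailAddress:", user_id(a, "attribute", "EmailAddress"))
    print("attributes  :", attributes(a))
    for f in check_assertion(a, SP_ENTITY_ID, SP_ACS_URL, parse_time("2017-02-10T09:01:00Z")):
        print("finding     :", f)
```

To inspect a real login, paste the decoded Response from SAML Tracer into SAMPLE_RESPONSE and set SP_ENTITY_ID and SP_ACS_URL to the values from your own SP metadata; with the constructed sample the only finding is the RSA-SHA1 signature, which is the SHA-256 point from step 2 seen from the assertion side. The Recipient and Audience checks are the two that fail when the Assertion Consumer Service is left at Application Root or the metadata imported at the IdP is stale.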
More Information
- SCP Identity and Access Management
- ID Federation with the Corporate Identity Provider
- SSOCircle How-to
Useful information.
Within the SAML token that is passed, is it ok to pass a different attribute other than email (for example a username) to SAP Cloud Platform and how does Cloud Platform know whether that username exists to check the token against?
Our SSO scenario is for a HANA trial account.
Thanks
Hi Alex,
Yes, you can pass as many attributes as you want. These attributes should exist in your IdP. You can use UserID to differentiate users as well.
On the SP part (SCP in this case), SAML token extraction is done on the SP. The SCP app itself should identify and authorize users from the SAML token. In one of my projects, SCP is connected to an SAP backend system via SAP Cloud Connector. Users and attributes are pulled from this SAP system.
You can also use Active Directory as a user store in SCP.
Regards
Hi Alper,
If we have issues with SAML SSO to SAP Cloud, which OSS message component area do we open an incident under? Thanks
Thanks for sharing very good information on SAML configuration.
Can this SAML configuration be used to call S/4HANA cloud OData services to another 3rd Party application?
If not can you please advise right blog or help document to setup this communication?
Thanks
Hello,
How do I determine the correct FQDN in my case, when importing the Metadata in SSOCircle?
I have tried samlsso<user_id>trial.hanatrial.ondemand.com but I get an error when saving the metadata in SSOCircle: "An error occured. Reason: 0006"
Thanks
Hello Gerald!
I have the same question right now. Did you manage to solve this problem? What is the correct form of FQDN and how can we find it?
Thanks
You should save the data that is generated from the service provider; it's not the metadata from the ID service provider here.
Hello,
I got the same error, and I could make it work by generating the metadata using this link:
https://www.ssocircle.com/en/idp-tips-tricks/build-your-own-metadata/
Also, I've changed the value of FQDN: Instead of samlsso<user-id>trial.hanatrial.ondemand.com, I entered https://authn.hanatrial.ondemand.com/saml2/sp/acs/<user-id>trial/<user-id>trial
The rest of the steps are ok.
Regards
Thanks for this tip. I got it working in my case as well.
Seems like the tutorial has been removed; I am getting the error "404 Page Oops… Since we cannot find what you are looking for, here's everything." Please, can someone help me get this done?
Sophisticated description of the information. The information is really true. I am happy to go through your page. Keep writing…
Thank you for sharing these tips. We will be using some of these in our upcoming projects as well. Looking forward to more of your content