Knut Heusermann

Single Sign-On (SSO) with SAP Business ByDesign

SAP Business ByDesign (ByD) supports service provider initiated as well as identity provider initiated Single Sign-On (SSO) and Single Log-Out (SLO). In this post I would like to address some frequently asked questions regarding SSO and SLO.


Where can I find information on how to configure SSO?

Within ByD, Single Sign-On (SSO) is configured in the work center Application and User Management >> Common Tasks >> Configure Single Sign-On. All technical data required to configure the Identity Provider is available on this UI and can be downloaded as an “SP Metadata” file.

Furthermore, ByD supports OAuth 2.0 SAML Bearer authentication for principal propagation to ByD OData services.

The ByD documentation and the ByD Help Center (the side car in the ByD UI) provide detailed information under the keywords “Front-End Single Sign-On”, “Configure Your Solution for Single Sign-On”, “Configure Microsoft® Active Directory Federation Services 2.0” and “Configure Okta”.

The SAP Enterprise Support Academy provides the recorded Meet The Expert Session “Web-based SSO in SAP Cloud Products” in its replay library: SAP Enterprise Support Academy.

Some Identity Providers (IdPs) have published guidelines or tutorials for SSO configuration with ByD as well, for example Microsoft Azure AD.

Which Identity Providers are supported by ByD?

ByD can be used with any SSO Identity Provider (IdP) that supports SAML 2.0, for example SAP Cloud Platform Identity Authentication, Microsoft Azure AD, Okta, iWelcome, Microsoft ADFS (Active Directory Federation Services), SAP Cloud Identity Provider and many more.

ByD supports SAML 2.0 and OAuth 2.0 SAML Bearer authentication.

User provisioning in ByD

The ByD user lifecycle is tightly coupled with the ByD employee lifecycle.
In ByD, business users and key users are always assigned to employees or service agents (we call this concept “named user”). This means you have to create (hire) the employee or service agent first; then you can decide whether the employee/service agent gets access to the system, and you can assign access rights to the employee/service agent.

Assigning access rights and changing the user ID, password or e-mail address must be done in ByD.
However, you can easily extract the access rights per user (the list of authorizations assigned to each user) using the ByD OData for Analytics API, for example in order to perform Segregation of Duties (SoD) scanning in external systems such as SAP GRC.
Please note that ByD comes with embedded Segregation of Duties (SoD) functionality as part of the ByD user and access management process, including standard SoD checks and the possibility to enhance them.

You can set up ByD security policies such that no password logon is possible and users are forced to log on via SSO through a central IdP.
In this case, if an employee resigns, you can lock the user in the central IdP; the user can then no longer log on to ByD, because authentication is possible via the IdP only. If needed, you can even enforce a logout from all systems using Single Log-Out (SLO).

Which Name ID formats are supported by ByD?

By default ByD uses the NameID format “unspecified” for user mapping. ByD maps the NameID of the SAML assertion to the ByD user alias.

Additionally, ByD supports the NameID format “emailAddress”. In this case ByD maps the NameID of the SAML assertion to the e-mail address in the contact data of the ByD employee.
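The two configuration facts above (the SP metadata an IdP is configured from, and the NameID-to-user mapping rule) can be shown end to end in code. The following is an added example, not ByD's or SAP's code: it reads the values an IdP administrator has to copy out of SP metadata (entityID as the Audience URI, the AssertionConsumerService URL, the accepted NameID formats), then validates a SAML assertion against them and resolves the NameID to a user the way the post describes. The host names, user store, XML and timestamps are constructed sample data; the exact-match rule for the alias and the case-insensitive match for the e-mail address are assumptions, and signature verification is omitted (a real SP verifies the signature before anything else).

```python
"""Added example (not SAP ByD code): read the values an IdP needs from SP
metadata, validate a SAML assertion against them and resolve its NameID
(unspecified -> user alias, emailAddress -> employee e-mail).
Hosts, users, XML and timestamps are constructed sample data."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
FMT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
FMT_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed SP metadata in the shape a SAML 2.0 service provider publishes.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://myXXXXXX-sso.example.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://myXXXXXX-sso.example.com/sap/saml2/sp/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed user store: alias plus the employee's contact e-mail address.
USERS = [{"alias": "SANKARAN", "email": "sankaran@example.com"},
         {"alias": "KBRAZ", "email": "karolina@example.com"}]

# Constructed IdP assertion template; the XML signature is left out here.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c0ffee" Version="2.0" IssueInstant="2017-06-08T02:53:39Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="{fmt}">{name_id}</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="{recipient}" NotOnOrAfter="2017-06-08T03:03:39Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2017-06-08T02:53:39Z" NotOnOrAfter="2017-06-08T03:03:39Z">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""
NOW = datetime(2017, 6, 8, 2, 55, tzinfo=timezone.utc)  # "current" time for the demo


def idp_settings(metadata_xml):
    """The values an IdP admin copies from SP metadata: Audience URI (entityID),
    the ACS URL the IdP must post the response to, and accepted NameID formats."""
    root = ET.fromstring(metadata_xml)
    acs = root.find("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    formats = [e.text for e in root.findall("md:SPSSODescriptor/md:NameIDFormat", NS)]
    return {"audience": root.get("entityID"), "acs_url": acs.get("Location"),
            "nameid_formats": formats}


def resolve_user(name_id, fmt, users=USERS):
    """Mapping rule from the post; exactly one user must match."""
    if fmt == FMT_UNSPECIFIED:
        hits = [u for u in users if u["alias"] == name_id]  # assumed: exact match
    elif fmt == FMT_EMAIL:
        hits = [u for u in users if u["email"].lower() == name_id.lower()]  # assumed: case-insensitive
    else:
        raise ValueError("unsupported NameID format " + fmt)
    if len(hits) != 1:
        raise ValueError("NameID %r matches %d users" % (name_id, len(hits)))
    return hits[0]["alias"]


def validate_assertion(assertion_xml, settings, now=NOW):
    """Check that the assertion is for this SP, addressed to its ACS URL and
    still valid; return the alias of the user to log on."""
    a = ET.fromstring(assertion_xml)
    audience = a.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    # Exact, case-sensitive comparison: "HTTPS://host" is not the same identifier as "https://host".
    if audience != settings["audience"]:
        raise ValueError("audience %r is not this SP" % audience)
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != settings["acs_url"]:
        raise ValueError("assertion was not addressed to the ACS URL")
    expiry = datetime.strptime(a.find("saml:Conditions", NS).get("NotOnOrAfter"),
                               "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if now >= expiry:
        raise ValueError("assertion expired")
    nid = a.find("saml:Subject/saml:NameID", NS)
    if nid.get("Format") not in settings["nameid_formats"]:
        raise ValueError("SP does not accept NameID format " + nid.get("Format"))
    return resolve_user(nid.text, nid.get("Format"))


def sample_logon(fmt, name_id, recipient=None, audience=None, now=NOW):
    """Build a constructed assertion and validate it; returns the alias on
    success, otherwise the rejection reason prefixed with "REJECTED: "."""
    settings = idp_settings(SP_METADATA)
    xml = ASSERTION.format(fmt=fmt, name_id=name_id,
                           recipient=recipient or settings["acs_url"],
                           audience=audience or settings["audience"])
    try:
        return validate_assertion(xml, settings, now)
    except ValueError as err:
        return "REJECTED: " + str(err)


if __name__ == "__main__":
    print(idp_settings(SP_METADATA))
    print(sample_logon(FMT_UNSPECIFIED, "SANKARAN"))
    print(sample_logon(FMT_EMAIL, "Karolina@Example.com"))
    # IdP configured with the runtime URL instead of the ACS URL:
    print(sample_logon(FMT_UNSPECIFIED, "SANKARAN",
                       recipient="https://myXXXXXX-sso.example.com/sap/byd/runtime"))
```

The last call in the demo reproduces the misconfiguration that recurs in the comments: when the IdP posts the response to a URL other than the AssertionConsumerService location from the SP metadata, the Recipient check fails and the SP can only redirect back to the IdP. The audience check behaves the same way for an entity identifier whose scheme is written in a different case.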

Using multiple Identity Providers and ByD tenants with SSO

Each ByD tenant represents a single Service Provider, which can be “connected” to one or more Identity Providers. SAML-based SSO is configured separately for each Service Provider. Therefore SSO can be used for all your ByD tenants in parallel, and you can use multiple Identity Providers.

Does ByD support LDAP?

LDAP is essentially a directory store that is accessed over direct TCP/IP connections, without a proxy or reverse proxy in between. For that reason LDAP cannot be used from the cloud.

If LDAP is required to manage customer on-premise systems, you may connect LDAP to your IdP, but you cannot connect LDAP to ByD directly.

Does ByD support user propagation/OAuth?

Yes, ByD OData supports OAuth. You can find an example and more details in my blog post Configure OAuth 2.0 for SAP ByDesign OData Services.

      28 Comments
      Lee Bown

      Thanks Knut.
      Our Centrify SSO is re-directing to https://myxxxxx.sapbydesign.com which seems to route to the Silverlight version.  Is there any way of modifying the URL so it re-directs to the HTML5 UI?

      Lee

       

      Emmanuel Dacosta

      Hello

What about the following link? This is the link we use to log on to the ByD HTML5 UI (not the RUI):

      https://myxxxxxx.sapbydesign.com/sap/public/ap/ui/repository/SAP_UI/HTMLOBERON5/client.html?client_type=html&app.component=/SAP_UI_CT/Main/root.uiccwoc&rootWindow=X&redirectUrl=/sap/public/byd/runtime#

      Regards

      Emmanuel

       

       

      Knut Heusermann
      Blog Post Author

      Hi Lee,

currently the Silverlight version is still the default. The default UI is planned to be changed to HTML5 as soon as the HTML5 UI has been completed and our customers have had some time to get used to the new visual design.

      Please check the blog post https://blogs.sap.com/2017/05/09/productive-use-of-the-bydesign-html5-ui-with-1705/ for more details. The blog post describes how to access the HTML5 UI already now as well.

      Best regards,
      Knut

      Manuel Peschke

      Hi Lee,

      I have been able to link to the HTML5 UI by using https://myXXXXXX-sso.sapbydesign.com/sap/byd/runtime?client_type=html

      See attached screenshot for the configuration I used at the SSO Identity Provider side (in our case Okta).

      Cheers,

      Manuel

      Sankaran A

Hi Manuel Peschke, Knut Heusermann,

      Is there any documentation to configure between SAP Business ByDesign and OKTA?

I configured it with ByD. In Okta, if I click the application icon, it shows “Signing into Application” and redirects to the SSO URL “https://myXXXXXX-sso.sapbydesign.com/sap/byd/runtime”. It repeats again and again.

      Can you please help me on this topic?

      Regards,

      Sankaran A

      Manuel Peschke

      Hi Sankaran,

      Since the 1708 release you can change the default UI to HTML5, as described in the “How to access the HTML5 client” section of Stefanie’s blog post.

This means that you can now use the standard SSO URL (https://myXXXXXX-sso.sapbydesign.com) in Okta. Please try with that.

      Other items to check:

      • Import the ByD SSO Metadata to Okta
      • Import the Okta Signature and Encryption certificate in ByD (“Identity Provider” tab)
      • Make sure you’re sending the ByD user ID for the SSO authentication

If you are still having problems you can send me screenshots of your Okta and ByD configuration and I can compare it to my setup.

       

      Regards,

      Manuel

      Sankaran A

      Dear Manuel Peschke

      Thanks for your support.

      1. Created a new app in Okta
      2. General Screen

      3. Assign User (My ByD Username is “Sankaran”. So I have edited here)

       

      4. Once setup was done, I have downloaded a metadata file from Okta.

5. Uploaded the metadata file in ByD

       

      6. ByD –  Identity Provider (View 2)

       

      7. ByD – MySystem View

8. Once I click the icon in the Okta application panel, it shows Signing in and redirects to the Okta URL and ByD’s SSO URL. It repeats the process.

       

       

      Please guide me if I miss any steps here.

       

      Regards,

      Sankaran A

       

      Manuel Peschke

      Hi Sankaran,

       

      I could reproduce the issue on my side when I used https://myXXXXXX-sso.sapbydesign.com as SSO URL.

      When I compared it with my current configuration I noticed that we are using this SSO URL: https://myXXXXXX-sso.sapbydesign.com/sap/saml2/sp/acs

I was able to log in successfully after I added /sap/saml2/sp/acs to the SSO URL in Okta and re-created the Identity Provider with the updated metadata in ByD. Here are the SAML settings I'm using:

       

      I hope changing the SSO URL fixes your problem. If not, please let me know.

       

      Regards,

      Manuel

      Sankaran A

      Dear Manuel Peschke

Thanks for your great support. It is working once I changed the URL.

      Regards,

      Sankaran A

      Karolina Brazauskaite

      Hi Both,

      After configuring as suggested above, I get the following error, any ideas?

      Regards,

      Karolina

      Manuel Peschke

      Hi Karolina,

       

      Can you double check if you defined the ByD URL as "Audience URI" in Okta?

       

      Regards,

      Manuel

      Karolina Brazauskaite

      Hi Manuel,

       

      Yes I have, see below:

      Regards,

      Karolina

      Manuel Peschke

      Hi Karolina,

       

      Looks like you used the pre-configured "SAP Cloud for Customer" app in Okta. I'm not sure if that is compatible with SAP ByD.

I recommend creating an app from scratch for ByD using the steps and settings posted by Sankaran above.

      Let me know how it turns out.

       

      Cheers,

      Manuel

      Karolina Brazauskaite

      Hi Manuel,

       

Thank you! Worked like a charm.

      Regarding Mobile and Tablet applications, will this work?

      Manuel Peschke

      Awesome! Glad to hear it worked!

       

      Yes, it also works well with SAP's mobile apps. If you use the "-sso" URL it will automatically redirect to Okta for authentication within the mobile app.

       

      Cheers,

      Manuel

      Karolina Brazauskaite

      Hi Manuel,

So I am trying to configure this now for a different ByD instance and I am receiving the same error as before. I have created a completely new app and followed the same steps; any ideas what it could be?

      Regards,

      Karolina

      Manuel Peschke

      Hi Karolina,

My guess would be that a URL (SSO URL or Audience Restriction URL) in the Okta configuration is wrong.

      And please make sure to download the metadata from the new Okta app created for that instance into ByD.

      If that doesn't help I recommend opening a ticket with SAP and/or Okta as they will be able to do an SSO trace.

      Let me know the outcome.

      Thanks,

      Manuel

      Former Member

Has anyone come across this Azure AD error?

      Additional technical information:
      Correlation ID: e7591fc5-6abb-4bfc-9f15-3adb659d58f1
      Timestamp: 2017-06-08 02:53:39Z
      AADSTS70001: Application with identifier 'HTTPS://myXXXXXX-sso.sapbydesign.com' was not found in the directory TENANTID

       

      Jacques-Antoine Ollier

      Hello Former Member,

      I just got the same error.

I did raise an incident with SAP and with MS to see where the issue is originating.

      Did you have any success in solving this?

       

      @Knut Heusermann

      As usual, super blog!!!

      Thanks for sharing!

       

       

      Olivier RIPERT

      Hello,

       

we are facing the same issue with Microsoft Azure. We opened a ticket with Microsoft and it is under correction.

Here are the messages from Microsoft:

I've been investigating the application and indeed it is not allowing this, as the Service Principal is in direct relation with the Identifier. Right now, the application SAP by Design in Azure does not support the HTTPS pattern for the Identifier field in our backend, and from there the issue. I am working with the Product Group to make this work and accept HTTPS links

and the last one:

      As you know we have identified the reason that the application does not work. The Application metadata needs to be updated to accept HTTPS:// urls.  That cannot happen yet due to an issue with Graph API that does not accept wildcards in the identifier URL.

      Product Group is working on it. Will send you another update on Friday.

I'll keep you updated when the problem is resolved.

      Best regards,

      Olivier

       

      Wacharaphon Nuanyaisrithong

      Hello,

For your information, I had the same Azure AD error. But I deleted the SAP ByDesign app in Azure and re-added it. Then, it is working now.

Also, you need to send an incident to SAP to change the Identifier from "HTTPS" to "https".

       

      Regards,

      Toom

       

      Nguyen Ly

      Hi.

       

If you have the issue "AADSTS500115: The reply url specified in the request is missing or not a valid URL", this is the solution:

To resolve the issue, I downloaded the SP Metadata from SAP ByD and loaded it into Azure AD; this provided me with the correct Reply URL. It appears that the defaults which are associated with the Azure AD Marketplace app do not work as expected.

      Cheers,

      Ly

      Maida Gondal

      Hello Knut,

       

If you opt for single sign-on in the system, is it possible that this type of login does not apply to all system users?

Is it possible to say that 2 users have the option of logging into the system with and without single sign-on, while all other users log in with their ID and password?
      
      Kind regards,
      Maida
      Knut Heusermann
      Blog Post Author

      Hi Maida,

      you can assign different security policies to users:

      • Users with SSO and ID/password:
        Assign a security policy that allows password logon for ByD and provide both system URLs:

        • https://myXXXXXX.sapbydesign.com/ for user/password logon
        • https://myXXXXXX-sso.sapbydesign.com/ for SSO (logon via IDP)
      • Users with ID/password logon only:
        Assign a security policy that allows password logon for ByD and provide the URL for user/password logon only. If those users are not available on the IDP, they cannot use SSO anyway.
      • Users with SSO only (no local logon):
        Assign a security policy with disabled password logon for ByD.

      Best regards,
      Knut

      Matthew Heaphy

      Heya Knut,

      Thanks for this really helpful blog.

      Just wanted to note that there is a link that is no longer valid (takes you to a 404 Page not found):

      Info Link: https://azure.microsoft.com/en-us/marketplace/partners/sap-se/sapbusinessbydesign/

       

      Kind regards,

      Matt

      Knut Heusermann
      Blog Post Author

      Hi Matt,

      thanks for the hint - I removed the links.

      Best regards, Knut

      Roberto De Salvo

      Hi Knut,

we are trying to activate SSO between ByDesign and Microsoft Active Directory. I've checked the documentation that you published above, but it seems that it considers only Azure.

       

Have you got any additional link that could help us?

      regards

      Roberto DE SALVO

      Peter Biczysko

Hello Mr. Heusermann,

we are currently looking into the topic of SSO and MFA in ByD.

I have now activated SSO on a test basis and connected it to Azure AD Online. However, I do not quite understand which reply address is the correct one if we want to use ACS.

The SP metadata file from ByD gives the address “https://myXXXXXX-sso.sapbydesign.com/sap/saml2/sp/acs”, but this only works if ACS is deactivated.

If I switch ACS on, the reply address in the error message is “https://myXXXXXX-sso.sapbydesign.com/sap/byd/runtime”.

What effect does this have on the security of the SSO connection?