SAP Business ByDesign (ByD) supports service provider initiated as well as identity provider initiated Single Sign-On (SSO) and Single Log-Out (SLO). In this post I would like to address some frequently asked questions with regards to SSO and SLO.


Where to get information on how to configure SSO?

Embedded in ByD, Single Sign-On (SSO) is configured in the work center Application and User Management >> Common Tasks >> Configure Single Sign-On. All technical data required to configure the Identity Provider side is available on this UI and can be downloaded as an “SP Metadata” file.

The ByD documentation or the ByD Help Center (the side car in the ByD UI) provides detailed information under the keywords: “Front-End Single Sign-On”, “Configure Your Solution for Single Sign-On”, “Configure Microsoft® Active Directory Federation Services 2.0” and “Configure Okta”.

The SAP Enterprise Support Academy provides the recorded Meet The Expert Session “Web-based SSO in SAP Cloud Products” in its replay library: SAP Enterprise Support Academy.

Some Identity Providers (IdPs) have published guidelines or tutorials for SSO configuration with ByD as well; for example MS Azure AD:

Which Identity Providers are supported by ByD?

ByD can be used with any SSO Identity Provider (IdP) that supports SAML 2.0, for example Microsoft Azure AD, Okta, iWelcome, Microsoft ADFS (Active Directory Federation Services), SAP Cloud Identity Provider and many more.

ByD supports SAML 2.0 only.

User provisioning in ByD

The ByD user lifecycle is tightly coupled with the ByD Employee lifecycle.
In ByD business users and key users are always assigned to employees or service agents (we call this concept “named user”). This means you have to create (hire) the employee or service agent first; then you can decide if the employee/service agent gets access to the system and you can assign access rights to the employee/service agent.

Assigning access rights and changing the user ID, password or e-mail address has to be done in ByD.
However, you can easily extract the access rights per user (the list of authorizations assigned to each user) using the ByD OData for Analytics API, for example in order to perform Segregation of Duties (SOD) scanning in external systems (for example SAP GRC).
Please note that ByD comes with embedded Segregation of Duties (SOD) functionality as part of the ByD user and access management process, including standard SOD checks and the possibility to enhance them.
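As an added illustration of the external SOD scanning mentioned above (this is example code, not part of the blog post or any SAP product): once the per-user access rights have been extracted, a scan is a lookup of each user's right combinations against a rule set of conflicting pairs. The rows, field names, access-right names and rules below are all constructed for the example and are not the real ByD report columns or SAP's SOD rules.

```python
from collections import defaultdict
from itertools import combinations

# Constructed rows in the shape of a flattened OData-for-Analytics
# result set (one row per user and assigned access right). Field and
# access-right names are illustrative only.
ACCESS_RIGHTS_ROWS = [
    {"UserID": "JDOE01",   "AccessRight": "Supplier Master Data"},
    {"UserID": "JDOE01",   "AccessRight": "Supplier Invoicing"},
    {"UserID": "JDOE01",   "AccessRight": "Outgoing Payments"},
    {"UserID": "ASMITH02", "AccessRight": "Supplier Invoicing"},
    {"UserID": "ASMITH02", "AccessRight": "Sales Orders"},
]

# Constructed SOD rule set: each pair is a combination one user must not hold.
SOD_RULES = [
    ("Supplier Master Data", "Outgoing Payments"),
    ("Supplier Invoicing", "Outgoing Payments"),
]


def rights_per_user(rows):
    """Group the extracted rows into {user_id: set(access rights)}."""
    per_user = defaultdict(set)
    for row in rows:
        per_user[row["UserID"]].add(row["AccessRight"])
    return dict(per_user)


def find_sod_violations(rows, rules):
    """Return {user_id: sorted list of conflicting (right_a, right_b) pairs}.

    Rules are order-insensitive, so they are normalized to frozensets before
    every pair of a user's rights is checked against them.
    """
    toxic_pairs = {frozenset(rule) for rule in rules}
    violations = {}
    for user_id, rights in rights_per_user(rows).items():
        hits = [pair for pair in combinations(sorted(rights), 2)
                if frozenset(pair) in toxic_pairs]
        if hits:
            violations[user_id] = hits
    return violations


if __name__ == "__main__":
    for user_id, hits in find_sod_violations(ACCESS_RIGHTS_ROWS, SOD_RULES).items():
        print(user_id, "->", hits)
```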

You can set up ByD security policies such that no password logon is possible and users are forced to log on via SSO through a central IdP.
In this case, if an employee resigns, you can lock the user in the central IdP, and the user can no longer log on to ByD because authentication is only possible via the IdP. If needed, you can even enforce a logout from all systems using Single Log-Out (SLO).

Which Name ID formats are supported by ByD?

By default ByD uses the NameID format “unspecified” for user mapping. ByD maps the NameID of the SAML assertion to the ByD User Alias.
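To show what the default mapping above amounts to on the service-provider side (added example, not ByD's or any SAML library's code): take the NameID out of the assertion, check that its Format is “unspecified”, and look the value up as a ByD User Alias. The SAML response, the alias table and the assumption that a missing Format attribute counts as “unspecified” are all constructed for this example; the snippet inspects an already signature-verified response and does no signature checking itself.

```python
import xml.etree.ElementTree as ET

SAML_NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample response (not a real IdP or ByD message). The
# Signature element is omitted: this code assumes the response was
# already signature-verified by the SAML stack before it gets here.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml:Assertion Version="2.0">
    <saml:Issuer>https://idp.example.test/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed ByD user-alias table: User Alias -> ByD user ID.
USER_ALIASES = {"jdoe": "JDOE01", "asmith": "ASMITH02"}


def extract_name_id(response_xml):
    """Return (format, value) of the NameID in the first assertion."""
    root = ET.fromstring(response_xml)
    name_id = root.find(".//saml:Assertion/saml:Subject/saml:NameID", SAML_NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion carries no usable NameID")
    # Assumption for this example: no Format attribute means 'unspecified'.
    return name_id.get("Format", UNSPECIFIED), name_id.text.strip()


def resolve_byd_user(response_xml, aliases=USER_ALIASES):
    """Map the NameID to a ByD user ID as the default mapping does
    (NameID value == ByD User Alias). Returns None when the format is
    not 'unspecified' or the alias is unknown, so the caller rejects
    the logon instead of guessing a user."""
    fmt, value = extract_name_id(response_xml)
    if fmt != UNSPECIFIED:
        return None
    return aliases.get(value)
```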

Using multiple Identity Providers and ByD tenants with SSO

Each ByD tenant represents a single Service Provider, which can be “connected” to one or more Identity Providers. SAML-based SSO is configured separately for each Service Provider. Therefore SSO can be used for all your ByD tenants in parallel, and you can use multiple Identity Providers.

Does ByD support LDAP?

LDAP is essentially a directory store and requires direct TCP/IP connections without a proxy or reverse proxy in between. For that reason you can’t use LDAP in the cloud.

If LDAP is required to manage some customer on-premise systems, you may connect LDAP to your IdP, but you can’t connect LDAP to ByD directly.


7 Comments


    1. Knut Heusermann Post author

      Hi Lee,

      currently the Silverlight version is still the default. The default UI is planned to be changed to HTML5 as soon as the HTML5 UI has been completed and our customers have had some time to get used to the new visual design.

      Please check the blog post https://blogs.sap.com/2017/05/09/productive-use-of-the-bydesign-html5-ui-with-1705/ for more details. The blog post describes how to access the HTML5 UI already now as well.

      Best regards,
      Knut

  1. Laco Vosika

    Has anyone come across this Azure AD error?

    Additional technical information:
    Correlation ID: e7591fc5-6abb-4bfc-9f15-3adb659d58f1
    Timestamp: 2017-06-08 02:53:39Z
    AADSTS70001: Application with identifier ‘HTTPS://myXXXXXX-sso.sapbydesign.com’ was not found in the directory TENANTID


      1. Olivier RIPERT

        Hello,


        we are facing the same issue with Microsoft Azure. We opened a ticket with Microsoft and it is under correction.

        Here are the messages from Microsoft:

        I’ve been investigating the application and indeed it is not allowing to do it, as the Service Principal is in direct relation with the Identifier. Right now, the application SAP by Design in Azure does not support the HTTPS pattern for the Identifier field in our backend, and from there the issue. I am working with the Product Group to make this work and accept HTTPS links

        and last one :

        As you know we have identified the reason that the application does not work. The Application metadata needs to be updated to accept HTTPS:// urls.  That cannot happen yet due to an issue with Graph API that does not accept wildcards in the identifier URL.

        Product Group is working on it. Will send you another update on Friday.

        I’ll keep you updated when problem is resolved.

        Best regards,

        Olivier


