Skip to Content
Technical Articles
Author's profile photo Imran Mohammed

Part 1: SAP Cloud Platform Authentication setup using IAS with on-premise corporate Active Directory and MS ADFS

————–Begin Update – 05/02/2019: Following updates are made—————

  1. Removed trusted identity provider between Cloud Platform and MS ADFS. This step is not required because Corporate Identity Provider is added in IAS and the trust is established between IAS & MSADFS.
  2. Added link to Murali Shanmugham blog for his 5- part series of Integrating Identity Authenticationservice & Azure Active Directory in SAP Cloud Platform

—————End update——————————————————————————

In this blog series, I would like to share my experience in enablement of SAP Cloud Platform in 3 part series and share some of the tips and tricks for rapid cloud adoption. When customer decided to adopt SAP Cloud Portal or Fiori Cloud in Cloud Platform (SCP), following set of activities are required.

SAP Cloud Platform Identity Authentication service is a cloud service for secure authentication and user management in SAP cloud and on-premise applications. It provides services for authentication, single sign-on, and user management.

One of the use cases is to allow users to authenticate on SCP from Microsoft Active Directory and ADFS. The scenario is depicted in the picture below.

IAS connect to the Corporate AD via Cloud Connector where IAS is acting like a proxy. Once the user is authenticated, a user is created in IAS tenant, subsequent logins always get authenticated against the corporate Active Directory. Perform the following steps to establish the authentication setup

Connection to Corporate Active Directory

Prerequisite: Cloud connector is installed and connected to SCP subaccount

Change default trust management to custom

  1. Login to SAP Cloud Platform with S or I account, make sure your ID has admin access to perform this operation
  2. Navigate to Security > Trust > Local Service Provider: select Edit and change configuration type from default to custom and download the metadata file

3. Select Application Identity Provider, click on Add Identity Authentication tenant and select tenant

4. Click on the tenant to map the assertion attributes to AD attribute as shown below

Create OAuth Client of type sci/proxy in SAP Cloud Platform

  1. Create OAuth client of a type of sci/proxy as shown below
  2. Remember the client id and secret key this will be used in connection to the corporate user store in IAS tenant settings

Upload Metadata file into IAS applications

  1. Login to IAS tenant, launch tenant from Trust under Application Identity Provider or frame the URL using Http://<tenant>/
  2. Under Applications & Resources, select the application same as tenant name. A custom application gets created upon selecting the custom under Trust done in step #1 above. Note, if you don’t find application, you can create one by selecting plus (+) icon at the bottom of the page
  3. Select SAML 2.0 Configuration and upload the metadata file downloaded in step #1 above

4. You can also change Name ID Attribute and add additional assertion attributes if required

Configure the connection to corporate user store in IAS tenant settings

  1. Under Applications & Resources, select Tenant Settings > Corporate User Store, enter the following details
  2. Select data center for subaccount, technical name= account name, paste client id and secret key from step#2 above

Maintain LDAP connection details in Cloud Connector

  1. Make sure cloud connector is connected and resource status is set to available
  2. Log in to Cloud Connector, select Configuration > Cloud, enter Active Directory details under Cloud User Store section
  3. Make sure secure checkbox is checked and SSL port is opened in the firewall

Test authentication

  1. Launch Cloud portal for testing, enter Active directory credential to log in the application
  2. A request will be redirected to IAS

Enter Active directory domain username (no email)  for the first time and in  subsequent logins, you enter an email address or username.

Connection to Microsoft ADFS using Conditional Authentication

Conditional authentication is one of the features of IAS. Tenant administrator can define rules for authenticating identity provider according to the e-mail domain, user type, user group, and IP range (specified in CIDR notation). Based on the configured rules, IAS forward the request to the respective identity provider. For more information about Conditional Authentication refer to sap help.

Follow the steps below to configure the conditional authentication rule to redirect a user to Microsoft ADFS login page based on email.


Follow the steps mentioned in the blog to configure MS ADFS as an Identity provider


  1. Login to IAS tenant, under Identity Providers, select Corporate Identity Providers and click  on Add link to add the identity provider. Enter Corporate IdP name, click Save


2. . Select SAML 2.0 Configuration and upload the MS ADFS metadata file and save the changes                  

3. Select Identity Provider Type as Microsoft ADFS / Azure AD

4. Navigate back to Applications & Resources menu and select Applications. Select Conditional Authentication link and add the rule as shown in the screenshots below


5. Select Default Identity Provider as IAS

6. Test the cloud portal URL, you will notice that IAS login page is displayed asking for email, based on the email provides, IAS forward the request to ADFS or used AD to authenticate the user

This concludes the part 1. In part 2, we will see how to do Principal Propagation between Cloud application and backend system.

If you want to Integrate IAS with Azure AD, please refer to my colleague Murali Shanmughan 5- part series of Integrating Identity Authenticationservice & Azure Active Directory in SAP Cloud Platform.

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Alexey Suslov
      Alexey Suslov

      Hello Mohammed.

      Thank you for this article.

      It is very helpful for me. But my applications are published on Cloud Foundry.

      Have you the experience with integration Cloud Foundry and local Windows LDAP?

      Did you meet this information?

      Best regards,

      Alexey Suslov

      Author's profile photo Anderson Jesus
      Anderson Jesus

      If you already found this solution share please .. i need the same !!

      Author's profile photo Frans Sundjaja
      Frans Sundjaja

      Great blog. Do we need to have the SCP's Identity Provisioning service for this?



      Author's profile photo Imran Mohammed
      Imran Mohammed
      Blog Post Author

      Hi Sundjaja,

      Normally IAS is already part of SCP license, if in case customer has not opted for it then they need IAS service to be enabled to use this feature. Hope this answer your question.

      Author's profile photo Frans Sundjaja
      Frans Sundjaja

      Thanks for your answer Imran. Actually I was asking whether the Identity Provisioning Service not the IAS. I believe those 2 services are different.


      Thanks again

      Author's profile photo Eugenio Giunta
      Eugenio Giunta

      Hello Mohammed.

      Thank you for your very useful article.

      I'm facing the same scenario as  your with an extra feature regarding groups. What I need is to get logged user group on SCP: if the user is registered on IAS there is no problem, but if the user log on with ADFS? The ADFS user's group is retrieved directly by SCP or I need something to map ADFS group to IAS group? I need addictional configuration on IAS and/or SCP?

      Do you know how achieve this (I need this because on SCP side I have a Fiori Portal with tiles profiled for the different users groups)?


      Thanks in advance

      Author's profile photo Raj Koushik
      Raj Koushik



      I followed SAP tutorials for setting Up Trust Between Identity Authentication and SAP Cloud Platform

      But I'm not able to create Corporate Identity provider as couldn't get how to get metadata file for it.
      Can you please answer how to get metadata file for creating corporate Identity provider?

      Author's profile photo Julius Pereira
      Julius Pereira

      Hi Imran,

      Thanks a ton for taking the time and sharing your experience with this authentication setup. This will definitely go a long way in helping others (like me) who fall under this use case. Appreciate it!

      I had one quick question. In the first diagram in your blog (the scenario diagram) you depicted 2 paths: One where IAS is pointing to a conditional authentication with ADFS and the second where IAS is pointing to Corporate AD via the cloud connector.

      My question is, are both of these needed for the authentication setup or can we choose either of the 2 paths for the user authentication?

      Thank you


      Author's profile photo Julius Pereira
      Julius Pereira

      Hi Imran,

      Referring to the section 'Connection to Microsoft ADFS using Conditional Authentication"

      in this blog, you mentioned a prerequisite was to follow the steps mentioned in the blog to configure MS ADFS as an Identity provider

      My question is assuming I have done the pre-requisite steps i.e. configured MS ADFS as an Identify provider, then what is the purpose of the "Connection to Microsoft ADFS using Conditional Authentication"

      In other words, how is 'Connection to Microsoft ADFS using Conditional Authentication' different from 'configuring MS ADFS as an Identity provider'. Is conditional authentication an alternative to 'configuring MS ADFS as an Identity provider" OR both the steps are necessary to talk to ADFS.

      Thank you