Part 1: SAP Cloud Platform Authentication setup using IAS with on-premise corporate Active Directory and MS ADFS
————–Begin Update – 05/02/2019: Following updates are made—————
- Removed trusted identity provider between Cloud Platform and MS ADFS. This step is not required because Corporate Identity Provider is added in IAS and the trust is established between IAS & MSADFS.
- Added link to Murali Shanmugham blog for his 5- part series of Integrating Identity Authenticationservice & Azure Active Directory in SAP Cloud Platform
In this blog series, I would like to share my experience in enablement of SAP Cloud Platform in 3 part series and share some of the tips and tricks for rapid cloud adoption. When customer decided to adopt SAP Cloud Portal or Fiori Cloud in Cloud Platform (SCP), following set of activities are required.
SAP Cloud Platform Identity Authentication service is a cloud service for secure authentication and user management in SAP cloud and on-premise applications. It provides services for authentication, single sign-on, and user management.
One of the use cases is to allow users to authenticate on SCP from Microsoft Active Directory and ADFS. The scenario is depicted in the picture below.
IAS connect to the Corporate AD via Cloud Connector where IAS is acting like a proxy. Once the user is authenticated, a user is created in IAS tenant, subsequent logins always get authenticated against the corporate Active Directory. Perform the following steps to establish the authentication setup
Connection to Corporate Active Directory
Prerequisite: Cloud connector is installed and connected to SCP subaccount
Change default trust management to custom
- Login to SAP Cloud Platform with S or I account, make sure your ID has admin access to perform this operation
- Navigate to Security > Trust > Local Service Provider: select Edit and change configuration type from default to custom and download the metadata file
3. Select Application Identity Provider, click on Add Identity Authentication tenant and select tenant
4. Click on the tenant to map the assertion attributes to AD attribute as shown below
Create OAuth Client of type sci/proxy in SAP Cloud Platform
- Create OAuth client of a type of sci/proxy as shown below
- Remember the client id and secret key this will be used in connection to the corporate user store in IAS tenant settings
Upload Metadata file into IAS applications
- Login to IAS tenant, launch tenant from Trust under Application Identity Provider or frame the URL using Http://<tenant>/accounts.ondemand.com/admin
- Under Applications & Resources, select the application same as tenant name. A custom application gets created upon selecting the custom under Trust done in step #1 above. Note, if you don’t find application, you can create one by selecting plus (+) icon at the bottom of the page
- Select SAML 2.0 Configuration and upload the metadata file downloaded in step #1 above
4. You can also change Name ID Attribute and add additional assertion attributes if required
Configure the connection to corporate user store in IAS tenant settings
- Under Applications & Resources, select Tenant Settings > Corporate User Store, enter the following details
- Select data center for subaccount, technical name= account name, paste client id and secret key from step#2 above
Maintain LDAP connection details in Cloud Connector
- Make sure cloud connector is connected and resource status is set to available
- Log in to Cloud Connector, select Configuration > Cloud, enter Active Directory details under Cloud User Store section
- Make sure secure checkbox is checked and SSL port is opened in the firewall
- Launch Cloud portal for testing, enter Active directory credential to log in the application
- A request will be redirected to IAS
Enter Active directory domain username (no email) for the first time and in subsequent logins, you enter an email address or username.
Connection to Microsoft ADFS using Conditional Authentication
Conditional authentication is one of the features of IAS. Tenant administrator can define rules for authenticating identity provider according to the e-mail domain, user type, user group, and IP range (specified in CIDR notation). Based on the configured rules, IAS forward the request to the respective identity provider. For more information about Conditional Authentication refer to sap help.
Follow the steps below to configure the conditional authentication rule to redirect a user to Microsoft ADFS login page based on email.
Follow the steps mentioned in the blog to configure MS ADFS as an Identity provider
- Login to IAS tenant, under Identity Providers, select Corporate Identity Providers and click on Add link to add the identity provider. Enter Corporate IdP name, click Save
2. . Select SAML 2.0 Configuration and upload the MS ADFS metadata file and save the changes
3. Select Identity Provider Type as Microsoft ADFS / Azure AD
4. Navigate back to Applications & Resources menu and select Applications. Select Conditional Authentication link and add the rule as shown in the screenshots below
5. Select Default Identity Provider as IAS
6. Test the cloud portal URL, you will notice that IAS login page is displayed asking for email, based on the email provides, IAS forward the request to ADFS or used AD to authenticate the user
This concludes the part 1. In part 2, we will see how to do Principal Propagation between Cloud application and backend system.
If you want to Integrate IAS with Azure AD, please refer to my colleague Murali Shanmughan 5- part series of Integrating Identity Authenticationservice & Azure Active Directory in SAP Cloud Platform.