How to configure Azure AD for Principal Propagation with SAP Cloud Connector
This blog aims to assist anyone who is trying to configure a Principal Propagation scenario between SAP Cloud Platform and a backend system while using Azure as the Identity Provider.
The Principal Propagation method is very popular among customers, and they often use a custom IdP, such as Azure.
When this happens, some adjustments need to be made so that the SAML assertion carries attributes that the SAP Cloud Connector can recognize and use to generate the X.509 certificate, which is then used to authenticate the user in the backend.
What you will need:
- SAP Cloud Platform account
- (Optional) SAP Cloud Platform Identity Authentication tenant
- Microsoft Azure AD
- SAP Cloud Connector
- Backend system (in this case we are going to use an ABAP)
Before you start:
- Make sure that your SAP Cloud Platform account is configured to trust the Azure AD or the Identity Authentication tenant (that trusts the Azure AD)
- Make sure your SAP Cloud Connector is synchronized with both your SAP Cloud Platform account and the Azure AD.
Configure Trusted Entities in the Cloud Connector
- Add a new claim under User Attributes & Claims
- Test to see if the new parameter is now included on the SAML
- Follow the Principal Propagation configuration
1 – Add a new claim under User Attributes & Claims
As we can see in the help page (Configure a Subject Pattern for Principal Propagation), the SAP Cloud Connector expects one of four attributes when performing the Principal Propagation: name, mail, display_name and login_name.
So, when we are configuring a scenario like this, we need to make sure that at least one of the attributes above is present in the SAML assertion sent by the IdP.
In order to make the Azure include this attribute in the SAML, you need to do the following:
- In your Azure account, go to Azure Active Directory -> Enterprise Applications
- All Applications -> SAP Cloud Platform Identity Authentication OR SAP Cloud Platform (depending on whether you are using the IAS tenant or the SCP directly)
- Single sign-on -> User Attributes & Claims
- Click on Add new claim
- Set the Name with one of the four values that the SAP Cloud Connector accepts (name, mail, display_name and login_name) and set the Source Attribute accordingly, then press Save
2 – Test to see if the new parameter is now included on the SAML
- Open your SAP Cloud Platform account
- Go to Services -> Web IDE Full-Stack
- Open Chrome's developer tools (F12)
- Select the SAML tab
- Click on Go to Service
- You will be redirected to the Azure login page. Log in with your Azure user and password.
- You should be able to see the SAML traces recorded in Chrome's DevTools.
- The attribute you included in Azure AD (in this case, login_name) should now be visible in the SAML assertion as follows:
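As an added example (not from the original post), the following Python script parses an assertion captured in the trace above and reports which of the four attributes the Cloud Connector accepts are present. The assertion embedded here is constructed to resemble what Azure AD emits after the login_name claim is added; its tenant id and user values are placeholders.

```python
# Added example (not from the original post): check a SAML assertion for the
# attributes SAP Cloud Connector can use as its Principal Propagation subject.
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# The four attribute names the Cloud Connector accepts in its subject pattern.
ACCEPTED = ("name", "mail", "display_name", "login_name")

# Constructed sample assertion (placeholder tenant id and user values).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder" IssueInstant="2020-01-01T00:00:00Z" Version="2.0">
  <saml:Issuer>https://sts.windows.net/PLACEHOLDER-TENANT-ID/</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
      <saml:AttributeValue>PLACEHOLDER-TENANT-ID</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="login_name">
      <saml:AttributeValue>JDOE</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml):
    """Return {attribute Name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values
    return attrs


def check_assertion(assertion_xml):
    """Split attributes into usable ones (exact accepted name with a non-empty
    value) and near misses: claims whose last URI segment is an accepted name
    but which carry a namespace prefix, so the full Name would not match."""
    attrs = extract_attributes(assertion_xml)
    usable = {n: v for n, v in attrs.items() if n in ACCEPTED and any(v)}
    near_miss = [n for n in attrs
                 if n not in ACCEPTED and n.rsplit("/", 1)[-1] in ACCEPTED]
    return usable, near_miss


if __name__ == "__main__":
    found, warnings = check_assertion(SAMPLE_ASSERTION)
    print("usable attributes:", found)       # {'login_name': ['JDOE']}
    print("namespaced near misses:", warnings)
    print("OK" if found else "no accepted attribute in assertion")
```

Paste the assertion from the DevTools SAML trace in place of the sample to check a real login; a near miss means the claim was created with a namespace in Azure AD and its Name should be reduced to the bare attribute name.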
3 – Follow the Principal Propagation configuration
Now you have everything you need to go through the Principal Propagation configuration.
There is already a good blog about it; check it out: How to Guide – Principal Propagation in an HTTPS Scenario
You can also follow our official documentation:
Configure Principal Propagation to an ABAP System for HTTPS
Just remember the following differences:
- When synchronizing the IdP for Principal Propagation, remember that you will need to synchronize with your custom IdP (Azure AD)
- When configuring the certificates on SAP Cloud Connector, in the Principal Propagation section, use the attribute created in step 1 (the one you customized in Azure AD to be included in the SAML assertion).
That is it!
Feel free to leave any comments or questions. I will be happy to answer.
Error messages for discoverability:
Unable to generate authorization token for user <user> on system <system>:<port>
Support Engineer, SAP Product Support