Technical Articles
How to configure Azure AD for Principal Propagation with SAP Cloud Connector
Hello Everyone
This blog aims to assist anyone that is trying to configure Principal Propagation scenario between SAP Cloud Platform and a backend system, but uses Azure as the Identity Provider.
The Principal Propagation method is very popular among customers and several times they use a custom IdP, like Azure.
When this happens, there are some adjustments that need to be made in order to properly send the attributes in the SAML that the SAP Cloud Connector will be able to recognize and use it to generate the X.509 certificate, used to authenticate the user in the backend.
What you will need:
- SAP Cloud Platform account
- (Optional) SAP Cloud Platform Identity Authentication tenant
- Microsoft Azure AD
- SAP Cloud Connector
- Backend system (in this case we are going to use an ABAP)
Before you start:
- Make sure that your SAP Cloud Platform account is configured to trust the Azure AD or the Identity Authentication tenant (that trusts the Azure AD)
- Make sure your SAP Cloud Connector is synchronized with your SAP Cloud Platform account and also is synchronized with the Azure AD.
Configure Trusted Entities in the Cloud Connector
Configuration Steps:
- Add a new claim under User Attributes & Claims
- Test to see if the new parameter is now included on the SAML
- Follow the Principal Propagation configuration
1 – Add a new claim under User Attributes & Claims
As we can see in the help page (Configure a Subject Pattern for Principal Propagation), the SAP Cloud Connector expects four types of attributes when performing the Principal Propagation. They are the following:
- name
- display_name
- login_name
So, when we are configuring a scenario like this, we need to make sure that at least one of the attributes above will be present in the SAML sent by the IDP.
In order to make the Azure include this attribute in the SAML, you need to do the following:
- In your Azure account, go to Azure Active Directory -> Enterprise Applications
- All Applications -> SAP Cloud Platform Identity Authentication OR SAP Cloud Platform (depending if you are using the IAS tenant or the SCP directly)
- Single sign-on -> User Attributes & Claims
- Click on Add new claim
- Set the Name with one of the four values that the SAP Cloud Connector accepts (name, mail, display_name and login_name) and set the Source Attribute accordingly, then press Save
2 – Test to see if the new parameter is now included on the SAML
- Open your SAP Cloud Platform account
- Go to Services -> Web IDE Full-Stack
- Open the developer tools of the Chrome (F12)
- Select the SAML tab
- Click on Go to Service
- You will be redirected to the Azure login page.
Login with your user and password from Azure - You should be able to see the SAML traces recorded on the Chrome’s DevTools.
- The attribute you included on Azure AD(in this case, login_name) should now be visible in the SAML as follows:
3 – Follow the Principal Propagation configuration
Now you have everything you need to go through the Principal Propagation configuration.
There is a good blog about it already, check it out: How to Guide – Principal Propagation in an HTTPS Scenario
You can also follow our official documentation:
Configure Principal Propagation to an ABAP System for HTTPS
Just remember the following differences:
- When synchronizing the IdP for Principal Propagation, remember that you will need to syncronize with your custom IDP (Azure AD)
- When configuring the certificates on SAP Cloud Connector, in the Principal Propagation section, use the attribute created on step 1 (the one you customized on Azure AD to include in the SAML).
That is it!
Feel free to leave any comments or questions. I will be happy to answer.
Error messages for discoverability:
Unable to generate authorization token for user <user> on system <system>:<port>
Cheers,
Augusto Ferreira
Support Engineer, SAP Product Support
Great blog, Augusto! Thanks for sharing!
Thanks Ervin! 😀
Thanks Augusto Ferreira - really nice blog but it is missing one of the major pieces - the groups/roles the user is assigned to then assert the security in SAP Cloud Platform. For me, this has been seriously tricky in MS Azure as compared to SCIAS (SAP Cloud Platform Identity Authentication Service) or MS ADFS so would be good if you could include this.
If you could add this please then I would feel it is more complete. Thanks!
Hi Phil
Thank you for the feedback.
In this blog post, I'm focusing on the minimal configuration to integrate the Azure with SAP Cloud Platform/SAP Cloud Connector in order to enable the principal propagation.
The idea is to detail and explain what is necessary to make this work.
But anyhow, this is a good idea for another blog post.
Thanks,
Augusto
Hi Augusto Ferreira no problems and yeah I understand the intention of the blog post. Another blog showing the group/roles claims and how they are set up would be good as this is not simple with Azure for some strange reason. I have implemented this quickly for SCIAS and MS ADFS but Azure has not been as straightfoward.
Will look forward to it!
Thanks!
Phil
Hi Phil,
there is another blog post with instructions on how to configure Azure AD as Application Identity Provider on SAP CP:
https://blogs.sap.com/2017/09/27/how-to-guide-integrate-microsoft-azure-active-directory-to-sap-cloud-platform-mobile-services/
Feel free to provide feedback!
There is a page in the Microsoft docs too:
https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/sap-hana-cloud-platform-tutorial
Best Regards,
Lucas
Thanks Lucas, but have the same feedback on this blog post. It covers the main set up requirements but just does not cover the assertion group aspect which is really important. I've set up Microsoft Azure AD as the identity provider to SAP Cloud Platform so know the steps, assertion of the groups though has never been documented - well properly anyway. This is my feedback.
Thanks
Phil
Hi Phil,
We can create an article about it. I'd like to know the most common business scenario. Did you configure the groups claim with their object ID’s?
Lucas
Hello Augusto, am encountering the similar error ... Unable to generate authorization token for user <user>
Any advise ?
Hi Ravi
There is a KBA about this issue. Look for the KBA 2727260 – SAP Cloud Connector – Principal propagation: “CN is not available in context”.
Anyway, this error is caused because the SAML token coming from the identity provider does not contain the SAML assertion which is mapped in Cloud Connector to the client certificate common name field.
The cloud connector only accepts mail, last_name, first_name and login_name.
You need to verify which one you have set your cloud connector to use and validate if it is inside the SAML.
In this blog post, I used the login_name as example, so in the cloud connector, you just need to use the login_name as parameter to generate the x.509.
Thanks,
Augusto
SAP Note https://launchpad.support.sap.com/#/notes/0002727260 highlights now we can use
custom patterns.
Since 2.12.0.1 version the attribute name can be adjusted in the subject pattern configuration, see the online help Configure a Subject Pattern for Principal Propagation.
Tried mapping “uid” as per doc ${uid} custom pattern, in CC I was seeing below error
The variable ‘uid’ needed for object CN is not available in context.
it did not work me, I had to map in SCP cockpit -> Trust ->Assertion to Principal mapping to work.
Again this only worked when I was accessing the app from FLP.
This did not work if I try to access my backed via Web IDE to get OData services ..(Try to create an App via Template)
Hi Augusto
We want configure this same procedure between Azure AD and SCP.
In step 3.1 BASIC CONFIGURATION XML ,,,, where can we find the correct paths for (Sign on url , identifier, and reply url f)ields?
Thanks for your blogs
Best Regards
Hi Franciso
This configuration is not related to the Principal Propagation itself.
But, you can find more details about it here: https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/sap-hana-cloud-platform-tutorial
Regards,
Augusto
Hi Augusto,
Thank you for sharing this great blog. I am wondering if it is possible to setup two SAML in Azure AD. I am about to try it out but there is already SAML configured in our Azure AD but it is pointing to SAP Cloud Platform subaccount.
Regards,
Florence
Hi Florence
I'm not sure I understand your question.
The idea of this blog is to explain how to set the necessary user attributes in the SAML sent by the Azure to the SAP Cloud Platform.
I'm not sure why you would need to configure another SAML for the SAP Cloud Platform... You can just add more parameters to the SAML you are already sending, if you need something different for another application running on SCP.
Thanks,
Augusto
Hi Augusto,
I am configuring SSO for another SAP Cloud Platform subaccount. As I could see, on the current SAML the Sign On URL is pointing to another Cloud subaccount.
Regards,
Florence
Hi Augusto,
I have confused. I want to connect to the Azure Active Directory with cpi using cloud connector. When I configure the destination with LDAP protocol I can not choose the saml2 authantication. How is the configuration in sap cloud connector for connection between sap cloud connector and azure active directory?
Sincerely,
Ceren.