
How to integrate Azure AD with SAP Cloud Platform Cloud Foundry

In this post, we are going to configure Microsoft Azure AD as the Identity Provider of applications running on an SAP Cloud Platform Cloud Foundry account. Furthermore, we are going to grant authorizations (scopes) to users by mapping Azure Groups to Role Collections.

Prerequisites

  • You have a Cloud Foundry subscription or a trial account, and you are a Security administrator of it (meaning that you can see the Security menu in the cloud cockpit).
  • You have an Azure subscription or a free account.
  • You know the basics of SAML 2.0 authentication.

Procedure

  1. Download the metadata file from the Cloud Foundry subaccount.
  2. Add Cloud Foundry as an Enterprise Application on Azure.
  3. Add Azure as Identity Provider in the Cloud Foundry account.
  4. Configure Role Collection mappings.
  5. Test.

1. Download the metadata file from the Cloud Foundry subaccount

To download the metadata file of the subaccount, open a new browser window and enter the SAML metadata endpoint of the UAA (User Account and Authentication Server) tenant, replacing the tenant name and region domain accordingly:

https://<tenant_name>.authentication.<region>.hana.ondemand.com/saml/metadata

Hints:

  • The tenant name is equal to the subaccount domain, which can be found in the Overview page of the subaccount.
  • The correct region domain can be found in the API Endpoint in the same page.

2. Add Cloud Foundry as an Enterprise Application on Azure

Go to the Azure Portal > Azure Active Directory > Enterprise applications, and click on New Application.

Search for the SAP Cloud Platform application in the gallery, give it a name and save it.

Access the newly created application, click on Single sign-on on the left and select SAML.

Upload the metadata file downloaded from the Cloud Foundry account. The Basic SAML Configuration panel will open. Fill in the Sign On URL and save.

Hint: You can set the UAA tenant URL from step 1 as the Sign On URL.

Under ‘2. User Attributes & Claims’, click on the pencil icon, and configure the name identifier, groups and user attributes as shown below (case sensitive):

For the Groups attribute (case sensitive), you will have to use the Advanced options as shown below. The Groups attribute is needed on Cloud Foundry to match with Role Collections and grant authorizations to users in applications. In this tutorial, we are going to use the value “Security groups” (for security groups and Azure AD roles). The “Source attribute” is the attribute that will be used to define Role Collection Mappings in the CF account (step 4).

Finally, download the Federation Metadata XML from Azure:

3. Add Azure as Identity Provider in the Cloud Foundry account

Access your Cloud Foundry account and go to Security > Trust Configuration. Choose New Trust Configuration and import the metadata file downloaded from Azure. The “Link Text” is the text that will be displayed on the logon page of the UAA tenant for end users.

4. Configure Role Collection mappings

The final configuration step is to define Role Collection mappings in order to give users authorizations in the CF applications. This is done with the Groups attribute as explained in step 2.

Go to Security > Trust Configurations > [Azure AD entry] > Role Collection Mappings, and configure it according to the Role Collections that you have for your applications.

Since we selected “Group ID” as the “Source attribute” for the Groups claim, Azure will send the “Object ID” of all groups assigned to the user. They can be seen in the Azure Portal > Azure Active Directory > Groups. Example:
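As an added example (not code from the original post or from SAP), the following script simulates what the UAA does with the Groups claim in step 4: it reads a constructed SAML assertion in which Azure AD sends group Object IDs under the attribute name “Groups”, and resolves them against a constructed Role Collection mapping table. The group IDs and role collection names are placeholders, and the lookup illustrates the case-sensitivity of the attribute name noted in step 2.

```python
"""Added example: resolve Azure AD group Object IDs from a SAML assertion
to Role Collections, mirroring the step 4 mapping. All IDs and names are
constructed placeholders, not real tenant data."""
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the AttributeStatement as Azure AD would send it with the
# Groups claim configured with Source attribute "Group ID" (Object IDs, not names).
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="Groups">
      <saml2:AttributeValue>00000000-0000-0000-0000-00000000aaaa</saml2:AttributeValue>
      <saml2:AttributeValue>00000000-0000-0000-0000-00000000bbbb</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="first_name">
      <saml2:AttributeValue>Jane</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

# Constructed Role Collection Mappings: Azure group Object ID -> Role Collection.
# The second group in the assertion (…bbbb) is deliberately unmapped.
ROLE_COLLECTION_MAPPINGS = {
    "00000000-0000-0000-0000-00000000aaaa": "MyApp_Admin",
    "00000000-0000-0000-0000-00000000cccc": "MyApp_Auditor",
}


def attribute_values(assertion_xml, name):
    """Return all values of the attribute whose Name matches exactly.
    The comparison is case sensitive, so "groups" would not match "Groups"."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml2:Attribute", NS):
        if attr.get("Name") == name:
            values.extend((v.text or "").strip()
                          for v in attr.iterfind("saml2:AttributeValue", NS))
    return values


def role_collections_for(assertion_xml, mappings):
    """Every mapped group ID grants its Role Collection; unmapped IDs grant nothing."""
    groups = attribute_values(assertion_xml, "Groups")
    return sorted({mappings[g] for g in groups if g in mappings})


if __name__ == "__main__":
    print(role_collections_for(SAMPLE_ASSERTION, ROLE_COLLECTION_MAPPINGS))
```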

5. Test

Open a new browser window and enter the UAA tenant URL (from step 1):

https://<tenant_name>.authentication.<region>.hana.ondemand.com

You will still be able to log on with your S-user’s e-mail and password. You will see a link to Azure AD below the form. In the Trust Configuration, you can enable or disable the SAP ID Service or any other IdP you have configured. If you disable the SAP ID Service, you will only see the links to the external Identity Providers. If there is only one Identity Provider configured, you will be automatically redirected to it.

Click on the Azure link and log on with your Azure user. You will be redirected back to the UAA afterwards.

Note: If you get a message similar to “AADSTS50105: The signed in user … is not assigned to a role for the application …” on Azure, you will have to either assign your user to the enterprise application or disable the requirement for user assignment. More information is available in the Azure docs.

The screenshot below means that the authentication was successful. We see “Where to?” because we did not access a CF application, only the UAA tenant page.

Hint: you can check the user’s details, including the groups that were mapped, by accessing the following URL:

https://<tenant_name>.authentication.<region>.hana.ondemand.com/config?action=who&details=true

For troubleshooting, you can use the SAML-tracer extension for Chrome and Firefox. You will be able to see the SAML assertions exchanged between CF and Azure.

Result

You have configured Azure AD as the SAML Identity Provider for your Cloud Foundry applications and delegated authorizations using Azure Groups! Feel free to leave any comment and to check our documentation.

5 Comments
  • Great post and very easily and quickly comprehensible!

    I’m sure this will help a lot of people to leverage their existing Azure AD resources

  • Hi Lucas

    Thank you for a very good blog. I just have one little question. Under point 1 you mention downloading the metadata file. Where can I find this file to download?

    Regards,

    Caroline

    • Hi Caroline,

      Thanks for the feedback!

      To download the metadata file, you have to open a URL in the following format:

      https://<tenant_name>.authentication.<region>.hana.ondemand.com/saml/metadata

      I’ve added some hints on how to find the <tenant_name> and <region> in the step 1.

      Best Regards,
      Lucas

  • Dear Lucas,

    with the help of your post I was able to configure the connection between my Azure AD and the SAP CF Cloud Foundry in just about 20 minutes. But I have some suggestions and comments.

    1. I’ve done several configurations of the Trusted Identity Provider on SAP CP Neo and never had to manually maintain the Sign On URL. I hope that can be included into the metadata download.
    2. Why isn’t the metadata simply provided by a download link like it’s done in SAP CP Neo?
    3. I don’t think that editing the manifest to change the groupMembershipClaims is needed anymore. This can be done via the User Attributes & Claims UI.
    4. You’ve described and I found the details in Federation Attribute Settings of Any Identity Provider regarding the adjusted assertion attributes for first_name, last_name and mail. In SAP CP Neo there was also a mapping possibility for the attributes. That seems to not exist anymore or?

    Best regards
    Gregor


    • Hi Gregor,

      Thanks for the comment.

      For 1 and 2, I will follow up with the responsible people.

      Regarding the point 3, it looks like the User Attributes & Claims configuration was changed after I wrote this blog, so thanks for letting me know. I’ve updated the respective section in the post.

      4. In Cloud Foundry, there is no such mapping for user attributes like there is on Neo. This whole architecture is based on the UAA project of the Cloud Foundry platform, so I’m not sure if the same feature can be implemented on CF. Another point to follow up.

      Best Regards,
      Lucas