Integrating Identity Authentication service & Azure Active Directory in SAP Cloud Platform – Proxy & Conditional Authentication scenarios – Part 1
In this blog series, I am going to explain some of the different scenarios when configuring Identity Authentication Service (IAS) as well as Azure Active Directory (AD) with SAP Cloud Platform. These are some of the most commonly used authentication services used to authenticate users accessing apps/portal sites on SAP Cloud Platform.
This is not a step-by-step guide. I will point to some of the existing blogs/articles where you can get more details on the individual scenarios.
For this blog, I have already prepared a supplier Portal site with apps and roles defined. To know more about creating Portal sites in SAP Cloud Platform, please go through this openSAP course.
In the below screenshot, I have defined a Portal role called supplier and assigned my catalog/group to this role.
The Portal role has been mapped to the SAP Cloud Platform group called “cp_suppliers”.
SAP Cloud Platform does not hold any users. All the users reside in the Identity Provider of your choice. Later in the blog, I will show how you can map these SAP Cloud Platform groups to the users who log in to the apps/portal sites. For this scenario, assume that IAS stores users with the domain Gmail.com and Azure AD stores users with the domain Outlook.com.
Configuring Identity Authentication Service (IAS) with SAP Cloud Platform
For detailed step-by-step instructions, follow this YouTube video. I am repeating the steps here for continuity with the next blog. I have also posted another blog series focusing only on IAS and its capabilities – “Setting up Authentication for Cloud Portal using Cloud Identity”.
In your SAP Cloud Platform account, set the “Local Service Provider” to custom and download the metadata file.
Navigate to the IAS administration screen and create an application for the SAP Cloud Platform account. In the below example, I have kept the name as IAS.
Under Trust, set the below values:
- Type – SAML 2.0
- SAML 2.0 Configuration – Upload the metadata obtained from your SAP Cloud Platform account
- Name ID Attribute – Set it as E-Mail
- Assertion Attributes – Add a new assertion attribute for groups as shown below. This attribute is what carries the user's IAS groups in the SAML assertion, and it will be used later for the group mappings between IAS and SAP Cloud Platform.
For demonstration purposes, I have already created a group in IAS called “ias_supplier” and assigned it to my user P000008. Notice that this user has the email address firstname.lastname@example.org . I am using IAS to store users with one domain, and in this case it is Gmail.com.
Navigate back to your SAP Cloud Platform account and click on “Add trusted Identity Provider”
Ensure that the Assertion Consumer Service is set to “Assertion Consumer Service” and that the signature algorithm is SHA-256.
In the Principal attribute, I am mapping the attributes from IAS with SAP Cloud Platform. After a successful logon, when you click on the user profile icon in the Fiori Launchpad, you will be able to see the first name and last name of the logged on user (propagated from IAS).
Finally, one of the most important steps is the group mapping. Notice that I have mapped the SAP Cloud Platform group called “cp_supplier” to “ias_supplier”. This ensures that when a user who has the proper group in IAS logs on, they are assigned the apps for the corresponding mapped group in SAP Cloud Platform.
Note: The changes which you make in the group/attribute section are cached, and it takes a while (1~2 mins) for the cache to invalidate. Pay attention to this and you will save yourself a couple of hours.
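To make the attribute and group-mapping steps concrete, here is an added Python example (not code from this blog, from SAP or from IAS) that parses a constructed, unsigned SAML assertion of the shape IAS issues, reads the e-mail NameID, the first/last name attributes and the groups assertion attribute, checks that the declared signature algorithm is RSA-SHA256 as required by the trust settings above, and applies the same IAS-to-SAP Cloud Platform group mapping. The attribute names `first_name`, `last_name` and `groups`, the sample user and the second group `ias_other` are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Mapping configured on the trusted IdP in SAP Cloud Platform: IAS group -> SCP group.
GROUP_MAPPING = {"ias_supplier": "cp_supplier"}

# Constructed sample assertion (assumption; not a real IAS-issued assertion and carrying
# no real signature value). The SignatureMethod is kept so the SHA-256 check has input.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  </ds:SignedInfo></ds:Signature>
  <saml:Subject><saml:NameID>firstname.lastname@example.org</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="first_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="last_name"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups"><saml:AttributeValue>ias_supplier</saml:AttributeValue>
      <saml:AttributeValue>ias_other</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Return (name_id, {attribute name: [values]}) after checking the signature algorithm."""
    root = ET.fromstring(xml_text)
    sig = root.find(".//ds:SignatureMethod", NS)
    # Mirrors the "signature is SHA-256" trust setting; anything else is rejected.
    if sig is None or not sig.get("Algorithm", "").endswith("rsa-sha256"):
        raise ValueError("assertion is not signed with RSA-SHA256")
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return name_id, attrs


def map_groups(idp_groups, mapping=GROUP_MAPPING):
    # Only IdP groups with an explicit mapping entry grant an SCP group; others are ignored.
    return sorted({mapping[g] for g in idp_groups if g in mapping})


def resolve_user(xml_text):
    """Build the SCP-side view of the user: principal attributes plus mapped groups."""
    email, attrs = parse_assertion(xml_text)
    return {
        "email": email,
        "first_name": attrs.get("first_name", [None])[0],
        "last_name": attrs.get("last_name", [None])[0],
        "scp_groups": map_groups(attrs.get("groups", [])),
    }
```

A user whose IAS groups have no mapping entry ends up with an empty `scp_groups` list and therefore sees no apps, which is the symptom you get while the mapping cache mentioned above has not yet refreshed.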
Once the configurations are saved, any calls which go out to apps/portal sites in this SAP Cloud Platform account will be redirected to IAS for authentication. Below is the logon screen which I have configured in IAS; it shows up when accessing the supplier portal site (configured earlier).
Once IAS has authenticated me, I am able to see the Supplier portal with all the relevant apps (based on my role).
When you check the user profile, you will notice that the first name, last name and email address have been mapped accordingly in SAP Cloud Platform.