Integrating Identity Authentication service & Azure Active Directory in SAP Cloud Platform – Proxy & Conditional Authentication scenarios – Part 2
This section of the blog focuses on using Azure AD as the SAML provider. In most organizations this is the default Identity Provider in which all employees are maintained. Microsoft provides a detailed step-by-step tutorial on this setup.
To get started, you first need to create Enterprise Applications within your Azure Active Directory service. Note the two standard SAP apps shown below, which are already available in the Azure gallery. For this section of the blog, we will be using “SAP Cloud Platform”.
For this demonstration, I have already created an app called “SCPTrial” based on the “SAP Cloud Platform” application from the gallery.
In the “Single Sign-on” section, I followed the tutorial above to provide the following values:
- Identifier: https://hanatrial.ondemand.com/p1942768752trial (This should match the Local Provider name in SAP Cloud Platform)
- Reply URL: https://authn.hanatrial.ondemand.com/saml2/sp/acs/p1942768752trial/p1942768752trial
If your account is a productive account in the EU, the Reply URL follows a pattern such as https://authn.hana.ondemand.com/saml2/sp/acs/<accountname>/<accountname>
- Sign on URL: https://flpportal-p1942768752trial.dispatcher.hanatrial.ondemand.com/sites (URL to the portal service)
In the “User attributes & claims” section, I changed the unique user identifier to user.mail and also added a new claim called “Department”.
Once you have made these changes, download the Federation Metadata XML file.
For demonstration, I added a user to this application. This user has an Outlook.com email address and a department with the value “az_purchaser”.
Switch to the SAP Cloud Platform and add another Trusted Identity Provider.
Upload the metadata obtained when configuring the app in Azure AD.
In the attributes tab, you need to map the first name, last name and email address from Azure AD to SAP Cloud Platform.
If you are not sure, you can obtain the namespace of the assertion attributes from the “User Attributes & claims” section of your Azure AD setup.
Finally, we also need to provide the group mappings. For demonstration, I mapped the SAP Cloud Platform group “cp_suppliers” to the Department “az_purchaser”. Notice that under the mapping rule I used the value “Department”; this must match the claim name exactly as shown in the screen above. I did not provide a namespace for this claim, so it will not carry a prefix such as http://schemas.xmlsoap.org/ws/2005/05/identity/claims
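The attribute and group mappings above can be checked offline before testing the login. The following is an added example, not code from the original post or from SAP Cloud Platform: it reads the AttributeStatement of a constructed sample assertion and applies the same two rules, namespaced standard claims for the principal attributes and a plain (un-namespaced) “Department” claim for the group rule. The claim URIs for givenname, surname and emailaddress and the sample user values are assumptions.

```python
# Added example (not from the original post): replay the attribute and
# group mapping configured on the trusted IdP against a constructed assertion.
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# Attribute mapping as entered on the trusted IdP's "Attributes" tab
# (assertion attribute name -> SCP principal attribute). Assumed claim URIs.
ATTRIBUTE_MAP = {
    CLAIMS + "givenname": "first_name",
    CLAIMS + "surname": "last_name",
    CLAIMS + "emailaddress": "mail",
}

# Group mapping rules: (SCP group, assertion attribute name, required value).
GROUP_RULES = [("cp_suppliers", "Department", "az_purchaser")]

# Constructed sample assertion (fictitious user; signature omitted).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>jane.doe@outlook.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Department">
      <saml:AttributeValue>az_purchaser</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def read_attributes(assertion_xml):
    """Return {attribute Name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values
    return attrs


def map_principal(attrs):
    """Apply ATTRIBUTE_MAP and GROUP_RULES; names must match exactly, namespace included."""
    principal = {target: attrs[name][0] for name, target in ATTRIBUTE_MAP.items() if attrs.get(name)}
    principal["groups"] = sorted(g for g, name, v in GROUP_RULES if v in attrs.get(name, []))
    return principal
```

Renaming the claim to a namespaced URI in Azure AD while leaving the rule as plain “Department” yields an empty group list, which is the silent failure the namespace remark above warns about.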
Save your changes and prepare to test this scenario. Since we already configured IAS as the default Identity Provider, you now need to make Azure AD the default Identity Provider.
When you try to access the Portal site, you are now taken to the Azure AD login screen. I can log in with the user for which access to this app was configured in Azure AD.
On successful authentication, I am presented with the supplier portal site and all the relevant apps.
If you would like to use both Identity Providers for different apps or portal sites, you can leverage the saml2idp parameter. I have explained this in detail in the blog post “Using multiple Identity Providers for a Portal site in SAP Cloud Platform”.