Skip to Content
Technical Articles
Author's profile photo Murali Shanmugham

Integrating Identity Authentication service & Azure Active Directory in SAP Cloud Platform – Proxy & Conditional Authentication scenarios – Part 2

This section of the blog focuses on using Azure AD as the SAML provider. In most of the organizations, this is the default Identity Provider where all the employees are maintained. There is a detailed step-by-step tutorial on this from Microsoft.

Tutorial: Azure Active Directory integration with SAP Cloud Platform

To get started, you will need to first create Enterprise Applications within your Azure Active Directory service. Note the below two standard apps which are already made available in Azure. For this section of the blog, we will be using “SAP Cloud Platform”

For this demonstration, I have already created an app called “SCPTrial” based on the “SAP Cloud Platform” application from the gallery.

In the “Single Sign-on” section, I have followed the above tutorial to provide the values for the below:

  1. Identifier: https://hanatrial.ondemand.com/p1942768752trial (This should match the Local Provider  name in SAP Cloud Platform)
  2. Reply URL: https://authn.hanatrial.ondemand.com/saml2/sp/acs/p1942768752trial/p1942768752trial

If your account is a productive account in EU, then it will follow a pattern such as – https://authn.hana.ondemand.com/saml2/sp/acs/<accountname>/<accountname>

  1. Sign on URL: https://flpportal-p1942768752trial.dispatcher.hanatrial.ondemand.com/sites (URL to the portal service)

In the “User attributes & claims” section, I have changed the unique user identifier to user.mail and also added a new claim called “Department”

Once you have made these changes, download the Federation Metadata XML file.

For demonstration, I have added a user to this application. This user has an email domain with Outlook.com and also a department with value “az_purchaser”

Switch to the SAP Cloud Platform and add another Trusted Identity Provider.

Upload the metadata obtained when configuring the app in Azure AD.

In the attributes tab, you will need to map the first name, last name and email address from Azure AD to SAP Cloud Platform.

If you are not sure, you can obtain the namespace of the assertion attributes from the “User Attributes and claims” section in your Azure AD setup.

Finally, we need to also provide the group mappings. For demonstration, I have mapped the SAP Cloud Platform group “cp_suppliers” with the Department “az_purchaser”. Notice that under mapping rule, I have the value as “Department” and this should match the claim name as shown in the above screen. I haven’t provided a namespace for this claim and hence it wouldn’t have prefix such as http://schemas.xmlsoap.org/ws/2005/05/identity/claims

Save your changes and prepare to test this scenario. Since we have already configured IAS as the default Identity Provider, you would now need to make Azure AD as the default Identity Provider.

When you try to access the Portal site, this will now take you to the Azure AD login screen. I can now login with the user (for which access to this app has been configured in Azure AD)

On successful authentication, I will be presented the supplier portal site with all the relevant apps.

If you will like to use both the Identity Providers for different apps/portal sites, you can leverage the saml2idp parameter. I have explained this in detail in this blog post – “Using multiple Identity Providers for a Portal site in SAP Cloud Platform

Part 3 – Configuring Identity Authentication service as a Proxy for Azure AD

Assigned Tags

      2 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Jacklyn James
      Jacklyn James

      Hi Murali,

      Thanks a lot for breaking it down this well. All your blogs are amazing.

      Regards

      Jacklyn

      Author's profile photo adrian di ruggiero
      adrian di ruggiero

      Hello,

      Thank you for writing this blog series. They are very clear and useful.

      Right now, I'm having trouble to retrieve in SCP some user Attributes, using /services/userapi/currentUser functionality (https://blogs.sap.com/2015/04/16/using-the-hcp-user-api-in-web-ide/). Even when the SAML assertion ticket is returning all the attributes I've selected, only "standards" are filled (name, firstName, lastName, displayName, email), but I couldn't find a way to retrieve "employeeId" (or someone else, even if I mapped in SCP in the attributes tab).

      What am I missing?

      Thank you in advance.