
Integrating Identity Authentication service & Azure Active Directory in SAP Cloud Platform – Proxy & Conditional Authentication scenarios – Part 3

This section of the blog focuses on using IAS as a proxy for Azure AD when authenticating apps/portal sites in SAP Cloud Platform. In this approach, IAS will be configured as an IdP with SAP Cloud Platform. However, all authentication requests will be forwarded to Azure AD as IAS acts as a proxy. This will be the default scenario for cloud solutions like SuccessFactors in the coming months.

There is a detailed step-by-step tutorial on this from Microsoft.

Tutorial: Azure Active Directory integration with SAP Cloud Platform Identity Authentication

To get started, you will need to first create an Enterprise Application within your Azure Active Directory service. This time you will use the application “SAP Cloud Platform Identity Authentication”.

I have created an application called “IAS”. In the “Single Sign-on” section, I have provided the below values.

  • Identifier: hcpta.accounts.ondemand.com (hcpta is my tenant ID)

Note: Do not provide https:// in the beginning. You will get an error AADSTS700016: Application with identifier ‘XXXX.accounts.ondemand.com’ was not found in the directory ‘9e56a4763903-f7fc-4163-b6e7- f7fc’.

Save your settings and download the Federated metadata XML file.

Switch to the IAS Administration console. In the “Corporate Identity Providers” menu, create a new entry. I have given it the name “Azure AD”.

  • SAML 2.0 configuration – Upload the metadata XML file obtained from Azure AD
  • Identity Provider Type – Set it to “Microsoft ADFS/Azure AD”.

If you don’t set this, you will get an error “The SAML authentication request property ‘Scoping/ProxyCount’ is not supported”. The resolution for this is documented in this SAP Note.

  • Name ID Format – Set this to Email


Navigate to the SAP Cloud Platform application which you had earlier configured in IAS. Look for “Conditional Authentication” under the Trust tab.

Set the default Identity Provider to the Corporate Identity Provider configured earlier. In my example, it’s Azure AD.

Before testing, we need to switch the default IdP in SAP Cloud Platform back to IAS. The configuration we created earlier for Azure AD can be deleted, as we would now be accessing Azure AD via IAS.

Since the SAML assertions would be passed from Azure AD, we need to now map the SAP Cloud Platform groups to the Department “az_purchaser” used earlier.

Now when I access the supplier portal site, it will take me to the Azure AD login screen.

On successful authentication (using my user whose email domain is outlook), I am able to access the supplier portal.
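The two things that change once IAS proxies to Azure AD are what arrives in the assertion (an e-mail NameID, the Audience equal to the tenant identifier registered without https://, and the Department attribute that is now the only source for group assignment). The following script is an added example, not part of the original post or of any SAP or Microsoft tooling; it parses a constructed assertion and reports whether those expectations hold, which is the check to run on a SAML-tracer capture when the login succeeds but the portal shows no groups. The tenant name, the Department value and the group name “Purchaser” are assumptions.

```python
"""Check a SAML assertion as IAS would receive it from Azure AD in the proxy
scenario: NameID must be in emailAddress format, the Audience must equal the
tenant identifier registered in Azure AD (no https://), and the Department
attribute is mapped to an SAP Cloud Platform group.
The assertion below is a constructed sample, not a real trace."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Assumption: tenant identifier exactly as entered in the Azure AD app
EXPECTED_AUDIENCE = "hcpta.accounts.ondemand.com"
# Assumption: Department attribute value -> SAP Cloud Platform group name
DEPARTMENT_TO_GROUP = {"az_purchaser": "Purchaser"}

# Constructed sample assertion (signature and timestamps omitted)
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@outlook.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>hcpta.accounts.ondemand.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="Department">
      <saml:AttributeValue>az_purchaser</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text, expected_audience=EXPECTED_AUDIENCE,
                    mapping=DEPARTMENT_TO_GROUP):
    """Return the e-mail subject, the mapped groups and a list of problems."""
    root = ET.fromstring(xml_text)
    problems = []

    # 1. NameID must be present and declared as an e-mail address
    name_id = root.find("saml:Subject/saml:NameID", NS)
    email = None
    if name_id is None:
        problems.append("no NameID in Subject")
    else:
        email = (name_id.text or "").strip()
        fmt = name_id.get("Format")
        if fmt != EMAIL_FORMAT:
            problems.append(f"NameID format is {fmt}, expected emailAddress")

    # 2. Audience must match the identifier registered in Azure AD
    audiences = [a.text.strip() for a in root.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if expected_audience not in audiences:
        problems.append(f"audience {audiences} does not contain {expected_audience}")

    # 3. Department attribute drives group assignment; unmapped values are reported
    departments = [v.text.strip() for v in root.findall(
        "saml:AttributeStatement/saml:Attribute[@Name='Department']/saml:AttributeValue",
        NS) if v.text]
    groups = sorted({mapping[d] for d in departments if d in mapping})
    unmapped = [d for d in departments if d not in mapping]
    if unmapped:
        problems.append(f"unmapped Department values: {unmapped}")

    return {"email": email, "groups": groups, "problems": problems}


if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION))
```

Feed it the decoded assertion from a SAML-tracer capture instead of the sample; a non-empty `problems` list points at the Name ID Format setting, the Identifier registered in Azure AD, or a missing group mapping respectively.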

Part 4 – Configuring Conditional Authentication in Identity Authentication Service

2 Comments
  • Murali,

    Great Blog Sir!

    Question:

    We are using IAS as the proxy to an IDP (Ping) – directly, not via a cloud connector (Corporate IdP Scenario). If I do not configure the IdP as the Default Identity Provider (in IAS), I can log in to the subaccount directly with http://account-(subaccount_name).us3.hana.ondemand.com. I can also get to an application like webIDE with https://webidecp-(subaccount_name).dispatcher.us3.hana.ondemand.com since I set up users in the IAS and pointed both the App-IdP and Platform-IdP of the subaccount to the IAS.

    To set up the IDP,

    1. I imported its meta-data file which populated everything. Made no changes, SAVED
    2. Left Name ID Format at default.
    3. Set “Forward All SSO Request to Corporate IdP” to on.
    4. Changed the subaccount “application” to point to the IDP. SAVED

    When I go to log in to the subaccount URL, it redirects me to the IDP’s login page. After I provide credentials, I’m redirected back to the Cloud Platform where I get the following error:


    SAML-Tracer says:

    <samlp:StatusMessage>Unknown AssertionConsumerServiceURL https://(IAS).accounts.ondemand.com/saml2/idp/acs/<IAS>.accounts.ondemand.com</samlp:StatusMessage>

    Of course, this is the same URL that is in the IAS meta-data file as the AssertionConsumerService that was provided to the IdP.

    I could see it if the SSO between the IAS and Subaccount wasn’t working, but it is. It’s just when I flip the switch that I get this error. The fact that after logging in I get to this SAP Cloud error screen lets me know authentication was successful and is trying to pass the Assertion back to IAS for processing where I get this error.

    Thoughts on the error?

    Thanks in advance.

    • Hi Andrew,

      Maybe it is worth checking the SAML trace for the configuration itself once, for all mandatory parameters like first name, last name and mail ID etc. And try to map the parameters in IAS in case you find any differences.

      Regards

      Ravindra
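The two errors that come up on this page, “Unknown AssertionConsumerServiceURL” in the comment above and “Scoping/ProxyCount is not supported” in the post, can both be read off the AuthnRequest that SAML-tracer captures. The script below is an added example, not part of the original post, the comments, or any SAP tooling: it compares the request’s AssertionConsumerServiceURL against the AssertionConsumerService locations published in the IAS (SP) metadata and flags a Scoping element carrying ProxyCount. The metadata, the request, and the tenant name “mytenant” are constructed samples; whether a mismatch is the actual cause of the commenter’s error is not something this page settles.

```python
"""Diagnose a SAML AuthnRequest from a SAML-tracer capture against the SP
metadata IAS publishes:
  1. the AssertionConsumerServiceURL must be one of the metadata's
     AssertionConsumerService Locations, or the IdP rejects the request
     with "Unknown AssertionConsumerServiceURL";
  2. a Scoping/ProxyCount element is flagged, because ADFS/Azure AD reject
     it unless the corporate IdP type is set to "Microsoft ADFS/Azure AD".
Both XML documents are constructed samples."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}

# Constructed SP metadata in the shape IAS publishes (signing key omitted)
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://mytenant.accounts.ondemand.com">
  <md:SPSSODescriptor>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://mytenant.accounts.ondemand.com/saml2/idp/acs/mytenant.accounts.ondemand.com"
        index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed AuthnRequest: ACS URL names a different tenant than the metadata,
# and it carries a Scoping/ProxyCount element
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="https://mytenant.accounts.ondemand.com/saml2/idp/acs/othertenant.accounts.ondemand.com">
  <samlp:Scoping ProxyCount="0"/>
</samlp:AuthnRequest>"""


def acs_locations(metadata_xml):
    """Set of AssertionConsumerService Location URLs declared by the SP."""
    root = ET.fromstring(metadata_xml)
    return {e.get("Location") for e in
            root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)}


def diagnose_request(request_xml, metadata_xml):
    """Return a list of findings; an empty list means both checks passed."""
    root = ET.fromstring(request_xml)
    findings = []

    # Check 1: ACS URL in the request must be known to the SP metadata
    acs = root.get("AssertionConsumerServiceURL")
    known = acs_locations(metadata_xml)
    if acs is None:
        findings.append("AuthnRequest has no AssertionConsumerServiceURL")
    elif acs not in known:
        findings.append(f"ACS URL {acs} is not in SP metadata {sorted(known)}")

    # Check 2: Scoping/ProxyCount present -> IdP type must be ADFS/Azure AD
    scoping = root.find("samlp:Scoping", NS)
    if scoping is not None and scoping.get("ProxyCount") is not None:
        findings.append("AuthnRequest carries Scoping/ProxyCount; "
                        "set the corporate IdP type to Microsoft ADFS/Azure AD")
    return findings


if __name__ == "__main__":
    for finding in diagnose_request(AUTHN_REQUEST, SP_METADATA):
        print(finding)
```

Paste the decoded AuthnRequest and the metadata XML downloaded from the IAS tenant in place of the two samples; the first finding tells you whether the IdP really has the ACS URL IAS is sending, and the second whether the corporate IdP type still needs to be changed.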