Integrating Identity Authentication service & Azure Active Directory in SAP Cloud Platform – Proxy & Conditional Authentication scenarios – Part 3
Integrating Identity Authentication service & Azure Active Directory in SAP Cloud Platform:
- Part 1 – Configuring Identity Authentication Service with SAP Cloud Platform
- Part 2 – Configuring Azure Active Directory with SAP Cloud Platform
- Part 3 – Configuring Identity Authentication service as a Proxy for Azure AD
- Part 4 – Configuring Conditional Authentication in Identity Authentication Service
This part of the series focuses on using IAS as a proxy for Azure AD when authenticating apps and portal sites in SAP Cloud Platform. In this approach, IAS is configured as the IdP of SAP Cloud Platform, but every authentication request is forwarded to Azure AD, with IAS acting as a proxy. This will be the default scenario for cloud solutions like SuccessFactors in the coming months.
There is a detailed step-by-step tutorial on this from Microsoft.
Tutorial: Azure Active Directory integration with SAP Cloud Platform Identity Authentication
To get started, first create an Enterprise Application within your Azure Active Directory service. This time, use the gallery application “SAP Cloud Platform Identity Authentication”.
I have created an application called “IAS”. In the “Single Sign-on” section, I have provided the values below.
- Identifier: hcpta.accounts.ondemand.com (hcpta is my tenant ID)
Note: At the time of writing this blog post, I did not have to provide https:// at the beginning. It gave me an error AADSTS700016: Application with identifier ‘XXXX.accounts.ondemand.com’ was not found in the directory ‘9e56a4763903-f7fc-4163-b6e7- f7fc’. As of Aug 2019, it appears that there have been some changes on Azure and it now requires the use of https.
- Reply URL: https://hcpta.accounts.ondemand.com/saml2/idp/acs/hcpta.accounts.ondemand.com
- Sign on URL: https://flpportal-p1942768752trial.dispatcher.hanatrial.ondemand.com/sites (Link to the Portal service)
Save your settings and download the Federated metadata XML file.
Switch to IAS Administration console. In the “Corporate Identity Providers” menu, create a new entry. I have given it the name “Azure AD”.
- SAML 2.0 configuration – Upload the metadata XML file obtained from Azure AD
- Identity Provider Type – Set it to “Microsoft ADFS/Azure AD”.
If you don’t set this, you will get the error “The SAML authentication request property ‘Scoping/ProxyCount’ is not supported”. The resolution for this is documented in this SAP Note.
- Name ID Format – Set this to Email
Navigate to the SAP Cloud Platform application which you had earlier configured in IAS. Look for “Conditional Authentication” under the Trust tab.
Set the default Identity Provider to the Corporate Identity Provider configured earlier. In my example, it's Azure AD.
Before testing, we need to switch the default IdP in SAP Cloud Platform back to IAS. The trust configuration we created earlier for Azure AD can be deleted, since Azure AD is now reached via IAS.
Since the SAML assertions now originate from Azure AD, we need to map the SAP Cloud Platform groups to the Department value “az_purchaser” used earlier.
Now when I access the supplier portal site, it will take me to the Azure AD login screen.
On successful authentication (using my user whose email domain is outlook), I am able to access the supplier portal.
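As an added check (not part of the original post), the script below parses the SP metadata that IAS hands to the corporate IdP and flags the two mismatches discussed on this page: an Identifier typed without the https:// scheme, and a Reply URL that is not the ACS Location from the metadata (the “Unknown AssertionConsumerServiceURL” case in the comments). The metadata is a constructed sample using the hcpta tenant from the post; the function names are my own.

```python
"""Consistency check for an IAS-as-proxy SAML setup (added example, not from the blog).

Compares the Identifier and Reply URL an admin typed into the Azure AD enterprise
app against what the IAS SP metadata actually publishes, including the https scheme.
"""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample of IAS SP metadata; "hcpta" is the tenant from the blog post.
IAS_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://hcpta.accounts.ondemand.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://hcpta.accounts.ondemand.com/saml2/idp/acs/hcpta.accounts.ondemand.com"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text):
    """Return (entityID, set of AssertionConsumerService Locations) from SP metadata."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    acs = {e.get("Location") for e in root.findall(".//md:AssertionConsumerService", NS)}
    return entity_id, acs


def check_azure_app_values(xml_text, identifier, reply_url):
    """Compare admin-typed Azure AD values with what IAS publishes.

    Returns a list of human-readable findings; an empty list means consistent.
    """
    entity_id, acs_urls = parse_sp_metadata(xml_text)
    findings = []
    if identifier != entity_id:
        msg = f"Identifier {identifier!r} != metadata entityID {entity_id!r}"
        if not identifier.startswith("https://"):
            msg += " (scheme missing: Azure AD now requires https://)"
        findings.append(msg)
    if reply_url not in acs_urls:
        findings.append(f"Reply URL {reply_url!r} is not an AssertionConsumerService "
                        f"Location in the metadata; the IdP will reject the response")
    return findings
```

Run the check before uploading the metadata to the corporate IdP; copying the ACS Location from the parsed metadata rather than retyping it avoids the mismatch entirely.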
Part 4 – Configuring Conditional Authentication in Identity Authentication Service
Murali,
Great Blog Sir!
Question:
We are using IAS as the proxy to an IDP (Ping) – directly, not via a cloud connector (Corporate IdP Scenario). If I do not configure the IdP as the Default Identity Provider (in IAS), I can log in to the subaccount directly with http://account-(subaccount_name).us3.hana.ondemand.com. I can also get to an application like webIDE with https://webidecp-(subaccount_name).dispatcher.us3.hana.ondemand.com since I set up users in the IAS and pointed both the App-IdP and Platform-IdP of the subaccount to the IAS.
To set up the IDP,
When I go to log in to the subaccount URL, it redirects me to the IDP's login page. After I provide credentials, I’m redirected back to the Cloud Platform where I get the following error:
SAML-Tracer says:
<samlp:StatusMessage>Unknown AssertionConsumerServiceURL https://(IAS).accounts.ondemand.com/saml2/idp/acs/<IAS>.accounts.ondemand.com</samlp:StatusMessage>
Of course, this is the same URL that is in the IAS meta-data file as the AssertionConsumerService that was provided to the IdP.
I could see it if the SSO between the IAS and Subaccount wasn’t working, but it is. It's just when I flip the switch that I get this error. The fact that after logging in I get to this SAP Cloud error screen lets me know authentication was successful and it is trying to pass the Assertion back to IAS for processing, where I get this error.
Thoughts on the error?
Thanks in advance.
Hi Andrew,
Maybe it is worth checking the SAML trace for the configuration itself once, for all mandatory parameters like first name, last name and mail id etc., and trying to map the parameters in IAS in case you find any differences.
Regards
Ravindra
This was resolved. The Corporate IdP administrator was mis-typing the ACS and other URLs instead of looking into the XML we provided. Once that was done, everything worked.
Thanks
Hi,
First, thank you for this blog. It is very detailed and good to follow.
I have followed the steps and was able to set up the IdP, but my problem is that when logon is completed, it shows my email as Name instead of showing my actual name. I feel like I am missing a mapping somewhere but I can't tell where. Can you please advise?
Thanks,
Rutul