Integrating Identity Authentication service & Azure Active Directory in SAP Cloud Platform – Proxy & Conditional Authentication scenarios – Part 3
This part of the blog covers using IAS as a proxy in front of Azure AD when authenticating applications and Portal sites in SAP Cloud Platform. In this approach IAS remains the identity provider that SAP Cloud Platform trusts, but it does not authenticate users itself: every authentication request is forwarded to Azure AD, where the user actually signs in, and SAP Cloud Platform only ever receives an assertion issued by IAS. This will be the default scenario for cloud solutions such as SuccessFactors in the coming months.
There is a detailed step-by-step tutorial on this from Microsoft.
To get started, create a new Enterprise Application in your Azure Active Directory tenant. This time, pick the gallery application “SAP Cloud Platform Identity Authentication”.
I have created an application called “IAS”. In the “Single Sign-on” section, I have provided the values below.
- Identifier: hcpta.accounts.ondemand.com (hcpta is my tenant ID)
Note: When I first wrote this post, the identifier did not need the https:// prefix. As of Aug 2019 something appears to have changed on the Azure side and the prefix is now required; without it, sign-in fails with the error AADSTS700016: Application with identifier ‘XXXX.accounts.ondemand.com’ was not found in the directory ‘9e56a4763903-f7fc-4163-b6e7- f7fc’. Azure AD looks up the application by the Issuer value in the incoming SAML request, so the Identifier must match the entity ID IAS sends exactly, including the scheme.
- Reply URL: https://hcpta.accounts.ondemand.com/saml2/idp/acs/hcpta.accounts.ondemand.com
- Sign on URL: https://flpportal-p1942768752trial.dispatcher.hanatrial.ondemand.com/sites (the URL of the Portal service site)
Save your settings and download the Federated metadata XML file.
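Before uploading the file to IAS it is worth checking what you downloaded, because IAS will trust whatever signing certificate is inside it. The Python script below is an added example (not part of the original post, and not SAP or Microsoft code): it reads the federation metadata, lists the entity ID, the single sign-on endpoints and the SHA-1/SHA-256 thumbprints of the signing certificates, so the SHA-1 value can be compared with the thumbprint shown in the Azure portal. The metadata it parses is constructed to mirror the layout Azure AD serves; the tenant GUID and the certificate bytes are placeholders, not a real tenant or a real X.509 certificate.

```python
"""Summarize Azure AD federation metadata before uploading it to IAS.

Added example, not code from the original post, SAP or Microsoft. The metadata
below is constructed; the tenant GUID is a placeholder and FAKE_CERT_DER is a
stand-in for the DER bytes of a real certificate.
"""
import base64
import hashlib
import sys
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

TENANT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real tenant
FAKE_CERT_DER = b"constructed-stand-in-for-DER-certificate-bytes-" * 3  # not a real cert

# Constructed sample shaped like the file Azure AD serves for a gallery app.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT_ID}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{base64.b64encode(FAKE_CERT_DER).decode()}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://login.microsoftonline.com/{TENANT_ID}/saml2"/>
    <SingleSignOnService Binding="{HTTP_POST}" Location="https://login.microsoftonline.com/{TENANT_ID}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def thumbprint(der: bytes, algo: str = "sha1") -> str:
    """Thumbprint the way the Azure portal shows it: hash of the DER bytes, upper-case hex."""
    return hashlib.new(algo, der).hexdigest().upper()


def summarize_idp_metadata(xml_text: str) -> dict:
    """Extract entity ID, SSO endpoints, signing-cert thumbprints and NameID formats."""
    root = ET.fromstring(xml_text)
    idp = root if root.tag.endswith("}IDPSSODescriptor") else root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor found: this is not identity-provider metadata")
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        use = kd.get("use")  # absent 'use' means the key serves both signing and encryption
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))  # strip line breaks first
            if use in (None, "signing"):
                certs.append({"sha1": thumbprint(der), "sha256": thumbprint(der, "sha256")})
    nameid_formats = [n.text for n in idp.findall("md:NameIDFormat", NS)]
    return {"entity_id": root.get("entityID"), "sso": sso,
            "signing_certs": certs, "nameid_formats": nameid_formats}


def check_azure_ad_metadata(summary: dict) -> list:
    """Return human-readable problems; an empty list means the file looks like Azure AD IdP metadata."""
    problems = []
    entity_id = summary["entity_id"] or ""
    if not entity_id.startswith("https://sts.windows.net/"):
        problems.append(f"entityID {entity_id!r} is not an Azure AD tenant issuer (https://sts.windows.net/<tenant-id>/)")
    if not any(loc.startswith("https://login.microsoftonline.com/") for loc in summary["sso"].values()):
        problems.append("no SingleSignOnService endpoint on login.microsoftonline.com")
    if not summary["signing_certs"]:
        problems.append("no signing certificate: IAS would have nothing to verify assertions with")
    return problems


if __name__ == "__main__":
    # Pass the downloaded metadata file as the first argument; otherwise the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_METADATA
    summary = summarize_idp_metadata(text)
    print("entityID        :", summary["entity_id"])
    for binding, location in summary["sso"].items():
        print("SSO endpoint    :", binding.rsplit(":", 1)[-1], location)
    for cert in summary["signing_certs"]:
        print("signing cert    : SHA-1", cert["sha1"], "SHA-256", cert["sha256"])
    print("problems        :", check_azure_ad_metadata(summary) or "none")
```

Run it with the downloaded file as its argument and compare the SHA-1 thumbprint with the one shown on the application's SAML signing certificate page in Azure AD. When that certificate is renewed in Azure AD, the metadata uploaded to IAS has to be refreshed as well, otherwise IAS will reject the newly signed assertions.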
Switch to the IAS administration console. Under the “Corporate Identity Providers” menu, create a new entry; I have named it “Azure AD”.
- SAML 2.0 Configuration – Upload the federation metadata XML file downloaded from Azure AD.
- Identity Provider Type – Set it to “Microsoft ADFS/Azure AD”.
If you leave this at the default, the login fails with the error “The SAML authentication request property ‘Scoping/ProxyCount’ is not supported”: when IAS acts as a proxy it adds a Scoping element with a ProxyCount to the SAML request it sends to the corporate IdP, and Azure AD rejects requests that carry it. Selecting the ADFS/Azure AD type changes the request IAS generates so that Azure AD accepts it. The resolution is documented in this SAP Note.
- Name ID Format – Set this to Email, so that Azure AD returns the user’s e-mail address as the subject NameID.
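To see what IAS actually sends to Azure AD, take the redirect URL the browser follows to login.microsoftonline.com (visible in the browser developer tools), decode its SAMLRequest parameter and compare it with the values configured on the Azure AD side: the Issuer must equal the Identifier, the AssertionConsumerServiceURL must equal the Reply URL, and there must be no Scoping element. The script below is an added example, not code from the original post, SAP or Microsoft. The two requests it inspects are constructed to resemble what IAS sends before and after the Identity Provider Type change (they are not captured traffic); the tenant values are the ones from this post and the Azure AD tenant GUID is a placeholder.

```python
"""Decode a SAML AuthnRequest from an HTTP-Redirect URL and check it against
the Azure AD enterprise-application settings from this post.

Added example, not code from the original post, SAP or Microsoft. The
AuthnRequests are constructed to resemble what IAS sends; the Azure AD tenant
GUID is a placeholder.
"""
import base64
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import parse_qs, quote, urlparse

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Azure AD side, as configured in this post: Identifier (https form, see the
# Aug 2019 note) and Reply URL (the IAS ACS endpoint). Tenant GUID is a placeholder.
AZURE_IDENTIFIER = "https://hcpta.accounts.ondemand.com"
AZURE_REPLY_URL = ("https://hcpta.accounts.ondemand.com/saml2/idp/acs/"
                   "hcpta.accounts.ondemand.com")
AZURE_SSO_URL = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"


def build_ias_style_request(request_id: str, with_scoping: bool) -> str:
    """Constructed AuthnRequest shaped like the one IAS sends to its corporate IdP.
    with_scoping=True mimics the default IdP type (carries Scoping/ProxyCount);
    False mimics the 'Microsoft ADFS/Azure AD' type. Not captured traffic."""
    scoping = '<samlp:Scoping ProxyCount="2"/>' if with_scoping else ""
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="2019-08-01T10:00:00Z" '
        f'Destination="{AZURE_SSO_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{AZURE_REPLY_URL}">'
        f'<saml:Issuer>{AZURE_IDENTIFIER}</saml:Issuer>'
        '<samlp:NameIDPolicy '
        'Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="true"/>'
        f'{scoping}</samlp:AuthnRequest>'
    )


def encode_redirect(xml_text: str, sso_url: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, URL-encode."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits -15 = raw deflate
    deflated = compressor.compress(xml_text.encode()) + compressor.flush()
    # safe='' so '+', '/' and '=' in the base64 survive the query string.
    return f"{sso_url}?SAMLRequest={quote(base64.b64encode(deflated).decode(), safe='')}"


def decode_redirect(url: str) -> str:
    """Inverse of encode_redirect: recover the AuthnRequest XML from a redirect URL."""
    params = parse_qs(urlparse(url).query)
    raw = base64.b64decode(params["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode()


def inspect_authn_request(xml_text: str) -> dict:
    """Pull out the fields Azure AD matches against the enterprise application."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}AuthnRequest":
        raise ValueError(f"not an AuthnRequest: {root.tag}")
    issuer = root.find("saml:Issuer", NS)
    scoping = root.find("samlp:Scoping", NS)
    policy = root.find("samlp:NameIDPolicy", NS)
    return {
        "issuer": issuer.text if issuer is not None else None,
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "has_scoping": scoping is not None,
        "proxy_count": scoping.get("ProxyCount") if scoping is not None else None,
        "nameid_format": policy.get("Format") if policy is not None else None,
    }


def check_against_azure_config(info: dict, identifier: str = AZURE_IDENTIFIER,
                               reply_url: str = AZURE_REPLY_URL) -> list:
    """Return problems that would make Azure AD reject the request; empty list means it matches."""
    problems = []
    if info["issuer"] != identifier:
        problems.append(f"Issuer {info['issuer']!r} != Identifier {identifier!r} (expect AADSTS700016)")
    if info["acs_url"] != reply_url:
        problems.append(f"AssertionConsumerServiceURL {info['acs_url']!r} != Reply URL {reply_url!r}")
    if info["has_scoping"]:
        problems.append(f"request carries Scoping/ProxyCount={info['proxy_count']}; "
                        "set Identity Provider Type to 'Microsoft ADFS/Azure AD' in IAS")
    return problems


if __name__ == "__main__":
    for label, with_scoping in (("default IdP type", True), ("ADFS/Azure AD type", False)):
        url = encode_redirect(build_ias_style_request("_example", with_scoping), AZURE_SSO_URL)
        info = inspect_authn_request(decode_redirect(url))
        print(label, "->", check_against_azure_config(info) or "request matches Azure AD configuration")
```

For a real login, paste the full redirect URL into `decode_redirect` and adjust `AZURE_IDENTIFIER` and `AZURE_REPLY_URL` to your tenant; passing the pre-Aug-2019 identifier without the https:// prefix to `check_against_azure_config` reproduces the Issuer mismatch behind AADSTS700016.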
Navigate to the SAP Cloud Platform application you configured in IAS earlier and open “Conditional Authentication” under the Trust tab.
Set the default identity provider to the corporate identity provider configured above; in my example that is Azure AD. With this in place every user of the application is sent to Azure AD instead of being prompted for IAS credentials, unless a more specific conditional authentication rule (for example one keyed on the e-mail domain) routes them elsewhere.
Before testing, switch the default identity provider in the SAP Cloud Platform trust configuration back to IAS. The direct Azure AD trust we created earlier can be deleted, since Azure AD is now reached through IAS and there is no reason to leave a second trusted IdP configured.
Since the assertion attributes now originate from Azure AD and are passed on through IAS, map the SAP Cloud Platform groups to the Department value “az_purchaser” used earlier.
Now when I open the supplier portal site, I am redirected to the Azure AD login screen.
After successful authentication (with my user whose e-mail domain is outlook), I am able to access the supplier portal.