Single sign on for ABAP Engine with Azure active directory using OAuth
In today’s world, Organizations have requirement to integrate multiple applications. To reduce complexity in authentication requirements, single sign on becomes mandatory between applications. open standard protocols like OAuth, SAML became de facto standard for many integrations.
This blog post talks how to Configure Single Sign On for Web APIs (Web services) to SAP NetWeaver system (SAP SID: T01) by integrating with AAD using OAuth.
SAP T01 system is being accessed by T01 users and needs SSO for the web API Interfaces. SAP T01 system will act as Service provider and OAuth will be configured using Microsoft’s Azure Active Directory (AAD) as identity provider.
Integrating SAP NetWeaver with Azure AD provides following benefits:
- Users who can have access to SAP NetWeaver web-based APIs can be controlled in AAD.
- Users can be enabled to automatically get signed-on to SAP NetWeaver (Single Sign-On) with their Azure AD accounts
- Manage accounts in one central location – the Azure portal
SAP System Configuration – 1
Make sure that http and https services are active and appropriate ports are assigned in SMICM T-Code.
Log on to business client of SAP System (T01), where SSO is required and activate HTTP Security session Management.
Go to Transaction code SICF_SESSIONS. It displays all relevant profile parameters with current values. They look like below: –
login/create_sso2_ticket = 2
login/accept_sso2_ticket = 1
login/ticketcache_entries_max = 1000
login/ticketcache_off = 0
login/ticket_only_by_https = 0
icf/set_HTTPonly_flag_on_cookies = 3
icf/user_recheck = 0
http/security_session_timeout = 1800
http/security_context_cache_size = 2500
rdisp/plugin_auto_logout = 1800
rdisp/autothtime = 60
Note: Adjust above parameters as per your organization requirements, Above parameters are given here as indication only.
If required adjust parameters, in the instance/default profile of SAP system and restart SAP system.
Double click on relevant client to enable HTTP security session
Activate below SICF services:
/sap/bc/webdynpro/sap/sec_diag_tool (This is only to enable / disable trace)
Go to Transaction code SAML2 in business client of SAP system [T01/122]. It will open a user interface in a browser. In this example, we assumed 122 as SAP business client.
Provide your username and password to enter in user interface.
Replace Provider Name from T01122 to http://T01122.
Note: By default provider name come as <sid><client> format but AAD expects name in the format of <protocol>://<name>, Recommending to maintain provider name as https://<sid><client> to allow multiple SAP NetWeaver ABAP engines to configure in AAD.
Click on Save
Generating Service Provider Metadata
Once we are done with configuring the Local Provider and Trusted Providers settings on SAML 2.0 User Interface, the next step would be to generate the Service Provider’s metadata file (which would contain all the settings, authentication contexts and other configurations in SAP). Once this file is generated we need to upload this in AAD.
Go to Local Provider tab
- Click on Metadata
- Save the generated XML metadata file on a local hard drive
- This XML metadata file will uploaded to Azure AD application.
Azure AD Configuration -1
Logon to Azure AD tenant using your credentials.
In the Azure Portal, on the left navigation panel, click Azure Active Directory icon.
Navigate to Enterprise applications. Then go to All applications.
To add new application, click New application button on the top of dialog
In the search box, type SAP NetWeaver.
In the results panel, select SAP NetWeaver, and then click Add button to add the application.
Provide Name. We recommend using naming convention SAP-<SID><Client>, which will allow to configure SSO for multiple SAP systems / clients.
In the Azure portal, on the application name SAP-<SID><client> (ex: SAP-T01122) application integration page, click Single sign-on
Select SAML as single-sign-on method as shown below and double click
On the setup single sign-on with SAML screen, edit Basic SAML configuration by clicking on pencil button.
Click upload metadata file. Note: recommending to upload metadata files to avoid human errors.
Select the downloaded metadata file from SAP as specified in section “SAP System Configuration”
Note that Sing on URL, Identifier (Entity ID), reply URLs gets filled automatically. Identifier name is exactly same as provider name in SAP SAML2 configuration. If they are not matched SSO won’t work, suggesting verifying configuration in SAP and re-upload metadata file.
For single sign-on to work, Azure AD needs to know what the counterpart user in SAP NetWeaver is to a user in Azure AD vice-versa. In other words, a link relationship between an Azure AD user and the related user in SAP NetWeaver needs to be established.
This link relationship is established by assigning the value of the user name in Azure AD as the value of the Username in SAP NetWeaver. This link should be established based on SAML claims & attributes and corresponding mapping procedure in SAP SAML2 transaction code.
Adjust user attributes & claims as per requirement. Default user attributes & claims may not satisfy SAP SSO scenario. In general, below user attributes & claims should be enough. Note that unique user identifier should be added manually.
Download app federation metadata and certificate (recommending basis64 for SAP) from SAML Signing certificate section to upload in SAP.
SAP System Configuration – 2
Logon to SAP system and go to transaction code SAML2. It opens new browser window with SAML configuration screen.
For configuring End points for trusted Ident
ity provider (AAD) go to Trusted Providers tab.
Select OAuth 2.0 Identity provides in “list of Trusted providers”
press Add and select Upload Metadata File from the context menu.
Upload metadata file, which was downloaded from Azure AD.
Press Next to continue.
Select the certificate downloaded from Azure portal and press Next
Press Next to continue.
Click on Finish button.
Goto tab Identity federation -> Supported NameID Formats.
Select unspecified and press ok button
Select the userid mapping mode as per your requirement depend on the claim that you are getting from Azure AD and attribute that you want to map in SAP. Recommended mapping mode is logon id for easy maintenance, but all mapping modes are supported.
Enable NetWeaver Service for OAuth
SAP Documented process is available at the location: NetWeaver Gateway Service Enabling and OAuth 2.0 Scope Creation https://wiki.scn.sap.com/wiki/display/Security/NetWeaver+Gateway+Service+Enabling+and+OAuth+2.0+Scope+Creation)
Goto SPRO and find ‘Activate and Maintain services’
In this example we want to connect the OData service: DAAG_MNGGRP with OAuth to Azure AD SSO.
Use the technical service name search for the service DAAG_MNGGRP and activate if not yet active, already (look for ‘green’ status under ICF nodes tab). Ensure if system alias (the connected backend system, where the service actually running) is correct.
Then click pushbutton OAuth on the top buttonbar and assign ‘scope’ (keep default name as offered).
For our example the scope is: DAAG_MNGGRP_001, it is generated from the service name by automatically adding a number. Report /IWFND/R_OAUTH_SCOPES can be used to change name of scope or create manually.
Note: message ‘soft state status is not supported’ – can be ignored, as no problem
Create a service user for the OAuth 2.0 Client
OAuth2 uses a ‘service ID’ to get the access token for the end-user on its behalf.
Important restriction by OAuth design: the ‘OAuth 2.0 Client ID’ must be identical with the ‘username’ the OAuth 2.0 client uses for login when requesting an Access Token. Therefore, for our example, we are going to register an OAuth 2.0 client with name CLIENT1, and as a prerequisite a user with the same name (CLIENT1) must exist in the SAP system and that user we will configure to be used by the referred application.
When registering an OAuth Client we use the ‘SAML Bearer Grant type’.
ref. OAuth 2.0 Client Registration for the SAML Bearer Grant Type
tcode: SU01 / create user CLIENT1as ‘system type’ and assign password, save it as need to provide the credential to the API programmer, who should burn it with the username to the calling code. No profile or role should be assigned.
Register the new OAuth 2.0 Client ID with the creation wizard
To register a new ‘OAuth 2.0 client’ start transaction SOAUTH2. The transaction will display an overview about the OAuth 2.0 clients that were already registered. Choose Create to start the wizard for the new OAuth client named as CLIENT1in this example.
Go to T-Code: SOAUTH2
Provide the description and click next.
In the next step just select the already added SAML2 IdP – Azure AD from the dropdown list and save.
Click on Add under scope assignment to add the previously created scope: DAAG_MNGGRP_001
Azure AD Configuration -Assign users/user group to application
Assign users who should access this SAP System using single sign on. This can be done by adding individual users or user groups. Recommending assigning user groups.
Now SSO is enabled for Netweaver web API/Service using Azure active directory as Identity provider.
I have few doubts on this please-
Thanks a lot for the detailed blog on configuring SAP and Azure AD. I have followed all the required steps as per the blog and what to know how you are calling the ODATA service. If you give some details on the section - Create a service user for the OAuth 2.0 Client and explain the process of "who should burn it with the username to the calling code. ".
I am using the postman rest tool to test it, before coding the API client code so what to know how to use Client ID
Also worthwhile checking out is this
Tutorial: Azure Active Directory Single sign-on (SSO) integration with SAP NetWeaver
Would this help to get inside SAP GUI Logon Client as well or just web urls?