How To Use Single Sign-On (SSO) For Your Chatbots Built With SAP Conversational AI
Single sign-on (SSO) is a centralized session and user authentication service in which a set of login credentials can be used to access multiple applications. SSO thus lets you sign in to connected domains or applications with one username and password.
SSO has a clear, positive impact on productivity. The amount of time saved might seem quite small, but all the time you usually spend looking up usernames and passwords for logging into individual applications adds up. With SSO, you spend more time working. SSO minimizes password-related frustration, as you only need to remember and enter a single set of credentials. This is a huge benefit when you consider that most users have to remember an average of 40 passwords.
Apart from SAP Conversational AI’s focus on better customer experience, this feature specifically impacts the employee experience domain.
How does SAP Conversational AI use SSO?
At many points in your conversation, you most likely want to retrieve business information or connect to an external system to perform actions. You would want your bot to assist the enterprise users by executing certain business operations on their behalf, for example, creating a leave request. For this, the bot will need to call an external service. The external service allows secure transmission of information by issuing a user token that uniquely identifies the user on that external service (JSON Web Token or JWT). The user needs to log on to acquire this token.
Single Sign-On (SSO) permits users to use a set of login credentials to access the SAP Conversational AI Web Client.
The SAP Conversational AI Web Client is a web frontend developed by SAP for connecting to SAP Conversational AI bots via the SAP Conversational AI Web Client channel. It is a rich web client capable of rendering the bot responses using SAP Fiori compliant UI controls. To learn more about the SAP Conversational AI Web Client, refer to SAP Conversational AI Web Client.
The SAP Conversational AI Web Client needs to be integrated into the main web application or application shell of a supported SAP product (for example, the Fiori Launchpad of an S/4HANA system).
Once authenticated, the business user can interact with the chatbot without providing their credentials on each log-on.
Workflow with SSO:
How to configure SAP Conversational AI Web Client with SSO?
You need to integrate the SAP Conversational AI Web Client in an On-Premise SAP Fiori Launchpad.
The SAP Conversational AI Web Client runs inside an iframe. The page that is hosting the SAP Conversational AI Web Client must allow this in its Content Security Policy.
- An SAP Cloud Foundry Subaccount
- Remote SAML 2.0 identity provider
- SAP Web Dispatcher 7.53 (latest patch level)
- Have trust enabled between the SAP Cloud Foundry Subaccount and the IDP server. See details here.
- For the full SSO experience, the ABAP front-end server also has to trust and use the same IDP for its user logon
- SAP Fiori Launchpad Designer: Configure the SAP Fiori launchpad target mappings, catalogs, and roles (Front-end server)
- SAP Cloud Foundry Security role
To configure user authentication or single sign-on, you need to do the following:
1/ You need to whitelist the hosting domain
Before you start:
- You need basic knowledge of how to use a REST API client. You can use command-line clients like curl or applications like Postman (which you can download from the Postman website).
- You need to have access to the XSUAA configuration API, which relies on retrieving an OAuth token. For further information, refer to SAP Note 2760424.
- You need to know the technical tenant ID (GUID) of your Cloud Foundry subaccount. You can find this in the Overview section of your subaccount:
You need to whitelist the hosting domain because the SAP Conversational AI Web Client runs inside an iframe to offer complete isolation from the hosting page. For security reasons, the Cloud Foundry authentication service (XSUAA) prevents the logon page from being embedded in an iframe unless the origin domains are whitelisted. This currently cannot be done from the SAP Cloud Foundry cockpit, but only via REST API calls.
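The two iframe conditions described above (the hosting page's Content Security Policy must allow the Web Client frame, and a framed logon page must accept the hosting origin) can be checked offline against header values. This is an added example, not SAP code; all origins and policies passed to it are constructed, and using the CSP `frame-ancestors` directive for the second check is an assumption about how a framed page restricts embedding, not something the page states about XSUAA.

```javascript
// Added example, not SAP code. Origins and policies used with it are constructed.

// Parse a Content-Security-Policy header value into directive -> source list.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // A repeated directive is ignored: the first occurrence wins.
    if (key && !policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// Match one source expression against an origin (simplified: no path matching).
function sourceMatches(source, origin, self) {
  const target = new URL(origin);
  if (source === "*") return true;
  if (source === "'self'") return target.origin === new URL(self).origin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return target.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)(?::(\d+|\*))?/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && scheme.toLowerCase() + ":" !== target.protocol) return false;
  // A source without a port only matches the scheme's default port.
  const defaultPort = target.protocol === "https:" ? "443" : "80";
  const wanted = port || defaultPort;
  if (wanted !== "*" && wanted !== (target.port || defaultPort)) return false;
  const h = host.toLowerCase();
  return wildcard ? target.hostname.endsWith("." + h) : target.hostname === h;
}

// True if `header` permits `origin` under the first directive of `chain` that is set.
// When none is set, CSP imposes no restriction for that check.
function cspAllows(header, chain, origin, self) {
  const policy = parseCsp(header);
  const name = chain.find((d) => policy.has(d));
  return name ? policy.get(name).some((s) => sourceMatches(s, origin, self)) : true;
}

// Check 1: the hosting page's CSP must let the Web Client origin load in an iframe.
const hostAllowsFrame = (hostCsp, hostOrigin, clientOrigin) =>
  cspAllows(hostCsp, ["frame-src", "child-src", "default-src"], clientOrigin, hostOrigin);

// Check 2 (assumed mechanism): the framed page accepts the host as an ancestor.
// frame-ancestors does not fall back to default-src.
const frameAllowsHost = (framedCsp, framedOrigin, hostOrigin) =>
  cspAllows(framedCsp, ["frame-ancestors"], hostOrigin, framedOrigin);
```

A `false` from either function means the browser would refuse to render that frame, which typically shows up as a blank chat panel plus a CSP violation message in the browser console.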
2/ You need to subscribe to SAP Conversational AI
3/ You need to configure the ABAP Frontend Server
The SAP Conversational AI client is integrated into the SAP Fiori Launchpad using the Fiori Launchpad Shell plugin mechanism. You need to add this plugin to your SAP Fiori Launchpad, for which you need admin rights for the Fiori Launchpad Designer. For more information, see Running the Launchpad Designer.
4/ You need to connect the SAP Conversational AI Web Client to your bot
The above steps will integrate the SAP Conversational AI Web Client into the SAP Fiori Launchpad from a purely technical frontend perspective. To be able to use it, connect it to a bot built on the SAP Conversational AI platform. For this you need to:
- Build a bot
- Use this destination to configure the outbound call in the Actions tab of your bot in the SAP Conversational AI platform. For more information, see Connect to external service.
- Use the “Connect” tab of your bot to create an SAP Conversational AI Web Client channel
Awesome! Single sign-on is now enabled for your users!
Once the SSO is enabled, you can integrate the SAP Conversational AI Web Client into an on-premise SAP Fiori launchpad or with your web solution based on the SAP Business Technology Platform. For more details, follow the SAP Conversational AI Web Client Configuration Guide.
Note: For now, the SSO feature is only available for enterprise users of SAP products (like SAP S/4HANA, SAP SuccessFactors, and so on) to access the SAP Conversational AI Web Client.
How is it beneficial?
- Seamless user experience
- Single Sign-On eliminates the need for multiple passwords and user IDs
- Lowers the risks of unsecured login information
- Reduces password fatigue from different username and password combinations.
- Reduces customer time spent re-entering passwords for the same identity.
Hope you enjoyed this tutorial. If you have any questions about it, feel free to ask us in the comments section below or go to SAP Answers.
Happy bot building!
Very very helpful and interesting article.
In order to develop a PoC of a CAI - backend integrated Chatbot I was checking the SAP CP Trial offering for the SAP Conversational AI service. Unfortunately it is not available. Do you have any insight in this? I suppose that without the service in SAP CP the described approach is not possible and I have to rely on the "old" WebChat?
You can access a trial version on Cai.tools.sap and you should get access. In regards to sso I'm not sure.
Can we also achieve SSO with Web Chat instead of Web Client?
SSO is only supported with the Web Client.
Thanks, Paul for the confirmation.
If you would like to implement this with a non-SAP web application, is it possible to enhance the web client? Or is there no other way but to do everything from scratch and connect with the bot APIs? Is there any information about it?
You will be able to use the SAP Conversational AI Web Client. No need to enhance it as it should be flexible enough to integrate in any web application (some restrictions might apply). I would suggest to give it a try and open an internal ticket if you face issues and need support. And if it is a success, you'll be the first one publishing a blog on the topic 🙂
BR - Jean-Yves
Thank you for your answer. I wouldn't be the first, I had later found this other blog post about it 🙂
I am actually interested in a SSO scenario but this one is quite close.