Divya Mary

SAP Cloud Platform Open Connectors authentication using SAP Cloud Platform Identity Authentication Service

SAP Cloud Platform Identity Authentication service is a cloud solution for identity life cycle management for SAP Cloud Platform applications. It provides services for authentication, single sign-on, and on-premise integration as well as self-services such as registration or password reset for employees, customer partners, and consumers.

This blog captures the steps to configure SAP Cloud Platform Open Connectors to authenticate against SAP Cloud Platform Identity Authentication.

More blogs on SAP Cloud Platform Open Connectors are covered in the Simplify integration with non-SAP applications blog series.

Prerequisites

Add your SAP Cloud Platform Identity Service as Trusted Identity Provider in SAP Cloud Platform Open Connectors

  • Log on to your SAP Cloud Platform Identity Authentication Service (https://<yourscitenant>.ondemand.com/admin/)
  • Navigate to Tenant Settings -> SAML 2.0 Configurations


  • Note down these fields from your SAML 2.0 Configurations:
    1. Name
    2. Single Sign-On Endpoint (HTTP Redirect)
    3. Single Logout URL (HTTP Redirect)
    4. Signing Certificate (Insert as Text)

These fields would be used to add your SAP Cloud Platform Identity Service as a trusted identity provider in SAP Cloud Platform Open Connectors.

  • Navigate to your SAP Cloud Platform Open Connectors account and select the tab Security -> Identity -> Application Identity Provider. Select the Add Trusted Identity Provider option.

  • In the Configure Identity Provider dialog, fill in the fields as follows:
    1. Level: select Account.
    2. Entity ID: the Name field value of your SAP Cloud Platform Identity Service.
    3. SSO URL: the Single Sign-On Endpoint (HTTP Redirect) of your SAP Cloud Platform Identity Service.
    4. Name ID format: select unspecified.
    5. Logout URL: the Single Logout URL (HTTP Redirect) of your SAP Cloud Platform Identity Service.
    6. Logout Redirect URL: your SAP Cloud Platform account URL, e.g. https://cockpit.hanatrial.ondemand.com/cockpit/#/home/trial.
    7. Signing Certificate: the Signing Certificate (Insert as Text) field of your SAP Cloud Platform Identity Service.
    8. Signature algorithm: select RSA-SHA1. (SHA-1 signatures are deprecated; if both systems offer RSA-SHA256, that is the stronger choice.)
    9. Strict Mode: select true.
  • Select Save after all the values are provided.

  • Download the SAML service provider metadata of the newly added identity provider. This service provider XML has to be imported into your SAP Cloud Platform Identity Service account to establish the trust between SAP Cloud Platform Open Connectors and your identity service.

  • Navigate to the Members tab to add the users of your SAP Cloud Platform Identity Service to your SAP Cloud Platform Open Connectors account. Select the Add Member option.
  • Enter the user ID of your SAP Cloud Platform Identity Authentication Service user, select Account Admin from the Roles drop-down and select Save.
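As an added example (not code from the original post or from SAP), the following Python pulls the four values noted above out of an identity provider's SAML 2.0 metadata document instead of copying them from the admin UI, picking the HTTP-Redirect bindings that the form asks for. The embedded metadata is a constructed sample; the tenant host and the certificate are placeholders.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample shaped like an IdP metadata document; the tenant host and
# the certificate are placeholders, not real values.
SAMPLE_CERT = base64.b64encode(b"constructed-certificate-placeholder").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://example-tenant.accounts.ondemand.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{SAMPLE_CERT}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="{HTTP_REDIRECT}"
      Location="https://example-tenant.accounts.ondemand.com/saml2/idp/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://example-tenant.accounts.ondemand.com/saml2/idp/sso/post"/>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}"
      Location="https://example-tenant.accounts.ondemand.com/saml2/idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def _redirect_endpoint(idp, tag):
    """Location of the HTTP-Redirect endpoint for SingleSignOnService / SingleLogoutService."""
    for svc in idp.findall(f"md:{tag}", NS):
        if svc.get("Binding") == HTTP_REDIRECT:
            return svc.get("Location")
    raise ValueError(f"{tag}: no HTTP-Redirect binding in metadata")


def extract_idp_settings(metadata_xml):
    """Return the four values the Add Trusted Identity Provider form asks for."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("not an IdP metadata document (no IDPSSODescriptor)")
    certs = ["".join(c.text.split()) for c in idp.findall(  # drop PEM-style line breaks
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    if len(certs) != 1:
        raise ValueError(f"expected exactly one signing certificate, found {len(certs)}")
    base64.b64decode(certs[0], validate=True)  # reject pasted text that is not base64
    return {
        "name": root.get("entityID"),                                # -> Entity ID
        "sso_url": _redirect_endpoint(idp, "SingleSignOnService"),   # -> SSO URL
        "slo_url": _redirect_endpoint(idp, "SingleLogoutService"),   # -> Logout URL
        "signing_certificate": certs[0],                             # -> Signing Certificate
    }
```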

Establish trust between SAP Cloud Platform Open Connectors and SAP Cloud Platform Identity Authentication Service

  • Log on to the SAP Cloud Platform Identity Authentication service account (https://<yourscitenant>.ondemand.com/admin/)
  • Navigate to the Applications tab.


  • Click the Add button as shown in the screenshot. Provide an application name (e.g. SAP Cloud Platform Open Connectors) and click the Save button.

  • In the newly created application, under the Trust tab, click the option SAML 2.0 Configuration.

  • Under the Define from Metadata tab, click the Browse button, upload the SAML metadata downloaded in the previous section, and then click the Save button.

  • If you have configured your corporate identity provider in SAP Cloud Platform Identity Authentication service, configure the same for this newly on-boarded application by navigating to Conditional Authentication.

  • Optionally, select your on-boarded identity provider as the default identity provider.

  • Select the option to Allow Identity Authentication Users Log On.

  • Navigate to the Assertion Attributes of the SAML 2.0 configuration and provide the mapping between the SAML assertion values (ref screenshot below). Click Save to persist the assertion changes.

The table below contains the mapping between the user attribute and the assertion attribute fields.

User Attribute    Assertion Attribute
First Name        first_name
Last Name         last_name
Email             email

Note that the attribute names may vary based on your corporate identity provider; for example, if you have selected Azure Active Directory as your identity provider, the Assertion Attribute value for Email should be mail instead of email.
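The mapping step as an added example, not code from the original post or from SAP: a service-provider-side resolver that applies the table above to an assertion's AttributeStatement, with the Azure Active Directory variant (mail instead of email) as a second mapping. The assertion builder only produces a constructed, unsigned test input; signature and audience validation are assumed to happen before this step.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# User attribute -> assertion attribute, exactly as in the table above.
DEFAULT_MAPPING = {"First Name": "first_name", "Last Name": "last_name", "Email": "email"}
# Variant for an Azure Active Directory corporate IdP, where the address arrives as "mail".
AZURE_AD_MAPPING = {**DEFAULT_MAPPING, "Email": "mail"}


def build_assertion(attributes):
    """Constructed, unsigned assertion carrying an AttributeStatement (test input only)."""
    body = "".join(
        f'<saml:Attribute Name="{escape(name, {chr(34): "&quot;"})}">'
        f"<saml:AttributeValue>{escape(value)}</saml:AttributeValue></saml:Attribute>"
        for name, value in attributes.items())
    return (f'<saml:Assertion xmlns:saml="{SAML_NS["saml"]}">'
            f"<saml:AttributeStatement>{body}</saml:AttributeStatement></saml:Assertion>")


def map_user_attributes(assertion_xml, mapping=DEFAULT_MAPPING):
    """Resolve the SP's user attributes from the assertion using the given mapping.

    Signature and audience checks are assumed to have happened before this step.
    A mapped attribute that is absent raises instead of being dropped silently,
    which is how an email-vs-mail mismatch surfaces at logon time.
    """
    root = ET.fromstring(assertion_xml)
    present = {}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        present[attr.get("Name")] = values[0] if len(values) == 1 else values
    user, missing = {}, []
    for user_attr, assertion_attr in mapping.items():
        if assertion_attr in present:
            user[user_attr] = present[assertion_attr]
        else:
            missing.append(assertion_attr)
    if missing:
        raise KeyError(f"assertion lacks mapped attribute(s) {missing}; present: {sorted(present)}")
    return user
```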

Finally, testing the configuration

All the configuration work has been done. To test the configuration, clear your browser cache and navigate to your SAP Cloud Platform cockpit. Select your SAP Cloud Platform Open Connectors service and select the option Go to Application.

You should be redirected to SAP Cloud Platform Identity Authentication service. Log on with the credentials of a user who has been assigned the SAP Cloud Platform Open Connectors account administrator role.


      2 Comments
      Yogananda Muthaiah

      Hi Divya Mary

      For adding members manually, do you use IPS to sync users automatically?

      Divya Mary
      Blog Post Author

      Hi Yogananda,

      Kindly elaborate on what is meant by IPS. In case you are referring to APIs, the APIs for adding members are available and this is documented in the help documentation.

      Thanks and Best Regards,

      Divya