Enable SAML 2.0 from SAP IAS to SAP Commissions
Dear Readers
SAML Flow
SAP IAS – Identity Authentication Service
Single sign-on through the SAP IdP is not turned on by default. While it is disabled, users can only access SAP Commissions through the SAP Commissions login page, using their user ID and password. To enable it, follow the configuration steps below.
Once set up, users authenticated with SAP IAS can log in to SAP Commissions without entering their ID or password. Unauthenticated Commissions users that attempt to access a Commissions URL will be redirected to the SAP Identity Access Management login page for authentication.
Integration with IAS and Commission URL
You will be provided with two URLs:
- Standard Commissions URL – Users can enter the user ID and password and access SAP Commissions.
- SAP IdP based Commissions URL – This URL prompts users to enter their user ID and password via IdP and redirects users to SAP Commissions.
Architecture & documentation related to SAP Sales Cloud Single Sign-On (SSO) can be found here
Let’s start the configuration.
Log in to SAP Identity Authentication Service
Go to Application & Resources Menu – Tenant Settings
- Click SAML 2.0 Configuration
1. Type
Select SAML 2.0
2. SAML 2.0 Configuration: upload the sp.xml from SAP Commissions
3. Subject Name Identifier
4. Default Name ID Format
Choose either one as the users' login method:
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
5. Assertion Attributes
| User Attributes | Assertion Attributes |
| --- | --- |
| Language | sapIdp.language |
| User ID | sapIdp.uid |
| Login Name | sapIdp.loginName |
| First Name | sapIdp.firstName |
| Last Name | sapIdp.lastName |
| E-Mail | sapIdp.email |
| Groups | sapIdp.userGroups |

If any of these values are blank in your tenant, fill them in from the table above.
Log in to SAP Commission Portal to enable Single Sign-On (SSO)
Go to Global Settings
In the SAML Configuration Type section, fill in the fields following the sequence numbers shown on the screen below.
After SAML is configured, the admin should log out and ask users to log in to SAP Commission Portal.
Users should now see the SAP IAS login screen.
The admin can check the security logs in SAP Commission Portal to see each user's authentication mechanism (SAML).
For troubleshooting in IAS, or to find the audit logs (download CSV):
Azure Single Sign on Setup
Links
SAP Cloud Identity Services: https://community.sap.com/topics/cloud-identity-services
Identity Authentication service in a nutshell:
Online & Browser Tools:
➢ Allows you to validate a SAML Response for Chrome (see example in next slide, FF uses SAML Tracer) – https://www.samltool.com/validate_response.php
➢ Allows you to debug your SAML based implementation (see example in next slide, it is a way to validate if all of the related entries are valid) –
https://chrome.google.com/webstore/detail/saml-message-decoder/mpabchoaimgbdbbjjieoaeiibojelbhm?hl=en
➢ https://www.base64decode.org/ – Decode from Base64 format.
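The same decode-and-check can be done locally on a captured SAMLResponse. The script below is an added example, not part of the original article: it decodes the Base64 response and compares the NameID format and assertion attributes with steps 4 and 5 above. It assumes the names in the Assertion Attributes column appear as the `Name` of each SAML attribute; `check_saml_response` and `sample_response` are hypothetical helper names, and the sample response is constructed.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PREFIX = "urn:oasis:names:tc:SAML:1.1:nameid-format:"
# Both sets are copied from steps 4 and 5 of the article.
# Assumption: the table's names appear as the Attribute Name in the assertion.
ALLOWED_FORMATS = {PREFIX + "unspecified", PREFIX + "emailAddress"}
EXPECTED = {"sapIdp.language", "sapIdp.uid", "sapIdp.loginName", "sapIdp.firstName",
            "sapIdp.lastName", "sapIdp.email", "sapIdp.userGroups"}

def check_saml_response(b64_response):
    """List mapping problems in a Base64 SAMLResponse (signature is NOT verified)."""
    # Stdlib parser keeps this dependency-free; only parse responses
    # captured from your own tenant.
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID missing or empty")
    elif name_id.get("Format") not in ALLOWED_FORMATS:
        problems.append("unexpected NameID Format: %s" % name_id.get("Format"))
    seen = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        seen[attr.get("Name")] = [v for v in values if v]
    for name in sorted(EXPECTED):
        if name not in seen:
            problems.append("attribute not sent: " + name)
        elif not seen[name]:
            problems.append("attribute blank: " + name)
    return problems

def sample_response(fmt, missing=(), blank=()):
    """Build a constructed Base64 response for testing (not real IAS output)."""
    attrs = "".join(
        '<saml:Attribute Name="%s"><saml:AttributeValue>%s</saml:AttributeValue>'
        "</saml:Attribute>" % (n, "" if n in blank else "sample")
        for n in sorted(EXPECTED) if n not in missing)
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
           '<saml:Subject><saml:NameID Format="%s">jdoe</saml:NameID></saml:Subject>'
           "<saml:AttributeStatement>%s</saml:AttributeStatement>"
           "</saml:Assertion></samlp:Response>" % (fmt, attrs))
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    bad = sample_response("urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
                          missing=("sapIdp.language",), blank=("sapIdp.userGroups",))
    for problem in check_saml_response(bad):
        print(problem)
```

An empty result means the NameID format and all seven attributes match the configuration; it says nothing about whether the response signature is valid.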
Thanks for reading it till the end. 🙏
Hope you find that helpful! Let me know your thoughts on this in the comments section.
Don’t forget to share this article with your friends or colleagues.
Feel free to connect with me on any of the platforms below! 🚀
Yoga, thanks for sharing this procedure; it's very useful. There are a lot of customers that have concerns about security on our solutions. This could help us for future customer discussions.
Excellent, very understandable and useful. Thanks for sharing.
Thanks, Yogananda for sharing the detailed steps.
Maybe 1 question: what happens in case my SAML configuration is broken or incorrect (due to a manual copy-paste error) and I have already enabled SAML authentication in the Commissions portal? Will I, as an Admin, still be able to log in to Commissions, bypassing SAML using some URL parameter like saml2=disabled or so? If not, then how can we troubleshoot or fix the broken SAML message on the Commissions side?
Thanks Saurabh!
If you need to deactivate SAML SSO or have any troubleshooting issues (suppose you're Admin),
you will have to reach out through BCP ticketing, and the support team can do it from the backend for your tenant.
One question. I'm not clear where the SSO login URL comes from.
You say "You will be provided with two URLs:". Who provides this? We only have the normal URL for our environment.
We were not given a SAP IdP based Commissions URL.
Can this be extracted from the IAS somehow?
Philip Holtom
Thanks for reading the blog!
The SAP IdP based Commission URL will get generated when SSO is active/configured in SAP IAS.
SAP IAS is owned by the user admin of the company, who has access to control all the Applications.
SAP - The article is very informative and with this we have been able to help a number of customers. Thanks for sharing this article.
Thanks Saurabh for your valuable words. This will motivate me to do more. I am very happy to see it's helping most of our customers, partners and internal teams.
Keep sharing to many and make it big.
Thanks for sharing!!
Thanks Shyla!
Hi SAP,
What happens if a tenant has already configured SAML settings to enable SSO functionality for the Commissions URL within the organization?
Will following the above steps break the earlier configured SSO URLs?
Regards
Hi Deep Lal Sharma
If SSO is already active and enabled within SAP Commissions without IAS, then there is no impact and no breaking of links for SSO.
It's up to the customer to decide; if they would like to manage multiple IdPs, then it is better to go with SAP IAS and get an advanced security layer by enabling TOTP, OTP or Captcha authentication.
Hi Yoga,
Please let me know the step-by-step process to integrate SAP Sales Cloud to be authenticated via IAS. Is there a need for CPI as well, or is it not required?
And do we need to add anything in the transformations? Kindly suggest.
Thanks,
Deepika
Hi Deepika B
We don't need CPI or any transformations. It's out of the box: you need to get metadata.xml from SAP Sales Cloud and upload it in IAS. If the user attributes match, users will be able to go through single sign-on.
Hi Yoga,
Thanks for the guidance. I am new to this and I have only SF integration with IAS.
And there is no external IDP involved.
Kindly let me know from where we will get the metadata.xml from the Sales Cloud URL.
And any idea about linking on-premise systems to IAS as authentication?
SAP Sales Cloud
Hi Deepika B
You can find the help documentation for C4C to enable single sign-on, and the details are there:
https://help.sap.com/docs/SAP_HYBRIS_CLOUD_FOR_CUSTOMER/abfba1342cfb4832ab722fa041f6c4b7/f1e6f23267b542ce9a906823c70dc583.html?locale=en-US&version=1705
Azure on-prem? Then there is an out-of-the-box feature in IAS: Corporate Identity Provider. If other than Azure, you need to go the Cloud Connector way.
Hi Yoga,
The page is not getting displayed. And there is no Azure; I have used Cloud Connector and BTP as well.
Any other link that might help in integrating SAP Sales Cloud with IAS will be very helpful. I am not getting clear documentation anywhere.
Thanks for the support, Yoga. I highly appreciate it.
Deepika
Hi Deepika B
I can access the page; it clearly documents all the steps. If you have any trouble, kindly raise a SAP Technical Support ticket.
Hi Yoga,
Thanks a lot for the help. I will check this.
Deepika