
Integrate SSO from SAP IAS to SAP Commissions

Dear Readers

Do you want to know how to enable Single Sign-On from SAP IAS?

SAP IAS – Identity Authentication Service

IdP – Identity Provider

Single sign-on through the SAP IdP is not turned on by default. When it is disabled, users can only access SAP Commissions through the SAP Commissions login page, using their user ID and password. To enable it, follow the configuration steps below.

Once set up, users authenticated with SAP IAS can log in to SAP Commissions without entering their ID or password. Unauthenticated Commissions users that attempt to access a Commissions URL will be redirected to the SAP Identity Access Management login page for authentication.

Integration with IAS and Commission URL

You will be provided with two URLs:

  1. Standard Commissions URL – Users can enter the user ID and password and access SAP Commissions.
  2. SAP IdP based Commissions URL – This URL prompts users to enter their user ID and password via IdP and redirects users to SAP Commissions.

Architecture and documentation related to SAP Sales Cloud Single Sign-On (SSO) can be found here


Let’s start the configuration.

Log in to SAP Identity Authentication Service (IAS) as the admin of the company.

Navigate as shown in the screen below:

Tenant Settings

SAML 2.0 Configuration

Configure the information below and save. After saving, download Metadata.xml, which will be uploaded to SAP Commissions.

Navigate to Applications and choose the product for which you need to enable SSO.

1. Type

Select SAML 2.0

2. SAML 2.0 Configuration

3. Subject Name Identifier

4. Default Name ID Format

Choose either one of the following as the users' login method:

  • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
  • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

5. Assertion Attributes

User Attributes | Assertion Attributes
Language        | sapIdp.language
User ID         | sapIdp.uid
Login Name      | sapIdp.loginName
First Name      | sapIdp.firstName
Last Name       | sapIdp.lastName
Email           | sapIdp.email
Groups          | sapIdp.userGroups

If any of these values are blank, fill them in from the table above.

Log in to the SAP Commissions portal to enable Single Sign-On (SSO).

  1. Go to Global Settings

Configure the settings in the SAML Configuration Type section, following the corresponding sequence numbers in the screen below.

 

The admin should log out after SAML is configured and ask users to log in to the SAP Commissions portal.

 

Users should be able to see the SAP IAS login screen.

 

The admin can see the users' authentication mechanism (SAML) in the security logs in the SAP Commissions portal.

For troubleshooting in IAS, or to find the audit logs (download as CSV):

 

Links

SAP Cloud Identity Services: https://community.sap.com/topics/cloud-identity-services

Identity Authentication service in a nutshell: https://www.youtube.com/watch?v=uwlGrrxwRJ0


Troubleshooting Resources

Online & Browser Tools:

➢ Allows you to validate a SAML Response for Chrome (see example in next slide; Firefox uses SAML Tracer) – https://www.samltool.com/validate_response.php

➢ Allows you to debug your SAML-based implementation (see example in next slide; it is a way to validate that all of the related entries are valid) – https://chrome.google.com/webstore/detail/saml-message-decoder/mpabchoaimgbdbbjjieoaeiibojelbhm?hl=en

➢ Decode from Base64 format – https://www.base64decode.org/
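
The same decode-and-check can be done locally, without sending the assertion to a third-party site. The script below is an added example, not part of the original post or SAP's code. It assumes a Base64 SAMLResponse value captured from the HTTP-POST binding, and compares its Name ID format and assertion attributes with the values listed in the IAS steps above. The sample response is constructed and unsigned; signature validation is not covered.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Name ID formats and assertion attribute names as listed on this page.
ALLOWED_FORMATS = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
}
EXPECTED = {"sapIdp." + n for n in (
    "language", "uid", "loginName", "firstName", "lastName", "email", "userGroups")}

def check_saml_response(b64_response):
    """Decode an HTTP-POST SAMLResponse value and compare it with the IAS settings.
    Inspection only: the XML signature is NOT verified here."""
    raw = base64.b64decode("".join(b64_response.split()), validate=True)
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        raise ValueError("DTD/entity declarations do not belong in a SAML message")
    root = ET.fromstring(raw)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    fmt = name_id.get("Format") if name_id is not None else None
    values = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        vals = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        values[attr.get("Name")] = [v for v in vals if v]
    return {
        "name_id_format": fmt,
        "format_allowed": fmt in ALLOWED_FORMATS,
        "missing": sorted(EXPECTED - set(values)),
        "blank": sorted(n for n, v in values.items() if n in EXPECTED and not v),
    }

def _attr(name, value):  # helper for the constructed sample below
    return (f'<saml:Attribute Name="{name}"><saml:AttributeValue>{value}'
            '</saml:AttributeValue></saml:Attribute>')

# Constructed, unsigned sample: sapIdp.userGroups is absent, sapIdp.language is blank.
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion><saml:Subject>'
    '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
    'jane.doe@example.com</saml:NameID></saml:Subject><saml:AttributeStatement>'
    + _attr("sapIdp.uid", "P000001") + _attr("sapIdp.loginName", "jdoe")
    + _attr("sapIdp.firstName", "Jane") + _attr("sapIdp.lastName", "Doe")
    + _attr("sapIdp.email", "jane.doe@example.com") + _attr("sapIdp.language", "")
    + '</saml:AttributeStatement></saml:Assertion></samlp:Response>'
)
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

if __name__ == "__main__":
    print(check_saml_response(SAMPLE_B64))
```

A non-empty `missing` or `blank` list points back to the Assertion Attributes step in IAS; `format_allowed` being false points to the Default Name ID Format step.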

10 Comments
  • Yoga, thanks for sharing this procedure; it’s very useful. There are a lot of customers that have concerns about security on our solutions. This could help us for future customer discussions.

  • Thanks, Yogananda for sharing the detailed steps.

    Maybe 1 question: what happens in case my SAML configuration is broken or incorrect (due to a manual copy-paste error) and I have already enabled SAML authentication in the Commissions portal? As an Admin, will I still be able to log in to Commissions, bypassing the SAML using some URL parameter like saml2=disabled or so? If not, then how can we troubleshoot or fix the broken SAML message on the Commissions side?

    • Thanks Saurabh!

      If you need to deactivate SAML SSO or have any troubleshooting issues (suppose you’re Admin),
      you will have to reach out through BCP ticketing, and the support team can do it from the backend for your tenant.

  • One question. I’m not clear where the SSO login URL comes from.

     

    You say “You will be provided with two URLs:”. Who provides this? We only have the normal URL for our environment.

    We were not given a SAP IdP based Commissions URL.

    Can this be extracted from the IAS somehow?

    • Philip Holtom

      Thanks for reading the blog!

      The SAP IdP based Commissions URL will get generated when SSO is active/configured in SAP IAS.

      SAP IAS is owned by the user admin of the company, who has access to control all the applications.

    • Thanks Saurabh for your valuable words. This will motivate me to do more. I am very happy to see it's helping most of our customers, partners and internal teams.

      Keep sharing to many and make it big.