Skip to Content
Technical Articles
Author's profile photo Yogananda Muthaiah

Enable SAML 2.0 from SAP IAS to SAP Commissions

Dear Readers

Do you want to know how to enable Single Sign-On from SAP IAS ??

SAML Flow

SAP IAS – Identity Authentication Service 

 

The single sign-on through SAP IdP is not turned on by default. When disabled, users can only access SAP Commissions through the SAP Commissions login page, using their user ID and password. To enable it, you need to follow the below steps to configure

Once set up, users authenticated with SAP IAS can log in to SAP Commissions without entering their ID or password. Unauthenticated Commissions users that attempt to access a Commissions URL will be redirected to the SAP Identity Access Management login page for authentication.

Integration with IAS and Commission URL

You will be provided with two URLs:

  1. Standard Commissions URL – Users can enter the user ID and password and access SAP Commissions.
  2. SAP IdP based Commissions URL – This URL prompts users to enter their user ID and password via IdP and redirects users to SAP Commissions.

Architecture & documentation related to SAP Sales Cloud Single Sign-On(SSO) can be found here


Let’s start the configuration, 

Login to SAP Identity Authentication Service [IAS] Portal

Go to Application & Resources Menu – Tenant Settings

  • Click SAML 2.0 Configuration

Download Metadata.xml
which will be used to upload in SAP Commission ( will be shown in below steps)

Navigate to Applications and choose the product you need to enable SSO

1. Type

Select SAML 2.0

2. SAML 2.0 Configuration and upload the sp.xml from SAP Commissions

3. Subject Name Identifier

4. Default Name ID Format

Choose either one for users login method

urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

5. Assertion Attributes

User Attributes Assertion Attributes
Language sapIdp.language
User ID sapIdp.uid
Login Name sapIdp.loginName
First Name sapIdp.firstName
Last Name sapIdp.lastName
Email sapIdp.email
Groups sapIdp.userGroups

Update the values from the above table if incase if values are blank

Login to SAP Commission Portal to enable Single Sign-On ( SSO) 

Go to Global Settings

Configure from below screen with corresponding sequence numbers in SAML Configuration Type Section

 

Admin should logout the page after SAML is configured and ask Users to login to SAP Commission Portal.

 

Users should able to see the login page of SAP IAS Login screen

 

Admin can see the Security logs in SAP Commission Portal for users Authentication mechanism (SAML)

 

Troubleshooting in IAS or to find audit logs ( download CSV)

Azure Single Sign on Setup

https://microlearning.opensap.com/media/Azure+AD+as+IdP+and+SAP+Identity+Authentication+Service+as+SAML+Federation+Proxy/1_i0kmu1x0

Links

SAP Cloud Identity Services: https://community.sap.com/topics/cloud-identity-services

Identity Authentication service in a nutshell:


Troubleshooting Resources

Online & Browser Tools:

➢ Allows you to validate a SAML Response for Chrome (see example in next slide, FF uses SAML Tracer) – https://www.samltool.com/validate_response.php

➢ Allows you to debug your SAML based implementation (see example in next slide, it is a way to validate if all of the related entries are valid) –
https://chrome.google.com/webstore/detail/saml-message-decoder/mpabchoaimgbdbbjjieoaeiibojelbhm?hl=en

➢ https://www.base64decode.org/  – Decode from Base64 format.

 

Thanks, for reading it till the end. 🙏


Hope you find that helpful! Let me know your thoughts on this in the comments section.
Don’t forget to share this article with your friends or colleagues.
Feel free to connect with me on any of the platforms below! 🚀

SAP |Twitter | LinkedIn | GitHub

Assigned Tags

      19 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Fabian Rendon
      Fabian Rendon

      Yoga, thanks for share this procedure it's very useful. There a lot of customer that have concern about security on our solutions.  This could help us for future customer discussions.

      Author's profile photo Javier Miranda
      Javier Miranda

      Excellent, very understandable and useful.  Thanks for sharing.

      Author's profile photo Saurabh Kabra
      Saurabh Kabra

      Thanks, Yogananda for sharing the detailed steps.

      May be 1 question, What happens in case my SAML configuration is broken or incorrect (due to manual copy-paste error) and I have already enabled SAML authentication in the Commission's portal? Will as an Admin I be still able to login to commissions bypassing the SAML using some URL parameter like saml2=disabled or so? If not then, how can we troubleshoot or fix the broken SAML message at Commission's side?

      Author's profile photo Yogananda Muthaiah
      Yogananda Muthaiah
      Blog Post Author

      Thanks Saurabh!

      If you need to deactivate SAML SSO or any troubleshooting issues (suppose you're Admin) ..
      you will have to reach out through BCP ticketing and support team can do it from backend for your tenant.

      Author's profile photo Philip Holtom
      Philip Holtom

      One question. I'm not clear where the SSO login url comes from

       

      You say  "You will be provided with two URLs:".  Who provides this ? We only have the normal URL for our environment.

      We were not given a SAP IdP based Commissions URL

       

      Can this be extracted from the IAS somehow ?

      Author's profile photo Yogananda Muthaiah
      Yogananda Muthaiah
      Blog Post Author

      Philip Holtom

      Thanks for reading the blog!

      SAP Idp based Commission URL will get generated when SSO is active/configured in SAP IAS.

      SAP IAS is owned by the user admin of the company who have access to control all the Applications.

      Author's profile photo Saurabh Katoch
      Saurabh Katoch

      SAP - The article is very informative and with this we have been able to help number of customers. Thanks for sharing this article.

      Author's profile photo Yogananda Muthaiah
      Yogananda Muthaiah
      Blog Post Author

      Thanks Saurabh for your valuable words. This will motivate to do more. I am very happy to see its helping most of our customers, partners and Internal teams.

      Keep sharing to many and make it big

      Author's profile photo Shyla Pathiyal
      Shyla Pathiyal

      Thanks for sharing!!

      Author's profile photo Yogananda Muthaiah
      Yogananda Muthaiah
      Blog Post Author

      Thanks Shyla!

      Author's profile photo Deep Lal Sharma
      Deep Lal Sharma

      Hi SAP ,

      What happens if a tenant has already configured SAML settings to enable SSO functionality for Commissions URL within organization?

      Will following above steps breaks the earlier configured SSO URLs?

      Regards

       

      Author's profile photo Yogananda Muthaiah
      Yogananda Muthaiah
      Blog Post Author

      Hi Deep Lal Sharma

      If SSO is already active and enabled within SAP Commissions without IAS .. then there is no impact or breaking links for SSO..

      It's up to the customer to decide if they would like to manage multiple IDPs, then better to go with SAP IAS and gets an advanced security layer by enabling TOTP or OTP or Captcha Authentication.

      Author's profile photo Deepika B
      Deepika B

      Hi Yoga,

      Please let me know the step by step process to Integrate SAP Sales Cloud to  be authenticated via IAS. Is there a need for CPI as well or is nit required.

      ANd do we need add anything in the transformations.. Kindly suggest.

       

      Thanks,

      Deepika

      Author's profile photo Yogananda Muthaiah
      Yogananda Muthaiah
      Blog Post Author

      Hi Deepika B

      We don't need CPI or any transformations...  Its out of the box.. you need to get metadata.xml from SAP Sales Cloud and upload it in IAS.  If user attributes matches, users will be able to go through Single Sign on

      Author's profile photo Deepika B
      Deepika B

      Hi Yoga,

       

      Thanks for the guidance. I am new to this and I have only SF integration with IAS.

      And there is no external IDP involved.

      Kindly let me know from where we will get the metadata.xml from SAles cloud URL.

      And any idea about Linking On premise systems to IAS as authentication.

      SAP%20Sales%20Cloud

      SAP Sales Cloud

      Author's profile photo Yogananda Muthaiah
      Yogananda Muthaiah
      Blog Post Author

      Hi Deepika B

      you find the help documentation for C4C to enable single sign on and details are there

      https://help.sap.com/docs/SAP_HYBRIS_CLOUD_FOR_CUSTOMER/abfba1342cfb4832ab722fa041f6c4b7/f1e6f23267b542ce9a906823c70dc583.html?locale=en-US&version=1705

      Azure Onprem ? then there is out of box feature in IAS - Corportate Identity Provider.  If other than Azure, you need to go through Cloud connector way.

      Author's profile photo Deepika B
      Deepika B

      Hi Yoga,

      The page is not getting displayed. And there is no Azure , I have used cloud connector and BTP as well.

      Any other link that might help in integrating SAP Sales Cloud with IAS will be very helpful. I am not getting clear documentation anywhere.

      Thanks for the support Yoga, Highly appreciate it.

       

      Deepika

      Author's profile photo Yogananda Muthaiah
      Yogananda Muthaiah
      Blog Post Author

      Hi Deepika B

      I can access the page.. its clearly documented all the steps.  If you have any trouble, kindly raise a SAP Technical Support ticket.

      Author's profile photo Deepika B
      Deepika B

      Hi Yoga,

       

      Thanks a lot for the help. I will check this.

      Deepika