
Connect Okta to SAP Cloud Platform Identity Authentication Service

In this blog, we will explore how to establish trust between your SAP Identity Authentication Service and Okta as a corporate identity provider.

Once the trust between Okta and SAP Cloud Platform Identity Authentication Service is established, you can reuse it to connect several applications and environments.

Prerequisites

  1. You have an active license for SAP Cloud Platform Identity Authentication Service.
  2. The ‘Manage Applications’ and ‘Manage Corporate Identity Providers’ authorizations are assigned to you as an administrator in IAS.
  3. You have access to the Okta Admin portal.

Step 1: Log in to the Okta admin portal and create a SAML 2.0 application

Log in to the Okta admin portal at https://login.okta.com/ and provide your credentials.

Click on the ‘Use single sign on’ – ‘Add App’ option.

Note: Okta has no predefined SAP Cloud Platform Identity Authentication Service application, so you have to create and configure it manually.

For more information about configuration on Okta side, refer to official Okta documentation: Create a SAML integration using AIW (Application Integration Wizard).

In the ‘New Application Integration’ tab, choose Web as the platform and SAML 2.0 as the sign-on method:

As the last part of the application creation, you can define a custom application name, logo, and visibility. Finally, click the Next button.

Step 2: Create SAML Integration in Okta

In this step, you have to fill in the SAML settings taken from SAP Cloud Platform Identity Authentication Service. Please pay special attention to all steps taken in this part.

Single sign on URL:

To get the URL value, follow these steps:

  1. Open the Identity Authentication Service (IAS) Admin Console: https://<tenantid>.accounts.ondemand.com/admin
  2. Navigate to the ‘Tenant Settings’ tile. Click on ‘SAML2.0 Configuration’.
  3. Copy the ‘Assertion Consumer Service Endpoint’ (ACS endpoint) URL.
    [Screenshot: Assertion Consumer Service Endpoint taken from SAP IAS]

After copy-pasting the URL, tick the ‘Use this for Recipient URL and Destination URL’ option.

Audience URI (SP Entity ID):

This has to be identical to the ‘Name’ value of your IAS tenant.

To get this value, follow these steps:

  1. Open the IAS Admin Console: https://<tenantid>.accounts.ondemand.com/admin
  2. Navigate to the ‘Tenant Settings’ tile. Click on ‘SAML2.0 Configuration’.

Copy the value of the ‘Name’ field.

Note: Make sure the audience matches exactly; see KBA 2693814 – Service Provider does not match specified audience in the SAML2Assertion.

Default RelayState should be empty.

Leave the remaining SAML settings at their defaults as well.

Step 3: Download Identity Provider metadata file from Okta

In Okta, navigate to the ‘Sign On’ tab, then click the ‘Identity Provider metadata’ link to download the metadata as an .xml file.

Step 4: Configure trust in the Identity Authentication Service

In this scenario, SAP Cloud Platform Identity Authentication Service acts as a proxy that delegates authentication to the corporate identity provider. For more information, check our official SAP documentation: Configure Trust with Corporate Identity Provider.

To use Identity Authentication as a proxy to delegate authentication to an external corporate identity provider you have to configure trust with that corporate identity provider.

To configure trust with the corporate identity provider, follow the procedures below:

Import the downloaded Okta metadata (from Step 3) into Identity Authentication Service:

  1. Open the IAS Admin Console: https://<tenantid>.accounts.ondemand.com/admin
  2. Navigate to ‘Corporate Identity Providers’ in the submenu of ‘Identity Providers’.
  3. Add Identity Provider with a custom name.
  4. Choose SAML 2.0 Configuration and import metadata:

Now almost all the required details are filled in:

Set the HTTP-POST Single Logout Endpoint URL to the same value as the ‘Name’ field in IAS:

Save the configuration:

As a tenant administrator, you can specify a link that is sent as an extension in the SAML 2.0 Logout Response. The link can be used by the application to redirect the user after successfully logging out of the application when Identity Authentication acts as an identity provider proxy. See our official documentation: Service Provider Initiated Logout with Corporate Identity Providers.

Navigate to the ‘Trust’ tab and choose the ‘Logout Redirect URL’ option. Define the URL to which end users should be redirected after a successful logout:

Step 5: Connect your application to use Okta as the identity provider

In the Admin Console of your IAS, navigate to ‘Applications & Resources’ then click on the ‘Applications’ tab and configure an application or choose an existing one.

Option A: Click on the ‘Conditional Authentication’ option on the ‘Trust’ tab of your application. Set your Okta as ‘Default Identity Provider’.

For more information see our official documentation: Choose a Corporate Identity Provider as Default.

Option B: Switch ‘Trust all corporate Identity Providers’ on. In this case, you should define Conditional Authentication to redirect users to Okta.

For more information see: Configure Conditional Authentication for an Application


Summary

After following the above steps, your application should use Okta as a corporate identity provider, with IAS acting as a proxy.

Hint: If you are facing issues during configuration, you can download the troubleshooting logs from your IAS tenant to investigate the root cause yourself. See: KBA 2942816 – How to export troubleshooting logs from Identity Authentication Service.

Also, we advise checking the IAS Guided Answers about the most common issues: KBA 2701851 – SAP Cloud Platform Identity Authentication Service (IAS) – Guided Answers.
