Skip to Content
Technical Articles
Author's profile photo Srinivas Bhaktavathsalam

Integrating Azure IDP with Integrated Business Planning(IBP)

This blog post focuses on integrating Azure IDP or SSO with Integrated Business Planning(IBP) using SAP Identity Authentication Service(IAS) as a proxy.

As we know SAP IAS is one of the core cloud services offered by SAP and all your IBP systems by default integrated with SAP IAS and delivered to the customers. Customers can also integrate their external IDP providers like Azure, Okta, PingID, etc., with IBP. But please note that we cannot eliminate IAS from IBP and integrate with other external IDP providers. SAP IAS will be acting as your proxy and helps in delegating the authentication to your external IDP provider.

The Integration procedure task will be divided among the customer and SAP, where 90% of the effort comes from the customer and 10% of the effort comes from the SAP IBP team. The Customer will update the configuration in SAP IAS and Microsoft Azure AD like exchanging the metadata, IBP team will guide and help you in troubleshooting in case of any issues.

meanwhile SAP IBP team will help in updating the configuration in IBP SAML backend mostly related to the name id attributes, which can be used as a condition to authenticate the users.

Most of your work goes into IAS and Azure, since your IBP application is already added to the IAS, we are not going to make any changes in the IBP application which is added in IAS. The Integration procedure is a simple process. You will be exchanging your metadata between your IAS and Azure, this is required to know your application has valid destination to send the request or response and it also helps in establishing the trust between IAS and Azure IDP.

Before we start the Integration procedure, please make sure that you have required admin privileges or the admin access for editing the configuration in SAP IAS and Azure AD.

  1. Configuring the Azure AD in SAP Identity Authentication Service (IAS)

Login to your SAP IAS admin console and click on Identity Providers, next choose Corporate Identity Provider, and click on Add and add your identity provider name(mostly user specified).

Adding%20Azure%20AD%20in%20IAS

Adding Azure AD in IAS

    2. Once your identity provider app is created in IAS, you need to upload the Azure IDP metadata in your IAS under the SAML 2.0 configuration, so you have to visit your Azure AD and download the metadata. In case if you have not added/created your SAP Cloud Platform Identity Application in Azure, you can go through the below link.

https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial

If your application is already configured in Azure, please login to the Azure AD portal, go to SAP IAS application, under SAML Signing Certificate, click to download the Federation Metadata XML.

 

3. Once the metadata is downloaded from Azure AD, now it’s time to upload the metadata in your SAP IAS, so we need to select the application which was created under Identity Providers and click on SAML 2.0 configuration, upload the metadata that we had got it from Azure and save it.

upload%20Azure%20metadata

upload Azure metadata

Upload%20Azure%20Metadata

Upload Azure Metadata

 

4. Next step update your Identity Provider Type and Name ID Formats.

Select Identity Provider Type  to “Microsoft ADFS / Azure Identity Provider Type AD” and save. 

Name ID Format can be selected as “Default“, by selecting default, attributes which are sent from Azure IDP will be forwarded to your IBP. Users can also opt for Email and Unspecified based on their requirements. Once done please save the changes.

 

Once you are done with the above setup, your IDP integration is almost completed.

Note : Please don’t forget to change the conditional authentication to Azure IDP under the application tab!!!

Hope this blog post helps to integrate your Azure IDP and SAP Integrated business planning without any obstacles.

Assigned Tags

      7 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Istvan Bokor
      Istvan Bokor

      Nice and informative blog! 🙂

      Author's profile photo Srinivas Bhaktavathsalam
      Srinivas Bhaktavathsalam
      Blog Post Author

      Thank You ?

      Author's profile photo Saumitra Deshmukh
      Saumitra Deshmukh

      Good one! Will help companies with their own IDPs (Azure) configure it to SAP Identity Authentication Service(IAS)

      Author's profile photo Amel Saidani
      Amel Saidani

      Thank you for the blog ! With this option we avoid replicating users, but how can we manage IBP business role ?

      Author's profile photo Guillermo Juarez
      Guillermo Juarez

      Excellent! This is the only place with a step-by-step configuration guide for Azure ID I found. Great job!!! Should be part of the standard help.sap.com configuration guide!

      Author's profile photo Waldemar Brill
      Waldemar Brill

      Hello,

      isn't it possible to use Azure AD directly? Or is IAS a prerequisite in IBP?

       

      Regards

      Waldemar

      Author's profile photo Srinivas Bhaktavathsalam
      Srinivas Bhaktavathsalam
      Blog Post Author

      Hi Waldemar,

      Blog post is about integrating Azure AD in IBP using IAS as proxy.
      By default all IBP systems will be integrated with IAS, if the customer wishes to integrated with  external IDP providers they have to follow the above steps.

      We cannot directly integrate Azure AD to IBP.

      Thanks,
      Srinivas