This blog post focuses on integrating Azure AD as an identity provider (IdP, your SSO) with SAP Integrated Business Planning (IBP), using SAP Identity Authentication Service (IAS) as a proxy.
SAP IAS is one of the core cloud services offered by SAP, and every IBP system is delivered to the customer already integrated with SAP IAS. Customers can additionally integrate their external IdPs (Azure AD, Okta, PingID, etc.) with IBP. Please note, however, that IAS cannot be removed from the IBP setup and replaced directly by an external IdP: SAP IAS remains in place as a proxy and delegates authentication to your external IdP.
The integration work is divided between the customer and SAP, with roughly 90% of the effort on the customer side and 10% on the SAP IBP team's side. The customer updates the configuration in SAP IAS and Microsoft Azure AD (for example, exchanging the metadata), while the SAP IBP team updates the configuration in the IBP SAML backend, mostly the Name ID attributes that are used as the condition for authenticating users.
Most of your work goes into IAS and Azure. Since your IBP application is already registered in IAS, no changes are made to that IBP application in IAS. The integration procedure itself is simple: you exchange metadata between IAS and Azure AD. The metadata tells each side the valid destination for its requests and responses, and it establishes the trust between IAS and the Azure IdP.
Before starting the integration procedure, please make sure that you have the admin privileges required to edit the configuration in both SAP IAS and Azure AD.
Configuring Azure AD in SAP Identity Authentication Service (IAS)
1. Log in to your SAP IAS admin console and click Identity Providers, then choose Corporate Identity Provider, click Add, and enter a name for your identity provider (usually chosen by you).
2. Once your identity provider entry is created in IAS, you need to upload the Azure IdP metadata under its SAML 2.0 Configuration, so you first have to visit Azure AD and download that metadata. If you have not yet added/created the SAP Cloud Platform Identity Authentication application in Azure, you can follow the link below.
If the application is already configured in Azure, log in to the Azure AD portal, open the SAP IAS application, and under SAML Signing Certificate click Federation Metadata XML to download it.
3. Once the metadata is downloaded from Azure AD, upload it to SAP IAS: select the identity provider you created under Identity Providers, click SAML 2.0 Configuration, upload the metadata file obtained from Azure, and save.
4. Next, update the Identity Provider Type and the Name ID Format.
Set Identity Provider Type to "Microsoft ADFS / Azure AD" and save.
Name ID Format can be left at "Default"; with Default, the attributes sent by the Azure IdP are forwarded unchanged to your IBP. You can also choose Email or Unspecified depending on your requirements. Once done, save the changes.
Once the above setup is done, your IdP integration is almost complete.
5. The next step is the user attribute configuration, which decides which attribute your users are authenticated by. Most IBP customers get stuck at this step.
Please note that IBP supports two Name ID attributes:
Unspecified – IBP accepts Unspecified as the default Name ID attribute. If you look at SAP IAS authentication, users are authenticated with their login name, and the login name is one of your Unspecified attributes. So choose the attributes in Azure AD carefully: if the login name maintained in Azure AD also exists as the login name in the IBP backend, users authenticate without any issues; if not, you have to choose the second option, which is email.
Email – Most Azure AD customers opt for email authentication, since it is easy and simple. Make sure the email address is present in both IBP and the Azure IdP; if a user's email is not maintained in IBP, the user can log in to IBP and update their email address in the Maintain Employees app.
The next step is to add the email attribute configuration in the IBP SAML backend. As mentioned earlier, Unspecified (login name) is the default Name ID attribute accepted for authenticating users in IBP. If users are to be authenticated with their email address, email must be added as a Name ID attribute in the IBP SAML backend; after that configuration is in place, users can authenticate with their email address.
To have this configuration added in the IBP SAML backend, the customer creates a ticket for the IBP operations component (SCM-IBP-OPS-SRV). The operations team makes the required change in the IBP SAML backend; once the change is confirmed, users can try to log in.
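The two failure modes described in step 5 (a login name in Azure that does not match the IBP login name, and an email Name ID sent before the backend accepts it or before the user has maintained an email in IBP) can be seen in the small model below. This is an added example, not SAP code and not how the IBP SAML backend is implemented; it only reproduces the behaviour the post describes so you can reason about it before raising the ticket. The user directory, the constant names and the sample assertions are constructed.

```python
"""Model of how a Name ID forwarded by IAS is matched to an IBP user.

Added example, not SAP code: it mimics the behaviour the post describes
(Unspecified/login name accepted by default, email only after the backend
change) so the common failure modes are visible. The IbpUser directory and
the scenario values are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


@dataclass
class IbpUser:
    login_name: str
    email: Optional[str] = None  # stays empty until maintained in Maintain Employees


@dataclass
class IbpSamlBackend:
    """Toy stand-in for the IBP SAML backend as described in the post."""
    users: Dict[str, IbpUser]  # keyed by IBP login name
    accepted_formats: Set[str] = field(default_factory=lambda: {UNSPECIFIED})

    def enable_email_name_id(self) -> None:
        """The change the SCM-IBP-OPS-SRV team makes on the customer's ticket."""
        self.accepted_formats.add(EMAIL)

    def authenticate(self, name_id_format: str, name_id_value: str) -> Tuple[bool, str]:
        """Resolve a Name ID to exactly one IBP user; return (success, detail)."""
        if name_id_format not in self.accepted_formats:
            return False, f"format not enabled in IBP SAML backend: {name_id_format}"
        if name_id_format == UNSPECIFIED:
            user = self.users.get(name_id_value)
            if user is None:
                return False, f"login name {name_id_value!r} not found in IBP"
            return True, user.login_name
        # EMAIL: exact match on the maintained address (case handling simplified here)
        matches = [u for u in self.users.values() if u.email == name_id_value]
        if not matches:
            return False, f"email {name_id_value!r} not maintained on any IBP user"
        if len(matches) > 1:
            return False, f"email {name_id_value!r} is ambiguous: {[u.login_name for u in matches]}"
        return True, matches[0].login_name


def run_scenarios() -> Dict[str, Tuple[bool, str]]:
    """Constructed scenarios covering the failure modes described in the post."""
    backend = IbpSamlBackend(users={
        "JSMITH": IbpUser("JSMITH", email="john.smith@example.com"),
        "ADOE": IbpUser("ADOE"),  # email never maintained in IBP
    })
    out: Dict[str, Tuple[bool, str]] = {}
    # 1. Login name in Azure equals the IBP login name: works with the default setup.
    out["unspecified_match"] = backend.authenticate(UNSPECIFIED, "JSMITH")
    # 2. Azure sends the UPN but IBP knows the user as JSMITH: the default path fails.
    out["unspecified_upn_mismatch"] = backend.authenticate(UNSPECIFIED, "john.smith@example.com")
    # 3. Email Name ID sent before the backend change: rejected on format alone.
    out["email_before_ticket"] = backend.authenticate(EMAIL, "john.smith@example.com")
    backend.enable_email_name_id()
    # 4. After the backend change the same assertion succeeds.
    out["email_after_ticket"] = backend.authenticate(EMAIL, "john.smith@example.com")
    # 5. A user who never maintained an email in Maintain Employees still fails.
    out["email_not_maintained"] = backend.authenticate(EMAIL, "a.doe@example.com")
    return out


if __name__ == "__main__":
    for name, (ok, detail) in run_scenarios().items():
        print(f"{name:26} {'OK  ' if ok else 'FAIL'} {detail}")
```

Scenario 2 is the case the post warns about under Unspecified, and scenarios 3 and 5 are the two reasons an email-based login can still fail after switching the Name ID format in IAS: the backend ticket has not been processed yet, or the user has not maintained their email in IBP.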
As said earlier, 90% of the effort is on the customer side: steps 1 to 4 are carried out by the customer, while step 5, the Name ID attribute change in the IBP backend, can only be done by SAP, since the customer has no access to the IBP SAML backend.
Once the above changes are done, your setup is complete 🙂
Note: Please don't forget to change the conditional authentication to the Azure IdP under the Applications tab!
Hope this blog post helps you integrate your Azure IdP with SAP Integrated Business Planning without any obstacles.