This blog post focuses on integrating Azure IDP or SSO with SAP Integrated Business Planning (IBP), using SAP Identity Authentication Service (IAS) as a proxy.
As we know, SAP IAS is one of the core cloud services offered by SAP, and all IBP systems are integrated with SAP IAS by default when they are delivered to customers. Customers can also integrate external identity providers such as Azure, Okta, PingID, etc. with IBP. Please note, however, that IAS cannot be removed from IBP and replaced with an external IDP. SAP IAS acts as your proxy and delegates authentication to your external IDP.
The integration tasks are divided between the customer and SAP: 90% of the effort comes from the customer and 10% from the SAP IBP team. The customer updates the configuration in SAP IAS and Microsoft Azure AD, such as exchanging the metadata. Meanwhile, the SAP IBP team updates the configuration in the IBP SAML backend, mostly related to the name ID attributes, which can be used as a condition to authenticate the users.
Most of your work goes into IAS and Azure. Since your IBP application is already added to IAS, we are not going to make any changes to the IBP application in IAS. The integration procedure is a simple process: you exchange metadata between IAS and Azure. This is required so that each side knows it has a valid destination to send the request or response to, and it also establishes the trust between IAS and the Azure IDP.
Before we start the integration procedure, please make sure that you have the required admin privileges to edit the configuration in SAP IAS and Azure AD.
- Configuring the Azure AD in SAP Identity Authentication Service (IAS)
1. Log in to your SAP IAS admin console and click Identity Providers. Next, choose Corporate Identity Provider, click Add, and enter your identity provider name (mostly user specified).
2. Once your identity provider is created in IAS, you need to upload the Azure IDP metadata to IAS under the SAML 2.0 configuration, so you have to go to your Azure AD and download the metadata. If you have not yet added/created your SAP Cloud Platform Identity Application in Azure, you can go through the link below.
If your application is already configured in Azure, please log in to the Azure AD portal, go to the SAP IAS application and, under SAML Signing Certificate, download the Federation Metadata XML.
3. Once the metadata is downloaded from Azure AD, it is time to upload it to SAP IAS. Select the identity provider that was created under Identity Providers, click SAML 2.0 Configuration, upload the metadata that you got from Azure, and save it.
4. Next, update your Identity Provider Type and Name ID Format.
Set Identity Provider Type to “Microsoft ADFS / Azure Identity Provider Type AD” and save.
Name ID Format can be set to “Default”. With Default, the attributes sent from the Azure IDP are forwarded to your IBP. Users can also opt for Email or Unspecified based on their requirements. Once done, please save the changes.
Once you are done with the above setup, your IDP integration is almost complete.
Note: Please don’t forget to change the conditional authentication to the Azure IDP under the application tab!
I hope this blog post helps you integrate your Azure IDP and SAP Integrated Business Planning without any obstacles.