Setting up SSO between Salesforce and SAP Cloud Platform Cloud Foundry Application
Welcome to my next blog, "Setting up Single Sign-On between Salesforce and SAP Cloud Platform, where Salesforce acts as the Identity Provider and SAP Cloud Platform is the Service Provider". Recently my colleague Girish Radhakrishna and I were working on this requirement and ran into some problems setting it up initially. Surprisingly there was not enough documentation on this, so after getting our scenario to work I decided to write it up as a blog so it could help others. I will try to keep this blog technical and short.
The business requirement was to provide seamless navigation from Salesforce to an SAP Cloud Platform application. The customer was using Salesforce as the default Identity Provider and did not want to invest in another Identity Provider; instead they wanted to use the Salesforce IdP for single sign-on to other applications. Now you might be wondering why SAP Cloud Platform is being used: there are some Salesforce extension applications running on SAP Cloud Platform, and business users want to navigate to those Cloud Platform applications from the Salesforce App Launcher. So in this case SAP Cloud Platform is the Service Provider and Salesforce is the default Identity Provider.
From the picture above it is clear that the user first authenticates into Salesforce, then navigates through the App Launcher into the extension application running on SAP Cloud Platform Cloud Foundry. Because trust has been established at the SAP Cloud Platform subaccount level with Salesforce as Identity Provider and SAP Cloud Platform as Service Provider, the user does not have to log in again: for the SAP Cloud Platform application, the Identity Provider is Salesforce.
How to setup
Now the question is how to achieve this. It is almost the same as with Azure Active Directory, but there is a small trick which you will find in this blog. If you have already configured SAP Identity Authentication Service or Azure Active Directory for an SAP Cloud Platform application, you will understand it easily because it is 90 percent the same. The steps are pretty straightforward: exchange the SAML metadata, create a custom group in Salesforce and assign users to that group, map the group to a role collection in SAP Cloud Platform, and assign the user to the role collection on the SAP Cloud Platform side.
Step 1: Login to Salesforce, go to Identity Provider Settings and download the metadata
Step 2: Go to SAP Cloud Platform Subaccount, add a new trust and upload the metadata downloaded from salesforce.
Upload the metadata file which was downloaded in previous step
Step 3: Download the SAML metadata from the SAP Cloud Platform subaccount, which is required for the Service Provider setup in the Salesforce connected app, and complete the Salesforce-side configuration.
Go to Identity Provider and click on the Service Provider option to add a new Service Provider.
Give the connected app a name and an email address for the contact.
Now open the metadata.xml file which was downloaded from SAP Cloud Platform and copy the Entity ID, ACS URL and Logout URL, which are required in the Service Provider setup.
As you can see in the picture above, the subject type is set to custom attributes; in custom attributes I have defined Groups, and for the Name ID format I added email address. This is a very, very important step.
Go to Standard User Profile and add the Connected application
Now Create a custom Attribute ‘Groups’ in Service Provider
Map the key value pair as below and save it.
Now all the configuration on the Salesforce side has been completed.
Step 4: Create Role Collection, Map role collection with Salesforce Group and add user in Trust Configuration
The role collection bpmscp has the three roles below.
Map the Salesforce public group with role collection.
Now add the user in this trust configuration and map the role collection.
The setup is complete and you can test it now. To test, go to the App Launcher in Salesforce as shown below and click on the application.
It will not ask for another authentication; it automatically opens in another tab, much like the URL-based custom tiles we have in the Fiori launchpad.
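As an added example (not part of the original blog), here is a small Python script that does two of the manual checks from the steps above: it pulls the Entity ID, ACS URL and Logout URL that Step 3 says to copy out of the SAP Cloud Platform metadata.xml, and it verifies that an assertion from Salesforce carries the email-format NameID and the "Groups" attribute that the role-collection mapping in Step 4 matches on. The metadata, assertion, URLs and group name below are constructed samples, not values from the blog.

```python
import xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed stand-in for the metadata.xml downloaded from the SAP CP subaccount.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="example-subaccount-entity-id">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.invalid/saml/logout"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.invalid/saml/SSO" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample of what Salesforce issues with NameID format = email and a "Groups" attribute.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.invalid</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Groups"><saml:AttributeValue>SFDC_BPM_USERS</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def sp_settings(metadata_xml):
    """Entity ID, ACS URL and Logout URL to paste into the Salesforce Service Provider form."""
    root = ET.fromstring(metadata_xml)
    sp = root.find("md:SPSSODescriptor", NS)
    acs_list = sp.findall("md:AssertionConsumerService", NS)
    # Prefer the ACS endpoint marked as default when the SP publishes several.
    acs = next((a for a in acs_list if a.get("isDefault") == "true"), acs_list[0])
    slo = sp.find("md:SingleLogoutService", NS)
    return {"entity_id": root.get("entityID"), "acs_url": acs.get("Location"),
            "logout_url": None if slo is None else slo.get("Location")}

def assertion_claims(assertion_xml):
    """Return (email NameID, Groups values); raise if either part is missing,
    because that is what the SAP CP trust / role-collection mapping matches on."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FMT:
        raise ValueError("NameID missing or not in emailAddress format")
    groups = [v.text for v in root.findall(
        "saml:AttributeStatement/saml:Attribute[@Name='Groups']/saml:AttributeValue", NS)]
    if not groups:
        raise ValueError("no Groups attribute: role collection mapping will not match")
    return name_id.text, groups
```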
I hope you have enjoyed this blog. See you in the next one. Let me know if you have any questions in the comment section below, and don't forget to like and share this blog with your colleagues.
Sudip, it's interesting and well covered in your steps.
Keep sharing more interesting things with us which none of us thought of.
Thank you so much for your words.
Good post. Thank you for sharing.
What could be the difference in steps for SSO between SAP on-premise HANA and Salesforce?
Thanks for sharing.
Has somebody done this with S/4HANA Cloud as the resource provider, e.g. Salesforce remains the Identity Provider but instead of SCP/BTP, S/4HANA Cloud is the resource provider?
Thanks for sharing.
We were searching for exactly this. Hope it will be helpful for our requirement.