Setting up SSO between Salesforce and SAP Cloud Platform Cloud Foundry Application

Hello Everyone,

Welcome to my another blog “Setting up Single Sign on between SalesForce and SAP Cloud Platform, Where SalesForce Would Act as Identity Provider and SAP Cloud Platform would be Service Provider”. Well recently I and my colleage Girish Radhakrishna was working on this requirement and facing some problems to setup initially. Surprisingly there was no enough documentation on this, so after getting our scenario work i thought to put it as Blog so it could help other. This blog i would try to keep technical and Short.

Business Requirements 

Business Requirement was to make a seamless navigation from SalesForce to SAP Cloud Platform Application, Customer was using Salesforce as default Identity Provider and dont want to invest on another Identity Provider rather want use Salesforce IDP for making single sign on for other application. Now you might be thingking why SAP Cloud Platform is being used, Its Because there are some Salesforce extension application is running on SAP Cloud Platform and Business User Want to Navigate to Cloud Platform Application from Salesforce app launcher option. So in this case SAP Cloud Platform would be Service Provider and SalesForce would be used as Default Identity Provider.

From Above Picture it is clear that user will be first authenticated into Salesforce, then through app launcher option they would navigate into extension application which is running on SAP Cloud Platform Cloud Foundry. Now as Trust has been maintained between SAP Cloud Platform Sub account level and Salesforce where salesforce is Identity provider and SAP Cloud Platform would act as Service Provider user dont have to login again because for the SAP Cloud Platform application identity provider is Salesforce.

How to setup

Now the question is How to achieve this, Well its almost similar with Azure Active Directory but little trick is there which you would find in this blog . But if you have already configured SAP Identity Authentication Service or Azure Active Directory for SAP Cloud Platform Application, then easily you would understand because its 90 percent same. Steps are pretty straight forward like exchange the saml metadata, create a custom group in salesfore assign user into that group, map role collection and group in SAP Cloud Platform. Assign user into role collection in SAP Cloud Platform side.

Step 1: Login to Salesforce, go to Identity Provider Settings and download the metadata

Step 2: Go to SAP Cloud Platform Subaccount, add a new trust and upload the metadata downloaded from salesforce.

Upload the metadata file which was downloaded in previous step

Step 3: Download the SAML metadata from SAP Cloud Platform Sub Account which is required for service provider setup in Salesforce connected app and Salesforce Side Configuration

Go to Identity Provider and click on Service Provider option to add new Service Provider Option

Give Connected App Name and Email Adress for Contact

Now open the medata.xml file which was downloaded from SAP Cloud Platform and copy the Entity ID, ACS URL and Logout Url which would be required in Service Provider Setup

Now fill the details in Service Provider Section as below and Save, N.B Start Url would be the application URL. In this example I using Business Rules Editor Appiication url 

Here if you see subject type in above picture is custom attributes and in custom attributes i have defined Groups and in name id format i added email address. This is very very important step. 

In order to do that first create a public group in Salesforce and assign the users into that group

 Create a custom field called Groups with 255 character in Users object

Go to Standard User Profile and add the Connected application

Now Create a custom Attribute ‘Groups’ in Service Provider

Map the key value pair as below and save it.

Now Salesforce side all the configuration has been completed.

Step 4: Create Role Collection, Map role collection with Salesforce Group and add user in Trust Configuration

RoleCollection bpmscp have three below roles.

Map the Salesforce public group with role collection.

Now add user in this trust and map the role collection

Setup is Completed, you can test this now.In order to test you have to go to App Luancher in salesforce as below and click on the application.

It will not ask for another authentication automatically it would open in another tab, its like url based custom tiles which we have in fiori launchpad.

I hope you have enjoyed this blog, See you in next blog. Let me know if you have any question in comment section below. Dont forget to like and share this blog with your colleague.

Regards,

Sudip