Microsoft Azure AD as Identity Provider (IdP) and SAP Cloud Platform Cloud Foundry as Service Provider (SP)
Digital Partner Engineering and SAP HANA Academy just added new tutorials on the topic of SAP Business Technology Platform security.
In this blog post you will find the videos embedded with references and additional information.
Questions? Please post as comment.
Useful? Give us a like and share on social media.
As recently announced, the SAP Cloud Platform brand is no longer being used, to avoid confusion with the SAP Business Technology Platform (BTP).
As it will take some time before the user interfaces and documentation are updated, we will continue to use both terms for the time being.
Hands-On Video Tutorials
SAP ID service is the default identity provider of the SAP Business Technology Platform. However, with a few clicks we can configure the platform to use a custom identity provider to provide authentication and authorisation for our business applications hosted in the Cloud Foundry environment.
You can watch the video tutorial in a little over 10 minutes. What you learn is
- How to configure Azure AD to trust a SAP Cloud Platform subaccount as service provider
- How to configure your SAP Cloud Platform subaccount to trust Azure AD as identity provider
How to configure the mapping between the identity provider user groups and the XSUAA role collections is covered below.
Using Azure AD as Identity Provider
In the first video, we show how we can configure Azure AD as identity provider (IdP) and SAP Cloud Platform Cloud Foundry environment tenant as service provider (SP).
This requires the exchange of SAML metadata on both sides with some modifications of the user attributes.
0:00 – Introduction
0:40 – Create an enterprise application for SAP Cloud Platform in Azure AD
2:30 – Set up single sign-on with SAML
3:30 – Download SAML metadata from service provider
4:00 – Upload metadata and add sign on URL
4:30 – Configure user attributes and claims
5:45 – Download SAML metadata from identity provider
5:50 – Create new trust configuration and upload metadata
7:00 – Test single sign-on for the service provider
7:50 – Grant user access to the application (service provider)
8:45 – Showcase sample application using SAP ID service and Azure AD
9:50 – SAP BTP authorisation with roles and role collections
11:00 – Disable SAP ID service as default identity provider
Exchanging SAML Metadata
Three parameters are required, two of which are populated by uploading the SAML metadata file from the service provider, i.e. the SAP Cloud Platform subaccount.
To establish the mutual trust, download the federation metadata XML file and upload it to SAP Cloud Platform subaccount.
Updating Attributes and Claims
User attributes and claims need to be modified configuring e-mail as unique attribute and adding a group claim.
Configuring Role Collection Mappings
In previous videos of this series we covered how the design-time artifact Scope relates to Role Template, and how these map to the platform runtime artifacts Role and Role Collection, as defined in xs-security.json (or mta.yaml).
SAP Business Application Studio | Design-time Configuration
Azure AD | Groups
To illustrate this concept, we have created two groups. For clarity, we used the same name for the group but this can be any name you want as the mapping is made using the group object ID.
SAP Cloud Platform | Role Collection Mappings
In the SAP Cloud Platform cockpit, go to Security > Trust Configuration and select the custom identity provider we created (Azure AD); this opens the menu for creating role collection mappings.
- Role Collection: select the role collection from the list (as defined in xs-security.json)
- Attribute: as configured in Azure AD “Groups”
- Value: corresponding object ID of the group created for the service provider (enterprise application)
Create Role Collection Mapping
List Role Collection Mappings for the custom identity provider
Security > Role Collections shows the user group mapping.
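As an added illustration, not code from the tutorial or from XSUAA itself, the Python snippet below shows the mapping logic described above: it reads a constructed Azure AD SAML attribute statement carrying the e-mail claim and the `Groups` claim, then grants the role collections whose mapping value matches one of the group object IDs. The object IDs, role collection names and e-mail address are made up.

```python
# Added example (not the tutorial's or XSUAA's code): resolve SAP BTP role
# collections from an Azure AD SAML attribute statement via role collection
# mappings keyed on the group object ID, as configured in the cockpit.
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the attribute statement of an Azure AD assertion after
# the claims were customised as in the video (e-mail as unique identifier,
# plus a "Groups" claim with group object IDs). IDs are placeholders.
SAMPLE_ATTRIBUTE_STATEMENT = """
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
    <saml:AttributeValue>alice@example.com</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="Groups">
    <saml:AttributeValue>11111111-aaaa-4bbb-8ccc-000000000001</saml:AttributeValue>
    <saml:AttributeValue>11111111-aaaa-4bbb-8ccc-000000000002</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""

# Constructed mappings in the shape of the cockpit dialog:
# Role Collection / Attribute / Value (group object ID).
ROLE_COLLECTION_MAPPINGS = [
    {"role_collection": "Viewer", "attribute": "Groups",
     "value": "11111111-aaaa-4bbb-8ccc-000000000001"},
    {"role_collection": "Administrator", "attribute": "Groups",
     "value": "11111111-aaaa-4bbb-8ccc-000000000002"},
    {"role_collection": "Auditor", "attribute": "Groups",
     "value": "11111111-aaaa-4bbb-8ccc-000000000003"},  # not in assertion
]

def parse_attributes(statement_xml):
    """Return {attribute name: [values]} from a SAML AttributeStatement."""
    root = ET.fromstring(statement_xml.strip())
    attrs = {}
    for attr in root.findall("saml:Attribute", SAML_NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", SAML_NS) if v.text]
        attrs[attr.get("Name")] = values
    return attrs

def resolve_role_collections(attrs, mappings):
    """A mapping grants its role collection only when the assertion carries the
    mapping's attribute with exactly the mapping's value; unmatched groups and
    mappings without a matching group are ignored."""
    granted = set()
    for m in mappings:
        if m["value"] in attrs.get(m["attribute"], []):
            granted.add(m["role_collection"])
    return granted
```

Running `resolve_role_collections(parse_attributes(SAMPLE_ATTRIBUTE_STATEMENT), ROLE_COLLECTION_MAPPINGS)` yields the Viewer and Administrator collections; Auditor stays unassigned because its object ID is absent from the assertion.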
Details = True
When two or more identity providers are available for user logon, a selection screen is displayed listing the default identity provider SAP ID service (sap.default) alongside the custom identity provider(s), using the link text defined when the trust was created.
The URL of the page is
Appending config?action=who&details=true to the URL returns information about the SAML context, including the object IDs of the SAML groups.
SAP HANA Academy YouTube Playlist and Code Repository
To bookmark the playlist on YouTube, go to
For the code snippets, see
The steps are documented in generic terms (any SAML Identity Provider) in the documentation for the SAP Cloud Platform.
- Security Administration: Managing Authentication and Authorization
- Establish Trust and Federation with UAA Using Any SAML Identity Provider
- Federation Attribute Settings of Any Identity Provider
The configuration guide from the Microsoft Documentation provides some information but not all as it covers the Neo environment and not Cloud Foundry.
For an earlier blog post on the topic, see
Share and Connect
Questions? Post as comment.
Useful? Give us a like and share on social media. Thanks!
If you would like to receive updates, connect with me on