Microsoft Azure AD as Identity Provider (IdP), SAP Identity Authentication Service as Proxy IdP and SAP BTP Cloud Foundry as Service Provider (SP)
SAP Partner Innovation Lab and SAP HANA Academy have published a series of video tutorials on the topic of SAP Business Technology Platform security.
In this blog post you will find the videos embedded with references and additional information.
For the related blog post, see
Questions? Please post as comment.
Useful? Give us a like and share on social media.
As recently announced, the SAP Cloud Platform portfolio brand is no longer being used to avoid confusing with the SAP Business Technology Platform (BTP).
As it will take some time before the user interfaces and documentation is updated, for the time being we will continue to use both terms.
Hands-On Video Tutorials
SAP ID service is the default identity provider of the SAP Business Technology Platform. However, with a few clicks we can configure the platform to use a custom identity provider to provide authentication and authorisation for our business applications hosted in the Cloud Foundry environment. This is a one-to-one mapping.
For more flexible and demanding scenarios, SAP recommends that you use SAP Cloud Identity Services – Identity Authentication as a hub, especially if your business users are stored in multiple corporate identity providers.
You can watch the video tutorial in a little over 10 minutes. What you learn is
- How to establish the SAML trust between Azure AD and SAP Cloud Identity Service (and vice versa)
- How to establish the SAML trust between SAP Cloud Identity Service and SAP Cloud Platform Cloud Foundry environment subaccount (and vice versa)
- How to configure a service provider as enterprise application in Azure AD
- How to configure a service provider as application in SAP Cloud Identity Service
- How to configure the user attributes in Azure AD
- How to configure the user attributes in SAP Cloud Identity Service
- How to assign a shadow user to a role collection
- How to create a role mapping between an IdP provider role and an XSUAA role collection
How to configure the mapping between the identity provider user groups and the XSUAA role collections is covered below.
Using Azure AD as Identity Provider and SAP Cloud Identity Services as Proxy
In this video tutorial, we show how we can configure Azure AD as identity provider (IdP), SAP Cloud Identity Services – Identity Authentication as proxy, and a SAP Cloud Platform Cloud Foundry environment tenant as service provider (SP).
This requires the exchange of SAML metadata on both sides with modifications of the user attributes.
0:00 – Introduction
2:20 – Create new Enterprise application in Azure AD
3:00 – Configure User Attributes & Claims
3:30 – Download federation metadata XML (IdP)
4:30 – Download IAS metadata (IdP Proxy)
4:55 – Upload IAS metadata in Azure Ad
5:55 – Create new application in SAP Identity Authentication Service and upload SP metadata
7:15 – First test (fails with SAML error)
7:55 – Download federation metadata XML from Azure AD and upload for the IdP in SAP Identity Authentication Service
8:15 – Second test succeeds on authentication
8:25 – Shadow users
8:50 – Third test with myappsec sample appliation: Forbidden
9:20 – Option 1: Assign shadow user to role collection
10:15 – User authorization concepts
11:05 – Map role collection to Azure AD group
SAML Claims and Assertion Attributes
For the role mapping to succeed, the claim attributes need to correspond. Note the Groups with an uppercase G.
For the role mapping to succeed, you need to create the corresponding groups in the Identity Provider and assign these groups the service provider entry (enterprise application in Azure AD).
The object ID is used to map the role collection for the attribute: Groups.
SAP HANA Academy YouTube Playlist and Code Repository
To bookmark the playlist on YouTube, go to
How to build the sample application myappsec is covered in the post
- End-to-End Tutorial | Developing Secure Applications on the SAP Cloud Platform Cloud Foundry Runtime
SAP Developer Center Mission
For a step-by-step description of the procedure, see the tutorial mission
- Enable SSO Between Azure AD and SAP Cloud Platform Using Identity Authentication Service by Maximilian Streifeneder
SAP Discovery Center
For information about SAP Cloud Identity Service, visit the entry in the service catalog of the SAP Discovery Center. Here you also find links to the documentation, tutorials, and the SAP Community topic area
The topic is documented, in generic terms (not specific to Azure AD or SAP Cloud Identity Services under Security Administration: Managing Authentication and Authorization of the SAP Business Technology Platform guide.
Share and Connect
Questions? Post as comment.
Useful? Give us a like and share on social media. Thanks!
If you would like to receive updates, connect with me on