Skip to Content
Technical Articles
Author's profile photo Denys van Kempen

SAP Business Technology Platform Security | Hands-on Video Tutorials

Microsoft Azure AD as Identity Provider (IdP), SAP Identity Authentication Service as Proxy IdP and SAP BTP Cloud Foundry as Service Provider (SP)

SAP Partner Innovation Lab and SAP HANA Academy have published a series of video tutorials on the topic of SAP Business Technology Platform security.

In this blog post you will find the videos embedded with references and additional information.

For the related blog post, see

Questions? Please post as comment.

Useful? Give us a like and share on social media.

Thanks!

As recently announced, the SAP Cloud Platform portfolio brand is no longer being used to avoid confusing with the SAP Business Technology Platform (BTP).

As it will take some time before the user interfaces and documentation is updated, for the time being we will continue to use both terms.

/wp-content/uploads/2016/02/sapnwabline_885687.png

Hands-On Video Tutorials

SAP ID service is the default identity provider of the SAP Business Technology Platform. However, with a few clicks we can configure the platform to use a custom identity provider to provide authentication and authorisation for our business applications hosted in the Cloud Foundry environment. This is a one-to-one mapping.

For more flexible and demanding scenarios, SAP recommends that you use SAP Cloud Identity Services – Identity Authentication as a hub, especially if your business users are stored in multiple corporate identity providers.

 

You can watch the video tutorial in a little over 10 minutes. What you learn is

  • How to establish the SAML trust between Azure AD and SAP Cloud Identity Service (and vice versa)
  • How to establish the SAML trust between SAP Cloud Identity Service and SAP Cloud Platform Cloud Foundry environment subaccount (and vice versa)
  • How to configure a service provider as enterprise application in Azure AD
  • How to configure a service provider as application in SAP Cloud Identity Service
  • How to configure the user attributes in Azure AD
  • How to configure the user attributes in SAP Cloud Identity Service
  • How to assign a shadow user to a role collection
  • How to create a role mapping between an IdP provider role and an XSUAA role collection

How to configure the mapping between the identity provider user groups and the XSUAA role collections is covered below.

/wp-content/uploads/2016/02/sapnwabline_885687.png

Using Azure AD as Identity Provider and SAP Cloud Identity Services as Proxy

Tutorial Video

In this video tutorial, we show how we can configure Azure AD as identity provider (IdP), SAP Cloud Identity Services – Identity Authentication as proxy, and a SAP Cloud Platform Cloud Foundry environment tenant as service provider (SP).

This requires the exchange of SAML metadata on both sides with modifications of the user attributes.

0:00 – Introduction

2:20 – Create new Enterprise application in Azure AD

3:00 – Configure User Attributes & Claims

3:30 – Download federation metadata XML (IdP)

4:00 – Create new Corporate IdP in SAP Identity Authentication Service and upload IdP metadata 4:25 – Update Identiy Provider Type

4:30 – Download IAS metadata (IdP Proxy)

4:55 – Upload IAS metadata in Azure Ad

5:15 – Create net Trust Configuration in SAP Cloud Platform and upload IAS metadata (IdP Proxy) 5:40 – Download service provider (SP) metadata

5:55 – Create new application in SAP Identity Authentication Service and upload SP metadata

6:15 – Configure Default Name ID Format, SAML Assertion Attributes, and Conditional Authentication 6:50 – Assign user to application in Azure AD

7:15 – First test (fails with SAML error)

7:55 – Download federation metadata XML from Azure AD and upload for the IdP in SAP Identity Authentication Service

8:15 – Second test succeeds on authentication

8:25 – Shadow users

8:50 – Third test with myappsec sample appliation: Forbidden

9:20 – Option 1: Assign shadow user to role collection

10:15 – User authorization concepts

11:05 – Map role collection to Azure AD group

/wp-content/uploads/2016/02/sapnwabline_885687.png

Tricky Bits

SAML Claims and Assertion Attributes

For the role mapping to succeed, the claim attributes need to correspond. Note the Groups with an uppercase G.

Mapping Groups

For the role mapping to succeed, you need to create the corresponding groups in the Identity Provider and assign these groups the service provider entry (enterprise application in Azure AD).

The object ID is used to map the role collection for the attribute: Groups.

/wp-content/uploads/2016/02/sapnwabline_885687.png

Additional References

SAP HANA Academy YouTube Playlist and Code Repository

To bookmark the playlist on YouTube, go to

How to build the sample application myappsec is covered in the post

SAP Developer Center Mission

For a step-by-step description of the procedure, see the tutorial mission

SAP Discovery Center

For information about SAP Cloud Identity Service, visit the entry in the service catalog of the SAP Discovery Center. Here you also find links to the documentation, tutorials, and the SAP Community topic area

Documentation

The topic is documented, in generic terms (not specific to Azure AD or SAP Cloud Identity Services under Security Administration: Managing Authentication and Authorization of the SAP Business Technology Platform guide.

/wp-content/uploads/2016/02/sapnwabline_885687.png

Share and Connect

Questions? Please post as comment.

Useful? Give us a like and share on social media.

Thanks!

If you would like to receive updates, connect with me on

For the author page of SAP PRESS, visit

Over the years, for the SAP HANA Academy, SAP’s Partner Innovation Lab, and à titre personnel, I have written a little over 300 posts here for the SAP Community. Some articles only reached a few readers. Others attracted quite a few more.

For your reading pleasure and convenience, here is a curated list of posts which somehow managed to pass the 10k-view mile stone and, as sign of current interest, still tickle the counters each month.

/wp-content/uploads/2016/02/sapnwabline_885687.png

Assigned Tags

      5 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Gustavo Calixto
      Gustavo Calixto

      Hello Denys! First and foremost, really great content!

       

      I just have one doubt, in the context of SAP BTP feature set B, is it possible to federate platform users through IAS? Would it be possible for a user federated from Azure AD to access a BTP Cockpit that is using feature set B?

       

      Thanks! 

      Author's profile photo Denys van Kempen
      Denys van Kempen
      Blog Post Author

      Welcome,

      For my account the Trust configuration at the Global level is not configurable (editable). In other words, I cannot add a third-party IdP or disable the default IdP.

      The UI suggests that configuration is possible but that my account does not have the privileges. It could be that this is different for enterprise accounts other than SAP.

      Is Trust configuration configurable for you / your enterprise account administrator?

      Author's profile photo Gustavo Calixto
      Gustavo Calixto

      Thanks for the quick reply!

      No... We are only able to configure it within the subaccount too. I saw that feature set B lacks support for platform users authenticating with a custom IdP, but I was in doubt if the IAS acting as a proxy would be a way to authenticate these users so that they are able to access the BTP cockpit on a subaccount level at least. But I think this is something we are going to have to wait...

       

      Thanks once again, Denys!

      Author's profile photo Denys van Kempen
      Denys van Kempen
      Blog Post Author

      Hi Gustavo, 

      Here is what's on the roadmap for Q2

      Author's profile photo Gustavo Calixto
      Gustavo Calixto

      That´s awesome Denys! Thanks once again!