Denys van Kempen

SAP Business Technology Platform Security | Hands-on Video Tutorials

Microsoft Azure AD as Identity Provider (IdP), SAP Identity Authentication Service as Proxy IdP and SAP BTP Cloud Foundry as Service Provider (SP)

SAP Partner Innovation Lab and SAP HANA Academy have published a series of video tutorials on the topic of SAP Business Technology Platform security.

In this blog post you will find the videos embedded with references and additional information.

For the related blog post, see

Questions? Please post as comment.

Useful? Give us a like and share on social media.

Thanks!

As recently announced, the SAP Cloud Platform portfolio brand is no longer being used, to avoid confusion with the SAP Business Technology Platform (BTP).

As it will take some time before the user interfaces and documentation are updated, for the time being we will continue to use both terms.


Hands-On Video Tutorials

SAP ID service is the default identity provider of the SAP Business Technology Platform. However, with a few clicks we can configure the platform to use a custom identity provider to provide authentication and authorisation for our business applications hosted in the Cloud Foundry environment. This is a one-to-one mapping.

For more flexible and demanding scenarios, SAP recommends that you use SAP Cloud Identity Services – Identity Authentication as a hub, especially if your business users are stored in multiple corporate identity providers.


You can watch the video tutorial in a little over 10 minutes. What you learn is

  • How to establish the SAML trust between Azure AD and SAP Cloud Identity Service (and vice versa)
  • How to establish the SAML trust between SAP Cloud Identity Service and SAP Cloud Platform Cloud Foundry environment subaccount (and vice versa)
  • How to configure a service provider as enterprise application in Azure AD
  • How to configure a service provider as application in SAP Cloud Identity Service
  • How to configure the user attributes in Azure AD
  • How to configure the user attributes in SAP Cloud Identity Service
  • How to assign a shadow user to a role collection
  • How to create a role mapping between an identity provider role and an XSUAA role collection

How to configure the mapping between the identity provider user groups and the XSUAA role collections is covered below.


Using Azure AD as Identity Provider and SAP Cloud Identity Services as Proxy

Tutorial Video

In this video tutorial, we show how to configure Azure AD as identity provider (IdP), SAP Cloud Identity Services – Identity Authentication as proxy, and an SAP Cloud Platform Cloud Foundry environment tenant as service provider (SP).

This requires the exchange of SAML metadata on both sides with modifications of the user attributes.

0:00 – Introduction

2:20 – Create new Enterprise application in Azure AD

3:00 – Configure User Attributes & Claims

3:30 – Download federation metadata XML (IdP)

4:00 – Create new Corporate IdP in SAP Identity Authentication Service and upload IdP metadata

4:25 – Update Identity Provider Type

4:30 – Download IAS metadata (IdP Proxy)

4:55 – Upload IAS metadata in Azure AD

5:15 – Create new Trust Configuration in SAP Cloud Platform and upload IAS metadata (IdP Proxy)

5:40 – Download service provider (SP) metadata

5:55 – Create new application in SAP Identity Authentication Service and upload SP metadata

6:15 – Configure Default Name ID Format, SAML Assertion Attributes, and Conditional Authentication

6:50 – Assign user to application in Azure AD

7:15 – First test (fails with SAML error)

7:55 – Download federation metadata XML from Azure AD and upload for the IdP in SAP Identity Authentication Service

8:15 – Second test succeeds on authentication

8:25 – Shadow users

8:50 – Third test with myappsec sample application: Forbidden

9:20 – Option 1: Assign shadow user to role collection

10:15 – User authorization concepts

11:05 – Map role collection to Azure AD group


Tricky Bits

SAML Claims and Assertion Attributes

For the role mapping to succeed, the claim attributes need to correspond. Note the Groups with an uppercase G.

Mapping Groups

For the role mapping to succeed, you need to create the corresponding groups in the identity provider and assign these groups to the service provider entry (the enterprise application in Azure AD).

The object ID is used to map the role collection for the attribute: Groups.
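To make both tricky bits concrete, here is an added example (not code from the video, SAP, or Microsoft) that mimics what the role collection mapping does with an incoming assertion: it reads the SAML AttributeStatement, keeps attribute names verbatim, and resolves role collections from the `Groups` values. The assertion XML, the group object IDs and the role collection names are all constructed placeholders; a real assertion is signed and carries far more, and XSUAA's internal implementation is not shown here, only the matching rule the post describes. The second assertion uses `groups` with a lowercase g and resolves to nothing, which is the "Forbidden" outcome seen in the video before the mapping is corrected.

```python
"""Role collection mapping on the SAML 'Groups' attribute (added example).

Two points from the post: the attribute name must be exactly "Groups"
(case-sensitive), and its values are the Azure AD group object IDs that
the mapping keys on. Everything below is constructed for illustration.
"""
import xml.etree.ElementTree as ET

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed stand-in for the mapping configured in the BTP cockpit under
# Trust Configuration: attribute "Groups", value = group object ID -> role
# collections. The object IDs below are placeholders, not real Azure AD groups.
ROLE_COLLECTION_MAPPING = {
    "Groups": {
        "11111111-2222-3333-4444-555555555555": ["myappsec_Admin"],
        "66666666-7777-8888-9999-000000000000": ["myappsec_Viewer"],
    }
}


def assertion_attributes(xml_text):
    """Return {attribute name: [values]} from the assertion's AttributeStatement.

    Names are kept verbatim, so "Groups" and "groups" are different keys;
    that is exactly the pitfall the post warns about.
    """
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iter(f"{{{SAML_ASSERTION_NS}}}Attribute"):
        name = attr.get("Name")
        values = [v.text or "" for v in attr.findall(f"{{{SAML_ASSERTION_NS}}}AttributeValue")]
        attrs.setdefault(name, []).extend(values)
    return attrs


def resolve_role_collections(attrs, mapping=ROLE_COLLECTION_MAPPING):
    """Every mapped attribute value present in the assertion contributes its
    role collections; unknown object IDs are ignored rather than rejected."""
    result = []
    for attr_name, value_map in mapping.items():
        for value in attrs.get(attr_name, []):
            for rc in value_map.get(value, []):
                if rc not in result:
                    result.append(rc)
    return result


def build_assertion(attr_name, group_ids):
    """Construct a minimal, unsigned assertion fragment for the demo."""
    values = "".join(f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in group_ids)
    return (
        f'<saml:Assertion xmlns:saml="{SAML_ASSERTION_NS}">'
        "<saml:AttributeStatement>"
        f'<saml:Attribute Name="{attr_name}">{values}</saml:Attribute>'
        "</saml:AttributeStatement>"
        "</saml:Assertion>"
    )


def demo():
    """Resolve role collections for a correct and a wrong-case attribute name."""
    correct = build_assertion(
        "Groups",
        ["11111111-2222-3333-4444-555555555555", "deadbeef-0000-0000-0000-000000000000"],
    )
    wrong_case = build_assertion("groups", ["11111111-2222-3333-4444-555555555555"])
    return (
        resolve_role_collections(assertion_attributes(correct)),
        resolve_role_collections(assertion_attributes(wrong_case)),
    )


if __name__ == "__main__":
    good, bad = demo()
    print("Groups ->", good)  # ['myappsec_Admin']
    print("groups ->", bad)   # [] : no role collection, the app answers Forbidden
```

When debugging a "Forbidden" after a successful login, this is the check to make by hand: capture the assertion the proxy sends to the subaccount (a browser SAML tracer suffices), confirm the attribute is literally named `Groups`, and confirm its values are the group object IDs, not the group display names, since that is what the mapping compares against.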


Additional References

SAP HANA Academy YouTube Playlist and Code Repository

To bookmark the playlist on YouTube, go to

How to build the sample application myappsec is covered in the post

SAP Developer Center Mission

For a step-by-step description of the procedure, see the tutorial mission

SAP Discovery Center

For information about SAP Cloud Identity Services, visit the entry in the service catalog of the SAP Discovery Center. There you will also find links to the documentation, tutorials, and the SAP Community topic area.

Documentation

The topic is documented, in generic terms (not specific to Azure AD or SAP Cloud Identity Services), under Security Administration: Managing Authentication and Authorization in the SAP Business Technology Platform guide.


Share and Connect 

Questions? Post as comment.

Useful? Give us a like and share on social media. Thanks!

If you would like to receive updates, connect with me on
