
SAP Business Technology Platform Security | Hands-on Video Tutorials

Microsoft Azure AD as Identity Provider (IdP), SAP Identity Authentication Service as Proxy IdP and SAP BTP Cloud Foundry as Service Provider (SP)

SAP Partner Innovation Lab and SAP HANA Academy have published a series of video tutorials on the topic of SAP Business Technology Platform security.

In this blog post you will find the videos embedded with references and additional information.

For the related blog post, see

Questions? Please post as comment.

Useful? Give us a like and share on social media.

Thanks!

As recently announced, the SAP Cloud Platform portfolio brand is no longer being used, to avoid confusion with the SAP Business Technology Platform (BTP).

As it will take some time before the user interfaces and documentation are updated, we will continue to use both terms for the time being.


Hands-On Video Tutorials

SAP ID service is the default identity provider of the SAP Business Technology Platform. However, with a few clicks we can configure the platform to use a custom identity provider to provide authentication and authorisation for our business applications hosted in the Cloud Foundry environment. This is a one-to-one mapping.

For more flexible and demanding scenarios, SAP recommends that you use SAP Cloud Identity Services – Identity Authentication as a hub, especially if your business users are stored in multiple corporate identity providers.


You can watch the video tutorial in a little over 10 minutes. What you learn is

  • How to establish the SAML trust between Azure AD and SAP Cloud Identity Service (and vice versa)
  • How to establish the SAML trust between SAP Cloud Identity Service and SAP Cloud Platform Cloud Foundry environment subaccount (and vice versa)
  • How to configure a service provider as enterprise application in Azure AD
  • How to configure a service provider as application in SAP Cloud Identity Service
  • How to configure the user attributes in Azure AD
  • How to configure the user attributes in SAP Cloud Identity Service
  • How to assign a shadow user to a role collection
  • How to create a role mapping between an IdP provider role and an XSUAA role collection

How to configure the mapping between the identity provider user groups and the XSUAA role collections is covered below.


Using Azure AD as Identity Provider and SAP Cloud Identity Services as Proxy

Tutorial Video

In this video tutorial, we show how we can configure Azure AD as identity provider (IdP), SAP Cloud Identity Services – Identity Authentication as proxy, and a SAP Cloud Platform Cloud Foundry environment tenant as service provider (SP).

This requires the exchange of SAML metadata on both sides with modifications of the user attributes.

0:00 – Introduction

2:20 – Create new Enterprise application in Azure AD

3:00 – Configure User Attributes & Claims

3:30 – Download federation metadata XML (IdP)

4:00 – Create new Corporate IdP in SAP Identity Authentication Service and upload IdP metadata

4:25 – Update Identity Provider Type

4:30 – Download IAS metadata (IdP Proxy)

4:55 – Upload IAS metadata in Azure AD

5:15 – Create new Trust Configuration in SAP Cloud Platform and upload IAS metadata (IdP Proxy)

5:40 – Download service provider (SP) metadata

5:55 – Create new application in SAP Identity Authentication Service and upload SP metadata

6:15 – Configure Default Name ID Format, SAML Assertion Attributes, and Conditional Authentication

6:50 – Assign user to application in Azure AD

7:15 – First test (fails with SAML error)

7:55 – Download federation metadata XML from Azure AD and upload for the IdP in SAP Identity Authentication Service

8:15 – Second test succeeds on authentication

8:25 – Shadow users

8:50 – Third test with myappsec sample application: Forbidden

9:20 – Option 1: Assign shadow user to role collection

10:15 – User authorization concepts

11:05 – Map role collection to Azure AD group


Tricky Bits

SAML Claims and Assertion Attributes

For the role mapping to succeed, the claim attributes need to correspond. Note the Groups with an uppercase G.

Mapping Groups

For the role mapping to succeed, you need to create the corresponding groups in the identity provider and assign these groups to the service provider entry (the enterprise application in Azure AD).

The object ID of the group is the value used to map the role collection for the attribute Groups.
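As an added illustration of the two tricky bits above (this is example code, not part of the tutorial or of XSUAA itself): a constructed SAML assertion fragment carries the Azure AD group object ID in a Groups attribute, and a simplified, case-sensitive lookup models how a role collection mapping keyed on attribute name and value resolves. The object IDs and role collection names are constructed sample values.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion fragment (not a real token). The "Groups" attribute
# carries a constructed Azure AD group object ID; a second attribute with a
# lowercase name shows why the capital G matters.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="Groups">
      <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>99999999-8888-7777-6666-555555555555</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed role collection mappings, modelled on what the subaccount trust
# configuration stores: (attribute name, attribute value) -> role collection.
ROLE_COLLECTION_MAPPINGS = {
    ("Groups", "11111111-2222-3333-4444-555555555555"): "myappsec_admin",
    ("Groups", "99999999-8888-7777-6666-555555555555"): "myappsec_user",
}


def extract_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def resolve_role_collections(attrs, mappings):
    """Role collections granted to the shadow user (simplified model).

    The lookup is exact and case-sensitive on both the attribute name and the
    value, so a value sent under "groups" never matches a mapping on "Groups".
    """
    granted = set()
    for name, values in attrs.items():
        for value in values:
            role_collection = mappings.get((name, value))
            if role_collection:
                granted.add(role_collection)
    return sorted(granted)
```

Only the object ID sent under the exact attribute name Groups resolves; the second mapping stays unused because its value arrives under the lowercase name.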


Additional References

SAP HANA Academy YouTube Playlist and Code Repository

To bookmark the playlist on YouTube, go to

How to build the sample application myappsec is covered in the post

SAP Developer Center Mission

For a step-by-step description of the procedure, see the tutorial mission

SAP Discovery Center

For information about SAP Cloud Identity Services, visit the entry in the service catalog of the SAP Discovery Center. There you will also find links to the documentation, tutorials, and the SAP Community topic area.

Documentation

The topic is documented in generic terms (not specific to Azure AD or SAP Cloud Identity Services) under Security Administration: Managing Authentication and Authorization in the SAP Business Technology Platform guide.


Share and Connect

Questions? Please post as comment.

Useful? Give us a like and share on social media.

Thanks!

If you would like to receive updates, connect with me on

For the author page of SAP PRESS, visit

Over the years, for the SAP HANA Academy, SAP’s Partner Innovation Lab, and à titre personnel, I have written a little over 300 posts here for the SAP Community. Some articles only reached a few readers. Others attracted quite a few more.

For your reading pleasure and convenience, here is a curated list of posts which somehow managed to pass the 10k-view milestone and, as a sign of current interest, still tickle the counters each month.

Comments

Gustavo Calixto

      Hello Denys! First and foremost, really great content!


      I just have one doubt, in the context of SAP BTP feature set B, is it possible to federate platform users through IAS? Would it be possible for a user federated from Azure AD to access a BTP Cockpit that is using feature set B?


      Thanks! 

Denys van Kempen (Blog Post Author)

      Welcome,

      For my account the Trust configuration at the Global level is not configurable (editable). In other words, I cannot add a third-party IdP or disable the default IdP.

      The UI suggests that configuration is possible but that my account does not have the privileges. It could be that this is different for enterprise accounts other than SAP.

      Is Trust configuration configurable for you / your enterprise account administrator?

Gustavo Calixto

      Thanks for the quick reply!

      No... We are only able to configure it within the subaccount too. I saw that feature set B lacks support for platform users authenticating with a custom IdP, but I was in doubt if the IAS acting as a proxy would be a way to authenticate these users so that they are able to access the BTP cockpit on a subaccount level at least. But I think this is something we are going to have to wait...


      Thanks once again, Denys!

Denys van Kempen (Blog Post Author)

      Hi Gustavo, 

      Here is what's on the roadmap for Q2

Gustavo Calixto

That's awesome Denys! Thanks once again!

Michael Sharrar

      Denys van Kempen is this configuration "re-usable" within multiple subaccounts?  Meaning, can I set this up once and then use the same configuration for all of my BTP subaccounts?

Denys van Kempen (Blog Post Author)

      Hi Michael,

      Would you mind posting your question(s) to the SAP Community forum?

      The community is monitored 24/7 by the topic area experts and allows for knowledge sharing.

      https://answers.sap.com