Murali Shanmugham

Configure Single Sign-On with Okta & SAP BTP Launchpad service on Cloud Foundry

This blog post describes how to set up Single Sign-On between SAP Business Technology Platform (BTP) and Okta. The request came from a customer, and the requirement also included IdP-initiated SSO from Okta, so that external users could authenticate to a supplier portal hosted on the SAP BTP Cloud Foundry environment.

Special mention to my colleague Lochner Louw, who configured this setup and supported me in this process.

You can try these steps using the SAP BTP trial environment too. For this blog post, I have used an Okta trial account.

Setup trust between SAP BTP and Okta

Download the SAML metadata (the service provider metadata Okta will need) from the Trust Configuration of your SAP BTP subaccount.

In your Okta console, create an application for SAP BTP: click “Add App”.

In the “App Integration Catalog”, click “Create New App”.

Select SAML 2.0 as shown below and click “Next”.

Open the metadata file you downloaded from SAP BTP. Copy the Location of the “AssertionConsumerService” element whose Binding is “HTTP-POST” (the file also lists an HTTP-Artifact endpoint, which Okta does not use). This is the value for “Single sign on URL” in the screen below. The Audience URI is the entityID attribute of the metadata file; Okta places it in the AudienceRestriction of every assertion and SAP BTP rejects assertions whose audience does not match its own entityID, so copy it exactly. The Name ID format is “EmailAddress”.
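Reading those three values by eye from the metadata file is error-prone, in particular picking the HTTP-POST endpoint rather than the HTTP-Artifact one next to it. The following Python script is an added example, not code from the original post, from SAP or from Okta; it selects the endpoint by its Binding attribute, reports anything that would make the Okta form values wrong, and runs against a constructed sample with placeholder host names (the dictionary keys it returns are my own naming, not SAP's or Okta's).

```python
"""Extract the values Okta's SAML settings form needs from SAP BTP SP metadata.

Added example, not code from the original post, SAP or Okta. SAMPLE_SP_METADATA
is a constructed sample with placeholder host names.
"""
import sys
import xml.etree.ElementTree as ET

MD_NS = "{urn:oasis:names:tc:SAML:2.0:metadata}"
HTTP_POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_NAME_ID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample shaped like the file downloaded from the subaccount's trust
# configuration. The SP signing certificate and SingleLogoutService that real
# metadata carries are left out; Okta's settings form does not ask for them.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="mytenant.aws-live-eu10">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://mytenant.authentication.eu10.hana.ondemand.com/saml/SSO/alias/mytenant.aws-live-eu10"
        index="0"/>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://mytenant.authentication.eu10.hana.ondemand.com/saml/SSO/alias/mytenant.aws-live-eu10"
        index="1" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def okta_settings_from_sp_metadata(xml_text):
    """Return the Okta form values plus a list of problems found in the metadata.

    The ACS endpoint is selected by Binding, not by position: the file lists an
    HTTP-Artifact endpoint as well, and Okta only posts to HTTP-POST.
    """
    root = ET.fromstring(xml_text)
    if root.tag != MD_NS + "EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    sp = root.find(MD_NS + "SPSSODescriptor")
    if sp is None:
        raise ValueError("no SPSSODescriptor; this is not service provider metadata")

    problems = []
    entity_id = root.get("entityID")
    if not entity_id:
        problems.append("entityID attribute missing")

    post_locations = [
        acs.get("Location")
        for acs in sp.findall(MD_NS + "AssertionConsumerService")
        if acs.get("Binding") == HTTP_POST_BINDING
    ]
    sso_url = post_locations[0] if post_locations else None
    if sso_url is None:
        problems.append("no AssertionConsumerService with the HTTP-POST binding")
    elif not sso_url.startswith("https://"):
        problems.append("HTTP-POST endpoint is not https")

    formats = [f.text.strip() for f in sp.findall(MD_NS + "NameIDFormat") if f.text]
    email_supported = EMAIL_NAME_ID in formats
    if not email_supported:
        problems.append("SP does not list the emailAddress NameIDFormat")
    if sp.get("WantAssertionsSigned") != "true":
        problems.append("SP does not require signed assertions")

    return {
        "single_sign_on_url": sso_url,  # Okta: "Single sign on URL"
        "audience_uri": entity_id,      # Okta: "Audience URI (SP Entity ID)"
        "email_name_id_supported": email_supported,
        "problems": problems,
    }


if __name__ == "__main__":
    # Usage: python sp_metadata_to_okta.py metadata.xml  (no argument: the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SP_METADATA
    for key, value in okta_settings_from_sp_metadata(text).items():
        print(f"{key}: {value}")
```

Run it against the real metadata file and transcribe the two URLs into Okta only when the `problems` list is empty; an endpoint that is not https or an SP that does not demand signed assertions is worth a conversation before going live.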

To pass the user attributes and groups in the SAML assertion, maintain the attribute statements and the group attribute statement shown below. Note that for the groups we used the regular expression “.*”, which passes every group the user is assigned to in the SAML assertion. That is convenient for a demo, but it also discloses the user's complete Okta group membership to SAP BTP; for production, narrow the filter to the groups you actually map to role collections (for example by a common name prefix).

Continue with the remaining steps and save the application. We will use Okta groups to map roles in SAP BTP. For the demonstration, we created a group called Suppliers, as shown below.

A user has been assigned to this group.

The SAP BTP app created in Okta has been assigned to this group.

The last step in Okta is to go back to the app, open the Sign On tab and download the IdP metadata file.

Setup trust configuration in SAP BTP

In the SAP BTP subaccount, create a new trust configuration.

Upload the metadata file obtained from Okta. Provide a name for the IdP configuration as well as the name that shows up on the login screen (when multiple IdPs are enabled). Save your changes. The Okta metadata contains the IdP signing certificate that SAP BTP uses to verify assertion signatures, so repeat this upload whenever the certificate in Okta is rotated.

Setup of Launchpad site and roles

We assume you know how to access and configure the Launchpad service to show a Fiori Launchpad. For this blog post, we created a role called “Transactions” that grants access to an app called “Purchase Orders”. This app must be visible to every external user authenticated via Okta.

Every local Launchpad role is created as a role collection in the SAP BTP subaccount. Navigate to the role collection and edit it.

Under User Group mappings, map this role collection to the group created in Okta. In the screenshot below, we mapped the Transactions role for suppliers to the Okta group called Suppliers. The mapping is by the group name as Okta sends it in the assertion, so the value entered here must match the Okta group name.
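To see what the group regular expression from the Okta attribute statement and this User Group mapping do together, here is the service-provider side of the exchange modelled in Python. It is an added example, not SAP's or Okta's code: the assertion is a constructed, unsigned sample, the attribute name “Groups” is my assumption for what the Okta group attribute statement was named, Okta's “Matches regex” filter is modelled as a full match (also an assumption), and the audience check illustrates why the Audience URI copied into Okta has to equal the subaccount's entityID.

```python
"""Service-provider view of Okta groups arriving in a SAML assertion.

Added example, not SAP's or Okta's code. SAMPLE_ASSERTION is a constructed,
unsigned sample; "Groups" as the attribute name is an assumption.
"""
import re
import xml.etree.ElementTree as ET

SAML_NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"

# Constructed sample: only the parts this example looks at. A real assertion
# is signed and carries SubjectConfirmation data as well.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2021-06-01T10:00:00Z">
  <saml:Issuer>http://www.okta.com/exk000000000000000</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example-supplier.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2021-06-01T09:55:00Z" NotOnOrAfter="2021-06-01T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>mytenant.aws-live-eu10</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="Groups">
      <saml:AttributeValue>Everyone</saml:AttributeValue>
      <saml:AttributeValue>Suppliers</saml:AttributeValue>
      <saml:AttributeValue>Okta Administrators</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def okta_group_filter(group_names, pattern):
    """What Okta sends for a group attribute statement with a regex filter.

    Modelled as a full match (assumption). ".*" lets every group through;
    a tighter pattern keeps unrelated memberships out of the assertion.
    """
    rx = re.compile(pattern)
    return [g for g in group_names if rx.fullmatch(g)]


def parse_assertion(xml_text):
    """Pull NameID, audiences and attribute values out of an assertion."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext(f"{SAML_NS}Subject/{SAML_NS}NameID")
    audiences = [
        a.text for a in root.iterfind(
            f"{SAML_NS}Conditions/{SAML_NS}AudienceRestriction/{SAML_NS}Audience")
    ]
    attributes = {}
    for attr in root.iterfind(f"{SAML_NS}AttributeStatement/{SAML_NS}Attribute"):
        attributes[attr.get("Name")] = [
            v.text for v in attr.findall(f"{SAML_NS}AttributeValue")
        ]
    return {"name_id": name_id, "audiences": audiences, "attributes": attributes}


def audience_matches(assertion, sp_entity_id):
    """The SP only accepts assertions addressed to its own entityID."""
    return sp_entity_id in assertion["audiences"]


def role_collections_for(assertion, sp_entity_id, group_attribute, group_to_role_collections):
    """Apply the User Group mapping: exact group name -> role collections."""
    if not audience_matches(assertion, sp_entity_id):
        raise ValueError("assertion audience does not match this subaccount's entityID")
    granted = set()
    for group in assertion["attributes"].get(group_attribute, []):
        granted.update(group_to_role_collections.get(group, []))
    return sorted(granted)


if __name__ == "__main__":
    parsed = parse_assertion(SAMPLE_ASSERTION)
    mapping = {"Suppliers": ["Transactions"]}
    print(parsed["name_id"], role_collections_for(parsed, "mytenant.aws-live-eu10", "Groups", mapping))
```

Two things the example leaves out on purpose, because they are the SP's job and SAP BTP does them for you: verifying the XML signature against the certificate from the uploaded Okta metadata, and checking Issuer, NotBefore/NotOnOrAfter and InResponseTo. What it does show is that “Everyone” and “Okta Administrators” travel in the assertion under the “.*” filter even though only “Suppliers” is mapped, and that nothing is granted unless the audience matches.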

When you test the Fiori Launchpad, you see an identity provider selection screen with two login links, one for the Default Identity Provider and one for Okta. You can switch off the Default Identity Provider for user logon so that users never see this screen: click the pencil icon next to the Default Identity Provider and deselect the option “Available for user logon”.

Before doing so, make sure everyone who needs the site, including the administrators who test it, can authenticate through Okta: users who exist only in the default identity provider can no longer log on to the subaccount's applications once it is disabled for user logon.

After making this change, when you try to access the Launchpad site, it would take you directly to the Okta login screen.

On successful authentication, the user will be presented with the relevant apps based on the role assignments.

At the beginning of the blog post, I mentioned that the requirement was to support IdP-initiated SSO. The users would access the Launchpad site as a tile on the Okta dashboard.

Clicking on this tile takes the user to the “Where to?” screen of the SAP BTP Cloud Foundry environment instead of the Launchpad site.

Set redirect/default home screen for SAP BTP Sub-Account

IdP-initiated SSO works in the SAP BTP Cloud Foundry environment, but there is no automatic redirection to the corresponding application. This is documented in SAP KBA 2900190.

There is a way to set a default home screen. The only drawback is that you can set just one default home screen per SAP BTP subaccount. The approach is documented in SAP KBA 2775274.

Here is a summary of the steps:

  • Create an instance of the “Authorization & Trust Management” (XSUAA) service

  • Create a service key to obtain the URL, client ID and client secret

  • Use a REST client to obtain an access token (client credentials grant) from the token endpoint of that URL

  • Use the access token to issue a PATCH request that updates the homeRedirect attribute

The service key is an administrative credential for the subaccount's XSUAA tenant: keep it out of tickets and chat, and delete the key (or the whole instance) once the redirect has been set.
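The four steps above, scripted so that the token request and the PATCH can be reviewed before anything is sent. This is an added example, not SAP's code and not a transcription of the KBA: the service key is a constructed sample (the field names `url`, `clientid`, `clientsecret` are those of a Cloud Foundry service key), and the resource path and JSON body used for the PATCH are my assumptions modelled on UAA's identity-zone `links.homeRedirect` setting; take the exact path and payload from SAP KBA 2775274 and pass the path in via the `resource_path` parameter if it differs.

```python
"""Obtain an XSUAA token and PATCH the homeRedirect for IdP-initiated SSO.

Added example, not SAP's code. SAMPLE_SERVICE_KEY is constructed. The PATCH
resource path and body shape are ASSUMPTIONS to be checked against SAP KBA
2775274; only the OAuth client-credentials request is standard.
"""
import base64
import json
import sys
import urllib.parse
import urllib.request

# Constructed sample in the shape of a Cloud Foundry service key (only the fields used here).
SAMPLE_SERVICE_KEY = {
    "url": "https://mytenant.authentication.eu10.hana.ondemand.com",
    "clientid": "sb-example!b1|xsuaa!b2",
    "clientsecret": "not-a-real-secret",
}

# ASSUMPTION: identity-zone resource under the XSUAA REST API; verify in the KBA.
DEFAULT_RESOURCE_PATH = "/sap/rest/identity-zones/{zone_id}"


def basic_auth_header(client_id, client_secret):
    """HTTP Basic credentials as the token endpoint expects them."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return "Basic " + creds


def build_token_request(service_key):
    """Client-credentials grant against the service key's OAuth token endpoint."""
    url = service_key["url"].rstrip("/") + "/oauth/token"
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    headers = {
        "Authorization": basic_auth_header(service_key["clientid"], service_key["clientsecret"]),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def home_redirect_is_acceptable(home_redirect, allowed_hosts):
    """The value becomes the landing page of every IdP-initiated login in the
    subaccount, so insist on https and on a host you control."""
    parts = urllib.parse.urlsplit(home_redirect)
    return parts.scheme == "https" and parts.hostname in allowed_hosts


def build_home_redirect_patch(service_key, access_token, zone_id, home_redirect,
                              allowed_hosts, resource_path=DEFAULT_RESOURCE_PATH):
    """PATCH request that sets homeRedirect (path and body shape are assumptions)."""
    if not home_redirect_is_acceptable(home_redirect, allowed_hosts):
        raise ValueError("refusing to set homeRedirect to " + home_redirect)
    url = service_key["url"].rstrip("/") + resource_path.format(
        zone_id=urllib.parse.quote(zone_id, safe=""))
    body = json.dumps({"config": {"links": {"homeRedirect": home_redirect}}}).encode()  # ASSUMPTION
    headers = {"Authorization": "Bearer " + access_token, "Content-Type": "application/json"}
    return urllib.request.Request(url, data=body, headers=headers, method="PATCH")


def main(argv):
    if len(argv) != 5:
        print("usage: set_home_redirect.py SERVICE_KEY.json ZONE_ID HOME_REDIRECT_URL ALLOWED_HOST[,HOST...]",
              file=sys.stderr)
        return 2
    key_path, zone_id, home_redirect, allowed = argv[1:]
    with open(key_path) as fh:
        service_key = json.load(fh)
    with urllib.request.urlopen(build_token_request(service_key)) as resp:
        token = json.load(resp)["access_token"]
    patch = build_home_redirect_patch(service_key, token, zone_id, home_redirect,
                                      set(allowed.split(",")))
    with urllib.request.urlopen(patch) as resp:
        print("PATCH returned HTTP", resp.status)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The allow-list check is the part worth keeping even if you end up using Postman: a typo in the redirect URL is not just a broken login page, it sends every Okta-initiated user of the subaccount to whatever host you typed.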

I hope this gave you enough information to complete the basic setup of Single Sign-On. There are a few other activities you would need to consider, for example configuring the logout URL (single logout) so that signing out of the Launchpad also ends the Okta session.


      2 Comments

      Himanshu Mohanty

      Hi Murali,

      We recently configured this in our landscape, which works fine. However, while trying to implement this for the SAP BTP Subaccount URL (for Admins), when obtaining the access token for the SAP BTP Subaccount URL, Postman returns "405 Method Not Allowed".

      FYI, we are using the same service key used for the SAP BTP Launchpad URL.

      Would you please comment on whether this is feasible?

      Thanks
      Himanshu

      Madhur Kanungo

      Hi Murali,

      Very nice blog. Quick question: we have a customer who is using Agentry on Cloud and would like to use Okta as IdP.

      Can we configure an Agentry application running on the BTP platform to connect via Okta?

      Thanks,

      Madhur