Technical Articles
Configure Single Sign-On with Okta & SAP BTP Launchpad service on Cloud Foundry
This blog post is about the setup of Single Sign-On between SAP Business Technology Platform (BTP) and Okta. This was a request from a customer, and the requirement also included configuring IdP-initiated SSO from Okta to authenticate external users accessing a supplier portal hosted on the SAP BTP Cloud Foundry environment.
Special mention to my colleague Lochner Louw who configured this setup and supported me in this process.
You can try these steps using the SAP BTP trial environment too. For this blog post, I have used an Okta trial account.
Set up trust between SAP BTP and Okta
Download the SAML metadata from the Trust Configuration of your SAP BTP subaccount.
In your Okta console, you need to create an application for SAP BTP. Click on “Add App”.
In the “App Integration Catalog” click on “Create New App”.
Select SAML 2.0 as shown below and click on “Next”.
Open the metadata file which you downloaded from SAP BTP. Copy the URL in the “AssertionConsumerService” that is listed as “HTTP-POST”. This will be the value for “Single sign on URL” in the below screen. The Audience URI is the entityID in the metadata file. The Name ID format is “EmailAddress”.
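Reading those three values out of the exported metadata by hand is where most mistakes in this step happen (picking the HTTP-Artifact endpoint instead of HTTP-POST, or pasting a URL where the entityID belongs). The script below is an added example, not code from the original post or from SAP or Okta: it parses SP metadata in the shape SAP BTP exports and returns exactly the fields the Okta SAML form asks for. The embedded metadata is a constructed sample with placeholder hostnames and entityID, not a real tenant.

```python
"""Pull the Okta-side SAML settings out of an SAP BTP subaccount's SP metadata.

Added example, not code from the original post, SAP or Okta. The metadata
below is a constructed sample in the shape of the Trust Configuration export;
every hostname and the entityID are placeholders.
"""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"

# Constructed sample SP metadata (placeholder values, not a real subaccount).
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="example-subaccount.authentication.example.invalid">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://example-subaccount.authentication.example.invalid/saml/SSO/alias/example-subaccount"
        index="1"/>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-subaccount.authentication.example.invalid/saml/SSO/alias/example-subaccount"
        index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def okta_settings_from_sp_metadata(xml_text: str) -> dict:
    """Return the values the Okta SAML app form asks for.

    single_sign_on_url : Location of the HTTP-POST AssertionConsumerService
    audience_uri       : the entityID of the service provider
    name_id_format     : the NameIDFormat the SP advertises (None if absent)
    Raises ValueError when the file is IdP metadata, lacks an entityID, or has
    no HTTP-POST ACS, because Okta's "Single sign on URL" must be a POST endpoint.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("entityID missing")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this looks like IdP metadata, not SP metadata")

    # Keep only HTTP-POST endpoints and prefer the one flagged isDefault.
    post_acs = [acs for acs in sp.findall("md:AssertionConsumerService", NS)
                if acs.get("Binding") == HTTP_POST]
    if not post_acs:
        raise ValueError("no HTTP-POST AssertionConsumerService in metadata")
    post_acs.sort(key=lambda acs: acs.get("isDefault") != "true")
    acs_url = post_acs[0].get("Location")
    if not acs_url or not acs_url.startswith("https://"):
        raise ValueError(f"ACS URL must be https: {acs_url!r}")

    name_id = sp.find("md:NameIDFormat", NS)
    return {
        "single_sign_on_url": acs_url,
        "audience_uri": entity_id,
        "name_id_format": name_id.text.strip() if name_id is not None and name_id.text else None,
        # Worth knowing before testing: the SP will reject unsigned assertions.
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
    }


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SP_METADATA
    for field, value in okta_settings_from_sp_metadata(text).items():
        print(f"{field:24} {value}")
```

Run it with the downloaded metadata file as the only argument; with no argument it uses the constructed sample. The function deliberately refuses IdP metadata, so uploading the wrong file (the Okta export instead of the BTP one) fails loudly rather than yielding an empty form.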
In order to map the assertion attributes and pass them in the SAML assertion, you need to maintain the attributes and groups shown below. Note that for the groups we have used the regular expression “.*”, which passes all of the user's assigned groups through in the SAML assertion.
Continue with the remaining steps and save your application. We will be using the Okta groups to map roles in SAP BTP. For demonstration, we have created a group called Suppliers as shown below.
A user has been assigned to this group.
The SAP BTP app created in Okta has been assigned to this group.
The last step in Okta is to go back to the app and, on the Sign On tab, download the IdP metadata file.
Set up the trust configuration in SAP BTP
In SAP BTP subaccount, create a new trust configuration.
Upload the metadata file obtained from Okta. Provide a name for the IdP setup as well as a name that shows up on the login screen (when you have multiple IdPs enabled). Save your changes.
Set up the Launchpad site and roles
We are assuming you know how to access and configure the Launchpad service to show a Fiori Launchpad. For this blog post, we have created a role called “Transactions” which provides access to an app called “Purchase Orders”. This app must be visible to all external users who are authenticated via Okta.
All the local Launchpad roles get created as a Role Collection within the SAP BTP subaccount. Navigate to the role collection and edit it.
Under User Group mappings, map this role collection with the group created in Okta. In the below screenshot, we have mapped the Transactions role for supplier to the Okta Group called Suppliers.
When you test the Fiori Launchpad, you will see two links for the login mechanism. You can switch off the Default Identity Provider, thereby preventing the user from seeing this screen.
You can do this by clicking on the pencil icon next to the Default Identity Provider and deselecting the option “Available for user logon”.
After making this change, when you try to access the Launchpad site, it would take you directly to the Okta login screen.
On successful authentication, the user will be presented with the relevant apps based on the role assignments.
In the beginning of the blog post, I mentioned that the requirement was to support an IdP-initiated SSO. The users would be accessing the launchpad site as a tile from the Okta dashboard.
Clicking on this app takes the user to the “Where to?” screen in the SAP BTP Cloud Foundry environment.
Set the redirect/default home screen for the SAP BTP subaccount
IdP-initiated SSO works in the SAP BTP Cloud Foundry environment. However, there is no automatic redirection to the corresponding application. This is documented in SAP KBA 2900190.
There is a way to set the default home screen. The only drawback is that you can set only one default home screen per SAP BTP subaccount. The approach is documented in SAP KBA 2775274.
Here is a summary of the steps:
- Create an instance for “Authorization & Trust Management”
- Create a service key to obtain the URL, Client Key and Client Secret
- Use a rest client to obtain an access token
- Use the access token to issue a PATCH request that updates the homeRedirect attribute
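The four steps above are usually clicked through in a REST client, which means the client secret ends up pasted into a GUI and the redirect URL is sent unchecked. The script below is an added example that is not code from the original post, from SAP, or from KBA 2775274; it builds both requests from the service key, validates the redirect target before sending it, and only talks to the network when asked to. Assumptions, also marked in comments: the service key carries the usual XSUAA fields url, clientid, clientsecret and identityzoneid; the token endpoint is <url>/oauth/token with the client_credentials grant; the identity-zone path IDENTITY_ZONE_PATH and the PATCH body shape are written from memory of the KBA and must be checked against it before use. The embedded service key is constructed with placeholder values.

```python
"""Build, check and optionally send the two XSUAA calls behind the steps above.

Added example, not code from the original post, SAP or KBA 2775274.
ASSUMED: service key fields url/clientid/clientsecret/identityzoneid, the
/oauth/token client_credentials endpoint, and the identity-zone path and PATCH
body shape (verify the last two against the KBA). The service key below is a
constructed placeholder.
"""
import base64
import json
import sys
import urllib.parse
import urllib.request

# ASSUMED path of the subaccount's identity-zone resource; verify against KBA 2775274.
IDENTITY_ZONE_PATH = "/sap/rest/identity-zones/{zone_id}"

# Constructed service key in the shape of an XSUAA service key (fake values).
SAMPLE_SERVICE_KEY = json.dumps({
    "url": "https://example-subaccount.authentication.example.invalid",
    "clientid": "sb-xsuaa-example!t0000",
    "clientsecret": "placeholder-secret",
    "identityzoneid": "00000000-0000-0000-0000-000000000000",
})


def parse_service_key(text: str) -> dict:
    """Load a service key and refuse one that lacks the fields relied on below."""
    key = json.loads(text)
    missing = [f for f in ("url", "clientid", "clientsecret", "identityzoneid") if not key.get(f)]
    if missing:
        raise ValueError(f"service key lacks fields: {missing}")
    if not key["url"].startswith("https://"):
        raise ValueError("service key url must be https")
    return key


def build_token_request(key: dict) -> dict:
    """Client-credentials token request; the secret travels only in the Basic header."""
    creds = base64.b64encode(f"{key['clientid']}:{key['clientsecret']}".encode()).decode()
    return {
        "method": "POST",
        "url": key["url"].rstrip("/") + "/oauth/token",
        "headers": {"Authorization": f"Basic {creds}",
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": urllib.parse.urlencode({"grant_type": "client_credentials"}),
    }


def build_home_redirect_patch(key: dict, access_token: str, home_url: str,
                              allowed_host_suffixes: tuple = ()) -> dict:
    """PATCH setting config.links.homeRedirect for the subaccount's identity zone.

    The target is validated first: it must be an absolute https URL and, when an
    allow-list of host suffixes is given, its host must end with one of them, so
    a mistyped value cannot turn the post-login landing page into a redirect to
    a host outside the landscape.
    """
    target = urllib.parse.urlsplit(home_url)
    if target.scheme != "https" or not target.hostname:
        raise ValueError("homeRedirect must be an absolute https URL")
    if allowed_host_suffixes and not target.hostname.endswith(allowed_host_suffixes):
        raise ValueError(f"homeRedirect host {target.hostname} is not in the allow-list")
    body = {"config": {"links": {"homeRedirect": home_url}}}  # ASSUMED body shape
    return {
        "method": "PATCH",
        "url": key["url"].rstrip("/") + IDENTITY_ZONE_PATH.format(zone_id=key["identityzoneid"]),
        "headers": {"Authorization": f"Bearer {access_token}",
                    "Content-Type": "application/json"},
        "json": body,
        "body": json.dumps(body),
    }


def send(req: dict) -> dict:
    """Send one of the request dicts above with urllib and return the parsed JSON reply."""
    http = urllib.request.Request(req["url"], data=req["body"].encode(),
                                  headers=req["headers"], method=req["method"])
    with urllib.request.urlopen(http, timeout=30) as resp:
        return json.loads(resp.read() or b"{}")


if __name__ == "__main__":
    # usage: python set_home_redirect.py <service-key.json> <home-url> [--send]
    key_text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SERVICE_KEY
    home = sys.argv[2] if len(sys.argv) > 2 else "https://example-subaccount.launchpad.example.invalid/site"
    key = parse_service_key(key_text)
    suffix = ("." + urllib.parse.urlsplit(key["url"]).hostname.split(".", 2)[-1],)
    if "--send" in sys.argv:
        token = send(build_token_request(key))["access_token"]
        print(send(build_home_redirect_patch(key, token, home, suffix)))
    else:
        for req in (build_token_request(key), build_home_redirect_patch(key, "<token>", home, suffix)):
            shown = dict(req, headers={k: ("<redacted>" if k == "Authorization" else v)
                                       for k, v in req["headers"].items()})
            print(json.dumps(shown, indent=2))
```

Without --send the script only prints the two requests it would make, with the Authorization headers redacted, which is a convenient way to double-check the URL and body against the KBA before touching a productive subaccount. The allow-list suffix derived in main is the tenant's regional parent domain; adjust it if the Launchpad site lives under a different domain than the XSUAA tenant.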
Hi Murali,
We recently configured this in our landscape and it works fine. However, while trying to implement this for the SAP BTP subaccount URL (for admins), Postman returns "405 Method Not Allowed" when obtaining the access token for the SAP BTP subaccount URL.
FYI, we are using the same service key used for the SAP BTP Launchpad URL.
Would you please comment on whether this ask is feasible?
Thanks
Himanshu
Hi Murali,
Very nice blog. Quick question: we have a customer who is using Agentry on Cloud and would like to use Okta as the IdP.
Can we configure an Agentry application running on the BTP platform to connect via Okta?
Thanks,
Madhur
Hi Murali,
Thanks for the detailed information.
We have one issue: after the URL is redirected to the Okta page for login, we have noticed that after entering the user ID and password, they are transmitted as plain text in the Chrome browser; they are not encrypted. Is there a way we can achieve encrypted communication?
We received a vulnerability defect for this kind of setup from the security testing team, as below:
The Okta team suggested the following, but I am not sure what kind of certificates are required from the application / from the BTP cloud platform.
We can send an encrypted response from Okta. To achieve this, we need to configure encryption of the Okta authentication response using the application certificate. The application will decrypt the authentication response using its private key to validate the authentication response from Okta. This will avoid plain-text transmission over the web.
Details required for Okta: the application's public certificate.
You need to check and configure the encryption and decryption setup in the application's SSO settings as well.
Thanks and Regards
Zameer Ahamad