This blog post covers the setup of Single Sign-On between SAP Business Technology Platform (BTP) and Okta. This was a request from a customer, and the requirement also included configuring IdP-initiated SSO from Okta to authenticate external users accessing a supplier portal hosted on the SAP BTP Cloud Foundry environment.
Special mention to my colleague Lochner Louw who configured this setup and supported me in this process.
You can try these steps using the SAP BTP trial environment too. For this blog post, I have used an Okta trial account.
Set up trust between SAP BTP and Okta
Download the SAML metadata from the Trust configuration of your SAP BTP subaccount.
In your Okta console, you need to create an application for SAP BTP. Click on “Add App”.
In the “App Integration Catalog”, click on “Create New App”.
Select SAML 2.0 as shown below and click on “Next”.
Open the metadata file which you downloaded from SAP BTP. Copy the URL in the “AssertionConsumerService” that is listed as “HTTP-POST”. This will be the value for “Single sign on URL” in the below screen. The Audience URI is the entityID in the metadata file. The Name ID format is “EmailAddress”.
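As an added example (not part of the original post, and not SAP or Okta code), the following Python script reads the values this step copies by hand, the HTTP-POST AssertionConsumerService URL and the entityID, from a service provider metadata file. The sample metadata and its host names are constructed placeholders, and the function name okta_saml_settings is hypothetical.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample shaped like service provider metadata. The host names are
# placeholders, not values from a real subaccount.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://example-subaccount.authentication.example.invalid">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://example-subaccount.authentication.example.invalid/saml/artifact"/>
    <md:AssertionConsumerService index="1" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-subaccount.authentication.example.invalid/saml/SSO/alias/example-subaccount"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def okta_saml_settings(metadata_xml: str) -> dict:
    """Return the values Okta's SAML settings screen asks for, read from SP metadata."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor found (is this the IdP's metadata?)")
    acs = [a for a in sp.findall("md:AssertionConsumerService", NS)
           if a.get("Binding") == HTTP_POST]
    if not acs:
        raise ValueError("no AssertionConsumerService with the HTTP-POST binding")
    # If several HTTP-POST endpoints exist, prefer isDefault, then the lowest index.
    acs.sort(key=lambda a: (a.get("isDefault") != "true", int(a.get("index", "0"))))
    url = acs[0].get("Location", "")
    if not url.startswith("https://"):
        raise ValueError(f"ACS URL is not HTTPS: {url!r}")
    return {
        "single_sign_on_url": url,             # Okta "Single sign on URL"
        "audience_uri": root.get("entityID"),  # Okta "Audience URI"
        "name_id_formats": [(n.text or "").strip()
                            for n in sp.findall("md:NameIDFormat", NS)],
    }


if __name__ == "__main__":
    for key, value in okta_saml_settings(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

To use it on the file downloaded from the subaccount, pass the file's contents to okta_saml_settings instead of SAMPLE_METADATA.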
To map the assertion attributes and pass them in the SAML assertion, you need to maintain the attributes and groups below. Note that for the groups we have used the regular expression “.*”, which passes all of the user's assigned groups through in the SAML assertion.
Continue with the remaining steps and save your application. We will be using the Okta groups to map roles in SAP BTP. For demonstration, we have created a group called Suppliers as shown below.
A user has been assigned to this group.
The SAP BTP app created in Okta has been assigned to this group.
This is probably the last step in Okta: go back to the app and, in the Sign On tab, download the metadata file.
Set up trust configuration in SAP BTP
In SAP BTP subaccount, create a new trust configuration.
Upload the metadata file obtained from Okta. Provide a name for the IdP setup as well as a name that shows up on the login screen (when you have multiple IdPs enabled). Save your changes.
Setup of Launchpad site and roles
We are assuming you know how to access and configure the launchpad service to show a Fiori Launchpad. For this blog post, we have created a role called “Transactions” which provides access to an app called “Purchase Orders”. This app needs to be visible to all external users who are authenticated via Okta.
All the local Launchpad roles get created as a Role Collection within the SAP BTP subaccount. Navigate to the role collection and edit it.
Under User Group mappings, map this role collection with the group created in Okta. In the below screenshot, we have mapped the Transactions role for supplier to the Okta Group called Suppliers.
When you test the Fiori Launchpad, you will see two links for the login mechanism. You can switch off the Default Identity Provider, thereby preventing the user from seeing this screen.
You can do this by clicking on the pencil icon next to the Default Identity Provider and deselecting the option “Available for user logon”.
After making this change, when you try to access the Launchpad site, it takes you directly to the Okta login screen.
On successful authentication, the user will be presented with the relevant apps based on the role assignments.
At the beginning of the blog post, I mentioned that the requirement was to support IdP-initiated SSO. The users would be accessing the launchpad site as a tile from the Okta dashboard.
Clicking on this app takes the user to the “Where to?” screen in the SAP BTP Cloud Foundry environment.
Set redirect/default home screen for SAP BTP Sub-Account
IdP-initiated SSO works in the SAP BTP Cloud Foundry environment. However, there is no automatic redirection to the corresponding application. This is documented in SAP KBA 2900190.
There is a way to set the default home screen. The only drawback is that you can only set one default home screen for an SAP BTP subaccount. The approach has been documented in SAP KBA 2775274.
Here is a summary of the steps:
- Create an instance for “Authorization & Trust Management”
- Create a service key to obtain the URL, Client Key and Client Secret
- Use a REST client to obtain an access token
- Use the access token to issue a PATCH command to update the homeRedirect attribute