Pavithra Thiagarajan

Configure IdP-Initiated SSO with Corporate Identity Providers

Background and Context
Many SAP customers maintain their own user store, and most of them want to enable single sign-on (SSO) for the applications that run on SAP BTP. In this blog I show, step by step, the end-to-end activity an administrator needs to perform in order to get it enabled. For this exercise I have taken Azure Active Directory as the corporate user store and list the steps below.

Prerequisites:

1. You have an active Azure account.
2. You have an SAP IAS tenant.
3. You have an application running on SAP BTP.

Procedure:

Azure:
1. Log in to the Azure Portal at https://portal.azure.com and provide your credentials.
2. Click Azure Active Directory.

3. Click Enterprise Applications on the left.

4. Click New application and search for SAP Cloud Platform Identity.

5. Click SAP Cloud Platform Identity Authentication.

6. Enter a name and click Create.

7. Click Single sign-on and choose SAML as the single sign-on method.

8. Click Upload metadata file, browse to the metadata file of your custom IAS tenant, click Add and then click Save.

9. Under User Attributes & Claims, make sure you maintain the groups claim as shown in the screenshot below.

10. Under SAML Signing Certificate, download the Federation Metadata XML. Upload this file in your custom IAS tenant to establish trust.
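The Federation Metadata XML downloaded in step 10 is what IAS will trust, so it is worth inspecting before it is uploaded: confirm it describes an identity provider (not a service provider), that it carries a signing certificate, and that its SSO endpoints are HTTPS. The script below is an added example and not code from this post, from Azure or from SAP; it parses a constructed metadata sample in the shape Azure AD exports, with a placeholder tenant ID and a placeholder certificate string, using only the Python standard library.

```python
"""Inspect SAML identity-provider federation metadata before uploading it to IAS.

Added example, not part of the original post. The metadata below is a
constructed sample shaped like the Federation Metadata XML that Azure AD
exports; the tenant ID, endpoints and certificate text are placeholders.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample (placeholder tenant ID and certificate), not a real export.
SAMPLE_IDP_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC-PLACEHOLDER-BASE64-CERTIFICATE</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def inspect_idp_metadata(xml_text):
    """Return entityID, SSO endpoints, signing-certificate count and a list of findings."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        # A file without an IDPSSODescriptor is SP metadata; it belongs on the other side of the trust.
        raise ValueError("no IDPSSODescriptor found: this looks like SP metadata, not IdP metadata")

    entity_id = root.get("entityID", "")
    findings = []

    # Signing certificates: KeyDescriptor with use="signing", or no use attribute (means both uses).
    signing_certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                signing_certs.append((cert.text or "").strip())
    if not signing_certs:
        findings.append("no signing certificate: IAS cannot verify assertions from this IdP")

    # SSO endpoints: record binding and location, flag anything that is not https.
    sso_endpoints = []
    for sso in idp.findall("md:SingleSignOnService", NS):
        binding, location = sso.get("Binding", ""), sso.get("Location", "")
        sso_endpoints.append((binding, location))
        if not location.lower().startswith("https://"):
            findings.append("non-https SSO endpoint: %s" % location)
    bindings = {b for b, _ in sso_endpoints}
    if HTTP_REDIRECT not in bindings and HTTP_POST not in bindings:
        findings.append("no HTTP-Redirect or HTTP-POST SingleSignOnService endpoint")

    return {
        "entity_id": entity_id,
        "sso_endpoints": sso_endpoints,
        "signing_cert_count": len(signing_certs),
        "findings": findings,
    }


if __name__ == "__main__":
    report = inspect_idp_metadata(SAMPLE_IDP_METADATA)
    print("entityID:", report["entity_id"])
    for binding, location in report["sso_endpoints"]:
        print("SSO endpoint:", binding.rsplit(":", 1)[-1], location)
    print("signing certificates:", report["signing_cert_count"])
    print("findings:", report["findings"] or "none")
```

To use it on a real export, read the downloaded file into `inspect_idp_metadata` instead of the constructed sample. The entityID it prints is the issuer value IAS will expect in every assertion, and a non-empty findings list is a reason to stop before the upload.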

SAP IAS:

1. Log in to the administration console of SAP Cloud Platform Identity Authentication service through your tenant-specific URL.

2. Navigate to Identity Providers and click Corporate Identity Providers.

3. Click Add at the bottom of the page and define a name for the identity provider. Click Save to create the identity provider.

4. Click SAML 2.0 Configuration to upload the federation metadata you just downloaded from Azure Active Directory.

5. Choose the metadata file from your local file system and click Save.

6. Select Enriched Assertion Attributes and make sure you maintain the following mapping:

Attribute: Groups

Value: ${http://schemas.microsoft.com/ws/2008/06/identity/claims/groups}

7. Click Identity Provider Type and change the selection to Microsoft ADFS / Azure AD. Save the configuration by clicking the Save button at the bottom of the page. This has to be chosen if you are using Microsoft Azure AD as the corporate IdP.

8. If you are using a different IAS tenant, the setting below needs to be selected.

9. Enable Single Sign-On (Forward all SSO requests to Corporate IdP) and choose Identity Federation. Under Identity Federation, maintain the settings below.

10. Similarly, a trust has to be established between the IAS tenant and the SaaS application.

11. Configure that trust by exchanging metadata between your custom IAS tenant and your SAP Cloud Platform subaccount.
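The enriched-attribute mapping from step 6 only works if the claim name in the `${...}` expression matches, byte for byte, the attribute name Azure AD puts into the assertion; a mistyped URI does not raise an error, the Groups attribute simply arrives empty and group-based authorization fails downstream. The script below is an added example, not code from this post or from IAS: it parses a constructed sample assertion in the shape Azure AD issues (placeholder tenant, user and group IDs; Azure AD emits group object IDs by default), resolves the mapping the way the `${claim-name}` syntax describes, and reports any target attribute that resolved to nothing. Treat the resolution logic as a local model of the configuration, not as IAS's own implementation.

```python
"""Check that the group claim reaches IAS under the name the enriched-attribute mapping expects.

Added example, not part of the original post or of IAS itself. The assertion
below is a constructed sample in the shape Azure AD issues; the issuer, user
and group IDs are placeholders and the XML signature is omitted.
"""
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# The mapping from step 6 of the IAS procedure: target attribute -> value expression.
IAS_ENRICHED_ATTRIBUTES = {
    "Groups": "${%s}" % GROUPS_CLAIM,
}

# Constructed sample assertion (placeholder values), signature omitted.
SAMPLE_ASSERTION = """<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</Issuer>
  <Subject>
    <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</NameID>
  </Subject>
  <AttributeStatement>
    <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <AttributeValue>11111111-1111-1111-1111-111111111111</AttributeValue>
      <AttributeValue>22222222-2222-2222-2222-222222222222</AttributeValue>
    </Attribute>
    <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <AttributeValue>Jane</AttributeValue>
    </Attribute>
  </AttributeStatement>
</Assertion>
"""

# Matches a whole value expression of the form ${claim-name}.
PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")


def assertion_attributes(xml_text):
    """Collect every Attribute in the AttributeStatement as name -> list of values."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name", "")
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(name, []).extend(values)
    return attrs


def resolve_enriched_attributes(mapping, attrs):
    """Resolve ${claim-name} expressions against the received attributes.

    An expression without a placeholder is treated as a literal value. A placeholder
    naming a claim that is absent from the assertion resolves to an empty list,
    which is the silent failure a mistyped claim URI produces.
    """
    resolved = {}
    for target, expression in mapping.items():
        match = PLACEHOLDER.fullmatch(expression.strip())
        if match is None:
            resolved[target] = [expression]
        else:
            resolved[target] = list(attrs.get(match.group(1), []))
    return resolved


def check_groups_mapping(xml_text, mapping=IAS_ENRICHED_ATTRIBUTES):
    """Return the resolved attributes plus a finding for every target that resolved to nothing."""
    attrs = assertion_attributes(xml_text)
    resolved = resolve_enriched_attributes(mapping, attrs)
    findings = []
    for target, values in resolved.items():
        if not values:
            findings.append("%s resolved to nothing; claims present: %s" % (target, sorted(attrs)))
    return resolved, findings


if __name__ == "__main__":
    resolved, findings = check_groups_mapping(SAMPLE_ASSERTION)
    print("resolved:", resolved)
    print("findings:", findings or "none")
```

To run this against a real login, paste the decoded SAML response captured from your own browser session (a SAML tracer extension or the browser developer tools will show it) in place of the constructed sample; the findings line tells you immediately whether the claim name in the mapping and the claim name in the assertion agree.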

That's it: you have enabled SSO using a corporate IdP.

For more information, see Manually Establish Trust and Federation Between UAA and SAP Cloud Platform Identity Authentication Service.


      6 Comments
      Denys van Kempen

      Excellent post, Pavithra.

      ==

      For the reader and those interested, for the SAP HANA Academy and SAP's Partner Innovation Lab, we recorded a video tutorial series where you can see this in action.

      • https://blogs.sap.com/2021/04/15/sap-business-technology-platform-security-hands-on-video-tutorials-3/
      Udit Dharni

      Thanks, Pavithra for the wonderful blog and detailed information.


      Can you please suggest to me if the same approach and @Denys video can be used for integrating Azure AD with the SAP IBP system?

      Pavithra Thiagarajan
      Blog Post Author

      Hello Udit,

      Thanks for reaching out. I am not the right person for IBP system. Kindly reach out to the product support.


      Brendan Farthing

Hi Pavithra Thiagarajan, Denys van Kempen

      Would you please be able to explain where in the above is the "IdP Initiated" part? I am looking for steps for IdP Initiated SSO, but it seems the above is just regular SSO (SP initiated) with an external IdP? Am I correct?

      We wish to use two different external IdP's for the same app in the same subaccount via IAS as a proxy. IAS itself will not be used as a user store. Depending on user group (internal employees vs external) there are two different corporate IdP's, although the BTP Fiori app and subaccount they use are the same. So we need to have the IdP initiate the SSO (via different starting URLs and then open the same BTP app URL). But we are struggling to find documentation that explains in detail how to do this. Note that we are on BTP Neo if it makes any difference.

      I'm also curious if the starting URL will be that of the IdP (like an Azure URL) or can it be a special SAP BTP URL that will trigger authentication to one IdP or the other, but then open the same Fiori app on BTP?

For what you've shown above we are very familiar with integrating Azure AD and regular AD via ADFS using IAS; we are just not familiar with the IdP Initiated part.

      Thanks,

      Brendan

      Binson Varikkasseril Abraham

      Hi Brendan Farthing


      At IdP side, configure the ACS endpoint with "sp" parameter as mentioned at https://help.sap.com/docs/IDENTITY_AUTHENTICATION/6d6d63354d1242d185ab4830fc04feb1/d483a52be22946d5a05951b0fa16221f.html?locale=en-US#configure-the-corporate-identity-provider.

      Then at BTP side, configure the "homeRedirect" parameter in XSUAA as mentioned in SAP KBA https://launchpad.support.sap.com/#/notes/2775274


      Regards,

      Binson

      Brendan Farthing

Hi Binson Varikkasseril Abraham,

      Thanks for your reply a while back. Regarding the BTP side configuration, what you've mentioned above applies to Cloud Foundry. We are using Neo. Do you know what I may need to do on the Neo side, if anything?

      If you happen to know anywhere that may give an actual step by step example of 2 IAS Corporate IdP's (e.g. ADFS and Azure AD) authenticating via IdP Initiated SSO to a single Neo subaccount Fiori Launchpad URL, that would be appreciated.

      The documentation is really not clear in relation to exactly what should be configured. e.g. where do I specify the Fiori Launchpad URL so the corporate IdP knows to push a user there after IdP initiated authentication. Is that Fiori Launchpad URL configured inside the Corporate IdP system somewhere? Or is it configured somehow in the IAS Application configuration that corresponds to the subaccount that is hosting that Fiori Launchpad. Or Both? (if so, where/how?).

      I see this in the documentation for the Corporate IdP side which is a bit confusing:

      The ACS endpoint URL should have the following format: https://<the current ACS endpoint URL>?sp=<sp_name>&index=<index_number>

      It seems to be referring to an "index number" in a setting in IAS. Is this part of the IAS Application (subaccount) configuration? And is this supposed to be our Fiori Launchpad URL at the index number? And is the URL exactly the same as a user would normally use to open Fiori Launchpad for that subaccount?

      e.g. URL like this: https://flpnwc-SUBACCOUNT.dispatcher.hana.ondemand.com/sites/fiorilaunchpad

      Hope that makes sense.


      Thanks again.

      Brendan