Pavithra Thiagarajan

Configure IdP-Initiated SSO with Corporate Identity Providers

Background and Context
Many SAP customers maintain their own user store, and they usually want single sign-on (SSO) for the applications that run on SAP BTP. In this blog I show, step by step, the end-to-end activity an admin needs to perform to enable it. For this exercise I have taken Azure Active Directory as the corporate user store and list down the steps.

Prerequisites:

1. You have an active Azure account.
2. You have an SAP IAS tenant.
3. You have an application running on SAP BTP.

Procedure:

Azure:
1. Log in to the Azure Portal at https://portal.azure.com and provide your credentials.

2. Click Azure Active Directory.

3. Click Enterprise Applications on the left.

4. Click New application and search for SAP Cloud Platform Identity.

5. Click SAP Cloud Platform Identity Authentication.

6. Enter a name and click Create.

7. Click Single sign-on and choose SAML as the single sign-on method.

8. Click Upload metadata file, browse to the metadata file of your custom IAS tenant, click Add and then click Save.

9. Under User Attributes & Claims, make sure you maintain the groups attribute as in the screenshot below.

10. Under SAML Signing Certificate, download the Federation Metadata XML. Upload this in your custom IAS tenant to establish trust.
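The federation metadata downloaded in step 10 is exactly what IAS will trust once it is uploaded, so it is worth checking what it says before the upload: which tenant it names, where it sends authentication requests, and which certificate will sign the assertions. The script below is an added example, not code from the original blog or from any SAP or Microsoft tool. It parses a constructed metadata document shaped like Azure AD's federation metadata (Azure AD uses an entityID of the form https://sts.windows.net/<tenant-id>/) and reports the entityID, the SSO endpoints and the SHA-256 fingerprint of the signing certificate. The tenant id is a placeholder, and the certificate content is the base64 of the bytes "abc" rather than a real certificate, so the fingerprint printed is not that of any real key.

```python
"""Inspect SAML federation metadata before uploading it to IAS.

Added example (not from the original blog). Parses a CONSTRUCTED metadata
document with the stdlib xml.etree parser and extracts the values an admin
should verify before establishing trust: entityID, SSO endpoints, and the
SHA-256 fingerprint of the signing certificate.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Placeholder tenant id, not a real Azure AD tenant.
TENANT_ID = "00000000-0000-0000-0000-000000000000"

# "YWJj" is base64 for the bytes b"abc". It stands in for the base64 DER
# certificate that real metadata carries, so the fingerprint computed below
# is SHA-256(b"abc"), not the fingerprint of a real certificate.
CERT_B64 = "YWJj"

# Constructed metadata, trimmed to the elements the checks below look at.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT_ID}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{TENANT_ID}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/{TENANT_ID}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def cert_fingerprint(cert_b64: str) -> str:
    """SHA-256 hex fingerprint of a base64-encoded DER certificate."""
    der = base64.b64decode("".join(cert_b64.split()))
    return hashlib.sha256(der).hexdigest()


def summarize_idp_metadata(xml_text: str) -> dict:
    """Extract entityID, SSO endpoints (keyed by binding) and signing cert fingerprints."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata describes no identity provider role")

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for signing too.
        if kd.get("use") in (None, "signing"):
            for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append(cert_fingerprint(cert.text or ""))

    sso = {
        svc.get("Binding", "").rsplit(":", 1)[-1]: svc.get("Location", "")
        for svc in idp.findall("md:SingleSignOnService", NS)
    }
    return {
        "entity_id": root.get("entityID"),
        "sso_endpoints": sso,
        "signing_cert_fingerprints": certs,
    }


def check_azure_ad_metadata(summary: dict, expected_tenant: str) -> list:
    """Return findings; an empty list means the metadata matches the expected tenant."""
    findings = []
    if summary["entity_id"] != f"https://sts.windows.net/{expected_tenant}/":
        findings.append(f"entityID {summary['entity_id']} is not the expected tenant")
    for binding, url in summary["sso_endpoints"].items():
        if not url.startswith("https://"):
            findings.append(f"{binding} endpoint is not HTTPS: {url}")
        if expected_tenant not in url:
            findings.append(f"{binding} endpoint does not belong to tenant {expected_tenant}: {url}")
    if not summary["signing_cert_fingerprints"]:
        findings.append("no signing certificate in metadata")
    return findings


if __name__ == "__main__":
    summary = summarize_idp_metadata(SAMPLE_METADATA)
    for key, value in summary.items():
        print(f"{key}: {value}")
    print("findings:", check_azure_ad_metadata(summary, TENANT_ID))
```

Run it against the real file with `summarize_idp_metadata(open("federationmetadata.xml").read())` and compare the fingerprint with the one shown under SAML Signing Certificate in the Azure portal; a mismatch means you are about to trust the wrong key.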

SAP IAS:

1. Log in to the administration console of SAP Cloud Platform Identity Authentication service through your tenant's URL.

2. Navigate to Identity Providers and click Corporate Identity Providers.

3. Click Add at the bottom of the page and define a name for the Identity Provider. Click Save to create the Identity Provider.

4. Click SAML 2.0 Configuration to upload the federation metadata you just downloaded from Azure Active Directory.

5. Choose the metadata file from your local file system and click Save.

6. Select Enriched Assertion Attributes and make sure you maintain this mapping:

Attribute   Value
Groups      ${http://schemas.microsoft.com/ws/2008/06/identity/claims/groups}

7. Click Identity Provider Type and change the selection to Microsoft ADFS / Azure AD. Save the configuration by clicking the Save button at the bottom of the page. This has to be chosen if you are using Microsoft Azure AD as the corporate IdP.

8. If you are using a different IAS tenant, then the setting below needs to be selected.

9. Enable Single Sign-On: Forward all SSO requests to Corporate IdP, and choose Identity Federation. Under Identity Federation, maintain the settings below.

10. Similarly, a trust has to be established between the IAS tenant and the SaaS application.

11. Configure a trust by exchanging metadata between your custom IAS tenant and your SAP Cloud Platform subaccount.

That's it: you have enabled SSO using a corporate IdP.
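The Enriched Assertion Attributes mapping in IAS step 6 is where the Azure AD groups claim becomes the IAS attribute Groups that the application on SAP BTP can use for authorization. The script below is an added example, not IAS code and not part of the original blog: it applies that same mapping (an attribute name whose value is a ${<claim URI>} placeholder) to a constructed SAML assertion, copies the claim values into the Groups attribute, and shows how an application would check for a required group. The assertion, the user and the group object ids are all constructed placeholders; the groups claim is assumed to carry group object ids, which is what the Azure AD groups claim emits by default.

```python
"""Resolve IAS-style enriched assertion attributes from a SAML assertion.

Added example (not from the original blog, not IAS code). The mapping
mirrors the Enriched Assertion Attributes table: the attribute "Groups"
takes its value from the Azure AD groups claim, written as ${<claim URI>}.
The assertion is CONSTRUCTED; the group values are placeholder object ids.
"""
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Same mapping as in the IAS Enriched Assertion Attributes step.
ENRICHED_ATTRIBUTES = {
    "Groups": "${" + GROUPS_CLAIM + "}",
}

# Constructed assertion fragment; the ids are placeholders, not real objects.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-assertion" Version="2.0">
  <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{GROUPS_CLAIM}">
      <saml:AttributeValue>11111111-aaaa-4aaa-8aaa-111111111111</saml:AttributeValue>
      <saml:AttributeValue>22222222-bbbb-4bbb-8bbb-222222222222</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Matches a whole value of the form ${claim-uri}.
PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")


def assertion_attributes(xml_text: str) -> dict:
    """Map each attribute Name in the AttributeStatement to its list of values."""
    root = ET.fromstring(xml_text.strip())
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def resolve_enriched(incoming: dict, mapping: dict) -> dict:
    """Build the enriched attributes from the incoming claims.

    A ${claim} placeholder whose claim is absent from the assertion yields no
    values, so the enriched attribute is omitted instead of carrying the
    literal "${...}" text. A value without a placeholder is passed through as
    a constant.
    """
    enriched = {}
    for name, template in mapping.items():
        match = PLACEHOLDER.fullmatch(template)
        if match is None:
            enriched[name] = [template]
            continue
        values = incoming.get(match.group(1), [])
        if values:
            enriched[name] = list(values)
    return enriched


def has_required_group(enriched: dict, group_id: str) -> bool:
    """Authorization check an application would make on the enriched Groups attribute."""
    return group_id in enriched.get("Groups", [])


if __name__ == "__main__":
    claims = assertion_attributes(SAMPLE_ASSERTION)
    enriched = resolve_enriched(claims, ENRICHED_ATTRIBUTES)
    print("enriched attributes:", enriched)
    print("member of placeholder group:",
          has_required_group(enriched, "11111111-aaaa-4aaa-8aaa-111111111111"))
```

The check for an absent claim matters in practice: if the groups attribute was not maintained under User Attributes & Claims in Azure (step 9 of the Azure procedure), the assertion arrives without it, and an application that treats a missing Groups attribute as "no access" fails closed.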

For more information, see Manually Establish Trust and Federation Between UAA and SAP Cloud Platform Identity Authentication Service.

Comments

Denys van Kempen

      Excellent post, Pavithra.

      ==

      For the reader and those interested, for the SAP HANA Academy and SAP's Partner Innovation Lab, we recorded a video tutorial series where you can see this in action.

      • https://blogs.sap.com/2021/04/15/sap-business-technology-platform-security-hands-on-video-tutorials-3/
Udit Dharni

      Thanks, Pavithra for the wonderful blog and detailed information.


      Can you please suggest to me if the same approach and @Denys video can be used for integrating Azure AD with the SAP IBP system?

Pavithra Thiagarajan (Blog Post Author)

      Hello Udit,

Thanks for reaching out. I am not the right person for the IBP system. Kindly reach out to the product support.