Background and Context
Many SAP customers run their own corporate user store and want to enable single sign-on (SSO) for the applications that run on SAP BTP. In this blog I show, step by step, the end-to-end procedure an administrator needs to perform to get it enabled. For this exercise I have used Azure Active Directory as the corporate user store and list the steps below.
Prerequisites:
1. You have an active Azure account.
2. You have an SAP IAS tenant.
3. You have an application running on SAP BTP.
Procedure:
Azure:
1. Log in to the Azure Portal at https://portal.azure.com and provide your credentials.
2. Click Azure Active Directory.
3. Click Enterprise Applications on the left.
4. Click New application and search for SAP Cloud Platform Identity.
5. Click SAP Cloud Platform Identity Authentication.
6. Enter a name and click Create.
7. Click Single sign-on and choose SAML as the single sign-on method.
8. Click Upload metadata file, browse to the metadata file of your custom IAS tenant, click Add and then click Save.
9. Under User Attributes & Claims, make sure you maintain the groups attribute as in the screenshot below.
10. Under SAML Signing Certificate, download the Federation Metadata XML. Upload this in the custom IAS tenant to establish trust.
SAP IAS:
1. Log in to the administration console of SAP Cloud Platform Identity Authentication service through your tenant URL.
2. Navigate to Identity Providers and click Corporate Identity Providers.
3. Click Add at the bottom of the page and define a name for the identity provider. Click Save to create the identity provider.
4. Click SAML 2.0 Configuration to upload the federation metadata just downloaded from Azure Active Directory.
5. Choose the metadata file from your local file system and click Save.
6. Select Enriched Assertion Attributes and make sure you maintain this attribute:
Attribute: Groups
Value: ${http://schemas.microsoft.com/ws/2008/06/identity/claims/groups}
7. Click Identity Provider Type and change the selection to Microsoft ADFS / Azure AD. Save the configuration by clicking the Save button at the bottom of the page. This has to be chosen if you are using Microsoft Azure AD as the corporate IdP.
8. If you are using a different IAS tenant, then the setting below needs to be selected.
9. Under Single Sign-On, enable Forward all SSO requests to Corporate IdP and choose Identity Federation. Under Identity Federation, maintain the settings below.
10. Similarly, a trust has to be established between the IAS tenant and the SaaS application.
11. Configure the trust by exchanging metadata between your custom IAS tenant and the SAP Cloud Platform subaccount.
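The enriched assertion attribute in step 6 only works if the `${...}` expression names the claim exactly as Azure AD emits it; a mismatched URI does not fail loudly, it simply leaves the application without a Groups attribute. The script below is an added example written for this post, not SAP's implementation of the feature: it reads the AttributeStatement of a constructed Azure AD assertion (placeholder group object ids and user) and applies the `${claim}` template the way the setting is described here. The resolution rules it assumes, namely that a template consisting of a single placeholder passes all values through unchanged and that a template whose source claim is missing is dropped, are my assumptions for illustration and are not stated in the post.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AZURE_GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Enriched assertion attribute from step 6: IAS attribute name -> value template.
ENRICHED_ATTRIBUTES = {"Groups": "${" + AZURE_GROUPS_CLAIM + "}"}

# Constructed sample of the AttributeStatement in an Azure AD assertion; the
# group values are placeholder object ids and the user is fictitious.
SAMPLE_ASSERTION = """<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-sample" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
  <Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</Issuer>
  <AttributeStatement>
    <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <AttributeValue>11111111-1111-1111-1111-111111111111</AttributeValue>
      <AttributeValue>22222222-2222-2222-2222-222222222222</AttributeValue>
    </Attribute>
    <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <AttributeValue>user@example.com</AttributeValue>
    </Attribute>
  </AttributeStatement>
</Assertion>
"""

PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")


def incoming_attributes(assertion_xml):
    """Collect the attributes of the corporate IdP's assertion, keyed by claim name."""
    root = ET.fromstring(assertion_xml)
    attributes = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attributes[attr.get("Name")] = values
    return attributes


def resolve_enriched_attributes(config, attributes):
    """Model the ${claim} substitution of Enriched Assertion Attributes.

    Assumed behaviour (illustration only): a template that is exactly one
    placeholder passes every value of the source claim through, so a
    multi-valued groups claim stays multi-valued; a template whose source
    claim is absent is dropped instead of being emitted as literal text.
    """
    resolved = {}
    for name, template in config.items():
        whole = PLACEHOLDER.fullmatch(template)
        if whole:
            values = attributes.get(whole.group(1))
            if values:
                resolved[name] = list(values)
            continue
        # Mixed template such as "corp:${claim}": substitute the first value of each claim.
        referenced = [m.group(1) for m in PLACEHOLDER.finditer(template)]
        if any(not attributes.get(claim) for claim in referenced):
            continue
        resolved[name] = [PLACEHOLDER.sub(lambda m: attributes[m.group(1)][0], template)]
    return resolved


if __name__ == "__main__":
    attrs = incoming_attributes(SAMPLE_ASSERTION)
    print("configured:", resolve_enriched_attributes(ENRICHED_ATTRIBUTES, attrs))
    # A typo in the claim URI yields no Groups attribute at all, with no error.
    wrong = {"Groups": "${http://schemas.microsoft.com/claims/groups}"}
    print("mismatched:", resolve_enriched_attributes(wrong, attrs))
```

When the Groups attribute does not arrive in the application, compare the `Name` attributes in a captured assertion (for example from the browser's SAML tracer) with the `${...}` expression in IAS, as `incoming_attributes` does here; the mismatch is usually in the claim URI rather than in the group assignment.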
That's it, you have enabled SSO using a corporate IdP.
For more information, see Manually Establish Trust and Federation Between UAA and SAP Cloud Platform Identity Authentication S...