Skip to Content
Technical Articles
Author's profile photo Martin Pankraz

Integrate SAP Cloud Portal and Launchpad Service into Microsoft Teams including SSO

Dear community,

Integrating SAP PaaS services from Business Technology Platform (BTP) into other portal environments is still en vogue nowadays. So, here goes a short guide how to make it happen with SAP Cloud Portal (same for Launchpad service) and Microsoft Teams as an example for the approach.

Off we go through the gate to find that new species of life that lives in both worlds – SAP and Microsoft – at the same time! (Stargate still a thing? Just curious)

Fig.1 Illustration of embedded BTP service in Teams; source for stargate illustration: Wikipedia, by Stefan Xp, CC BY-SA 3.0, image used as overlay as is

Embedding an external page into a web app (including the Teams desktop or web client) is straightforward. iFrames are an popular option to get it done.

Fig.2 Click path to embed external website

The beefy part starts with the ever present Single-Sign-On (SSO) requirement. By default, BTP comes with the SAP ID service. To pursue SSO you need to establish trust between the Identity Provider (IdP) that is attached to your hosting app and the SAP ID service. In my example case that is Azure Active Directory (AAD). In addition to that we need to configure XSUAA for CloudFoundry (excluding NEO environment here. See this post for more details).

Note: there is also the possibility to configure this with SAP Cloud Identity Services – Identity Authentication in between. See this Azure tutorial and best practice guide for further details. For simplicity I am describing direct integration.

Let’s look at the moving parts

First, we establish trust with our IdP (Azure AD). The configuration is quite “established”, so it still reads “SAP Cloud Platform” on the Azure portal screen 😀 Find the official docs for the process here.

Fig.3 Setup trust between AAD and BTP

See below example for reference to “flesh out” the official guidance a little more.

Fig.4 SSO config example on AAD for BTP CF domain ms-demo

Once you have established trust you end up with two IdPs being available on your BTP Subaccount. Note that both are available for logon. We will come back to that a little further down.

Fig.5 Additional registered IdP on BTP Subaccount

Trust: Check! What about embedding?

Nowadays, web applications and particularly PaaS or SaaS apps prohibit embedding by default to protect user experience, limit attack vectors, or for branding reasons for instance. Fortunately, BTP allows selective relaxation of that policy. We are looking at the content-security-policy header.

Both the Launchpad and the Portal Service have the same setting and view to maintain it:

frame-ancestors iframe frame object embed 'self' https://teams.microsoft.com;

Fig.6 CSP setting in BTP Portal Service for Teams embedding

Ok great, but the initial login goes to the XSUAA before it hits either of the two available IdPs.

So, next we need to configure our “SAP Authorization and Trust Management Service in CF” (XSUAA) instance to allow embedding by our web application (Microsoft Teams in this example). There are differences by BTP Feature Set. Below example is described for Feature Set B. See the official SAP docs for the other parts.

Fig.7 Subaccount settings for embedding

During my testing I needed to use the Security REST API and PATCH the iframeDomains attribute from Postman instead of the cockpit, because it was not fully functional yet. Find my collection for ease of use here.

Awesome, let’s test!

Fig.8 SAP XSUAA login before redirect to IdP

Not quite there yet. On the upside, we have working trust and embedding! But on the downside, we don’t have immediate SSO, because our portal service doesn’t know which IdP it shall select. How do fix this?

On the NEO environment you were lucky because you could just add the smart URL parameter “saml2idp” to pick the IdP. Unfortunately for CF, SAP decided not to implement something like this yet. Check the customer voice to upvote.

Alternatively, design your CF subaccount in such a way that you can get away with switching off the SAP ID service for your subaccount for login completely.

Fig.9 Switch off default IdP for logon

With that, every single service and app running on that subaccount can only be logged-on using your custom IdP. That might be problematic though: Imagine you have a user split for end-users and developers. Often developers access Business Application Studio (BAS) running on that subaccount with their S-Users. After the switch, this is not possible anymore.

Possible mitigations could be onboarding all users only through the custom IdP or moving all services/apps that require default IdP to another subaccount. Speaking of BAS for instance, you can easily deploy to other subaccounts and CF spaces.

Choose wisely 😉 and once you did, you will find that breath-taking life form on the other end of our “Portal-Gate” illustrated in figure 1, that thrives both in the SAP and the Microsoft world…

Fig.10 Successful SSO from Microsoft Teams and SAP Cloud Portal Service

Beautiful, isn’t it?

Note: CF approuters offer custom config to “pre-pick” the IdP. However, it is currently not possible to front the Cloud Portal Service with a custom CF approuter, because the managed approuter of the PaaS service conflicts with that setting. Have a look at this blog post by Radu for more details.

For now we need to stick to the subaccount design, if you want to avoid the “IdP picker-screen” (see fig.8).

What about self-hosted Fiori Launchpad (FLP)?

The same challenges (trust domain, maintain CSP and allow embedding) as for the BTP PaaS applications need to be overcome. For the SAP Gateway there are some nice KBAs/SAP notes I would like to mention to point you in the right direction:

Besides that there are FLP exposure topics. On Azure that usually involves Azure Application Gateway including Web Application Firewall. Have a look at below sources to address:

Pay attention to the automatic redirect setting for the IdP. Tobias Hofmann created a nice post for it

Also the Teams Desktop client running in its secure container is more forgiving than the web client. For instance the allow-list as mentioned in note 2142551 is not required. Since you don’t know how your users consume Teams I would still advise to configure for web access too.

Final Words

Not too bad, huh? Today, we investigated BTP application and service embedding challenges and shed some light on how to configure SSO with a custom Identity Provider. We used the SAP Cloud Portal Service, Azure AD and Microsoft Teams as examples to support the approach.

In case you want to get started for free find the trials here:

What do you think @community? Anything to add?

As always feel free to ask lots of follow-up questions.

 

Best Regards

Martin

Assigned Tags

      6 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Henning Marquard
      Henning Marquard

      Hi Martin,

      thx for this blogpost, currently this could be a good alternative to Microsoft Viva, at least this is my opinion.

      Henning

      Author's profile photo Martin Pankraz
      Martin Pankraz
      Blog Post Author

      Hey Henning,

      my pleasure. What exactly do you mean by alternative? Viva and BTP Cloud Portal serve completly different use cases. Or did you mean Cloud Portal embedded in Viva?

      KR

      Martin

      Author's profile photo Henning Marquard
      Henning Marquard

      From my understanding VIVA integrates Sharepoint as content provider to MS Teams? Or how can we sort the different use cases of Viva and Cloudportal ?

      Author's profile photo Martin Pankraz
      Martin Pankraz
      Blog Post Author

      On a very high level the is overlap of the products on being content provider, I agree. From my perspective Viva is not a launchpad but rather an experience to learn, collaborate, community, and shape digital work.

      We could now argue about how the Cloud Portal fosters these as well. That is something for another blog post 😀 are you keen to write one? Would be happy to chip in.

      KR

      Martin

      Author's profile photo Nils Lutz
      Nils Lutz

      Hi Martin, (Tak mal tiak)

      awesome content and much love for the Stargate ❤

      Chel Nak 😉

       

      Nils

      Author's profile photo Armado Cappello
      Armado Cappello

      Hey Martin, awesome article and definitely yes! Stargate is still a thing Stargate (1994) - IMDb