Integrate SAP Cloud Portal and Launchpad Service into Microsoft Teams including SSO
Integrating SAP PaaS services from Business Technology Platform (BTP) into other portal environments is still en vogue nowadays. So, here goes a short guide how to make it happen with SAP Cloud Portal (same for Launchpad service) and Microsoft Teams as an example for the approach.
Off we go through the gate to find that new species of life that lives in both worlds – SAP and Microsoft – at the same time! (Stargate still a thing? Just curious)
Embedding an external page into a web app (including the Teams desktop or web client) is straightforward. iFrames are an popular option to get it done.
Fig.2 Click path to embed external website
The beefy part starts with the ever present Single-Sign-On (SSO) requirement. By default, BTP comes with the SAP ID service. To pursue SSO you need to establish trust between the Identity Provider (IdP) that is attached to your hosting app and the SAP ID service. In my example case that is Azure Active Directory (AAD). In addition to that we need to configure XSUAA for CloudFoundry (excluding NEO environment here. See this post for more details).
|Note: there is also the possibility to configure this with SAP Cloud Identity Services – Identity Authentication in between. See this Azure tutorial and best practice guide for further details. For simplicity I am describing direct integration.|
Let’s look at the moving parts
First, we establish trust with our IdP (Azure AD). The configuration is quite “established”, so it still reads “SAP Cloud Platform” on the Azure portal screen 😀 Find the official docs for the process here.
Fig.3 Setup trust between AAD and BTP
See below example for reference to “flesh out” the official guidance a little more.
Fig.4 SSO config example on AAD for BTP CF domain ms-demo
Once you have established trust you end up with two IdPs being available on your BTP Subaccount. Note that both are available for logon. We will come back to that a little further down.
Fig.5 Additional registered IdP on BTP Subaccount
Trust: Check! What about embedding?
Nowadays, web applications and particularly PaaS or SaaS apps prohibit embedding by default to protect user experience, limit attack vectors, or for branding reasons for instance. Fortunately, BTP allows selective relaxation of that policy. We are looking at the content-security-policy header.
Both the Launchpad and the Portal Service have the same setting and view to maintain it:
frame-ancestors iframe frame object embed 'self' https://teams.microsoft.com;
Fig.6 CSP setting in BTP Portal Service for Teams embedding
Ok great, but the initial login goes to the XSUAA before it hits either of the two available IdPs.
So, next we need to configure our “SAP Authorization and Trust Management Service in CF” (XSUAA) instance to allow embedding by our web application (Microsoft Teams in this example). There are differences by BTP Feature Set. Below example is described for Feature Set B. See the official SAP docs for the other parts.
Fig.7 Subaccount settings for embedding
During my testing I needed to use the Security REST API and PATCH the iframeDomains attribute from Postman instead of the cockpit, because it was not fully functional yet. Find my collection for ease of use here.
Awesome, let’s test!
Fig.8 SAP XSUAA login before redirect to IdP
Not quite there yet. On the upside, we have working trust and embedding! But on the downside, we don’t have immediate SSO, because our portal service doesn’t know which IdP it shall select. How do fix this?
On the NEO environment you were lucky because you could just add the smart URL parameter “saml2idp” to pick the IdP. Unfortunately for CF, SAP decided not to implement something like this yet. Check the customer voice to upvote.
Alternatively, design your CF subaccount in such a way that you can get away with switching off the SAP ID service for your subaccount for login completely.
Fig.9 Switch off default IdP for logon
With that, every single service and app running on that subaccount can only be logged-on using your custom IdP. That might be problematic though: Imagine you have a user split for end-users and developers. Often developers access Business Application Studio (BAS) running on that subaccount with their S-Users. After the switch, this is not possible anymore.
Possible mitigations could be onboarding all users only through the custom IdP or moving all services/apps that require default IdP to another subaccount. Speaking of BAS for instance, you can easily deploy to other subaccounts and CF spaces.
Choose wisely 😉 and once you did, you will find that breath-taking life form on the other end of our “Portal-Gate” illustrated in figure 1, that thrives both in the SAP and the Microsoft world…
Fig.10 Successful SSO from Microsoft Teams and SAP Cloud Portal Service
Beautiful, isn’t it?
|Note: CF approuters offer custom config to “pre-pick” the IdP. However, it is currently not possible to front the Cloud Portal Service with a custom CF approuter, because the managed approuter of the PaaS service conflicts with that setting. Have a look at this blog post by Radu for more details.|
For now we need to stick to the subaccount design, if you want to avoid the “IdP picker-screen” (see fig.8).
What about self-hosted Fiori Launchpad (FLP)?
The same challenges (trust domain, maintain CSP and allow embedding) as for the BTP PaaS applications need to be overcome. For the SAP Gateway there are some nice KBAs/SAP notes I would like to mention to point you in the right direction:
Besides that there are FLP exposure topics. On Azure that usually involves Azure Application Gateway including Web Application Firewall. Have a look at below sources to address:
Pay attention to the automatic redirect setting for the IdP. Tobias Hofmann created a nice post for it
Also the Teams Desktop client running in its secure container is more forgiving than the web client. For instance the allow-list as mentioned in note 2142551 is not required. Since you don’t know how your users consume Teams I would still advise to configure for web access too.
Not too bad, huh? Today, we investigated BTP application and service embedding challenges and shed some light on how to configure SSO with a custom Identity Provider. We used the SAP Cloud Portal Service, Azure AD and Microsoft Teams as examples to support the approach.
In case you want to get started for free find the trials here:
What do you think @community? Anything to add?
As always feel free to ask lots of follow-up questions.