Seamless Authentication to Secured ArcGIS Online Services from SAP Spatial Asset Management
This blog describes the steps to consume a secure OGC (Open Geospatial Consortium) or non-OGC service hosted on any ArcGIS platform. Read this blog if you wish to learn about consuming a secure OGC service hosted on non-ArcGIS platforms.
SAP Spatial Asset Management (previously known as Geographical Enablement Framework) supports both OGC (from SAP S/4HANA 2021 onwards) and non-OGC services. One of the major issues raised by our customers was that they did not have seamless access to secured ArcGIS Online services from SAP Spatial Asset Management. Every time, the system displayed a pop-up asking for ArcGIS Online credentials, which was really annoying for customers who had configured multiple secured services.
This authentication issue has been resolved by integrating SAP SSO (single sign-on) with Esri to enable seamless access to secured services hosted on multiple Esri platforms such as ArcGIS Online or ArcGIS Portal, without the need to enter credentials multiple times.
Configure SSO using SAML 2.0:
To use the single sign-on feature, you need to configure SSO using SAML 2.0. The SAP IdP server and Esri service provider play a key role in this setup. To configure SSO using SAML 2.0, follow these steps:
- Configuration required in SAP tenant system (SAP IdP server) – The IdP server (which is the SAP tenant system) manages user configurations and details of the service providers integrated with SSO.
- Configuration required in ArcGIS Online (Esri service provider) – This service provider contains the details of the IdP server and the respective services which are hosted in Esri platforms.
Step 1: Configuration in SAP IdP Server:
The integration of SAML 2.0 between SAP IdP and Esri is a one-time setup and can be performed using the following steps:
- Log in to the admin console using the URL. Example URL http://<systemname>.ondemand.com/admin. You may perform these steps in the IdP configuration of your own tenant, if you already have one.
- Go to Tenant Settings -> SAML 2.0 Configuration. Download the metadata file. You will need to share it with the Esri service provider later.
- Go to Applications and choose Create. Enter the following details and save them.
- Enter Display Name for the application.
- Select Non-SAP solution as the application type.
- In the Trust tab, select SAML 2.0 as protocol and enter the following details.
- Enter Login Name as the subject name identifier
- Enter Email as the default name ID format
- Choose SAML 2.0 Configuration. The Esri service provider has the updated metadata after you share the metadata file that you had downloaded while configuring the SAP tenant settings. Browse for the updated metadata file that you downloaded from Esri service provider (for example, ArcGIS Online).
- Add users to the tenant system if it is a custom tenant by following these steps, or use the existing user information.
- Go to User Management -> Add User.
- Enter all the details and save them.
Step 2: Configuration in ArcGIS Online:
To complete the configuration in ArcGIS Online, follow these steps:
- Log in to the administrator console of ArcGIS Online.
- Go to Organizations -> Settings -> Security.
- Enable SAML Login and choose Configure Login.
- Enter a Name, select the File tab, upload the metadata file that you downloaded from the SAP IdP provider, and save the changes.
- Download the updated metadata of the service provider and share it with the SAP IdP provider. Please check the SAP tenant system settings to upload this metadata file.
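A pre-upload check for the metadata files exchanged in Steps 1 and 2, as an added example that is not part of the original blog or of SAP or Esri tooling. It assumes the "Email" name ID format corresponds to the standard SAML emailAddress URN; the function names, the sample metadata and the host idp.example.test are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD, "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def check_metadata(xml_text):
    """Return a list of findings for one SAML 2.0 metadata file (IdP or SP)."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return ["contains a DTD, refusing to parse"]  # metadata never needs one
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        return ["root element is not md:EntityDescriptor"]
    findings = [] if root.get("entityID") else ["missing entityID"]
    # An IdP publishes SingleSignOnService, an SP AssertionConsumerService.
    role, ep_tag = root.find("md:IDPSSODescriptor", NS), "SingleSignOnService"
    if role is None:
        role, ep_tag = root.find("md:SPSSODescriptor", NS), "AssertionConsumerService"
    if role is None:
        return findings + ["no IDPSSODescriptor or SPSSODescriptor"]
    # A KeyDescriptor without a use attribute serves both signing and encryption.
    certs = [c for k in role.findall("md:KeyDescriptor", NS)
             if k.get("use") in (None, "signing")
             for c in k.findall(".//ds:X509Certificate", NS) if (c.text or "").strip()]
    if not certs:
        findings.append("no signing certificate published")
    endpoints = role.findall(f"md:{ep_tag}", NS)
    if not endpoints:
        findings.append(f"no {ep_tag} endpoint")
    for ep in endpoints:
        if not ep.get("Location", "").lower().startswith("https://"):
            findings.append(f"non-HTTPS endpoint: {ep.get('Location')}")
    formats = [(n.text or "").strip() for n in role.findall("md:NameIDFormat", NS)]
    if formats and EMAIL not in formats:
        findings.append("emailAddress NameIDFormat not offered")
    return findings

def sample_idp(location, with_cert=True):
    """Constructed IdP metadata for the demo, not data from a real tenant."""
    key = ('<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
           'CONSTRUCTED</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')
    return (f'<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{NS["ds"]}" entityID="https://idp.example.test">'
            '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            f'{key if with_cert else ""}<md:NameIDFormat>{EMAIL}</md:NameIDFormat>'
            f'<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="{location}"/>'
            '</md:IDPSSODescriptor></md:EntityDescriptor>')

if __name__ == "__main__":
    print(check_metadata(sample_idp("http://idp.example.test/saml2/sso", with_cert=False)))
```

Run it against both the file downloaded from the IdP and the one downloaded from the service provider before uploading either; an empty list means none of these checks fired, not that the certificate itself has been validated.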
Enable SSO in SAP Spatial Asset Management
Next, you can enable single sign-on in SAP Spatial Asset Management using the following steps:
- Execute transaction GEF_UI_CONFIG.
- Navigate to the node Authentication Services.
- Enter Authentication ID. This ID must be unique. For example, ArcGIS_SSO.
- Enter Application ID. This can be copied from ArcGIS Online. While configuring the ArcGIS Online application, you also need to set the redirection URL to the URL of SAP Spatial Asset Management.
- Enter the URL of the Portal Server. This is the URL of the ArcGIS Online server. For example, https://<companyname>.maps.arcgis.com/.
- Enter the description of the server.
- Save the configuration.
- Go to Reference Services or Layers and provide the Authentication ID for the respective secured reference layer which you created in Step 3 (for example, ArcGIS_SSO).
This concludes the required configuration setup.
Let’s look at how you can consume SSO enabled services from SAP Spatial Asset Management.
As soon as you try to access a secured service from ArcGIS Online, the system displays a one-time popup to supply the credentials to access ArcGIS Online. Choose OK to initiate SSO authentication.
The request is then redirected to ArcGIS Online and you can click on SAP SE.
The system displays a one-time popup for SAML 2.0 authentication and you can provide your credentials and click on Log On.
If you have already logged in to ArcGIS Online using SAML 2.0 authentication, you will not see the above login screen. Instead, you can give permission to access the service by clicking Allow.
The respective secured layers are loaded into the map and you should be able to use them seamlessly without providing any Esri credentials.
For more information about SAP Spatial Asset Management, refer to this page on the SAP Help portal.
You may use comments or ask questions to let me know if this blog was useful, and to suggest information that could add further value to this blog.
Hi Aneesh KB,
Thanks for this valuable blog.
I have a question related to consuming OGC WMTS in spatial explorer.
In our specific case, we want to consume a public available WMTS service.
This service provides multiple layers, each layer having multiple TileMatrixSets.
At the moment, with spatial explorer, we cannot address a specific layer in a specific TileMatrix for our base map in customizing.
Are there any plans in the future to add this option in customizing? I do not see it mentioned on the roadmap.
Can you provide me your insights on this?
Thanks for your feedback. Yes, the changes related to the customizing for specific layers are part of future enhancements.
Thanks Aneesh KB,
another small question just to be sure...
I suppose SAP IdP is not a limitation, or is it? I presume we can use other IdPs as well... Right?
Yes, we can use other IdP providers and need to sync up the metadata file with the Service provider as explained above.