Configure Different Trust Configurations for the Same Identity Authentication Tenant (Azure AD Apps)
My name is Imre working at SAP since 2004. Now I’m at Identity Authentication Service area.
In this blog post I will explore in detail how to configure Different Trust Configurations for the Same Identity Authentication Tenant (Azure AD Apps)
I’m working in the Identity Authentication Service team, and we got several questions regarding the realization of Different Trust Configurations for the Same Identity Authentication Tenant.
The technical background is explained here.
So I have decided to build up a test scenario and share in details my experiences.
I will use third party tools for key generation as well and make the settings more visible by inserting the screen shots and pictures made be me.
Note: the article contains third party information about openssl and MS AZURE, which may change in the future.
- You have an active license for SAP Cloud Platform Identity Authentication Service.
- ‘Manage Applications’ and ‘Manage Corporate Identity Providers’ authorizations are assigned to you as Administrator in IAS.
- You have an active AZURE license.
- You have created an Application in SAP Cloud Platform Identity Authentication Service
Step 1 :Configure Issuer Name at SAP Identity Authentication
- logon to SAP Identity Authentication as admin:
- Under Applications and Resources, choose the Applications tile.
- Choose the Trust tab.
- Under Conditional Authentication, choose Configure SAML 2.0 Requests to Corporate Identity Providers.
- Under Configure Issuer Name, type the issuer suffix, which you want to add to the Identity Authentication default issuer name.
as a result the Issuer Name will be changed with the suffix at the end:
(the suffix can be up to 32 chars long)https://<tenant ID>.accounts.ondemand.com/sf
Step 2 : Export and edit Metadata from SAP Identity Authentication
- In SAP Identity Authentication I export the metadata:
- Then I edit the metadata.xml with Notepad++
and change the entityID tohttps://<tenant ID>.accounts.ondemand.com/sf
and save it as metadata_new.xml
Step 3 : Create and configure an Application in AZURE
- (if the AZURE Application is not created yet) open
- Once the Application is created,
–>I select “Assign users and groups”
and assign users.
- I Click on “Set up single sign on”
- I upload the metadata_new.xml into AZURE (which was created in point 2.2as a result at “BASIC SAML Configuration”
the entityIDhttps://<tenant ID>.accounts.ondemand.com/sf
will be shown.
Step 4 : Generate a certificate with a private key for the Azure applications.
- Precondition: OPENSSL is installed and configured as decribed:https://slproweb.com/products/Win32OpenSSL.html( I have downloaded the .MSI ) for WIN 64.
- I open OPENSSL Application on my PC
openssl req -x509 -days 365 -newkey rsa:2048 -keyout cert.pem -out cert.pem
at the end a cert.pem file is created
- I convert cert.pem file to cert.pfx:openssl pkcs12 -export -in cert.pem -inkey cert.pem -out cert.pfxat the end a cert.pfx file is created.
- I upload the cert.pfx to
to the newly created APP (see STEP 3)
“SAML Signing Certificate”
- I make sure that the last uploaded Certificate is active.
Step 5 : Convert the certificate for the SAP Identity Authentication
- have to convert the previously created
- For example I did this in Chrome:2.1
Open Google Chrome.2.2
Select Show Advanced Settings > Manage Certificates.2.3
Click Import to start the Certificate Import Wizard.2.4
Browse to the downloaded certificate cert.pfx file and click Next.
Enter the password I entered when I generated the cert.pfx certificate.
in Chrome export the certificate and save as cert.cer
- In SAP Identity Authentication (as admin)
I go to
–> Corporate Identity Providers
–>edit my AZURE IdP
- AZURE IdP :
SAML2 configuration –>
I go to “Signing Certificate” –> press Add –>
I upload the cert.cer
If all of the main five steps are done, then as a result calling the Application in an incognito mode will result a calling method:
Application –> SAP Identity Authentication (as proxy) –> MS AZURE (as IdP) –> SAP Identity Authentication (as proxy) –> Application.
All other planned Applications created in SAP Identity Authenticationfor example APP1 till APP99 must connect in 1:1 to a separate AZURE Application and
there the same cert.pfx must be used.
(one signing certificate will be used for all of the AZURE applications)
If you read this please feel free to share feedback or thoughts in a comment.
I encourage you to follow my profile for similar content.