Configure Different Trust Configurations for the Same Identity Authentication Tenant (Azure AD Apps)
My name is Imre, and I have been working at SAP since 2004. I am now in the Identity Authentication Service area.
In this blog post I will explore in detail how to configure different trust configurations for the same Identity Authentication tenant (Azure AD Apps).
I am working in the Identity Authentication Service team, and we received several questions about how to realize different trust configurations for the same Identity Authentication tenant.
The technical background is explained here.
So I decided to build a test scenario and share my experiences in detail.
I will also use third-party tools for key generation, and I make the settings more visible with screenshots and pictures made by me.
Note: the article contains third-party information about OpenSSL and MS Azure, which may change in the future.
Prerequisites
- You have an active license for SAP Cloud Platform Identity Authentication Service.
- The ‘Manage Applications’ and ‘Manage Corporate Identity Providers’ authorizations are assigned to you as Administrator in IAS.
- You have an active Azure license.
- You have created an Application in SAP Cloud Platform Identity Authentication Service.
Step 1: Configure Issuer Name at SAP Identity Authentication
- Log on to SAP Identity Authentication as admin: https://<tenant ID>.accounts.ondemand.com/admin
Step 2: Export and edit Metadata from SAP Identity Authentication
- In SAP Identity Authentication I export the metadata.
- Then I edit the metadata.xml with Notepad++, change the entityID to https://<tenant ID>.accounts.ondemand.com/sf and save it as metadata_new.xml.
Step 3: Create and configure an Application in Azure
- (If the Azure Application is not created yet) open https://portal.azure.com/.
- Once the Application is created, I select “Assign users and groups” and assign users.
- I click on “Set up single sign on”.
- I upload the metadata_new.xml (created in point 2.2) into Azure. As a result, the entityID https://<tenant ID>.accounts.ondemand.com/sf will be shown at “Basic SAML Configuration”.
Step 4: Generate a certificate with a private key for the Azure applications
- Precondition: OpenSSL is installed and configured as described at https://slproweb.com/products/Win32OpenSSL.html (I downloaded the .MSI for Win64).
- I open the OpenSSL application on my PC and run:
openssl req -x509 -days 365 -newkey rsa:2048 -keyout cert.pem -out cert.pem
At the end a cert.pem file is created (it contains both the private key and the self-signed certificate).
- I convert the cert.pem file to cert.pfx:
openssl pkcs12 -export -in cert.pem -inkey cert.pem -out cert.pfx
At the end a cert.pfx file is created.
- I upload the cert.pfx to Azure, to the newly created App (see Step 3), at “SAML Signing Certificate”.
- I make sure that the last uploaded certificate is active.
Step 5: Convert the certificate for the SAP Identity Authentication
- I have to convert the previously created cert.pfx to a cert.cer file.
- For example, I did this in Chrome:
2.1 Open Google Chrome.
2.2 Select Show Advanced Settings > Manage Certificates.
2.3 Click Import to start the Certificate Import Wizard.
2.4 Click Next.
2.5 Browse to the downloaded certificate cert.pfx file and click Next.
2.6 Enter the password I entered when I generated the cert.pfx certificate.
2.7 In Chrome, export the certificate and save it as cert.cer.
- In SAP Identity Authentication (as admin) I go to Identity Providers –> Corporate Identity Providers –> edit my Azure IdP.
- Azure IdP: SAML2 configuration –> I go to “Signing Certificate” –> press Add –> I upload the cert.cer.
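Steps 4 and 5 as one script, added here as an example and not code from the original post: it assumes openssl is on PATH, keeps the private key in its own key.pem instead of inside cert.pem, and extracts cert.cer with openssl rather than the Chrome export, with a check that the file handed to IAS carries no private key. The directory, subject name and password are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post: Steps 4 and 5 with openssl
# only. The .cer for IAS is extracted with openssl instead of the Chrome export
# in the post, and the private key is kept in its own file (the post writes key
# and certificate into the same cert.pem). Assumes openssl is on PATH; the
# directory, subject name and password are constructed placeholders.
set -eu

# make_saml_cert <workdir> <pfx_password>
# Produces key.pem, cert.pem, cert.pfx (for Azure) and cert.cer (for IAS) and
# prints the SHA-256 fingerprint of cert.cer.
make_saml_cert() {
  dir=$1; pass=$2
  mkdir -p "$dir"
  # Step 4: 2048-bit RSA key and self-signed certificate valid for 365 days.
  # -nodes and -subj make the post's interactive command run unattended.
  openssl req -x509 -days 365 -newkey rsa:2048 -nodes \
    -subj "/CN=ias-azure-signing" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
  # Step 4: key + certificate as PKCS#12, uploaded to Azure at "SAML Signing Certificate".
  openssl pkcs12 -export -in "$dir/cert.pem" -inkey "$dir/key.pem" \
    -out "$dir/cert.pfx" -passout "pass:$pass"
  # Step 5: certificate only (no private key) in DER form for the IAS
  # Corporate IdP "Signing Certificate"; this is what Chrome exported in the post.
  openssl pkcs12 -in "$dir/cert.pfx" -clcerts -nokeys -passin "pass:$pass" \
    2>/dev/null | openssl x509 -outform DER -out "$dir/cert.cer"
  openssl x509 -inform DER -in "$dir/cert.cer" -noout -fingerprint -sha256 \
    | cut -d= -f2
}

# check_cer_for_ias <cert.cer>
# Succeeds only if the file is a parseable DER certificate that carries no
# private key; prints the subject so it can be compared with the Azure upload.
check_cer_for_ias() {
  if grep -q "PRIVATE KEY" "$1"; then
    echo "private key material found in $1" >&2
    return 1
  fi
  openssl x509 -inform DER -in "$1" -noout -subject -nameopt RFC2253
}
```

Compare the printed fingerprint with the thumbprint Azure shows under “SAML Signing Certificate” before activating it.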
Summary
If all of the main five steps are done, then calling the Application in incognito mode will result in the following call chain:
Application –> SAP Identity Authentication (as proxy) –> MS Azure (as IdP) –> SAP Identity Authentication (as proxy) –> Application.
P.S.
All other planned Applications created in SAP Identity Authentication, for example APP1 to APP99, must each connect 1:1 to a separate Azure Application, and there the same cert.pfx must be used
(one signing certificate will be used for all of the Azure applications).
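An added example (not from the original post) covering the metadata edit in Step 2 and the 1:1 rule in the P.S.: it derives one metadata file per IAS application suffix from the exported metadata and checks the result. The tenant name and the minimal metadata document are constructed, and it assumes the entityID attribute sits on the EntityDescriptor start tag on a single line.

```shell
#!/bin/sh
# Added example (not from the original post): build one metadata file per IAS
# application suffix from the metadata exported in Step 2, so that each file
# can be uploaded to its own Azure application (the 1:1 rule from the P.S.).
# Assumes the entityID attribute is on the EntityDescriptor start tag on one
# line; tenant name and suffixes below are constructed placeholders.
set -eu

TENANT="${TENANT:-mytenant}"   # placeholder for <tenant ID>

# write_app_metadata <exported metadata.xml> <suffix> <output file>
# Rewrites the entityID to https://<tenant ID>.accounts.ondemand.com/<suffix>.
write_app_metadata() {
  src=$1; suffix=$2; out=$3
  new="https://${TENANT}.accounts.ondemand.com/${suffix}"
  sed -E "s#(<(md:)?EntityDescriptor[^>]*entityID=\")[^\"]*\"#\1${new}\"#" "$src" > "$out"
  # Sanity check: exactly one entityID in the file, and it is the new one
  [ "$(grep -c 'entityID=' "$out")" -eq 1 ] || return 1
  grep -q "entityID=\"${new}\"" "$out"
}

# entity_id <metadata file> -> prints the entityID value
entity_id() {
  sed -nE 's/.*entityID="([^"]*)".*/\1/p' "$1" | head -n 1
}

# Constructed minimal stand-in for the IAS export (the real file has more elements)
sample_metadata() {
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://${TENANT}.accounts.ondemand.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>
EOF
}
```

Run write_app_metadata once per planned application (sf, app1, app2, ...) and upload each output to its own Azure application, which is what avoids the "same entity ID" collision.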
If you read this please feel free to share feedback or thoughts in a comment.
I encourage you to follow my profile for similar content.
Hello Imre
After step 4, is there a possibility to add the new Azure Application as a second identity provider? We need to have a second identity provider with the enhanced configuration of the Subject Name Identifier, so we don't have to change all other Applications running on the same IAS connected to the Azure AD. When I try to add the Federated XML I get "Another identity provider is already configured with the same entity ID".
Could you help here?
Regards Christian Abegg
Hi Christian,
1. Actually, if you have an Azure logon, you can create as many Applications inside Azure as you want.
2. In STEP 3 you must create and configure an Application in AZURE. Each new Application inside AZURE can have different IdP settings behavior.
3. If you have a suffix in IAS, https://<tenant ID>.accounts.ondemand.com/app1 (STEP 1, point 5) must be connected to a separate Azure application app1.
4. After you have defined https://<tenant ID>.accounts.ondemand.com/app1 in IAS and downloaded the metadata (STEP 2), you have to edit the metadata file and add app1 (see STEP 2, point 2).
5. You have to edit the metadata each time and upload the modified metadata for each AZURE app. --> So you can avoid duplication.
6. For each suffix in IAS a new AZURE app must be created (1:1): https://<tenant ID>.accounts.ondemand.com/app2 -> must be connected to a separate Azure app2.
Hi Imre
What we are trying to do is to connect the Azure AD to the IAS a second time.
Once with this option enabled "Use Identity Authentication user store" and once disabled.
Unfortunately, we can only connect the same Azure AD once in the IAS.
Best regards Maurizio
Hi Maurizio,
in IAS you can add only one Azure Corporate IdP.
So Step 4 and Step 5 must be done only once
(regardless of how many Azure Applications you have).
Best regards
Imre
Dear Imre, thanks for this blog. Just to add some info here.
I was faced with this challenge two years ago; see here for more details about the background and use case.
Cheers Carsten
Thank You Carsten!
Your blog is very nice!
Best regards
Imre
Hi Imre,
Can we add two active AD Azure connections for a single SAP connection for the authorization?
Thanks, Jasman
Hi Jasman,
in IAS you must use only one AD Azure as Corporate IdP.
But in Azure you can define several Applications which will be connected to IAS Applications in a 1:1 connection.
Best regards
Imre