Configure Different Trust Configurations for the Same Identity Authentication Tenant (Azure AD Apps)
My name is Imre; I have been working at SAP since 2004 and am now in the Identity Authentication Service area.
In this blog post I will explore in detail how to configure Different Trust Configurations for the Same Identity Authentication Tenant (Azure AD Apps).
I am working in the Identity Authentication Service team, and we got several questions regarding the realization of Different Trust Configurations for the Same Identity Authentication Tenant.
The technical background is explained here.
So I have decided to build up a test scenario and share my experiences in detail.
I will use third-party tools for key generation as well and make the settings more visible by inserting the screenshots and pictures made by me.
Note: the article contains third-party information about openssl and MS AZURE, which may change in the future.
- You have an active license for SAP Cloud Platform Identity Authentication Service.
- ‘Manage Applications’ and ‘Manage Corporate Identity Providers’ authorizations are assigned to you as Administrator in IAS.
- You have an active AZURE license.
- You have created an Application in SAP Cloud Platform Identity Authentication Service.
Step 1: Configure Issuer Name at SAP Identity Authentication
- Log on to SAP Identity Authentication as administrator.
- Under Applications and Resources, choose the Applications tile.
- Choose the Trust tab.
- Under Conditional Authentication, choose Configure SAML 2.0 Requests to Corporate Identity Providers.
- Under Configure Issuer Name, type the issuer suffix which you want to add to the Identity Authentication default issuer name.
As a result, the Issuer Name is changed by appending the suffix at the end (the suffix can be up to 32 characters long):
https://<tenant ID>.accounts.ondemand.com/sf
Step 2: Export and edit Metadata from SAP Identity Authentication
- In SAP Identity Authentication I export the metadata.
- Then I edit metadata.xml with Notepad++, change the entityID to
https://<tenant ID>.accounts.ondemand.com/sf
and save it as metadata_new.xml. Only the entityID attribute is changed; the other values in the metadata stay as exported.
Step 3: Create and configure an Application in AZURE
- (If the AZURE Application is not created yet) open
- Once the Application is created,
–> I select “Assign users and groups”
and assign users.
- I click on “Set up single sign on”.
- I upload metadata_new.xml (created in Step 2) into AZURE. As a result, under “Basic SAML Configuration”
the entityID https://<tenant ID>.accounts.ondemand.com/sf
will be shown.
Step 4: Generate a certificate with a private key for the Azure applications
- Precondition: OPENSSL is installed and configured as described at https://slproweb.com/products/Win32OpenSSL.html (I have downloaded the .MSI for WIN 64).
- I open the OPENSSL application on my PC and run:
openssl req -x509 -days 365 -newkey rsa:2048 -keyout cert.pem -out cert.pem
At the end a cert.pem file is created. Because -keyout and -out name the same file, cert.pem contains both the new RSA private key and the self-signed certificate (valid for 365 days); openssl asks for a passphrase to protect the private key.
- I convert the cert.pem file to cert.pfx:
openssl pkcs12 -export -in cert.pem -inkey cert.pem -out cert.pfx
At the end a cert.pfx file is created. openssl asks for an export password, which is needed again whenever the .pfx is imported (see Step 5).
- I upload cert.pfx to the newly created APP (see Step 3) under “SAML Signing Certificate”.
- I make sure that the last uploaded certificate is active.
Step 5: Convert the certificate for the SAP Identity Authentication
- I have to convert the previously created cert.pfx into a .cer file that contains only the certificate: SAP Identity Authentication needs just the public certificate to verify the signatures coming from AZURE, so the private key must not be uploaded there.
- For example, I did this in Chrome:
- Open Google Chrome.
- Select Show Advanced Settings > Manage Certificates.
- Click Import to start the Certificate Import Wizard.
- Browse to the downloaded certificate cert.pfx file and click Next.
- Enter the password I entered when I generated the cert.pfx certificate.
- In Chrome, export the certificate and save it as cert.cer.
- In SAP Identity Authentication (as admin) I go to
–> Corporate Identity Providers
–> edit my AZURE IdP
–> SAML2 configuration
–> “Signing Certificate” –> press Add –>
and upload the cert.cer.
If all of the five main steps are done, then calling the Application in an incognito window results in the following call flow:
Application –> SAP Identity Authentication (as proxy) –> MS AZURE (as IdP) –> SAP Identity Authentication (as proxy) –> Application.
All other Applications planned in SAP Identity Authentication, for example APP1 to APP99, must each connect 1:1 to a separate AZURE Application, and
there the same cert.pfx must be used
(one signing certificate is used for all of the AZURE applications).
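Step 2 above edits the metadata by hand, and the 1:1 rule means the same edit is repeated for every suffix. The following Python script is an added example (not part of this blog or of any SAP tooling) that performs that edit programmatically: it rewrites only the entityID of an IAS metadata export, enforces the 32-character suffix limit from Step 1, refuses to apply a suffix twice, and goes one step beyond the single sf case by producing one metadata document per suffix (app1, app2, ...). The metadata document and the TENANT_ID placeholder are constructed for the example.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
MAX_SUFFIX_LEN = 32  # suffix limit stated in Step 1

# Constructed sample of an IAS metadata export (not a real tenant's file);
# TENANT_ID stands in for the real tenant ID.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://TENANT_ID.accounts.ondemand.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://TENANT_ID.accounts.ondemand.com/saml2/idp/acs/TENANT_ID.accounts.ondemand.com"
        index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def suffixed_issuer(base_issuer: str, suffix: str) -> str:
    """Return the IAS issuer name with the suffix appended, as Step 1 does."""
    suffix = suffix.strip("/")
    if not suffix or len(suffix) > MAX_SUFFIX_LEN:
        raise ValueError(f"suffix must be 1..{MAX_SUFFIX_LEN} chars: {suffix!r}")
    base = base_issuer.rstrip("/")
    if base.endswith("/" + suffix):
        raise ValueError("entityID already carries this suffix")
    return f"{base}/{suffix}"


def rewrite_entity_id(metadata_xml: str, suffix: str) -> tuple[str, str]:
    """Set EntityDescriptor/@entityID to the suffixed issuer; everything else,
    e.g. the AssertionConsumerService Location, is left untouched."""
    ET.register_namespace("md", MD_NS)
    root = ET.fromstring(metadata_xml.encode("utf-8"))
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("root element is not a SAML md:EntityDescriptor")
    new_id = suffixed_issuer(root.get("entityID", ""), suffix)
    root.set("entityID", new_id)
    return new_id, ET.tostring(root, encoding="unicode")


def metadata_per_suffix(metadata_xml: str, suffixes: list[str]) -> dict[str, str]:
    """One edited metadata document per suffix, i.e. per Azure application (1:1)."""
    return {s: rewrite_entity_id(metadata_xml, s)[1] for s in suffixes}


if __name__ == "__main__":
    for suffix, xml_text in metadata_per_suffix(SAMPLE_METADATA, ["sf", "app1"]).items():
        with open(f"metadata_{suffix}.xml", "w", encoding="utf-8") as fh:
            fh.write('<?xml version="1.0" encoding="UTF-8"?>\n' + xml_text)
```

Each generated metadata_<suffix>.xml is then uploaded to its own AZURE application exactly as metadata_new.xml is in Step 3.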
If you read this, please feel free to share feedback or thoughts in a comment.
I encourage you to follow my profile for similar content.
After step 4, is there a possibility to add the new Azure Application as a second identity provider? We need to have a second identity provider with the enhanced configuration of the subject Name Identifier, so we don't have to change all other Applications running on the same IAS connected to the Azure AD. When I try to add the federated XML I get "Another identity provider is already configured with the same entity ID".
Could you help here?
Regards, Christian Abegg
Actually, if you have an Azure logon, you can create as many Applications inside Azure as you want.
In STEP 3
you must create and configure an Application in AZURE.
Each new Application inside AZURE can have different IdP settings behavior.
If you have a suffix in IAS,
-> it must be connected to a separate Azure application app1:
after you have defined
https://<tenant ID>.accounts.ondemand.com/app1 in IAS and downloaded the metadata,
you have to edit the metadata file and add app1,
see STEP 2.
You have to upload the modified metadata each time, for each AZURE app.
--> So you can avoid duplication.
For each suffix in IAS a new AZURE app must be created (1:1):
https://<tenant ID>.accounts.ondemand.com/app2 -> must be connected to a separate Azure app2.
What we are trying to do is to connect the Azure AD to the IAS a second time:
once with the option "Use Identity Authentication user store" enabled and once disabled.
Unfortunately, we can only connect the same Azure AD once in the IAS.
Best regards, Maurizio
In IAS you can add only one Corporate IdP Azure.
So Step 4 and Step 5 must be done only once
(regardless of how many Azure Applications you have).
Dear Imre, thanks for this blog. Just to add some info here.
I was faced with this challenge two years ago; see here for more details about the background and use case.
Thank You Carsten!
Your blog is very nice!
Can we add two active Azure AD connections for a single SAP connection for the authorization?
In IAS you must use
Azure AD as Corporate IdP.
But in Azure you can define several Applications which will be connected to IAS Applications in a 1:1 connection.