Imre Takacsi-Nagy

Configure Different Trust Configurations for the Same Identity Authentication Tenant (Azure AD Apps)

My name is Imre. I have been working at SAP since 2004 and am now in the Identity Authentication Service area.

In this blog post I explore in detail how to configure different trust configurations for the same Identity Authentication tenant (Azure AD apps).
In the Identity Authentication Service team we received several questions about how to realize different trust configurations for the same Identity Authentication tenant.
The technical background is explained here.
So I decided to build a test scenario and share my experiences in detail.
I also use third-party tools for key generation, and I make the settings more visible with screenshots and pictures I made myself.

Note: the article contains third-party information about OpenSSL and Microsoft Azure, which may change in the future.

Prerequisites

  1. You have an active license for SAP Cloud Platform Identity Authentication Service.
  2. The 'Manage Applications' and 'Manage Corporate Identity Providers' authorizations are assigned to you as an administrator in IAS.
  3. You have an active Azure license.
  4. You have created an application in SAP Cloud Platform Identity Authentication Service.

 

Step 1: Configure the Issuer Name in SAP Identity Authentication

  1. Log on to SAP Identity Authentication as administrator:
    https://<tenant ID>.accounts.ondemand.com/admin
  2. Under Applications and Resources, choose the Applications tile and select your application.
  3. Choose the Trust tab.
  4. Under Conditional Authentication, choose Configure SAML 2.0 Requests to Corporate Identity Providers.

  5. Under Configure Issuer Name, type the issuer suffix that you want to append to the Identity Authentication default issuer name.

    As a result the Issuer Name carries the suffix at the end
    (the suffix can be up to 32 characters long), for example with the suffix sf:
    https://<tenant ID>.accounts.ondemand.com/sf

 

Step 2: Export and edit the metadata from SAP Identity Authentication

  1. In SAP Identity Authentication I export the metadata of the application (metadata.xml).
  2. Then I edit the metadata.xml with Notepad++,
    change the entityID to https://<tenant ID>.accounts.ondemand.com/sf
    (only the entityID attribute; the signing certificate and the endpoint URLs in the file stay as they are),
    and save it as metadata_new.xml.
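The same edit done with a script instead of Notepad++, as an added example that is not part of the original post: it sets the entityID of the exported metadata to the suffixed issuer and then verifies that nothing else in the file changed, refusing the result otherwise. It assumes the export contains exactly one entityID attribute (the one on the EntityDescriptor), that the suffix is the value typed in Step 1, point 5, with the 32-character limit quoted there, and that the sample metadata, tenant name, certificate and ACS URL below are placeholders I constructed rather than values from the post.

```shell
#!/bin/sh
# Added example (not from the blog post): Step 2, point 2 as a checked script.
# Assumptions: one entityID attribute in the export; suffix as in Step 1,
# point 5 (max. 32 characters); sample tenant/certificate/URLs are placeholders.
set -eu

# Constructed sample shaped like an IAS metadata export (placeholder values).
write_sample_metadata() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://example-tenant.accounts.ondemand.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example-tenant.accounts.ondemand.com/saml2/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
EOF
}

# usage: rewrite_entity_id metadata.xml metadata_new.xml <suffix>
# Prints the new entityID on success; leaves no output file on failure.
rewrite_entity_id() {
    src="$1"; dst="$2"; suffix="$3"
    # The suffix is one path segment of 1..32 characters.
    case "$suffix" in
        ''|*/*|*[[:space:]]*) echo "invalid issuer suffix '$suffix'" >&2; return 1 ;;
    esac
    [ "${#suffix}" -le 32 ] || { echo "suffix longer than 32 characters" >&2; return 1; }
    # Exactly one entityID is expected: the EntityDescriptor's.
    n=$(grep -o 'entityID="[^"]*"' "$src" | wc -l)
    [ "$n" -eq 1 ] || { echo "expected exactly one entityID in $src, found $n" >&2; return 1; }
    old=$(grep -o 'entityID="[^"]*"' "$src" | sed 's/^entityID="\(.*\)"$/\1/')
    new="${old%/}/$suffix"
    sed "s|entityID=\"$old\"|entityID=\"$new\"|" "$src" > "$dst"
    # Reverse the substitution and compare with the original: if anything else
    # differs (signing certificate, ACS URL, ...), refuse the result.
    if ! sed "s|entityID=\"$new\"|entityID=\"$old\"|" "$dst" | cmp -s - "$src"; then
        echo "metadata changed beyond the entityID, not writing $dst" >&2
        rm -f "$dst"
        return 1
    fi
    printf '%s\n' "$new"
}

WORK="${WORK:-$(mktemp -d)}"
write_sample_metadata "$WORK/metadata.xml"
NEW_ID=$(rewrite_entity_id "$WORK/metadata.xml" "$WORK/metadata_new.xml" sf)
echo "entityID is now $NEW_ID (file: $WORK/metadata_new.xml)"
```

For a real export, call `rewrite_entity_id metadata.xml metadata_new.xml sf` on the file downloaded from Identity Authentication; the new entityID must match the Issuer Name shown in Step 1 character for character, otherwise Azure will reject the AuthnRequests from the proxy.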

Step 3: Create and configure an application in Azure

  1. (If the Azure application is not created yet) open
    https://portal.azure.com/
    and create it.
  2. Once the application is created,
    –> I select "Assign users and groups"
    and assign users.
  3. I click on "Set up single sign on".
  4. I upload the metadata_new.xml (created in Step 2, point 2) into Azure. As a result, under "Basic SAML Configuration"
    the entityID https://<tenant ID>.accounts.ondemand.com/sf
    is shown.

Step 4: Generate a certificate with a private key for the Azure applications

  1. Precondition: OpenSSL is installed and configured as described at https://slproweb.com/products/Win32OpenSSL.html (I downloaded the .MSI for Win64).
  2. I open the OpenSSL application on my PC.
  3. I run this command:

    openssl req -x509 -days 365 -newkey rsa:2048 -keyout cert.pem -out cert.pem

    (OpenSSL asks for a passphrase for the new private key. The resulting cert.pem holds both the encrypted private key and the self-signed certificate, so treat it as a secret: this is the key Azure will sign the SAML assertions with. With -days 365 the certificate expires after one year and must then be renewed in both Azure and Identity Authentication.)

  4. When the Common Name (FQDN) is asked for,
    I give my tenant link:
    https://<tenant ID>.accounts.ondemand.com

    At the end a cert.pem file is created.

  5. I convert the cert.pem file to cert.pfx:

    openssl pkcs12 -export -in cert.pem -inkey cert.pem -out cert.pfx

    At the end a cert.pfx file is created (OpenSSL asks for an export password, which Azure asks for again when the file is uploaded).
  6. I upload the cert.pfx to Azure,
    to the newly created app (see Step 3),
    under "SAML Signing Certificate".
  7. I make sure that the last uploaded certificate is active.

Step 5: Convert the certificate for SAP Identity Authentication

  1. I have to convert the previously created cert.pfx to a cert.cer file
    (the public certificate only, without the private key).
  2. For example, I did this in Chrome:
    2.1 Open Google Chrome.
    2.2 Select Show Advanced Settings > Manage Certificates.
    2.3 Click Import to start the Certificate Import Wizard.
    2.4 Click Next.
    2.5 Browse to the cert.pfx file and click Next.
    2.6 Enter the password I entered when I generated the cert.pfx certificate.
    2.7 In Chrome, export the certificate and save it as cert.cer.
  3. In SAP Identity Authentication (as administrator) I go to
    Identity Providers
    –> Corporate Identity Providers
    –> edit my Azure IdP.
  4. Azure IdP:
    SAML 2.0 Configuration –>
    I go to "Signing Certificate" –> press Add –>
    I upload the cert.cer.
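Steps 4 and 5 as one OpenSSL script, added here as an example and not taken from the post: it generates the key pair and certificate, builds the cert.pfx for the Azure app, extracts the public cert.cer for the Identity Authentication corporate IdP from that same .pfx (so Chrome is not needed), and then runs the checks I would want before uploading: the .cer carries no private key, it belongs to the key inside the .pfx, and it is currently valid. It assumes OpenSSL 1.1.1 or 3.x on the PATH; the tenant host, output directory and the two passphrases are placeholders for the example (for real use, export KEY_PASS and PFX_PASS from a prompt or secret store instead of leaving the defaults). Unlike the post's single cert.pem, the key is written to its own file so that the certificate can be handed around separately.

```shell
#!/bin/sh
# Added example (not from the blog post): Steps 4 and 5 with OpenSSL only.
# Assumptions: OpenSSL 1.1.1/3.x on PATH; TENANT_HOST, OUTDIR, KEY_PASS and
# PFX_PASS are placeholders; replace the passphrase defaults for real use.
set -eu

TENANT_HOST="${TENANT_HOST:-example-tenant.accounts.ondemand.com}"  # placeholder tenant
OUTDIR="${OUTDIR:-./saml-signing}"
KEY_PASS="${KEY_PASS:-example-key-passphrase}"   # protects key.pem on disk
PFX_PASS="${PFX_PASS:-example-pfx-password}"     # Azure asks for this on upload

make_signing_material() {
    mkdir -p "$OUTDIR"
    chmod 700 "$OUTDIR"
    # Step 4.3/4.4: RSA-2048 key and self-signed certificate, valid one year.
    # The CN is only a label here; IAS verifies signatures with the uploaded
    # certificate, not with the name in it.
    openssl req -x509 -days 365 -newkey rsa:2048 -sha256 \
        -subj "/CN=$TENANT_HOST" \
        -keyout "$OUTDIR/key.pem" -passout "pass:$KEY_PASS" \
        -out "$OUTDIR/cert.pem"
    # Step 4.5: PKCS#12 bundle (key + certificate) for the Azure app's
    # "SAML Signing Certificate".
    openssl pkcs12 -export \
        -in "$OUTDIR/cert.pem" -inkey "$OUTDIR/key.pem" -passin "pass:$KEY_PASS" \
        -out "$OUTDIR/cert.pfx" -passout "pass:$PFX_PASS"
    # Step 5.1: certificate only (no private key) for the IAS corporate IdP
    # "Signing Certificate". Taking it from the .pfx guarantees Azure and IAS
    # get the same certificate.
    openssl pkcs12 -in "$OUTDIR/cert.pfx" -passin "pass:$PFX_PASS" -clcerts -nokeys \
        | openssl x509 -out "$OUTDIR/cert.cer"
    chmod 600 "$OUTDIR/key.pem" "$OUTDIR/cert.pfx"
}

# Pre-upload checks: no private key in the .cer, same public key as key.pem,
# certificate currently valid.
check_signing_material() {
    cer="$OUTDIR/cert.cer"
    if grep -q "PRIVATE KEY" "$cer"; then
        echo "refusing: $cer contains a private key" >&2
        return 1
    fi
    cer_pub=$(openssl x509 -in "$cer" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$OUTDIR/key.pem" -passin "pass:$KEY_PASS" -pubout | openssl sha256)
    if [ "$cer_pub" != "$key_pub" ]; then
        echo "refusing: $cer does not belong to $OUTDIR/key.pem" >&2
        return 1
    fi
    openssl x509 -in "$cer" -noout -checkend 0 >/dev/null || return 1
    return 0
}

make_signing_material
check_signing_material
echo "ok: upload $OUTDIR/cert.pfx to Azure and $OUTDIR/cert.cer to Identity Authentication"
openssl x509 -in "$OUTDIR/cert.cer" -noout -subject -enddate -fingerprint -sha256
```

Keep key.pem and cert.pfx out of tickets, mails and chat: only cert.cer is meant to leave the machine, and the printed SHA-256 fingerprint is what to compare against the certificate shown in Azure after the upload.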

Summary

If all five main steps are done, then calling the application in an incognito window results in the following flow:

Application –> SAP Identity Authentication (as proxy) –> Microsoft Azure (as IdP) –> SAP Identity Authentication (as proxy) –> Application.

P.S.
All other planned applications created in SAP Identity Authentication, for example APP1 to APP99, must each be connected 1:1 to a separate Azure application, and
there the same cert.pfx must be used
(one signing certificate is used for all of the Azure applications).

If you read this, please feel free to share feedback or thoughts in a comment.
I encourage you to follow my profile for similar content.

8 Comments

      Christian Abegg

Hello Imre

After step 4, is there a possibility to add the new Azure Application as a second identity provider? We need to have a second identity provider with the enhanced configuration of the subject Name Identifier, so we don't have to change all other Applications running on the same IAS connected to the Azure AD. When I try to add the Federated XML I get "Another identity provider is already configured with the same entity ID".

Could you help here?

Regards Christian Abegg


      Imre Takacsi-Nagy
      Blog Post Author

      Hi Christian,

1.
Actually, if you have an Azure logon, you can create as many Applications inside Azure as you want.

2.
In STEP 3
you must create and configure an Application in AZURE.
Each new Application inside AZURE can have a different IdP settings behavior.

3.
If you have a suffix in IAS
https://<tenant ID>.accounts.ondemand.com/app1
(STEP 1, point 5)
-> it must be connected to a separate Azure application app1.

4.
After you have defined
https://<tenant ID>.accounts.ondemand.com/app1 in IAS and downloaded the metadata
(STEP 2),
you have to edit the metadata file and add app1,
see STEP 2, point 2.

5.
You have to modify the metadata each time and upload the modified metadata for each AZURE app.
--> So you can avoid duplication.

6.
For each suffix in IAS a new AZURE app must be created (1:1):
https://<tenant ID>.accounts.ondemand.com/app2 -> must be connected to a separate Azure app2.

      Maurizio D'Autilia

Hi Imre

What we are trying to do is to connect the Azure AD to the IAS a second time.
Once with the option "Use Identity Authentication user store" enabled and once disabled.

[screenshot: IAS User Store]

Unfortunately, we can only connect the same Azure AD once in the IAS.

[screenshot: IAS error]

Best regards Maurizio

      Imre Takacsi-Nagy
      Blog Post Author

      Hi Maurizio,

In IAS you can add Azure only once as a Corporate IdP.
So Step 4 and Step 5 must be done only once
(regardless of how many Azure Applications you have).

      Best regards
      Imre

      Carsten Olt

      Dear Imre, thanks for this blog. Just to add some infos here.

I was faced with this challenge two years ago; see here for more details about the background and use case.

      Cheers Carsten

      Imre Takacsi-Nagy
      Blog Post Author

      Thank You Carsten!

      Your blog is very nice!

      Best regards
      Imre

      Jasman Kaur

Hi Imre,

Can we add two active Azure AD connections for a single SAP connection for the authorization?

Thanks, Jasman

      Imre Takacsi-Nagy
      Blog Post Author

      Hi Jasman,

In IAS you must use
only one
Azure AD as Corporate IdP.

But in Azure you can define several Applications, which are connected to IAS Applications in a 1:1 connection.

      Best regards
      Imre