Keeping SAP Enable Now SSO accounts synced with Azure AD
Hi guys, it’s me again with another script that solves an SAP Enable Now Cloud issue: the SSO account is not automatically deactivated after the employee has left the company (and obviously doesn’t need an SAP Enable Now license any longer). This desynchronization leads to incorrect license consumption numbers, unnecessary questions during the license audit, and, overall, spoils the picture with the rainbow unicorns and happy admins 😉 Ideally, this would be resolved by SAP Enable Now supporting SCIM or another provisioning model in which the accounts in the service provider are always synced with the data in the Identity Provider.
As long as SAP Enable Now doesn’t offer that, one can use the Node.js script I developed for SAP Enable Now Cloud (and On-Prem with SAML SSO) and Microsoft Azure AD. The latter is because Microsoft has a great API platform called Graph, which is well-documented and offers rich possibilities, not only related to our small case.
So, the script does the following:
- Connects to your SAP Enable Now Manager using the service account with the basic authentication (username/password)
- Loads the information about the ACTIVE SSO accounts in the SAP Enable Now Manager
- Checks the status of every active account in Manager against MS Azure AD
- Marks inactive accounts in the list obtained from the SAP Enable Now Manager after comparing with MS Azure AD
- Deactivates (not deletes!) the SAP Enable Now SSO account that is no longer active in MS Azure AD
- Executes steps 1-5 according to the assigned schedule (e.g., daily).
To run it, you need:
- A virtual or physical machine with Node.js and npm installed, which will run the script
- Administrative access to MS Azure AD
- MS Visual Studio Code or another IDE
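The compare-and-deactivate step from the list above, as an added example that is not the sen-daemon project's own code: the Graph lookup and the Manager call are injected as plain functions so the decision logic runs offline. Assumed contract (not from the post): lookup(key) returns { accountEnabled } for a user, null when Graph reports no such user, and throws on transport or auth errors.

```javascript
// Added example, not the sen-daemon project's code.
// Constructed sample: ACTIVE SSO accounts as loaded from the Enable Now Manager.
const ENABLE_NOW_ACCOUNTS = [
  { id: 'u1', name: 'alice', email: 'alice@example.com' },
  { id: 'u2', name: 'bob', email: 'bob@example.com' },
  { id: 'u3', name: 'carol', email: 'carol@example.com' },
  { id: 'u4', name: 'dave', email: 'dave@example.com' },
];

// Constructed stand-in for Azure AD, keyed by mail (the script's default match key).
const AZURE_AD = {
  'alice@example.com': { accountEnabled: true },  // still employed
  'bob@example.com': { accountEnabled: false },   // left; disabled in Azure AD
  // carol@example.com: no object at all (deleted from the tenant)
  'dave@example.com': new Error('503 Service Unavailable'), // transient Graph failure
};

// Assumed lookup contract: user object, null if not found, throw on transport error.
function lookupAzureUser(key) {
  const entry = AZURE_AD[key];
  if (entry instanceof Error) throw entry; // an outage is not a user state
  return entry === undefined ? null : entry;
}

// Builds the deactivation plan. A failed lookup is NOT treated as "user gone":
// the account is kept and reported, so a Graph outage cannot lock everyone out.
// matchOn = 'upn' switches the key to the account name, as in Step 5.
function planDeactivations(accounts, lookup, matchOn = 'email') {
  const toDeactivate = [];
  const skipped = [];
  for (const acct of accounts) {
    const key = matchOn === 'upn' ? acct.name : acct.email;
    let user;
    try {
      user = lookup(key);
    } catch (err) {
      skipped.push({ id: acct.id, reason: `lookup failed: ${err.message}` });
      continue;
    }
    if (user === null) toDeactivate.push({ id: acct.id, reason: 'not found in Azure AD' });
    else if (!user.accountEnabled) toDeactivate.push({ id: acct.id, reason: 'disabled in Azure AD' });
  }
  return { toDeactivate, skipped };
}

// Applies the plan through an injected deactivate(id) (the Manager API call in the
// real script); deactivates, never deletes. Returns the ids it changed.
function applyPlan(plan, deactivate) {
  return plan.toDeactivate.map((d) => { deactivate(d.id); return d.id; });
}

const plan = planDeactivations(ENABLE_NOW_ACCOUNTS, lookupAzureUser);
const done = applyPlan(plan, (id) => console.log(`deactivated ${id}`));
console.log(JSON.stringify({ deactivated: done, skipped: plan.skipped }));
```

With the constructed data, bob (disabled) and carol (not found) are deactivated, alice stays active, and dave is skipped with the lookup error recorded for the next run.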
Step 1: Download the Node.js script from GitHub or clone it to your repository. URL: https://github.com/apmavrin/sen-daemon.git
Step 2: Register your SAP Enable Now script in the MS Azure AD Portal according to this guide from the Microsoft website (Step 1) and this instruction from the same source. When selecting the platform for the application, choose Mobile and desktop applications. Generate the Client Secret and save its value somewhere immediately, as you won’t see it again after re-opening the Client Secret page. After you complete the steps from the above-mentioned manuals, you should see something like this on the Azure AD application overview page.
Step 3: Assign the API permission Microsoft Graph -> User.Read.All to your application so that it can read account data in your MS Azure AD through the MS Graph API. This permission requires admin consent, which is why administrative access to Azure AD is listed as a prerequisite.
Step 4: Create the .env file in the script root directory and add the App registration information you obtained earlier from MS Azure AD, the SAP Enable Now Manager URL, and your service account login and password. Do not modify the global constants’ names (in uppercase). Save the changes. Keep the .env file out of version control, as it holds the client secret and the service account password.
Step 5 (Optional): By default, the script compares the user e-mail in MS Azure AD with the e-mail stored in the SAP Enable Now Manager. If you want to compare the User Principal Name (UPN) from Azure AD with the SAP Enable Now account name instead, change the default values in the files:
Step 6: Select the scheduled run time for the script in the index.js file. It is in 24-hour format. For testing purposes, set it 1-3 minutes ahead of your current time.
Step 7: Run the npm package manager from the script root directory to install the required dependencies.
Step 8: Try the script in action by running the command:
node . --sync azure
Enjoy the result: the account status in SAP Enable Now is always synced with your Azure AD.
Great stuff Anton!
I also really liked this part: "Deactivates (not deletes!) "
Nice and interesting one Anton! Very useful for sure.