Guy Sujetzki

Identity and Authentication Management in SAP Business One

With 10.0 FP 2208, SAP Business One introduces the Identity and Authentication Management (IAM) service, allowing users to authenticate with their Identity Provider’s (IDP) user when signing in to SAP Business One.

Connecting SAP Business One with an Identity Provider can help you manage user access securely without compromising the user experience during sign-in to SAP Business One.

What are the main benefits of using the IAM solution in SAP Business One?

  • Single sign-on (SSO) experience.
  • Reduced password fatigue: users do not need to remember an excessive number of passwords.
  • Enhanced security during sign-in by utilizing the IDP’s multi-factor authentication, reducing the potential attack surface.
  • A central user management solution, allowing landscape administrators to set up IDP users (under one or more IDPs), bind them to SAP Business One company users and manage users across all company databases in one place.

Identity Providers Management

IAM can be activated by configuring IDPs and users under the newly added ‘Identity Providers’ and ‘Users’ tabs in the SAP Business One System Landscape Directory (SLD) control center.
After upgrading to 10.0 FP 2208, the following Identity Providers appear by default under the ‘Identity Providers’ tab in SLD:

  • SAP Business One Authentication Server – Built-in Authentication Service
  • Active Directory Domain Services –  Built-in Authentication Service

It is also possible to add an OIDC (OpenID Connect) IDP by clicking ‘Add’:

  • OIDC (OpenID Connect)

Note: with 10.0 FP 2208, it is possible to register ‘AD FS‘ or ‘Azure Active Directory‘ as external identity providers in OIDC.

Identity Providers tab in SLD

By default, to preserve backward compatibility, IDPs are set to ‘inactive‘ after upgrade. There is no change to the Sign-in experience for SAP Business One users unless an IDP is activated.

Before an IDP is activated, there are a few important prerequisites that need to be fulfilled:

  • There must be at least one corresponding Landscape Admin user configured under the ‘Users’ tab in SLD.
  • IDP users must be created and bound to SAP Business One company users across all companies.
  • The IDP property for add-ons must have been adopted.

User Management

The newly added ‘Users’ tab in SLD acts as a ‘one stop shop’ for:

  • Adding / removing IDP users.
  • Binding IDP users to SAP Business One users across company databases.
  • Central user management: changing the password and activating / deactivating unified users (users created under the SAP Business One Authentication Server IDP), and assigning users the Landscape Admin role.

Note: The licenses assigned to SAP Business One company users remain unchanged after enabling the identity and authentication management.

Sign-in to SAP Business One with an IDP

Once an IDP is activated in SLD, SAP Business One users will see a new Sign-in window. Depending on the landscape’s IDP configuration (IDP type, number of IDPs activated), users are redirected to their IDP within the SAP Business One Sign-in window to authenticate.


Watch the quick demo below on how to setup Microsoft Azure as an identity provider in SAP Business One and Sign-in to SAP Business One Web client with an Azure account.


How-to-guide

As IAM has a noticeable footprint on the user’s sign-in journey, in addition to behavioral changes in SAP Business One, it is highly recommended to review the ‘Identity and Authentication Management in SAP Business One’ How-to Guide to learn more about the following topics:

  • IAM Setup and Configuration
  • Recovery / Reset of IAM
  • Behavior changes
  • Supported SAP Business One Components in 10 FP 2208
  • Extension adaptations


Roll out plan

The Identity and Authentication Management service is planned to be rolled out in a phased manner.
With 10.0 FP 2208, IAM is supported by the following SAP Business One products:

  • SAP Business One
  • SAP Business One, version for SAP HANA

Please note that with this 10.0 FP release, the IAM service is not supported by existing SAP Business One Cloud versions. It is planned to be supported in SAP Business One Cloud in later versions.

Hope this blog was useful to you as an introduction to SAP Business One’s Identity and Authentication Management service. I’m looking forward to hearing about your experience working with IAM in SAP Business One; be sure to leave your feedback in the comments section below.

18 Comments

      Richard Duffy

      We are looking forward to the release of IDP support for SAP Business One Cloud and will start upgrading our single tenant customers to use IDP with FP2208 soon.

      Mustafa Bensan

      Hi Guy,

      Does the new IAM capability support principal propagation of a business user through to the Business One Service Layer during API calls?

      Regards,

      Mustafa.

      Guy Sujetzki
      Blog Post Author

      Hi Mustafa,
      Thanks for your follow up question. I am not sure I fully comprehend the scenario you mentioned. For further evaluation, can you please provide a step by step description of the intended flow?

      BTW - please also refer to the Extension chapter in the Identity and Authentication Management guide to review the required adaptations for DI API and Service Layer based Add-ons in order to consume IAM.

      Best Regards
      Guy

      Mustafa Bensan

      Hi Guy,

      I think my scenario would be covered by the Web App flow for IAM as described in the guide you referred to.  For context, the intended flow in my scenario is as follows:

      • A custom sales order creation Fiori app is deployed on SAP BTP Cloud Foundry environment.
      • This Fiori app interacts with SAP Business One via the APIs of the Business One Service Layer.
      • When the user signs into the Fiori app and authenticates, the desired outcome is that when the Fiori app calls the relevant Business One Service Layer APIs, the user's identity is propagated through to the API so that the data the logged in user sees and the actions they can take via the API are consistent with that particular user's authorisations in Business One.

      Does that make sense?

      Thanks,

      Mustafa.

      Guy Sujetzki
      Blog Post Author

      Hi Mustafa,
      Thanks for clarifying, yes that seems to fall under the Web App flow for IAM.
      BTW - Regarding BTP application & choice of IDPs - Please note that in 2208 FP we officially support Azure and ADFS as external IDPs via OIDC configuration. SAP IAS will be officially supported in future releases.
      Best Regards
      Guy

      Tomer Peer

      Hello,

      Installing the new version works, and the new licence also imports well, but when trying to assign SAP user attributes an error appears:

      Connection to license server is not authenticated

      I've activated "SAP Business One" in the Identity Provider tab in SLD but failed to add a local user.

      Guy Sujetzki
      Blog Post Author

      Hi Tomer,
      Thanks for sharing this finding. As we did not encounter this error in various IAM-related configurations, I believe this error might be related to a different landscape issue.

      For example:
      2409083 Connection to License Server Is Not Authenticated

      Please try to run a KB search. In case you're still unclear about this issue, please create an incident with a step-by-step reproduction desc. so we could further investigate.

      Best Regards
      Guy

      Gideon Makinwa

      Hi Guy,

      We are currently building a C# Blazor WASM application hosted on ASP.NET Core and using Duende IdentityServer as our OIDC provider with the BFF (backend for frontend) framework. I want to know how I add Duende IdentityServer to the SAP Authentication Server (Keycloak) as an IdP.

      Note

      1. Duende IdentityServer is our IdP, providing login, logout, redirection, authentication and authorization to our Blazor WASM client application.
      2. Our Blazor WASM client has local API endpoints (controllers) that call a remote API (SAP Service Layer), hence a proxy access.
      3. Duende IdentityServer will manage tokens and grant our Blazor WASM client application access to the SAP Business One Service Layer API endpoints.
      4. We are using the Authorization Code + PKCE flow.

      The link below references the Duende IdentityServer implementation of BFF: https://docs.duendesoftware.com/identityserver/v6/bff/tokens/

      Best regards,

      Gideon Makinwa
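      The Authorization Code + PKCE flow named in the comment above is the same browser-redirect flow an OIDC sign-in against an external IDP uses. The Python below is an added example, not code from the comment, from SAP or from Duende; it shows the client-side pieces a relying party has to get right: a fresh code_verifier / code_challenge pair (S256 method), an unguessable state value, the authorization request built from them, and a callback handler that refuses a response whose state does not match the one stored for that login. The authorize endpoint, client id and redirect URI are made-up placeholders, and verify_pkce replays the check the IDP's token endpoint performs when the code is redeemed.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(raw: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) for the S256 method.

    A fresh verifier is 32 random bytes -> 43 base64url characters, inside the
    43..128 range the RFC allows. A verifier may be passed in so that the
    RFC 7636 Appendix B test vector can be checked.
    """
    if verifier is None:
        verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def new_state() -> str:
    """Per-login random value kept in the browser session; it ties the callback to this attempt (CSRF defence)."""
    return b64url(secrets.token_bytes(16))


def build_authorization_url(authorize_endpoint, client_id, redirect_uri, scope, state, nonce, code_challenge):
    """Authorization request for the authorization code flow with PKCE."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "nonce": nonce,  # echoed back inside the ID token, where it is checked
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def parse_callback(callback_url, expected_state):
    """Extract the authorization code from the redirect back to the app.

    The callback is untrusted input: an error response, a missing code, or a
    state that differs from the stored one are all rejected.
    """
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:
        raise ValueError(f"IDP returned error: {qs['error'][0]}")
    returned_state = qs.get("state", [""])[0]
    if not returned_state or not secrets.compare_digest(returned_state, expected_state):
        raise ValueError("state mismatch: callback does not belong to this login attempt")
    code = qs.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


def verify_pkce(verifier, challenge):
    """The check the IDP's token endpoint performs: recompute S256(verifier) and compare."""
    recomputed = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return secrets.compare_digest(recomputed, challenge)


if __name__ == "__main__":
    # Constructed placeholder values, not a real tenant, client or redirect URI
    verifier, challenge = make_pkce_pair()
    state = new_state()
    url = build_authorization_url("https://idp.example/oauth2/authorize", "b1-web-client",
                                  "https://b1.example/signin-oidc", "openid profile",
                                  state, "n0nce", challenge)
    print(url)
    code = parse_callback(f"https://b1.example/signin-oidc?code=SplxlOBeZQQYbYS6WxSbIA&state={state}", state)
    print("code:", code, "pkce ok:", verify_pkce(verifier, challenge))
```

      The verifier never leaves the client until the code is redeemed at the token endpoint, which is why an intercepted authorization code alone is useless to whoever captured it; the state check is what stops a callback forged or replayed into a different user's session.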

      Guy Sujetzki
      Blog Post Author

      Hi Gideon,

      With 2208 FP release, we officially support MS Azure and ADFS as external IDPs for OIDC.
      We are planning to expand the list of supported IDPs in the next releases.

      For the time being, I strongly recommend raising your requirement to support Duende as an IDP via our Customer Influence site https://influence.sap.com/sap/ino/#/campaign/887
      This can give us visibility into the overall market's demand for the IDPs most used in our SAP Business One community.

      Best Regards
      Guy

      Gideon Makinwa

      Hi Guy,

      My app is a Blazor WASM BFF (back-end for frontend) relying on Duende IdentityServer for user authentication and authorization; however, for remote API calls (using HttpClient methods to call the SAP B1 Service Layer) I want a machine-to-machine client credentials flow. In the SAP Keycloak SapB1 realm the Service Layer client is already created by SAP.

      Here is my C# code in a console app to first get an access token and then add it to my HTTP calls to the Service Layer APIs:

      // Console app Program.cs (top-level statements, .NET 6 implicit usings)
      using IdentityModel.Client;

      // Step 1: client-credentials grant against the SAP Business One authentication server (Keycloak)
      var tokenClient = new HttpClient();

      var token2 = await tokenClient.RequestClientCredentialsTokenAsync(new ClientCredentialsTokenRequest
      {
          Address = "https://[Server]:40020/auth/realms/sapb1/protocol/openid-connect/token", // SAP Keycloak Authentication Server token endpoint
          ClientId = "b1-B1ServiceLayers-1713-main-sbo",         // created by SAP already, default
          ClientSecret = "728adc6d-560e-4f80-82d3-452a939182ee"  // generated already by SAP
      });

      // Stop if the token endpoint rejected the request, instead of sending an empty bearer token on
      if (token2.IsError)
      {
          Console.WriteLine($"Token request failed: {token2.Error} {token2.ErrorDescription}");
          return;
      }

      // Step 2: call Service Layer with the access token as a Bearer token
      var apiClient = new HttpClient();
      apiClient.SetBearerToken(token2.AccessToken);

      var response = await apiClient.GetAsync("https://localhost:50000/b1s/v1/Items"); // B1 Service Layer Items endpoint
      var data = await response.Content.ReadAsStringAsync();
      Console.WriteLine(data);

      This does not seem to work. What's the correct way to get an access token to call the Service Layer APIs?

      Best regards,

      Gideon Makinwa
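      The console code in the comment above forwards the access token without looking at the token response or at the token itself. When a bearer-token call "seems not working", decoding the token and confirming who issued it, for which audience and until when is the first diagnostic step; on the API side, those same checks plus the signature are what protects the endpoint. The Python below is an added example, not code from the comment or from SAP. To run offline it signs with HS256 and a constructed shared secret, whereas Keycloak and Azure AD issue RS256 tokens that are verified against the realm's published JWKS; the issuer, audience and secret are placeholders, and the azp value reuses the client id shown in the comment purely as sample data.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256_token(claims: dict, secret: bytes) -> str:
    """Build a signed JWT for the demo; stands in for the IDP's token endpoint."""
    header = {"alg": "HS256", "typ": "JWT"}
    segments = [_b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)]
    signing_input = ".".join(segments).encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return ".".join(segments + [_b64url_encode(signature)])


def decode_unverified(token: str):
    """Header and claims with no trust attached; only for inspecting what the IDP issued."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def validate_token(token: str, secret: bytes, expected_iss: str, expected_aud: str, now=None) -> dict:
    """Signature and claim checks an API must pass before acting on a bearer token."""
    now = int(time.time()) if now is None else now
    header, claims = decode_unverified(token)
    # Pin the algorithm: the token header must never choose it (rejects "none" and alg confusion)
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    head, body, sig = token.split(".")
    expected_sig = hmac.new(secret, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig)):
        raise ValueError("signature check failed")
    if claims.get("iss") != expected_iss:
        raise ValueError(f"issuer mismatch: {claims.get('iss')!r}")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if expected_aud not in aud_list:
        raise ValueError(f"token not issued for this API: aud={aud!r}")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    if now < int(claims.get("nbf", 0)):
        raise ValueError("token not yet valid")
    return claims


def verdict(token: str, secret: bytes, expected_iss: str, expected_aud: str, now=None) -> str:
    """One-line result for logs: 'valid' or 'rejected: <reason>'."""
    try:
        validate_token(token, secret, expected_iss, expected_aud, now)
        return "valid"
    except ValueError as exc:
        return f"rejected: {exc}"


# Constructed demo values: hypothetical realm, audience and secret, not taken from a real landscape
DEMO_ISSUER = "https://auth.example:40020/auth/realms/sapb1"
DEMO_AUDIENCE = "b1-service-layer"
DEMO_SECRET = b"demo-shared-secret-not-for-production"


def demo_claims(now: int) -> dict:
    """Claims shaped like a client-credentials token: service account subject, five-minute lifetime."""
    return {"iss": DEMO_ISSUER, "aud": DEMO_AUDIENCE, "sub": "service-account-b1",
            "azp": "b1-B1ServiceLayers-1713-main-sbo", "iat": now, "nbf": now, "exp": now + 300}


if __name__ == "__main__":
    t0 = 1_700_000_000
    token = mint_hs256_token(demo_claims(t0), DEMO_SECRET)
    print("claims:", decode_unverified(token)[1])
    print(verdict(token, DEMO_SECRET, DEMO_ISSUER, DEMO_AUDIENCE, now=t0 + 10))
    print(verdict(token, DEMO_SECRET, DEMO_ISSUER, "some-other-api", now=t0 + 10))
```

      The audience check is the one that most often explains a 401 from an API: a token minted for one client is not valid for another, and a resource server that skips the check accepts tokens that were never meant for it.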

      Guy Sujetzki
      Blog Post Author

      Hi Gideon,

      Thanks for the details.

      In case you haven't done so before, please check out the extension chapter in our Identity and Authentication Management How-to Guide
      https://help.sap.com/docs/SAP_BUSINESS_ONE_IAM/548d6202b2b6491b824a488cfc447343/07a8fc4acabe4ba5884bdff86347730c.html

      Otherwise, I recommend reporting an incident to allow our Support experts to take a closer look.
      Kind Regards
      Guy

      Erick Gómez

      Hi, Guy!

      Maybe it's already happening to others, but when I try to configure the external IP for the authentication service and SLD, it returns an error message that doesn't make sense with what the FP 2208 administration manual says.

      The option to map the SLD with the domain/external IP is no longer in the External Mapping tab, it is now configured in the Security tab.

      Either the manual has an error or the service has an internal problem; these are very easy things to configure that are not working as we would expect.

      Regards,

      Erick

      Guy Sujetzki
      Blog Post Author

      Hi Erick,

      Thanks for sharing this scenario.
      When defining an address for SLD and Authentication service under Security tab, to prevent a scenario where SLD is no longer reachable after the update, there is a check in place that the defined addresses for SLD and authentication service are indeed reachable in order to successfully save the new values.

      Please make sure that the new addresses for SLD and Authentication service are indeed reachable. If you still face an issue during save operation, I recommend logging an incident with relevant details incl. actual error message shown.

      Best Regards
      Guy

      Luis Alejandro Ruiz Pinilla

      Hi, Guy

      We have a novelty after the update to version 2208.

      Previously, when the SSO was activated from the SLD, if a user needed to change the linked user they could click "change user" to type a new user.

      With this version, we don't see that possibility.

      It is important to be able to have this option, since with the link it was possible to indicate which databases the users had access to.

      In previous versions, the service was activated by the SLD.

      The SSO option was shown activated for users with the Microsoft Windows account link.

      If they needed to change the user, they unchecked the option and could enter with a new user.

      I appreciate it if you can help me with this news.

      Best Regards
      Camilo

      Guy Sujetzki
      Blog Post Author

      Hi Luis,

      Thanks for addressing this behavior change.
      With FP 2208, once Active Directory Domain Services is enabled (it will be automatically enabled in case you worked with SSO prior to the upgrade), the option to sign in with B1 user codes in parallel is no longer available. This is part of a security measure we took to comply with security standards for authorizing users during the sign-in process.

      For your scenario:

      • In case you have B1 user codes that are not yet bound to domain users, you should be able to complete all necessary IDP user creation and bindings from SLD under the Users tab. For more information please refer to our IAM guide
        https://help.sap.com/docs/SAP_BUSINESS_ONE_IAM/548d6202b2b6491b824a488cfc447343/76de0bbf52a24cfc997084f3a294abc2.html?q=User%20code
      • In case you would like to avoid binding some of your B1 user codes to domain users, as an option you may also consider activating the SAP Business One Authentication Service in parallel and creating the relevant IDP users (under SAP B1 Authentication Service) and bindings for these B1 user codes.

        By doing so, users may log-in with their corresponding domain user (SSO) or with their B1 IDP user (SAP B1 Authentication service).

      Hope this helps

      Best Regards
      Guy

      Greg Niecka

      Hi Guy,

      does the new IAM solution support integration with OKTA?

      Regards

      Greg

      Guy Sujetzki
      Blog Post Author

      Hi Greg,

      With FP 2208 we officially support Azure AD and ADFS as external IDPs (via OIDC).
      OKTA & additional IDPs are planned to be supported in future releases.

      Best Regards
      Guy

      Joerg Aldinger

      If you want to renew the certificate used for the Authentication Service, check out my blog post:

      How to renew your SAP B1 Authentication Service Certificate | SAP Blogs

      Hope it is helpful!

      Best regards,

      Joerg.