Author: Guy Sujetzki

Identity and Authentication Management in SAP Business One

With 10.0 FP 2208, SAP Business One introduces the Identity and Authentication Management (IAM) service, allowing users to authenticate with their Identity Provider (IDP) user when signing in to SAP Business One.

Connecting SAP Business One with an identity provider helps you manage user access in a secure manner without compromising the user experience during sign-in to SAP Business One.

What are the main benefits of using the IAM solution in SAP Business One?

  • Single sign-on (SSO) experience.
  • Reduced password fatigue: users no longer need to remember an excessive number of passwords.
  • Enhanced security during sign-in by utilizing the IDP's multi-factor authentication, which reduces the potential attack surface.
  • A central user management solution, allowing landscape administrators to set up IDP users (under one or more IDPs), bind them to SAP Business One company users, and manage users across all company databases in one place.

Identity Providers Management

IAM can be activated by configuring IDPs and users under the newly added 'Identity Providers' and 'Users' tabs in the SAP Business One System Landscape Directory (SLD) control center.
After upgrading to 10.0 FP 2208, the following identity providers appear by default under the 'Identity Providers' tab in SLD:

  • SAP Business One Authentication Server – Built-in Authentication Service
  • Active Directory Domain Services – Built-in Authentication Service

It is also possible to add an OIDC (OpenID Connect) IDP by clicking 'Add':

  • OIDC (OpenID Connect)

Note: with 10.0 FP 2208, it is possible to register 'AD FS' or 'Azure Active Directory' as external identity providers in OIDC.


Identity Providers tab in SLD

By default, to preserve backward compatibility, IDPs are set to 'inactive' after the upgrade. There is no change to the sign-in experience for SAP Business One users unless an IDP is activated.

Before an IDP is activated, a few important prerequisites must be fulfilled:

  • At least one corresponding Landscape Admin user is configured under the 'Users' tab in SLD.
  • IDP users are created and bound to SAP Business One company users across all companies.
  • The IDP property for add-ons has been adopted.

User Management

The newly added 'Users' tab in SLD acts as a 'one stop shop' for:

  • Adding / removing IDP users.
  • Binding IDP users to SAP Business One users across company databases.
  • Central user management: changing the password and activating / deactivating unified users (users created under the SAP Business One Authentication Server IDP), and assigning users the Landscape Admin role.

Note: The licenses assigned to SAP Business One company users remain unchanged after enabling the identity and authentication management.

Sign-in to SAP Business One with an IDP

Once an IDP is activated in SLD, SAP Business One users see a new sign-in window. Depending on the landscape's IDP configuration (IDP type, number of IDPs activated), users are redirected to their IDP within the SAP Business One sign-in window to authenticate.

Watch the quick demo below on how to set up Microsoft Azure as an identity provider in SAP Business One and sign in to the SAP Business One Web Client with an Azure account.

How-to-guide

As IAM has a noticeable footprint on the user's sign-in journey, in addition to behavioral changes in SAP Business One, it is highly recommended to review the 'Identity and Authentication Management in SAP Business One' How-to Guide to learn more about the following topics:

  • IAM Setup and Configuration
  • Recovery / Reset of IAM
  • Behavior changes
  • Supported SAP Business One Components in 10 FP 2208
  • Extension adaptations

Roll out plan

The Identity and Authentication Management service is planned to be rolled out in a phased manner.
With 10.0 FP 2208, IAM is supported by the following SAP Business One products:

  • SAP Business One
  • SAP Business One, version for SAP HANA

Please note that with this 10.0 FP release, the IAM service is not supported by existing SAP Business One Cloud versions. It is planned to be supported in SAP Business One Cloud in later versions.

I hope this blog was useful to you as an introduction to SAP Business One's Identity and Authentication Management service. I'm looking forward to hearing about your experience working with IAM in SAP Business One, so be sure to leave your feedback in the comments section below.

      67 Comments

      Richard Duffy

      We are looking forward to the release of IDP support for SAP Business One Cloud and will start upgrading our single tenant customers to use IDP with FP2208 soon

      Mustafa Bensan

      Hi Guy,

      Does the new IAM capability support principal propagation of a business user through to the Business One Service Layer during API calls?

      Regards,

      Mustafa.

      Guy Sujetzki
      Blog Post Author

      Hi Mustafa,
      Thanks for your follow-up question. I am not sure I fully comprehend the scenario you mentioned. For further evaluation, can you please provide a step-by-step description of the intended flow?

      BTW - please also refer to the Extension chapter in the Identity and Authentication Management guide to review the required adaptations for DI API and Service Layer based Add-ons in order to consume IAM.

      Best Regards
      Guy

      Mustafa Bensan

      Hi Guy,

      I think my scenario would be covered by the Web App flow for IAM as described in the guide you referred to.  For context, the intended flow in my scenario is as follows:

      • A custom sales order creation Fiori app is deployed on SAP BTP Cloud Foundry environment.
      • This Fiori app interacts with SAP Business One via the APIs of the Business One Service Layer.
      • When the user signs into the Fiori app and authenticates, the desired outcome is that when the Fiori app calls the relevant Business One Service Layer APIs, the user's identity is propagated through to the API so that the data the logged in user sees and the actions they can take via the API are consistent with that particular user's authorisations in Business One.

      Does that make sense?

      Thanks,

      Mustafa.

      Guy Sujetzki
      Blog Post Author

      Hi Mustafa,
      Thanks for clarifying, yes that seems to fall under the Web App flow for IAM.
      BTW - Regarding BTP application & choice of IDPs - please note that in the 2208 FP we officially support Azure and ADFS as external IDPs via OIDC configuration. SAP IAS will be officially supported in future releases.
      Best Regards
      Guy

      Tomer Peer

      Hello,

      Installing the new version works and the new licence also imports well, but when trying to assign SAP user attributes the following error appears:

      Connection to license server is not authenticated

      I've activated the "SAP Business One" in the identity provider tab in SLD but failed to add local user.

      Guy Sujetzki
      Blog Post Author

      Hi Tomer,
      Thanks for sharing this finding. As we did not encounter this error in various IAM related configurations, I believe this error might be related to a different landscape issue.

      For example:
      2409083 Connection to License Server Is Not Authenticated

      Please try to run a KB search. In case you're still unclear about this issue, please create an incident with a step-by-step reproduction desc. so we could further investigate.

      Best Regards
      Guy

      Gideon Makinwa

      Hi Guy,

      We are currently building a C# Blazor WASM application hosted on ASP.NET Core and using Duende IdentityServer as our OIDC provider with the BFF (backend for frontend) framework. I want to know how to add Duende IdentityServer to the SAP Authentication Server (Keycloak) as an IdP.

      Note

      1. Duende IdentityServer is our IdP providing login, logout, redirection, authentication and authorization to our Blazor WASM client application
      2. Our Blazor WASM client has local API endpoints (controllers) that call the remote API (SAP Service Layer), hence a proxy access
      3. Duende IdentityServer will manage token and grant our Blazor WASM client application access to SAP Business One Layer API Endpoints
      4. We are using Authorization code + PKCE flow

      The link is a reference to the Duende IdentityServer implementation of BFF: https://docs.duendesoftware.com/identityserver/v6/bff/tokens/

      Best regards,

      Gideon Makinwa

      Guy Sujetzki
      Blog Post Author

      Hi Gideon,

      With 2208 FP release, we officially support MS Azure and ADFS as external IDPs for OIDC.
      We are planning to expand the list of supported IDPs in the next releases.

      For the time being, I strongly recommend raising your requirement to support Duende as an IDP via our Customer Influence site https://influence.sap.com/sap/ino/#/campaign/887
      This can allow us visibility into overall market's demand for IDPs mostly used in our SAP Business One community.

      Best Regards
      Guy

      Gideon Makinwa

      Hi Guy,

      My app is a Blazor WASM BFF (back-end for frontend) relying on Duende IdentityServer for user authentication and authorization; however, for remote API calls (using HttpClient methods to call the SAP B1 Service Layer) I want a machine-to-machine communication client credentials flow. In the SAP Keycloak SapB1 realm, the service layer client is already created by SAP.

      Here is my C# code in a console app to first get an access token and then add it to my HTTP call to the Service Layer APIs:

      // Console app Program.cs (.NET 6 top-level statements)
      using System;
      using System.Net.Http;
      using IdentityModel.Client;

      var tokenClient = new HttpClient();

      // Client credentials grant against the SAP Keycloak Authentication Server token endpoint
      var token2 = await tokenClient.RequestClientCredentialsTokenAsync(new ClientCredentialsTokenRequest
      {
          Address = "https://[Server]:40020/auth/realms/sapb1/protocol/openid-connect/token",  // SAP Keycloak Authentication Server token endpoint
          ClientId = "b1-B1ServiceLayers-1713-main-sbo",  // created by SAP already, default
          ClientSecret = "728adc6d-560e-4f80-82d3-452a939182ee"  // generated already by SAP
      });

      // Surface token endpoint errors instead of sending an empty bearer token
      if (token2.IsError)
      {
          Console.WriteLine($"Token request failed: {token2.Error} {token2.ErrorDescription}");
          return;
      }

      var apiClient = new HttpClient();
      apiClient.SetBearerToken(token2.AccessToken);

      var response = await apiClient.GetAsync("https://localhost:50000/b1s/v1/Items");  // B1 Service Layer Items endpoint
      Console.WriteLine($"HTTP {(int)response.StatusCode} {response.ReasonPhrase}");  // a 401 here means the Service Layer rejected the token
      var data = await response.Content.ReadAsStringAsync();
      Console.WriteLine(data);


      This seems not to be working. What's the correct way to get an access token to call the Service Layer APIs?


      Best regards,

      Gideon Makinwa

      Guy Sujetzki
      Blog Post Author

      Hi Gideon,

      Thanks for the details.

      In case you haven't done so before, please check out the extension chapter in our Identity and Authentication Management How-to Guide
      https://help.sap.com/docs/SAP_BUSINESS_ONE_IAM/548d6202b2b6491b824a488cfc447343/07a8fc4acabe4ba5884bdff86347730c.html

      Otherwise, I recommend reporting an incident to allow our Support experts to take a closer look.
      Kind Regards
      Guy

      Simon Berleb

      Hi Guy,

      we think an authentication process without a popup login page is missing. In Keycloak, "Direct Access Grants Enabled" is disabled.

      So in SAP B1 you have two types of licensed API users:

      a) Indirect Access User -> scenario is clear and working, thank you for that.
      b) Indirect Access non-employee (API sync users) -> scenario is not clear by checking your documentation here: https://help.sap.com/docs/SAP_BUSINESS_ONE_IAM/548d6202b2b6491b824a488cfc447343/07a8fc4acabe4ba5884bdff86347730c.html

      Could you please give us partners the answers to go further in working with Service Layer and API sync users for FP2208 and higher?

      Guy Sujetzki
      Blog Post Author

      Hi Simon,

      Regarding point b) - if I read your question correctly - technical users are supposed to continue working normally (without any change required) after upgrading to FP 2208. Please refer to the following section in the IAM documentation:

      https://help.sap.com/docs/SAP_BUSINESS_ONE_IAM/548d6202b2b6491b824a488cfc447343/a22e86b800794aca934b82d73c48279b.html?q=technical

      Hope this helps,
      Kind Regards
      Guy

      Simon Berleb

      Hi Guy,

      thanks for the additional documentation, but unfortunately this is no answer to my question.

      However, my question was aimed at "Technical" users based on Indirect access by instance / non-employee.

      This could be a new user in B1 for example called: “sync_job_for_facebook”.

      Is there a token with longer lifetime / API token / API Key?
      Or is a POST /Login possible for this technical api user?

      In the past, for B1 authentication and Windows authentication we did an easy POST Login.

      POST /Login
      
      {
          "CompanyDB": "SBODEMODE",
          "UserName": "domain\\Administrator",
          "Password": "xxxxxxx"
      }

      Guy Sujetzki
      Blog Post Author

      Hi Simon Berleb

      Nice meeting you in the Vienna Summit 🙂
      Let me summarize main points we discussed in our meeting face to face for the benefit of anyone reading this in the community;

      1. In case you work with Active Directory IDP in FP 2208, in order to make a connection with Service Layer - you need to use a SAP Business One Authentication service user (bound to the relevant User code).

      2. The good news; in upcoming FP (2305) we plan to support Active Directory user for SL connection, so no modification will be required as suggested in point above.

      3. In Future release we will also provide a solution for technical users to consume IAM as well.

      hope I didn't miss anything,
      Kind Regards
      Guy

      Erick Gómez

      Hi, Guy!

      Maybe it's already happening to others, but when I try to configure the external IP for the authentication service and SLD, it returns an error message that doesn't make sense with what the FP 2208 administration manual says.

      The option to map the SLD with the domain/external IP is no longer in the External Mapping tab, it is now configured in the Security tab.

      Either the manual has an error or the service has an internal problem, they are something very easy to configure that are not working as we would expect.

      Regards,

      Erick

      Guy Sujetzki
      Blog Post Author

      Hi Erick,

      Thanks for sharing this scenario.
      When defining an address for SLD and the Authentication Service under the Security tab, there is a check in place that the defined addresses are indeed reachable before the new values can be saved. This prevents a scenario where SLD is no longer reachable after the update.

      Please make sure that the new addresses for SLD and Authentication service are indeed reachable. If you still face an issue during save operation, I recommend logging an incident with relevant details incl. actual error message shown.

      Best Regards
      Guy

      Erick Gómez

      Hi Guy,

      SLD redirection explained.

      Best regards,

      EG

      Guy Sujetzki
      Blog Post Author

      Hi Erick,
      Thank you very much for the link.
      Very good video 🙂

      Switching to English as my Spanish is somewhat rusty,
      Thanks for sharing this video with the community, that's a very helpful resource making IAM further accessible to a wider audience. Now we need an English version as well. 🙂

      Best Regards
      Guy

      Erick Gómez

      Hi Guy,

      Yeeei soon, sure 🙂

      Best regards,

      EG

      Luis Alejandro Ruiz Pinilla

      Hi, Guy

      We have a novelty after the update to version 2208. 
      
      Previously it allowed that when activating the SSO from the SLD, if a user needed to change the linked user, clicking "change user" to type a new user. 
      
      With this version, we don't see that possibility. 
      
      It is important to be able to have this option, since with the link it was possible to indicate which databases the users had access to.
      
      
      In previous versions, the service was activated by the SLD
      
      
      
      The SSO option was shown activated for users with the Microsoft Windows account link
      
      
      
      
      If they need to change the user, uncheck the option and they could enter with a new user
      
      
      I appreciate if you can help me with this news.
      
      Best Regards
      Camilo
      Guy Sujetzki
      Blog Post Author

      Hi Luis,

      Thanks for addressing this behavior change.
      With FP 2208, once Active Directory Domain services is enabled (Will be automatically enabled in case you worked with SSO prior to upgrade) the option to sign-in with B1 User codes in parallel is no longer available. This is part of a security measure we took to comply with security standards for authorizing users during sign-in process.

      For your scenario:

      • In case you have B1 user codes that are not yet bound to domain users, you should be able to complete all necessary IDP user creation and bindings from SLD - under the 'Users' tab. For more information please refer to our IAM guide
        https://help.sap.com/docs/SAP_BUSINESS_ONE_IAM/548d6202b2b6491b824a488cfc447343/76de0bbf52a24cfc997084f3a294abc2.html?q=User%20code
      • In case you would like to avoid binding some of your B1 user codes to domain users, as an option you may also consider activating in parallel the SAP Business One Authentication Service and creating relevant IDP users (under SAP B1 Authentication Service) and bindings for these B1 user codes.

        By doing so, users may log-in with their corresponding domain user (SSO) or with their B1 IDP user (SAP B1 Authentication service).

      Hope this helps

      Best Regards
      Guy

      Lukasz Bloch

      We have user named "xdtw" with license  "SAP Business One Indirect Access User"

      In SLD we will add user as "SAP Business One Authentication Server"

      SLD (screenshot)

      What happens next? This new feature forces us to change the password the first time.

      How we can change password for user XDTW when we can not log in to SAP with this user?


      Guy Sujetzki
      Blog Post Author

      Hi Bloch,

      Would it be possible to remove "SAP Business One Indirect Access User" license assignment for the user code, only in order to sign-in with the IDP user "xdtw" to SAP Business One and change the Password? is that a viable option?

      Best Regards
      Guy

      Lukasz Bloch

      But how can we log in if there is no option to log in to SAP using a user name? When you have SSO configured there is no window to enter a user name, am I right?


      Guy Sujetzki
      Blog Post Author

      Hi Lukasz
      That's why I proposed in my initial reply in this comment thread to activate in parallel the SAP Business One authentication service and create a new SAP Business One Authentication service user (as you apparently did according to screen capture above) and bind the user to your SAP Business One relevant user code, e.g. xdtw.
      Once you do that, you will be able to sign-in using the SAP Business One Authentication service user "xdtw" and during sign-in process it will be mapped to the xdtw user code sign-in.
      Hope it is now clearer,

      Best Regards
      Guy

      Lukasz Bloch

      I have bound my user DOMAIN\LUKASZ.BLOCH with the SAP account, so when I start the SAP client there is no option to enter username and password. So I am not able to change the password for the user I have created


      so the option is to log in to OS as user that IS NOT SET UP and bind and then SAP will ask about username and password during login


      Regards


      Guy Sujetzki
      Blog Post Author

      Hi Lukasz

      1. You have to make sure that your SAP Business One authentication service is activated (under Identity Provider tab) in parallel to Active domain Services IDP.

      2. in case more than one IDP is activated in a landscape, you should be getting the following initial screen when opening SAP Business One:

      3. In case you do not get this window, despite having 2 IDPs activated and instead you are automatically signed in with your Domain user - I suggest the following actions:
      - temporarily disable your Active Directory authentication service.
      - finish setting up the needed SAP Business One authentication IDP users and bindings to relevant B1 User codes across all companies.
      - Sign-in with the SAP Business One IDP users, you will be asked to set a new Password as part of the initial sign-in process.
      - reactivate the Active Directory authentication service.
      Hope this helps
      Best Regards
      Guy

      Joshua Brodowsky

      This does not work.....

      As soon as the Active Directory authentication service is re-enabled, the ability to enter a user code disappears again.
      I'm sorry but this is horrendous.

      This either forces us to disable Single-Sign-On for our customers who use it or it induces license sharing on the customer side, as sometimes it's necessary to use SBO on another machine.


      Guy Sujetzki
      Blog Post Author

      Hi Joshua,

      Sorry to hear about your experience.
      The ability to enter a user code when starting SAP Business One should still be available when Active Directory is enabled, for users that do not have a corresponding Active Directory IDP user set for them in SLD.

      In case there is a corresponding AD IDP user set in SLD, the user will be indeed automatically signed-in via Kerberos to provide a true SSO experience.

      Best Regards
      Guy

      Joshua Brodowsky

      Hi Guy,

      this is what our problem is. When I am working with a Windows user that is assigned to an SBO user then there is no way of using another SBO user on that machine, unless the whole windows user is changed.

      And that is a huge step backwards.

      Why not just provide the option to uncheck "Single-Sign-On" to log in with whatever SBO user you want? It was there before and should be there now.
      Even when the checkmark is there, it still would be as you say "a true SSO experience". Just always leave the box checked by default.

      I know this isn't on you personally but things like this really really frustrate me...
      We have several customers who already are disappointed in all the huge bugs the last couple of releases brought with them (not to mention that FP2208 is unusable in german) and now I'm facing another issue where we have to explain to those customers that unfortunately they have to live with that limited functionality or that the users cannot use SSO anymore.

      I really hope that you guys think about this and bring it back.

      Regards,
      Josh

      Guy Sujetzki
      Blog Post Author

      Hi Joshua,

      Thanks for providing the detailed scenario. I have a clear picture now of your specific setup and challenge with latest change introduced in FP 2208 in Sign-in scenarios.
      -----------------------------------------------------------------------------------------------
      Edited:
      Another option you may consider in order to also fulfill some decent level of security when using a shared computer is to sign in to Windows with a user that is not bound to any B1 User code in SLD.
      In this case, both users (User A bound to B1 authentication service and user B bound to Active Directory Domain Service) can sign in by typing their user credentials.
      -----------------------------------------------------------------------------------------------

      While we continue to review this internally -  I highly recommend sharing this request also over our SAP Business One Customer influence site https://influence.sap.com/sap/ino/#/campaign/887
      to get SAP Business One community take on this.

      Thanks again for sharing this.
      Best Regards
      Guy

      Joshua Brodowsky

      Okay I will try it there.
      But from our experience, once it goes to customer influence it's a dead end most of the time anyway...

      Thanks.
      Regards,
      Josh

      Greg Niecka

      Hi Guy,

      does the new IAM solution support integration with OKTA?

      Regards

      Greg

      Guy Sujetzki
      Blog Post Author

      Hi Greg,

      With FP 2208 we officially support Azure AD and ADFS as external IDPs (via OIDC).
      OKTA & additional IDPs are planned to be supported in future releases.

      Best Regards
      Guy

      Joerg Aldinger

      If you want to renew the certificate used for the Authentication Service, check out my blog post:

      How to renew your SAP B1 Authentication Service Certificate | SAP Blogs

      Hope it is helpful!

      Best regards,

      Joerg.

      Guy Sujetzki
      Blog Post Author

      Hi Joerg Aldinger

      Thanks for taking the time to share this tip on certificate renewal, great Blog!

      One short comment to this:
      Certificate renewal and DB user configuration changes can be done in the same procedure as before - during Reconfiguration of SAP Business One
      Here are some mockups from my SQL based environment:


      Hope this clarifies how to handle certification refresh in SAP Business One landscape.

      Kind Regards
      Guy

      Joerg Aldinger

      Hi Guy, !

      Thanks for sharing the info. I am of course aware that the reconfiguration is possible.

      However, it is not well suited for automated execution, although it might actually be possible to execute it unattended.

      When using Letsencrypt.org certificates they expire every 90 days (and renew every 60), so an admin would have to "constantly" run the reconfiguration to update the certificates.

      Our renewal script goes into a cronjob (or scheduled task on Windows) and is executed weekly. Only when a renewed certificate is available is it actually substituted, and the service restarted.

      Also, the reconfiguration is much more "invasive" in my opinion, since it revalidates and restarts every single service. The procedure I shared takes just seconds to execute, vs. at least 3 minutes, probably up to 10, when done using the reconfiguration wizard.

      I hope this explains why we don't use the reconfiguration procedure for that purpose (unless a certificate password change or other "major" modification is actually required).

      Best regards,

      Joerg.

      Victor Durand

      Hello,

      we are facing issues with this new FP regarding the new SSO configuration that led us to a rollback when we tried to upgrade to FP2208.

      • When both AD authentication and SAP authentication are on, we are unable to log in with a B1 user that is not bound to a domain account. This is highly problematic for us, because our infrastructure team of 40+ people can currently access it to perform add-on installation for example. Considering we have a bit less than 100 SAP B1 environments, the current functioning would lead us to needing approximately 4000 SAP B1 licences ... just for the infrastructure team because of its relatively large size, which is currently done by using manager on the 100 bases, which is roughly ~100 licences. The gap of 3K+ licences is unreachable.
      • The creation of an SAP B1 user is now divided in 2 parts: the B1 account, done in B1, and the domain account bind, which is now done in SLD. Previously, this bind was directly done in the User management window in SAP B1, which allowed a project manager to create a new user in Business One in complete autonomy. Now, with this functioning requiring SLD access to bind a domain user to an SAP user, we have to either give SLD access to B1 project managers (unsafe), or make it so that our infrastructure team is now part of the user creation workflow, which is ... completely out of touch in an organization our size.

      The current functioning is clearly not adapted to a relatively large-scale organization; what are you planning regarding this? We are currently stuck for our upgrades with FP 2202 because of this SSO issue, or we have to completely disable SSO and migrate to 2208.

      Alexey Grebennikov

      +1

      Exactly the same scenario here

      Guy Sujetzki
      Blog Post Author

      Hi Victor,

      Thanks for sharing your experience.
      Let me try to clarify the existing behavior / status for both points you mentioned;

      • When both AD authentication and SAP authentication are on, we are unable to log in with a B1 user that is not bound to a domain account
        My comment: in the above configuration (both IDPs are set as active), in case you are logged in to Windows with a domain user that does not exist under the 'Users' tab in SLD, when opening the SAP Business One client you will be prompted with the option to sign in with your SAP Business One Authentication IDP user.

        In case you experience a different behaviour, please report an incident on component "SBO-BC-IAM" with a step-by-step description of the scenario and supporting screen captures of your settings under the "Identity Providers" and "Users" tabs in SLD.

      • Missing the option to bind users from the SAP Business One client, as done before.
        My comment: Thanks for this important feedback, we are aware of this temporary limitation which was introduced in the 2208 FP (documented as well under the Identity and Authentication Management how-to guide under the behavior change chapter) and can assure you the option to bind users from the SAP Business One client will be re-introduced in upcoming versions.

      Best Regards
      Guy

      Victor Durand

      Hi Guy,

      Thank you for your answer

      Concerning those two points:

      • That's the current functioning I have on the 2 systems I tried this FP on, and I already have an incident opened about it (123135)
      • Is this feature planned on your roadmap? Is there an ETA on it?

      Best Regards

      Guy Sujetzki
      Blog Post Author

      Hi Victor,

      Thanks for sharing the info; let's continue the follow-up with Support teams via the incident.
      As for user binding from the B1 client, I can confirm it is on the roadmap with high priority, but cannot commit on an ETA at this point.

      Best Regards
      Guy

      Glenn Siverns

      Hi Guy,

      Are you able to share information on how to connect to the Service Layer when the Active Directory Domain Services IDP is enabled? In my initial tests, the old method (https://hostname:50000/b1s/v1/Login) returns a 502 proxy error.

      I was able to make an initial connection using https://hostname:50000/b1s/v1/ssob1s, but subsequent calls using the session ID provided returned a 401 error stating "Invalid session or session already timeout."

      Any information or resources would be greatly appreciated.

      Thanks,

      Glenn

      Guy Sujetzki
      Blog Post Author

      Hi Glenn,

      Thanks for reaching out. Did you have a chance to review the required changes needed to adopt extensions for IDPs?

      https://help.sap.com/docs/SAP_BUSINESS_ONE_IAM/548d6202b2b6491b824a488cfc447343/88dcdfca3a11492da0acdbbbcc07c770.html?q=ssob1s

      Hopefully that does the trick.
      🙂

      Best Regards
      Guy

      Glenn Siverns

      Thanks Guy,

      Connections to the Service Layer have never been considered to be extensions. Has this changed with FP2208 then? This will mean rewriting the authentication for any application connecting to the Service Layer if that's the case. Are there any examples available showing the connection method using Postman to clarify what needs to happen?

      Cheers,
      Glenn

      Jay Cheah

      Hi Guy,

      Can we have an idea of the priority of IAM for Cloud? Is it within a year? 2 years? SSO for public cloud comes up very often for us from a requirements perspective.

      Thanks for all that you do!


      Cheers

      Jay


      Guy Sujetzki
      Blog Post Author

      Hi Jay,

      Thanks a lot for sharing this important question.
      I can assure you that we're working on bringing IAM into SAP Business One Cloud (Cloud Control Center) as one of our higher priority items (cannot yet publicly commit on timelines).

      Let me share some insights on this:

      Looking at current customer journey when working on SAP Business One in Cloud (Hosted using Cloud Control Center) we need to consider the dependency we have on RDP in order to consume SAP Business One Desktop Client, using Active Directory Domain users.

      This therefore requires a different approach compared with the IAM implementation featured in FP 2208, to make sure we offer a consumable solution that cloud providers can utilize for this use case and truly benefit from IAM capabilities in this context.

      For Web Client and other web interfaces hosted on Cloud, a similar approach to FP 2208's IAM can be taken.

      Hope this provides some insights into our planned IAM implementation for Cloud.

      Kind Regards
      Guy

      Elliott Chandler

      We are unable to use the reconfiguration wizard to renew the certificate. We are unable to complete the process of renewing the security certificate. When using the Components Wizard it gets to the Service Databases and the option is Keep Current Scheme, which is the default: B1AS. After clicking Next it says Scheme [B1AS] is not a valid Authentication Service Schema. There is an OK button and this returns to the Wizard and we cannot continue. We have opened a case with SAP but no progress yet.

      Victor Durand

      With this new functioning, using the SLD, there's no validity check anymore when adding new users (before that, when we added a user in Active Directory, the system checked the existence of said user). Is there a way to control the mappings done in the SLD?

      Furthermore, as we strive to manage a regular inventory of our users and licence assignments, we would like to be able to make regular check-ups of the users mapped in the SLD to verify:

      • If the users in the SLD are still active Active Directory users
      • If the users with a licence in SAP B1 are still active

      Is there a way to retrieve the data in the "Users" tab of the SLD?

      Thanks

      Guy Sujetzki
      Blog Post Author

      Hi David,

      Thanks for your comments and insights:

      I understand you are looking for an online verification (which currently does not exist as of FP 2208) of a user's existence as a valid Domain User in the following scenarios:

      1. Adding a new AD based IDP User in SLD.

      2. A routine check for existing AD based IDP users that are already registered in SLD.

      In addition, from your last point, I understand you would like to have some traceability in SLD (under users) to evaluate whether your B1 licensed user codes are still active.

      It would be interesting, from your (or the community's) point of view, how you would envision what defines an Active user.
      e.g. a user that signed in in the last X days?

      I fully agree that all 3 points make sense and bring noticeable value to Lifecycle management of SAP Business One.
      I would kindly suggest raising these points via CIS (Customer Influence): https://influence.sap.com/sap/ino/#/campaign/887 Let's see how our community votes on this idea.

      Thanks once again for sharing these great ideas!
      Best Regards
      Guy

      Victor Durand

      Hi Guy,
      When I was referring to an "active" account, I was talking about its status in the Active Directory.

      As of now, a user that doesn't exist anymore in the Active Directory still exists in the SLD configuration, which means that as time passes we might have some serious issues of SLD records being polluted by accounts that do not exist anymore.

      This behaviour is harder to treat for 2 main reasons:

      • we have no insight, when in the SLD, whether the user is valid in AD or not
      • we have no way of extracting the user mapping data from the SLD. Considering we have tens of licensing servers in our infrastructure, this will soon become unmanageable for offboarding, as we have no way to process the data stored in SLD other than manually connecting to each SLD and manually checking each data entry in the "Users" tab...

      Consequently, this makes our user auditing processes harder than it already was...

      Sebastian Jackels

      Hi Guy,

      we upgraded our customer to 2208 HF1 and afterwards the Windows logon is no longer recognized. This means when starting SBO the logon window appears; then the user has to click Logon without entering anything, and afterwards the domain login window appears and they can log in by entering their credentials.

      So any ideas why the windows credentials are no longer retrieved?

      Any help would be greatly appreciated. SAP Support is already contacted, but no response so far.

      Best wishes

      Sebastian

      Guy Sujetzki
      Blog Post Author

      Hi Sebastian,

      Thanks for sharing this issue. Sorry to hear about this behavior drawback.
      Please let me know the incident number so I can follow up with Support accordingly to find out more about this case. As you wrote, and as also experienced in the earlier version FP 2208, when signing in with an AD IDP user the user should not be required to type his user credentials; instead SSO should take place and users should be signed in automatically (via Kerberos authentication).
      Let's further evaluate this over the incident.

      Best Regards
      Guy

      Toine Van den broek

      Hi Guy,

      We upgraded to FP2208 and tried to log in to SBO, but get the following error:

      We have enabled the Identity Provider "Active Directory Domain Services" and added a user in the System Landscape Directory with an active SBO account.

      Do you have any idea how we can solve this issue?

      Best Regards,
      Yvette

      Guy Sujetzki
      Blog Post Author

      Hi Yvette,

      Thanks for sharing this issue. Seems that there's some failing point in your environment that stops you from being able to SSO using Active Directory.

      It is hard to say what could be the cause without proper evaluation of the setting and your environment. It would be interesting to check whether you're able to sign in to SLD with an Active Directory user or you receive the same error as you do in the SAP Business One Client.

      In any case, I recommend reporting this incident to support for further investigation.
      Hope this gets resolved soon.

      Best Regards

      Guy

      Reza Rehman

      Hi Guys,

      Need Help!

      We upgraded SAP B1 HANA 10.00.170 to SAP B1 HANA 10.00.201 FP 2208 HF2. In the previous version we were using the Active Directory SSO functionality.

      When we click on the Login button it asks for Domain Windows credentials.

      In the previous version no credentials were requested.

      Guy Sujetzki
      Blog Post Author

      Hi Reza Rehman,

      Sorry to hear about your experience.
      I highly recommend contacting support; they should be able to provide you with a manual fix to get SSO working smoothly again under the latest Hotfix. I am working with Development to further evaluate this issue and provide a fix if needed in the next FP.

      Hope this helps,
      Best Regards
      Guy

      JB Bryant

      We just set up Azure as an identity provider and users have to log in twice: once to get into B1 and once to load the Fiori cockpit. I just opened a ticket with SAP support about this but am curious if this is normal. I also have the SAP identity provider enabled, and the same happens when I make a user there, bind it with the same B1 user and log in that way.

      Guy Sujetzki
      Blog Post Author

      Hi Bryant,

      Thanks for sharing this. It does not sound to me like normal behavior; there shouldn't be a duplicated sign-in process. Were you able to find a possible root cause for this together with Support?
      I remember experiencing such an issue in some 'internal' version; however, this was not yet under an officially released version as far as I'm aware. If this occurs under one of our recently released FPs we definitely need to look into this further together with Support and our Dev Teams.

      Best Regards
      Guy

      JB Bryant

      No. They said it's a bug and will be fixed in FP2305, which is very unfortunate if true. They also are very vague on the scenario details. This happens for me for a customer without OIDC too once I change the SLD and authentication service URLs to the FQDN for web client external access. For that customer, we can't use the web client for their sales reps even though we want to because it will cause double sign-in requests for local users. https://me.sap.com/notes/3314556

      Joshua Brodowsky

      We have the same issue.

      Super annoying.

      Joshua Brodowsky

      Hi Guy,

      in FP2208 HF2 some users get the following error message on the login screen or when SBO locks:

      "Cookie not found. Please make sure Cookies are enabled in your browser."

      Cookies are enabled in the system's default browser. Why is the SAP Business One Client login dependent on browser cookies in the first place?
      This new IAM creates more and more problems the more we use it.

      SBO locked itself. Then this came.

      Guy Sujetzki
      Blog Post Author

      Hi Joshua Brodowsky,

      Thanks for sharing this issue. It seems we may need further details to analyze this behavior; I would therefore appreciate it if you reported this as an incident and shared the incident # in the post.

      When working with IAM, the traditional Lock Screen threshold that existed earlier is no longer visible on screen or applicable. Please refer to https://help.sap.com/docs/SAP_BUSINESS_ONE_IAM/548d6202b2b6491b824a488cfc447343/eb57986eb4644d03a6c03c47ca7d88e8.html for further details.

      However, as a security measure, there is a default timeout defined for a Session.
      Once this time expires, the Session is no longer active and any round-trip call to the server should revoke access. In the screen capture you shared, it seems the message itself may not be optimal; we therefore need to further examine this over an incident. You also mentioned this message may occur during initial login, which clearly requires further analysis; I'd therefore appreciate your follow-up with an incident.

      Thanks!
      Best Regards
      Guy