Product Information
Identity and Authentication Management in SAP Business One
With 10.0 FP 2208, SAP Business One introduces the Identity and Authentication Management (IAM) service, allowing users to authenticate with their Identity Provider's (IDP) user when signing in to SAP Business One.
Connecting SAP Business One with an identity provider can help you manage user access securely without compromising the user experience during sign-in to SAP Business One.
What are the main benefits of using the IAM solution in SAP Business One?
- Single sign-on (SSO) experience.
- Reduced password fatigue: users do not need to remember an excessive number of passwords.
- Enhanced security during sign-in by using the IDP's multi-factor authentication, which reduces the potential attack surface.
- A central user management solution, allowing landscape administrators to set up IDP users (under one or more IDPs), bind them to SAP Business One company users, and manage users across all company databases in one place.
Identity Providers Management
IAM can be activated by configuring IDPs and users under the newly added 'Identity Providers' and 'Users' tabs in the SAP Business One System Landscape Directory (SLD) control center.
After upgrading to 10.0 FP 2208, the following identity providers appear by default under the 'Identity Providers' tab in SLD:
- SAP Business One Authentication Server – Built-in Authentication Service
- Active Directory Domain Services – Built-in Authentication Service
It is also possible to add an OIDC (OpenID Connect) IDP by clicking 'Add':
- OIDC (OpenID Connect)
Note: with 10.0 FP 2208, it is possible to register 'AD FS' or 'Azure Active Directory' as external identity providers in OIDC.
Identity Providers tab in SLD
By default, to preserve backward compatibility, IDPs are set to 'inactive' after the upgrade. There is no change to the sign-in experience for SAP Business One users unless an IDP is activated.
Before an IDP is activated, a few important prerequisites need to be fulfilled:
- There must be at least one corresponding Landscape Admin user configured under the 'Users' tab in SLD.
- IDP users have been created and bound to SAP Business One company users across all companies.
- The IDP property for add-ons has been adopted.
User Management
The newly added 'Users' tab in SLD acts as a 'one stop shop' for:
- Adding / removing IDP users.
- Binding IDP users to SAP Business One users across company databases.
- Central user management: change the password and activate / deactivate unified users (users created under the SAP Business One Authentication Server IDP), and assign users the Landscape Admin role.
Note: The licenses assigned to SAP Business One company users remain unchanged after enabling the identity and authentication management.
Sign-in to SAP Business One with an IDP
Watch the quick demo below on how to set up Microsoft Azure as an identity provider in SAP Business One and sign in to the SAP Business One Web client with an Azure account.
How-to-guide
As IAM has a noticeable footprint on the user's sign-in journey, in addition to behavioral changes in SAP Business One, it is highly recommended that you review the 'Identity and authentication management in SAP Business One' how-to guide to learn more about the following topics:
- IAM Setup and Configuration
- Recovery / Reset of IAM
- Behavior changes
- Supported SAP Business One Components in 10 FP 2208
- Extension adaptations
Roll out plan
The Identity and Authentication Management service is planned to be rolled out in a phased manner.
With 10.0 FP 2208, IAM is supported by the following SAP Business One products:
- SAP Business One
- SAP Business One, version for SAP HANA
Please note that with the 10.0 FP 2208 release, the IAM service is not supported by existing SAP Business One Cloud versions. It is planned to be supported in SAP Business One Cloud in later versions.
I hope this blog was useful to you as an introduction to SAP Business One's Identity and Authentication Management service. I'm looking forward to hearing about your experience working with IAM in SAP Business One; be sure to leave your feedback in the comments section below.
We are looking forward to the release of IDP support for SAP Business One Cloud and will start upgrading our single-tenant customers to use IDP with FP2208 soon.
Hi Guy,
Does the new IAM capability support principal propagation of a business user through to the Business One Service Layer during API calls?
Regards,
Mustafa.
Hi Mustafa,
Thanks for your follow-up question. I am not sure I fully comprehend the scenario you mentioned. For further evaluation, can you please provide a step-by-step description of the intended flow?
BTW - please also refer to the Extension chapter in the Identity and Authentication Management guide to review the required adaptations for DI API and Service Layer based Add-ons in order to consume IAM.
Best Regards
Guy
Hi Guy,
I think my scenario would be covered by the Web App flow for IAM as described in the guide you referred to. For context, the intended flow in my scenario is as follows:
Does that make sense?
Thanks,
Mustafa.
Hi Mustafa,
Thanks for clarifying, yes that seems to fall under the Web App flow for IAM.
BTW - Regarding the BTP application & choice of IDPs - Please note that in the 2208 FP we officially support Azure and ADFS as external IDPs via OIDC configuration. SAP IAS will be officially supported in future releases.
Best Regards
Guy
Hello,
Installing the new version works, and the new licence also imports well, but when trying to assign SAP user attributes the following error appears:
Connection to license server is not authenticated
I've activated the "SAP Business One" in the identity provider tab in SLD but failed to add local user.
Hi Tomer,
Thanks for sharing this finding. As we did not encounter this error in various IAM related configurations, I believe this error might be related to a different landscape issue.
For example:
2409083 Connection to License Server Is Not Authenticated
Please try to run a KB search. In case you're still unclear about this issue, please create an incident with a step-by-step reproduction description so we can investigate further.
Best Regards
Guy
Hi Guy,
We are currently building a C# Blazor WASM application hosted on ASP.NET Core and using Duende IdentityServer as our OIDC provider with the BFF (backend for frontend) framework. I want to know how to add Duende IdentityServer to the SAP Authentication Server (Keycloak) as an IdP.
Note
The link is a reference to the Duende IdentityServer implementation of BFF: https://docs.duendesoftware.com/identityserver/v6/bff/tokens/
Best regards,
Gideon Makinwa
Hi Gideon,
With 2208 FP release, we officially support MS Azure and ADFS as external IDPs for OIDC.
We are planning to expand the list of supported IDPs in the next releases.
For the time being, I strongly recommend raising your requirement to support Duende as an IDP via our Customer Influence site https://influence.sap.com/sap/ino/#/campaign/887
This can give us visibility into the overall market demand for the IDPs most used in our SAP Business One community.
Best Regards
Guy
Hi Guy,
My app is a Blazor WASM BFF (back-end for frontend) relying on Duende IdentityServer for user authentication and authorization; however, for remote API calls (using HttpClient methods to call the SAP B1 Service Layer) I want a machine-to-machine client credentials flow. In the SAP Keycloak SapB1 realm the Service Layer client is already created by SAP.
Here is my C# code in a console app to first get an access token and then add it to my HTTP call to the Service Layer APIs:
// Console app Program.cs (top-level statements, C# 9 or later)
using System;
using System.Net.Http;
using IdentityModel.Client;

// 1. Request a token from the Keycloak token endpoint with the client-credentials grant
var tokenClient = new HttpClient();
var token2 = await tokenClient.RequestClientCredentialsTokenAsync(new ClientCredentialsTokenRequest
{
    Address = "https://[Server]:40020/auth/realms/sapb1/protocol/openid-connect/token", // SAP Keycloak Authentication Server token endpoint
    ClientId = "b1-B1ServiceLayers-1713-main-sbo", // created by SAP already, default
    ClientSecret = "728adc6d-560e-4f80-82d3-452a939182ee" // generated already by SAP
});
// Stop here if the token endpoint rejected the request; the error fields say why
if (token2.IsError)
{
    Console.WriteLine($"Token request failed: {token2.Error} {token2.ErrorDescription}");
    return;
}

// 2. Call the Service Layer, sending the access token as a Bearer token
var apiClient = new HttpClient();
apiClient.SetBearerToken(token2.AccessToken);
var response = await apiClient.GetAsync("https://localhost:50000/b1s/v1/Items"); // B1 Service Layer Items endpoint
Console.WriteLine($"HTTP {(int)response.StatusCode}");
var data = await response.Content.ReadAsStringAsync();
Console.WriteLine(data);
This does not seem to work. What's the correct way to get an access token to call the Service Layer APIs?
Best regards,
Gideon Makinwa
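The exchange the code above attempts is the standard OAuth 2.0 client-credentials grant followed by a bearer-authenticated API call. As an added illustration that is not part of this thread, and not SAP's, Keycloak's or the commenter's code, the following Python models both sides of that exchange in-process: a token endpoint that checks the client credentials and issues a short-lived opaque token, a resource server that rejects calls with a missing, unknown or expired bearer token, and a client that checks the token response for an error before using it (the check the posted console app lacks). The client id, secret, endpoint path and item data are constructed stand-ins; whether the Service Layer accepts a token obtained this way under IAM is not settled on this page, and the how-to guide linked in the reply is the authoritative source for that.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode

# Constructed client registration: a stand-in for the confidential client the
# post shows being used against the Keycloak realm. These are not SAP's values.
REGISTERED_CLIENTS = {"example-servicelayer-client": "example-client-secret"}


class TokenEndpoint:
    """Minimal OAuth 2.0 token endpoint that supports only the client_credentials grant."""

    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self._issued = {}  # opaque token -> {"client_id": ..., "exp": ...}

    def post(self, form_body, now=None):
        """Handle a form-encoded POST; return (http_status, json_body)."""
        now = time.time() if now is None else now
        form = {k: v[0] for k, v in parse_qs(form_body).items()}
        if form.get("grant_type") != "client_credentials":
            return 400, {"error": "unsupported_grant_type"}
        expected = REGISTERED_CLIENTS.get(form.get("client_id", ""))
        # Constant-time compare; an unknown client_id fails the same way as a wrong secret.
        if expected is None or not hmac.compare_digest(expected, form.get("client_secret", "")):
            return 401, {"error": "invalid_client"}
        token = secrets.token_urlsafe(32)
        self._issued[token] = {"client_id": form["client_id"], "exp": now + self.ttl}
        return 200, {"access_token": token, "token_type": "Bearer", "expires_in": self.ttl}

    def validate(self, token, now=None):
        """Resource-server side check: return the token record, or None if unknown/expired."""
        now = time.time() if now is None else now
        rec = self._issued.get(token)
        if rec is None or rec["exp"] <= now:
            return None
        return rec


class ResourceServer:
    """Stand-in for a bearer-protected API like the Items endpoint in the post."""

    ITEMS = [{"ItemCode": "A001"}, {"ItemCode": "A002"}]  # constructed sample data

    def __init__(self, token_endpoint):
        self.token_endpoint = token_endpoint

    def get(self, path, headers, now=None):
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme != "Bearer" or not token or self.token_endpoint.validate(token, now) is None:
            return 401, {"error": "invalid_token"}
        if path != "/b1s/v1/Items":
            return 404, {"error": "not_found"}
        return 200, {"value": self.ITEMS}


def request_client_credentials_token(endpoint, client_id, client_secret, now=None):
    """Client side of the grant; the result mirrors IdentityModel's TokenResponse fields."""
    body = urlencode({"grant_type": "client_credentials",
                      "client_id": client_id, "client_secret": client_secret})
    status, payload = endpoint.post(body, now)
    if status != 200:
        return {"is_error": True, "error": payload.get("error"), "access_token": None}
    return {"is_error": False, "error": None, "access_token": payload["access_token"]}


def fetch_items(resource, token, now=None):
    """Call the protected endpoint with the bearer token; return (status, body)."""
    return resource.get("/b1s/v1/Items", {"Authorization": f"Bearer {token}"}, now)


def run_flow(client_id, client_secret, ttl=300, now=0.0, call_at=None):
    """Whole exchange: token request, then the API call. Returns (token_response, api_status)."""
    te = TokenEndpoint(ttl)
    rs = ResourceServer(te)
    tok = request_client_credentials_token(te, client_id, client_secret, now)
    if tok["is_error"]:
        return tok, None  # inspect the error instead of calling the API with a null token
    status, _ = fetch_items(rs, tok["access_token"], now if call_at is None else call_at)
    return tok, status


if __name__ == "__main__":
    print(run_flow("example-servicelayer-client", "example-client-secret"))
    print(run_flow("example-servicelayer-client", "wrong-secret"))
```

The `now` and `call_at` parameters exist so that token expiry can be exercised deterministically; in a real client the clock is the system clock and the token should be refreshed before `expires_in` elapses rather than cached indefinitely.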
Hi Gideon,
Thanks for the details.
In case you haven't done so before, please check out the extension chapter in our Identity and Authentication Management How-to Guide
https://help.sap.com/docs/SAP_BUSINESS_ONE_IAM/548d6202b2b6491b824a488cfc447343/07a8fc4acabe4ba5884bdff86347730c.html
Otherwise, I recommend reporting an incident to allow our Support experts to take a closer look.
Kind Regards
Guy
Hi, Guy!
Maybe it's already happening to others, but when I try to configure the external IP for the authentication service and SLD, it returns an error message that is inconsistent with what the FP 2208 administration manual says.
The option to map the SLD to the domain/external IP is no longer in the External Mapping tab; it is now configured in the Security tab.
Either the manual has an error or the service has an internal problem; these are very easy things to configure that are not working as we would expect.
Regards,
Erick
Hi Erick,
Thanks for sharing this scenario.
When defining an address for SLD and the Authentication service under the Security tab, there is a check in place that the defined addresses for SLD and the Authentication service are indeed reachable before the new values can be saved, to prevent a scenario where SLD is no longer reachable after the update.
Please make sure that the new addresses for SLD and the Authentication service are indeed reachable. If you still face an issue during the save operation, I recommend logging an incident with the relevant details, including the actual error message shown.
Best Regards
Guy
Hi, Guy
Hi Luis,
Thanks for addressing this behavior change.
With FP 2208, once Active Directory Domain Services is enabled (it will be automatically enabled in case you worked with SSO prior to the upgrade), the option to sign in with B1 user codes in parallel is no longer available. This is part of a security measure we took to comply with security standards for authorizing users during the sign-in process.
For your scenario:
https://help.sap.com/docs/SAP_BUSINESS_ONE_IAM/548d6202b2b6491b824a488cfc447343/76de0bbf52a24cfc997084f3a294abc2.html?q=User%20code
By doing so, users may log in with their corresponding domain user (SSO) or with their B1 IDP user (SAP B1 Authentication service).
Hope this helps
Best Regards
Guy
Hi Guy,
Does the new IAM solution support integration with OKTA?
Regards
Greg
Hi Greg,
With FP 2208 we officially support Azure AD and ADFS as external IDPs (via OIDC).
OKTA & additional IDPs are planned to be supported in future releases.
Best Regards
Guy
If you want to renew the certificate used for the Authentication Service, check out my blog post:
How to renew your SAP B1 Authentication Service Certificate | SAP Blogs
Hope it is helpful!
Best regards,
Joerg.