Product Information
Identity and Authentication Management in SAP Business One
With 10.0 FP 2208, SAP Business One introduces the Identity and Authentication Management (IAM) service, which allows users to sign in to SAP Business One with a user from their Identity Provider (IDP).
Connecting SAP Business One to an identity provider helps you manage user access securely without compromising the sign-in experience.
What are the main benefits of using IAM in SAP Business One?
- Single sign-on (SSO) experience.
- Reduced password fatigue: users no longer need to remember an excessive number of passwords.
- Stronger sign-in security by using the IDP's multi-factor authentication, which reduces the potential attack surface.
- A central user management solution, allowing landscape administrators to set up IDP users (under one or more IDPs), bind them to SAP Business One company users and manage users across all company databases in one place.
Identity Providers Management
IAM is activated by configuring IDPs and users under the newly added 'Identity Providers' and 'Users' tabs in the SAP Business One System Landscape Directory (SLD) control center.
After upgrading to 10.0 FP 2208, the following identity providers appear by default under the 'Identity Providers' tab in SLD:
- SAP Business One Authentication Server – Built-in Authentication Service
- Active Directory Domain Services – Built-in Authentication Service
It is also possible to add an OIDC (OpenID Connect) IDP by clicking 'Add':
- OIDC (OpenID Connect)
Note: with 10.0 FP 2208, 'AD FS' or 'Azure Active Directory' can be registered as external identity providers via OIDC.
Identity Providers tab in SLD
By default, to preserve backward compatibility, IDPs are set to 'inactive' after the upgrade. There is no change to the sign-in experience for SAP Business One users unless an IDP is activated.
Before an IDP is activated, a few important prerequisites must be fulfilled:
- At least one corresponding Landscape Admin user is configured under the 'Users' tab in SLD.
- IDP users are created and bound to SAP Business One company users across all companies.
- Add-ons have been adapted to the IDP property (see 'Extension adaptations' in the how-to guide).
User Management
The newly added 'Users' tab in SLD acts as a 'one stop shop' for:
- Adding / removing IDP users.
- Binding IDP users to SAP Business One users across company databases.
- Central user management: changing passwords and activating / deactivating unified users (users created under the SAP Business One Authentication Server IDP), and assigning users the Landscape Admin role.
Note: The licenses assigned to SAP Business One company users remain unchanged after enabling identity and authentication management.
Sign-in to SAP Business One with an IDP
Watch the quick demo below on how to set up Microsoft Azure as an identity provider in SAP Business One and sign in to the SAP Business One Web Client with an Azure account.
How-to-guide
As IAM has a noticeable footprint on the user's sign-in journey, in addition to behavioral changes in SAP Business One, it is highly recommended to review the 'Identity and authentication management in SAP Business One' how-to guide to learn more about the following topics:
- IAM Setup and Configuration
- Recovery / Reset of IAM
- Behavior changes
- Supported SAP Business One Components in 10 FP 2208
- Extension adaptations
Roll out plan
The Identity and Authentication Management service is planned to be rolled out in a phased manner.
With 10.0 FP 2208, IAM is supported by the following SAP Business One Products:
- SAP Business One
- SAP Business One, version for SAP HANA
Please note that with the 10.0 FP 2208 release, the IAM service is not supported by existing SAP Business One Cloud versions. It is planned to be supported in SAP Business One Cloud in later versions.
Hope this blog was useful to you as an introduction to SAP Business One's Identity and Authentication Management service. I'm looking forward to hearing about your experience working with IAM in SAP Business One, so be sure to leave your feedback in the comments section below.
We are looking forward to the release of IDP support for SAP Business One Cloud and will start upgrading our single tenant customers to use IDP with FP2208 soon
Hi Guy,
Does the new IAM capability support principal propagation of a business user through to the Business One Service Layer during API calls?
Regards,
Mustafa.
Hi Mustafa,
Thanks for your follow up question. I am not sure I fully comprehend the scenario you mentioned. For further evaluation, can you please provide a step by step description of the intended flow?
BTW - please also refer to the Extension chapter in the Identity and Authentication Management guide to review the required adaptations for DI API and Service Layer based Add-ons in order to consume IAM.
Best Regards
Guy
Hi Guy,
I think my scenario would be covered by the Web App flow for IAM as described in the guide you referred to. For context, the intended flow in my scenario is as follows:
Does that make sense?
Thanks,
Mustafa.
Hi Mustafa,
Thanks for clarifying, yes that seems to fall under the Web App flow for IAM.
BTW - Regarding BTP application & choice of IDPs - Please note that in 2208 FP we officially support Azure and ADFS as external IDPs via OIDC configuration. SAP IAS will be officially supported in future releases.
Best Regards
Guy
Hello,
Installing the new version works, and the new license also imports well, but when trying to assign SAP user attributes an error appears:
Connection to license server is not authenticated
I've activated "SAP Business One" in the Identity Providers tab in SLD but failed to add a local user.
Hi Tomer,
Thanks for sharing this finding. As we did not encounter this error in various IAM related configurations, I believe this error might be related to a different landscape issue.
for example
2409083 Connection to License Server Is Not Authenticated
Please try to run a KB search. In case you're still unclear about this issue, please create an incident with a step-by-step reproduction desc. so we could further investigate.
Best Regards
Guy
Hi Guy,
We are currently building a C# Blazor WASM application hosted on ASP.NET Core and using Duende IdentityServer as our OIDC provider with the BFF (backend for frontend) framework. I want to know how to add Duende IdentityServer to the SAP Authentication Server (Keycloak) as an IdP.
Note: the link refers to Duende IdentityServer's implementation of BFF: https://docs.duendesoftware.com/identityserver/v6/bff/tokens/
Best regards,
Gideon Makinwa
Hi Gideon,
With 2208 FP release, we officially support MS Azure and ADFS as external IDPs for OIDC.
We are planning to expand the list of supported IDPs in the next releases.
For the time being, i strongly recommend raising your requirement to support Duende as an IDP via our Customer influence site https://influence.sap.com/sap/ino/#/campaign/887
This can allow us visibility into overall market's demand for IDPs mostly used in our SAP Business One community.
Best Regards
Guy
Hi Guy,
My app is a Blazor WASM BFF (back-end for frontend) relying on Duende IdentityServer for user authentication and authorization; however, for remote API calls (using HttpClient methods to call the SAP B1 Service Layer) I want machine-to-machine communication with the client credentials flow. In the SAP Keycloak sapb1 realm the Service Layer client is already created by SAP.
Here is my C# code in a console app to first get an access token and then add it to my HTTP calls to the Service Layer APIs:
```csharp
// Console app Program.cs
using System;
using System.Net.Http;
using System.Threading.Tasks;
using IdentityModel.Client;

var tokenClient = new HttpClient();
var token2 = await tokenClient.RequestClientCredentialsTokenAsync(new ClientCredentialsTokenRequest
{
    Address = "https://[Server]:40020/auth/realms/sapb1/protocol/openid-connect/token", // SAP Keycloak Authentication Server token endpoint
    ClientId = "b1-B1ServiceLayers-1713-main-sbo", // created by SAP already, default
    ClientSecret = "728adc6d-560e-4f80-82d3-452a939182ee" // generated already by SAP
});

// Surface the token endpoint's error instead of sending a null AccessToken along.
if (token2.IsError)
{
    Console.WriteLine($"Token request failed: {token2.Error} {token2.ErrorDescription}");
    return;
}

var apiClient = new HttpClient();
apiClient.SetBearerToken(token2.AccessToken);
var response = await apiClient.GetAsync("https://localhost:50000/b1s/v1/Items"); // B1 Service Layer Items endpoint
Console.WriteLine((int)response.StatusCode);
var data = await response.Content.ReadAsStringAsync();
Console.WriteLine(data);
```
This does not seem to work. What is the correct way to get an access token to call the Service Layer APIs?
Best regards,
Gideon Makinwa
Hi Gideon,
Thanks for the details.
In case you haven't done so before, please check out the extension chapter in our Identity and Authentication Management How-to Guide
https://help.sap.com/docs/SAP_BUSINESS_ONE_IAM/548d6202b2b6491b824a488cfc447343/07a8fc4acabe4ba5884bdff86347730c.html
Otherwise, I recommend reporting an incident to allow our Support experts to take a closer look.
Kind Regards
Guy
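The token exchange Gideon's snippet attempts is the standard OAuth 2.0 client-credentials grant, and the first thing to check when it "seems not working" is what the token endpoint actually returned and whether the token carries the claims you expect. The following Python is an added example, not code from SAP or from this thread: it builds the same form-encoded request against a Keycloak realm token endpoint (the host, realm name and client id below are constructed placeholders patterned on the comment above), reads the client secret from an environment variable instead of source (a secret that has appeared in a public post should be treated as compromised and regenerated in Keycloak), and decodes the returned JWT to check issuer, authorized party (azp), token type and expiry before it is sent anywhere. The sample token is constructed locally with an HS256 throwaway key so the script runs offline; Keycloak itself signs with RS256, and signature verification remains the resource server's job. Whether the Service Layer accepts a bearer token from such a client is not documented on this page, so the example stops at the token.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from urllib.parse import urlencode
from urllib.request import Request

# Constructed placeholders patterned on the comment above; not real hosts or clients.
KEYCLOAK_BASE = "https://b1server.example:40020/auth"
REALM = "sapb1"
TOKEN_ENDPOINT = f"{KEYCLOAK_BASE}/realms/{REALM}/protocol/openid-connect/token"
ISSUER = f"{KEYCLOAK_BASE}/realms/{REALM}"  # Keycloak sets iss to the realm URL
CLIENT_ID = "my-integration-client"  # assumed confidential client registered in the realm
# Read the secret from the environment; never commit it to source or paste it in a post.
CLIENT_SECRET = os.environ.get("B1_CLIENT_SECRET", "constructed-placeholder-secret")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def build_client_credentials_request(token_endpoint: str, client_id: str,
                                     client_secret: str) -> Request:
    """OAuth 2.0 client-credentials grant (RFC 6749 section 4.4): the credentials travel
    in the form-encoded POST body, never in the URL where proxies and logs would keep them."""
    body = urlencode({"grant_type": "client_credentials",
                      "client_id": client_id,
                      "client_secret": client_secret}).encode()
    return Request(token_endpoint, data=body, method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded",
                            "Accept": "application/json"})


def decode_jwt(token: str):
    """Split a compact JWS into (header, claims, signature) without verifying it."""
    head, payload, sig = token.split(".")
    return (json.loads(_b64url_decode(head)), json.loads(_b64url_decode(payload)),
            _b64url_decode(sig))


def inspect_access_token(token: str, expected_issuer: str, expected_azp: str, now=None) -> list:
    """Client-side sanity checks on a freshly obtained token. They catch the usual
    misconfigurations (wrong realm URL, wrong client, clock skew, unsigned token) but
    do not replace signature verification, which the resource server performs against
    the realm's JWKS. Returns a list of problems; empty means the token looks usable."""
    now = time.time() if now is None else now
    header, claims, _ = decode_jwt(token)
    problems = []
    if str(header.get("alg", "none")).lower() == "none":
        problems.append("token is unsigned (alg=none)")
    if claims.get("iss") != expected_issuer:
        problems.append(f"issuer {claims.get('iss')!r} != {expected_issuer!r}")
    if claims.get("azp") != expected_azp:
        problems.append(f"authorized party {claims.get('azp')!r} != {expected_azp!r}")
    if claims.get("typ") != "Bearer":
        problems.append("not a Bearer access token (check the typ claim)")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token expired or has no exp claim")
    return problems


def make_sample_token(claims: dict, key: bytes) -> str:
    """Constructed test token. Keycloak signs with RS256; HS256 with a throwaway key is
    used here only so the example runs offline with a realistic three-part structure."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


if __name__ == "__main__":
    req = build_client_credentials_request(TOKEN_ENDPOINT, CLIENT_ID, CLIENT_SECRET)
    print(req.get_method(), req.full_url, req.data)
    sample = make_sample_token({"iss": ISSUER, "azp": CLIENT_ID, "typ": "Bearer",
                                "exp": int(time.time()) + 300}, b"throwaway-key")
    print("problems:", inspect_access_token(sample, ISSUER, CLIENT_ID))
```

When the real endpoint answers, print the full JSON body on a non-200 status first: Keycloak's `invalid_client` and `unauthorized_client` errors distinguish a wrong secret from a client that simply has the client-credentials (service account) grant switched off, and that is a realm configuration question rather than a code question.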
Hi Guy,
we think an authentication process without a popup login page is missing. In Keycloak, "Direct Access Grants Enabled" is disabled.
So in SAP B1 you have two types of licensed API users:
a) Indirect Access User -> the scenario is clear and working, thank you for that.
b) Indirect Access non-employee (API sync users) -> the scenario is not clear from checking your documentation here: https://help.sap.com/docs/SAP_BUSINESS_ONE_IAM/548d6202b2b6491b824a488cfc447343/07a8fc4acabe4ba5884bdff86347730c.html
Could you please give us partners the answers so we can go further in working with the Service Layer and API sync users for FP2208 and higher?
Hi Simone,
Regarding point b) - If I read your question correctly - technical users are supposed to continue working normally (without any change required) after upgrading to FP 2208. Please refer to the following section in the IAM documentation:
https://help.sap.com/docs/SAP_BUSINESS_ONE_IAM/548d6202b2b6491b824a488cfc447343/a22e86b800794aca934b82d73c48279b.html?q=technical
Hope this helps,
Kind Regards
Guy
Hi Guy,
thanks for the additional documentation, but unfortunately this is no answer to my question.
However, my question was aimed at "technical" users based on indirect access by instance / non-employee.
This could be a new user in B1 called, for example, "sync_job_for_facebook".
Is there a token with a longer lifetime / API token / API key?
Or is a POST /Login possible for this technical API user?
In the past, for B1 authentication and Windows authentication we did a simple POST Login.
Hi Simon Berleb
Nice meeting you in the Vienna Summit 🙂
Let me summarize main points we discussed in our meeting face to face for the benefit of anyone reading this in the community;
1. If you work with the Active Directory IDP in FP 2208, in order to connect to the Service Layer you need to use an SAP Business One Authentication service user (bound to the relevant user code).
2. The good news: in the upcoming FP (2305) we plan to support Active Directory users for SL connections, so no modification will be required as suggested in the point above.
3. In a future release we will also provide a solution for technical users to consume IAM.
hope I didn't miss anything,
Kind Regards
Guy
Hi, Guy!
Maybe it's already happening to others, but when I try to configure the external IP for the authentication service and SLD, it returns an error message that doesn't make sense with what the FP 2208 administration manual says.
The option to map the SLD with the domain/external IP is no longer in the External Mapping tab, it is now configured in the Security tab.
Either the manual has an error or the service has an internal problem; these are very easy things to configure that are not working as we would expect.
Regards,
Erick
Hi Erick,
Thanks for sharing this scenario.
When defining an address for SLD and the Authentication service under the Security tab, to prevent a scenario where SLD is no longer reachable after the update, there is a check in place that the defined addresses for SLD and the authentication service are indeed reachable, in order to successfully save the new values.
Please make sure that the new addresses for SLD and Authentication service are indeed reachable. If you still face an issue during save operation, I recommend logging an incident with relevant details incl. actual error message shown.
Best Regards
Guy
Hi Guy,
SLD redirection explained.
Best regards,
EG
Hi Erick,
Thank you very much for the link.
Very good video 🙂
Switching to English as my Spanish is somewhat rusty,
Thanks for sharing this video with the community, that's a very helpful resource making IAM further accessible to a wider audience. Now we need an English version as well. 🙂
Best Regards
Guy
Hi Guy,
Yeeei soon, sure 🙂
Best regards,
EG
Hi, Guy
Hi Luis,
Thanks for addressing this behavior change.
With FP 2208, once Active Directory Domain Services is enabled (it will be enabled automatically if you worked with SSO prior to the upgrade), the option to sign in with B1 user codes in parallel is no longer available. This is part of a security measure we took to comply with security standards for authorizing users during the sign-in process.
For your scenario:
https://help.sap.com/docs/SAP_BUSINESS_ONE_IAM/548d6202b2b6491b824a488cfc447343/76de0bbf52a24cfc997084f3a294abc2.html?q=User%20code
By doing so, users may log-in with their corresponding domain user (SSO) or with their B1 IDP user (SAP B1 Authentication service).
Hope this helps
Best Regards
Guy
We have user named "xdtw" with license "SAP Business One Indirect Access User"
In SLD we will add user as "SAP Business One Authentication Server"
SLD
What happens next? This new feature forces us to change the password at first sign-in.
How can we change the password for user XDTW when we cannot log in to SAP with this user?
Hi Bloch,
Would it be possible to remove "SAP Business One Indirect Access User" license assignment for the user code, only in order to sign-in with the IDP user "xdtw" to SAP Business One and change the Password? is that a viable option?
Best Regards
Guy
But how can we log in if there is no option to log in to SAP using a user name? When you have SSO configured there is no window to enter the user name, am I right?
Hi Lukasz
That's why I proposed in my initial reply in this comment thread to activate in parallel the SAP Business One authentication service and create a new SAP Business One Authentication service user (as you apparently did according to screen capture above) and bind the user to your SAP Business One relevant user code, e.g. xdtw.
Once you do that, you will be able to sign-in using the SAP Business One Authentication service user "xdtw" and during sign-in process it will be mapped to the xdtw user code sign-in.
Hope it is now clearer,
Best Regards
Guy
I have bound my user DOMAIN\LUKASZ.BLOCH to an SAP account, so when I start the SAP client there is no option to enter a username and password. So I am not able to change the password for the user I have created.
So the option is to log in to the OS as a user that IS NOT SET UP and bound, and then SAP will ask for a username and password during login.
Regards
Hi Lukasz
1. You have to make sure that your SAP Business One authentication service is activated (under the Identity Providers tab) in parallel to the Active Directory Domain Services IDP.
2. In case more than one IDP is activated in a landscape, you should be getting the following initial screen when opening SAP Business One:
3. In case you do not get this window, despite having 2 IDPs activated, and instead you are automatically signed in with your domain user - I suggest the following actions:
- temporarily disable your Active Directory authentication service.
- finish setting up the needed SAP Business One authentication IDP users and bindings to the relevant B1 user codes across all companies.
- sign in with the SAP Business One IDP users; you will be asked to set a new password as part of the initial sign-in process.
- reactivate the Active Directory authentication service.
Hope this helps
Best Regards
Guy
This does not work.....
As soon as the Active Directory authentication service is re-enabled, the ability to enter a user code disappears again.
I'm sorry but this is horrendous.
This either forces us to disable Single-Sign-On for our customers who use it or it induces license sharing on the customer side, as sometimes it's necessary to use SBO on another machine.
Hi Joshua,
Sorry to hear about your experience.
The ability to enter a user code when starting SAP Business One should still be available when Active Directory is enabled for users that do not have a corresponding Active Directory IDP user set for them in SLD.
In case there is a corresponding AD IDP user set in SLD, the user will be indeed automatically signed-in via Kerberos to provide a true SSO experience.
Best Regards
Guy
Hi Guy,
this is what our problem is. When I am working with a Windows user that is assigned to an SBO user, then there is no way of using another SBO user on that machine, unless the whole Windows user is changed.
And that is a huge step backwards.
Why don't just provide the option to uncheck "Single-Sign-On" to login with whatever SBO User you want. It was there before and should be there now.
Even when the checkmark is there, it still would be as you say "a true SSO experience". Just always leave the box checked by default.
I know this isn't on you personally but things like this really really frustrate me...
We have several customers who are already disappointed in all the huge bugs the last couple of releases brought with them (not to mention that FP2208 is unusable in German), and now I'm facing another issue where we have to explain to those customers that unfortunately they have to live with that limited functionality or that the users cannot use SSO anymore.
I really hope that you guys think about this and bring it back.
Regards,
Josh
Hi Joshua,
Thanks for providing the detailed scenario. I have a clear picture now of your specific setup and challenge with latest change introduced in FP 2208 in Sign-in scenarios.
-----------------------------------------------------------------------------------------------
Edited:
Another option you may consider, in order to also fulfill some decent level of security when using a shared computer, is to sign in to Windows with a user that is not bound to any B1 user code in SLD.
In this case, both users (user A bound to the B1 authentication service and user B bound to Active Directory Domain Services) can sign in by typing their user credentials.
-----------------------------------------------------------------------------------------------
While we continue to review this internally - I highly recommend sharing this request also over our SAP Business One Customer influence site https://influence.sap.com/sap/ino/#/campaign/887
to get SAP Business One community take on this.
Thanks again for sharing this.
Best Regards
Guy
Okay I will try it there.
But from our experience, once it goes to customer influence it's a dead end most of the time anyway...
Thanks.
Regards,
Josh
Hi Guy,
does the new IAM solution support integration with OKTA?
Regards
Greg
Hi Greg,
With FP 2208 we officially support Azure AD and ADFS as external IDPs (via OIDC).
OKTA & additional IDPs are planned to be supported in future releases.
Best Regards
Guy
If you want to renew the certificate used for the Authentication Service, check out my blog post:
How to renew your SAP B1 Authentication Service Certificate | SAP Blogs
Hope it is helpful!
Best regards,
Joerg.
Hi Joerg Aldinger
Thanks for taking the time to share this tip on certificate renewal, great Blog!
One short comment to this:
Certificate renewal and DB user configuration changes can be done in the same procedure as before - during Reconfiguration of SAP Business One
Here are some mockups from my SQL based environment:
Hope this clarifies how to handle certification refresh in SAP Business One landscape.
Kind Regards
Guy
Hi Guy, !
Thanks for sharing the info. I am of course aware that the reconfiguration is possible.
However, it is not well suited for automated execution, although it might actually be possible to execute it unattended.
When using Letsencrypt.org certificates they expire every 90 days (and renew every 60), so an admin would have to "constantly" run the reconfiguration to update the certificates.
Our renewal script goes into a cronjob (or scheduled task on Windows) and is executed weekly. Only when a renewed certificate is available is it actually substituted, and the service restarted.
Also, the reconfiguration is much more "invasive" in my opinion, since it revalidates and restarts every single service. The procedure I shared takes just seconds to execute, vs. at least 3 minutes, probably up to 10, when done using the reconfiguration wizard.
I hope this explains why we don't use the reconfiguration procedure for that purpose (unless a certificate password change or other "major" modification is actually required).
Best regards,
Joerg.
Hello,
we are facing issues with this new FP regarding the new SSO configuration that led us to a rollback when we tried to upgrade to FP 2208.
The current functioning is clearly not adapted to a relatively large-scale organization. What are you planning regarding this? We are currently stuck on FP 2202 for our upgrades because of this SSO issue, or we have to completely disable SSO and migrate to 2208.
+1
Exactly the same scenario here
Hi Victor,
Thanks for sharing your experience.
Let me try to clarify the existing behavior / status for both points you mentioned;
My comment: in the above configuration (both IDPs are set as active), if you are logged in to Windows with a domain user that does not exist under the 'Users' tab in SLD, when opening the SAP Business One client you will be prompted with the option to sign in with your SAP Business One Authentication IDP user.
In case you experience a different behaviour, please report an incident on component "SBO-BC-IAM" with a step-by-step description of the scenario and supporting screen captures of your settings under "Identity Providers" and "Users" tabs in SLD.
My comment: Thanks for this important feedback. We are aware of this temporary limitation which was introduced in FP 2208 (documented as well in the Identity and Authentication Management how-to guide under the behavior changes chapter) and can assure you that the option to bind users from the SAP Business One client will be re-introduced in upcoming versions.
Best Regards
Guy
Hi Guy,
Thank you for your answer
Concerning those two points :
Best Regards
Hi Victor,
Thanks for sharing info, let's continue the follow up with Support teams via the incident.
As for user binding from B1 client, I can confirm it is on the roadmap with high priority, cannot commit on ETA at this point.
Best Regards
Guy
Hi Guy,
Are you able to share information on how to connect to the Service Layer when the Active Directory Domain Services IDP is enabled? In my initial tests, the old method (https://hostname:50000/b1s/v1/Login) returns a 502 proxy error.
I was able to make an initial connection using https://hostname:50000/b1s/v1/ssob1s, but subsequent calls using the session ID provided returned a 401 error stating "Invalid session or session already timeout."
Any information or resources would be greatly appreciated.
Thanks,
Glenn
Hi Glenn,
Thanks for reaching out. Did you have a chance to review the required changes needed to adopt extensions for IDPs?
https://help.sap.com/docs/SAP_BUSINESS_ONE_IAM/548d6202b2b6491b824a488cfc447343/88dcdfca3a11492da0acdbbbcc07c770.html?q=ssob1s
Hopefully that does the trick.
🙂
Best Regards
Guy
Thanks Guy,
Connections to the Service Layer have never been considered to be extensions. Has this changed with FP2208 then? This will mean rewriting the authentication for any application connecting to the Service Layer if that's the case. Are there any examples available showing the connection method using Postman to clarify what needs to happen?
Cheers,
Glenn
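On the session handling in Glenn's report: a Service Layer login answers with a SessionId in the JSON body and also sets the B1SESSION (and ROUTEID) cookies, and it is those cookies, not the SessionId value, that later requests must carry; a client that drops them gets "Invalid session or session already timeout." The following Python is an added example, not SAP's code or Glenn's: a minimal client that keeps one cookie jar across calls, exercised against a constructed local stand-in that mimics that cookie behaviour for the classic /b1s/v1/Login and /b1s/v1/Items routes so it runs offline. The login body (CompanyDB, UserName, Password) follows the long-standing Service Layer contract; the request body for the ssob1s route mentioned above is not documented on this page, so that route is not modelled, and it is assumed that cookie handling after an ssob1s login is the same. The stand-in speaks plain HTTP, so the Secure attribute the real HTTPS service puts on the cookie is left off; the credentials, session id and item codes are constructed.

```python
import json
import threading
from http.cookiejar import CookieJar
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import HTTPCookieProcessor, Request, build_opener, urlopen

SESSION_ID = "constructed-session-0001"  # constructed; the real service issues a random id


class StubServiceLayer(BaseHTTPRequestHandler):
    """Constructed stand-in: /b1s/v1/Login issues the session cookies, every other
    route requires them. The real service is HTTPS and marks B1SESSION Secure."""

    def log_message(self, *args):  # keep the demo quiet
        pass

    def _json(self, status, body, cookies=()):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        for cookie in cookies:
            self.send_header("Set-Cookie", cookie)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_POST(self):
        body = json.loads(self.rfile.read(int(self.headers.get("Content-Length", 0))) or b"{}")
        if (self.path == "/b1s/v1/Login" and body.get("UserName") == "manager"
                and body.get("Password") == "constructed-pw"):
            self._json(200, {"SessionId": SESSION_ID, "SessionTimeout": 30},
                       [f"B1SESSION={SESSION_ID}; Path=/b1s; HttpOnly", "ROUTEID=.node1; Path=/b1s"])
        else:
            self._json(401, {"error": {"message": {"value": "Login failed"}}})

    def do_GET(self):
        if f"B1SESSION={SESSION_ID}" not in self.headers.get("Cookie", ""):
            # Same wording the real service uses for a missing or stale session cookie.
            self._json(401, {"error": {"code": 301,
                                       "message": {"value": "Invalid session or session already timeout."}}})
        elif self.path == "/b1s/v1/Items":
            self._json(200, {"value": [{"ItemCode": "A00001"}, {"ItemCode": "A00002"}]})
        else:
            self._json(404, {})


class ServiceLayerClient:
    """Logs in once; the cookie jar then carries B1SESSION/ROUTEID on every later call."""

    def __init__(self, base_url):
        self.base_url = base_url.rstrip("/")
        self.jar = CookieJar()
        self.opener = build_opener(HTTPCookieProcessor(self.jar))

    def _call(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = Request(self.base_url + path, data=data, method=method,
                      headers={"Content-Type": "application/json"})
        try:
            with self.opener.open(req, timeout=5) as resp:
                return resp.status, json.loads(resp.read() or b"{}")
        except HTTPError as err:
            return err.code, json.loads(err.read() or b"{}")

    def login(self, company_db, user_name, password):
        status, body = self._call("POST", "/b1s/v1/Login",
                                  {"CompanyDB": company_db, "UserName": user_name, "Password": password})
        if status != 200:
            raise PermissionError(body.get("error", {}).get("message", {}).get("value", "login failed"))
        return body["SessionId"]

    def get(self, path):
        return self._call("GET", path)

    def cookie_names(self):
        return sorted(cookie.name for cookie in self.jar)


def get_without_cookies(url):
    """The failure mode: a fresh request that does not carry the login cookies."""
    try:
        with urlopen(url, timeout=5) as resp:
            return resp.status, json.loads(resp.read())
    except HTTPError as err:
        return err.code, json.loads(err.read())


def demo():
    server = HTTPServer(("127.0.0.1", 0), StubServiceLayer)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        client = ServiceLayerClient(base)
        session_id = client.login("SBODEMOUS", "manager", "constructed-pw")
        items_status, items = client.get("/b1s/v1/Items")
        naive_status, naive_body = get_without_cookies(base + "/b1s/v1/Items")
        return {"session_id": session_id, "cookies": client.cookie_names(),
                "items_status": items_status, "item_count": len(items["value"]),
                "no_cookie_status": naive_status,
                "no_cookie_message": naive_body["error"]["message"]["value"]}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In Postman the equivalent is simply leaving the cookie jar enabled for the collection: the cookies from the Login response are attached automatically to the next request to the same host, which is why a working Postman flow can hide that a hand-written client is dropping them.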
Hi Guy,
Can we have an idea the priority of IAM for Cloud? Is it within a year? 2 years? SSO for public cloud comes up very often for us from a requirements perspective.
Thanks for all that you do!
Cheers
Jay
Hi Jay,
Thanks a lot for sharing this important question.
I can assure you that we're working on bringing IAM into SAP Business One Cloud (Cloud Control Center) as one of our higher priority items (cannot yet publicly commit on timelines).
Let me share some insights on this;
Looking at current customer journey when working on SAP Business One in Cloud (Hosted using Cloud Control Center) we need to consider the dependency we have on RDP in order to consume SAP Business One Desktop Client, using Active Directory Domain users.
This therefore requires a different approach compared with IAM featured implementation in FP 2208 to make sure we offer a consumable solution that cloud Providers can utilize for this use case and truly benefit from IAM capabilities in this context.
For Web Client and other web interfaces hosted on Cloud - a similar approach to FP's 2208 IAM can be taken.
Hope this provides some insights into our planned IAM implementation for Cloud.
Kind Regards
Guy
We are unable to use the reconfiguration wizard to renew the certificate. We are unable to complete the process of renewing the security certificate. When using the Components Wizard it gets to the Service Databases and the options are Keep Current Scheme which is the default - B1AS. After clicking next it says Scheme [B1AS] is not a valid Authentication Service Schema. There is an OK button and this returns to the Wizard and we cannot continue. We have opened a case with SAP but no progress yet.
With this new functioning, using the SLD, there's no validity check anymore when adding new users (before, when we added a user from Active Directory, the system checked the existence of that user). Is there a way to control the mappings done in the SLD?
Furthermore, as we strive to maintain a regular inventory of our users and license assignments, we would like to be able to make regular check-ups of the users mapped in the SLD to verify them.
Is there a way to retrieve the data in the "Users" tab of the SLD?
Thanks
Hi David,
Thanks for your comments and insights;
I understand you are looking for an online verification (currently does not exist as of FP 2208) of user's existence as a valid Domain User in the following scenarios:
1. Adding a new AD based IDP User in SLD.
2. A routine check for existing AD based IDP users that are already registered in SLD.
In addition, from your last point, I understand you would like to have some traceability in SLD (under users) to evaluate whether your B1 licensed user codes are still active.
It would be interesting from your (or community's) point of view how you would envision - what defines an Active user.
e.g. User that signed in in last X days ?
I fully agree that all 3 points make sense and bring noticeable value to Lifecycle management of SAP Business One.
I would kindly suggest to raise these points via CIS (Customer Influence) https://influence.sap.com/sap/ino/#/campaign/887 Let's see how our community votes on this idea.
Thanks once again for sharing these great ideas!
Best Regards
Guy
HI, Guy.
When I was referring to an "active" account, I was talking about its status in Active Directory.
As of now, a user that no longer exists in Active Directory still exists in the SLD configuration. Which means that as time passes, we might have serious issues of SLD records being polluted by accounts that no longer exist.
This behaviour is harder to treat for 2 main reasons :
Consequently, this makes our user auditing processes harder than it already was...
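David's audit question can be handled outside SLD by reconciling two exports offline. The following Python is an added example, not SAP's code: it assumes an AD export produced with PowerShell's Get-ADUser (for example `Get-ADUser -Filter * | Select-Object SamAccountName,UserPrincipalName,Enabled | Export-Csv ad_users.csv -NoTypeInformation`) and an export of the SLD 'Users' tab with the columns idp, idp_user, user_code and company_db; the page documents no SLD export, so that layout is an assumption, and the sample rows are constructed. Each AD-bound SLD entry is flagged as an orphan (no such account in AD) or as disabled (the account exists but Enabled is false); entries under the SAP Business One Authentication Server IDP are skipped because AD is not their source of truth. Domain and UPN forms of the login are normalised to the account name, which assumes a single domain.

```python
import csv
import io
from collections import Counter
from dataclasses import dataclass

# Constructed sample exports. AD_EXPORT mimics Get-ADUser | Export-Csv output; SLD_EXPORT
# is an assumed layout for the SLD 'Users' tab (the page documents no export format).
AD_EXPORT = """SamAccountName,UserPrincipalName,Enabled
lukasz.bloch,lukasz.bloch@corp.example,True
erick.g,erick.g@corp.example,True
old.contractor,old.contractor@corp.example,False
"""

SLD_EXPORT = """idp,idp_user,user_code,company_db
Active Directory Domain Services,CORP\\lukasz.bloch,xdtw,SBODEMO_EU
Active Directory Domain Services,erick.g@corp.example,erick,SBODEMO_EU
Active Directory Domain Services,CORP\\old.contractor,sync01,SBODEMO_EU
Active Directory Domain Services,CORP\\ghost.user,ghost,SBODEMO_US
SAP Business One Authentication Server,manager,manager,SBODEMO_EU
"""

AD_IDP = "Active Directory Domain Services"


@dataclass(frozen=True)
class Finding:
    severity: str  # "orphan" or "disabled"
    idp_user: str
    user_code: str
    company_db: str
    reason: str


def normalize_ad_login(login: str) -> str:
    """Reduce DOMAIN\\user, user@domain or a bare user to the lower-cased account name.
    Assumes a single domain; in a multi-domain forest keep the domain part as well."""
    if "\\" in login:
        login = login.split("\\", 1)[1]
    elif "@" in login:
        login = login.split("@", 1)[0]
    return login.strip().lower()


def parse_ad_export(text: str) -> dict:
    """Map account name -> enabled flag from a Get-ADUser CSV export."""
    return {row["SamAccountName"].strip().lower(): row["Enabled"].strip().lower() == "true"
            for row in csv.DictReader(io.StringIO(text))}


def reconcile(sld_csv: str, ad_csv: str) -> list:
    ad_accounts = parse_ad_export(ad_csv)
    findings = []
    for row in csv.DictReader(io.StringIO(sld_csv)):
        if row["idp"] != AD_IDP:
            continue  # B1 Authentication Server users are not sourced from AD
        account = normalize_ad_login(row["idp_user"])
        if account not in ad_accounts:
            findings.append(Finding("orphan", row["idp_user"], row["user_code"], row["company_db"],
                                    "no matching account in the AD export; remove the binding"))
        elif not ad_accounts[account]:
            findings.append(Finding("disabled", row["idp_user"], row["user_code"], row["company_db"],
                                    "AD account is disabled but the SLD binding is still present"))
    return findings


def summary(findings) -> dict:
    return dict(Counter(f.severity for f in findings))


def report_csv(findings) -> str:
    """Audit-trail output in the same CSV shape as the inputs."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["severity", "idp_user", "user_code", "company_db", "reason"])
    for f in findings:
        writer.writerow([f.severity, f.idp_user, f.user_code, f.company_db, f.reason])
    return out.getvalue()


if __name__ == "__main__":
    print(report_csv(reconcile(SLD_EXPORT, AD_EXPORT)))
```

Run it from the same scheduled job that refreshes the AD export so the report tracks leavers promptly; a disabled finding is the case to act on first, since the binding keeps the B1 user code reachable by anyone who can re-enable or recreate that account.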
Hi Guy,
we upgraded our customer to 2208 HF1 and afterwards the Windows logon is no longer recognized. This means that when starting SBO the logon window appears; then the user has to click Logon without entering anything, and afterwards the domain login window appears and they can log in by entering their credentials.
So any ideas why the Windows credentials are no longer retrieved?
Any help would be greatly appreciated. SAP Support has already been contacted, but no response so far.
Best wishes
Sebastian
Hi Sebastian,
Thanks for sharing this issue. Sorry to hear about this behavior drawback.
Please let me know the incident number so I can follow up with Support accordingly to find out more about this case. As you wrote and also experienced in earlier version FP 2208, when signing in with an AD IDP user, the user should not be required to type his user credentials, instead SSO should take place - users should be signed in automatically (via Kerberos authentication).
Let's further evaluate this over the incident.
Best Regards
Guy
Hi Guy,
We upgraded to FP2208 and try to login in in SBO, but get the following error:
We have enabled the Identity Provider "Active Directory Domain Services" and added a user in the System Landscape Directory with an active SBO account.
Best Regards,
Yvette
Hi Yvette,
Thanks for sharing this issue. Seems that there's some failing point in your environment that stops you from being able to SSO using Active Directory.
It is hard to say what could be the cause without proper evaluation of the setting and your environment. It would be interesting to check whether you're able to sign in to SLD with an Active Directory user or you receive the same error as you do in the SAP Business One Client.
In any case, I recommend to report this incident to support for further investigation.
Hope this gets resolved soon.
Best Regards
Guy
Hi Guys,
Need Help!
We upgraded SAP B1 HANA 10.00.170 to SAP B1 HANA 10.00.201 FP 2208 HF2. In the previous version we were using the Active Directory SSO functionality.
When we click on the Login button it asks for domain Windows credentials.
In the previous version no credentials were requested.
Hi Reza Rehman
Sorry to hear about your experience.
I highly recommend contacting support, they should be able to provide you with a manual fix to get the SSO working smooth again under the latest Hotfix. I am working with Development to further evaluate this issue and provide a fix if needed in the next FP.
Hope this helps,
Best Regards
Guy
We just set up Azure as an identity provider and users have to log in twice - once to get into B1 and once to load the Fiori cockpit. I just opened a ticket with SAP support about this but am curious if this is normal. I also have the SAP identity provider enabled, and the same happens when I make a user there, bind it to the same B1 user and log in that way.
Hi Bryant,
Thanks for sharing this. Does not sound to me like a normal behavior, there shouldn't be a duplicated Sign-in process. Were you able to find a possible root cause for this together with Support?
I remember experiencing such issue in some 'internal' version, however this was not yet under an officially released version as far as I'm aware. if this occurs under one of our recently released FPs we definitely need to look into this further together with Support and our Dev Teams.
Best Regards
Guy
No. They said it's a bug and will be fixed in FP2305, which is very unfortunate if true. They also are very vague on the scenario details. This happens for me for a customer without OIDC too once I change the SLD and authentication service URLs to the FQDN for web client external access. For that customer, we can't use the web client for their sales reps even though we want to because it will cause double sign-in requests for local users. https://me.sap.com/notes/3314556
We have the same issue.
Super annoying.
Hi Guy,
in FP2208 HF2 some users get the following error message on the login screen or when SBO locks:
"Cookie not found. Please make sure Cookies are enabled in your browser."
Cookies are enabled in the systems default browser. Why is the SAP Business One Client Login dependent on browser cookies in the first place?
This new IAM creates more and more problems the more we use it.
SBO locked itself. Then this came.
Hi Joshua Brodowsky
Thanks for sharing this issue. It seems we need further details to analyze this behavior; I would therefore appreciate it if you reported this as an incident and shared the incident # in the post.
When working with IAM, the traditional lock screen threshold that existed earlier is no longer visible on screen or applicable. Please refer to https://help.sap.com/docs/SAP_BUSINESS_ONE_IAM/548d6202b2b6491b824a488cfc447343/eb57986eb4644d03a6c03c47ca7d88e8.html for further details.
However, as a security measure, there is a default timeout defined for a Session.
Once this time expires, the session is no longer active and any round trip to the server should revoke access. In the screen capture you shared, it seems the message itself may not be optimal; we therefore need to examine this further over an incident. You also mentioned this message may occur during initial login, which clearly requires further analysis, so I'd appreciate your follow-up with an incident.
Thanks!
Best Regards
Guy