Identity and Authentication Management in SAP Business One
With 10.0 FP 2208, SAP Business One introduces the Identity and Authentication Management (IAM) service, allowing users to authenticate with their Identity Provider (IDP) user when signing in to SAP Business One.
Connecting SAP Business One with an identity provider can help you manage user access securely without compromising the user experience during sign-in to SAP Business One.
What are the main benefits from using IAM solution in SAP Business One?
- Single sign-on (SSO) experience.
- Reduced password fatigue – users do not need to remember an excessive number of passwords.
- Enhanced security during sign-in by using the IDP’s multi-factor authentication, and a reduced potential attack surface.
- A central user management solution, allowing landscape administrators to set up IDP users (under one or more IDPs), bind them to SAP Business One company users and manage users from across all company databases in one place.
Identity Providers Management
IAM can be activated by configuring IDPs and users under the newly added ‘Identity Providers’ and ‘Users’ tabs in the SAP Business One System Landscape Directory (SLD) control center.
After upgrading to 10.0 FP 2208, the following identity providers appear by default under the ‘Identity Provider’ tab in SLD:
- SAP Business One Authentication Server – Built-in Authentication Service
- Active Directory Domain Services – Built-in Authentication Service
It is also possible to add an OIDC (OpenID Connect) IDP by clicking ‘Add’:
- OIDC (OpenID Connect)
Note: With 10.0 FP 2208, it is possible to register ‘AD FS‘ or ‘Azure Active Directory‘ as external identity providers in OIDC.
By default, to preserve backward compatibility, IDPs are set to ‘inactive‘ after upgrade. There is no change to the sign-in experience for SAP Business One users unless an IDP is activated.
Before an IDP is activated, there are a few important prerequisites that need to be fulfilled:
- There must be at least one corresponding Landscape Admin user configured under the ‘Users’ tab in SLD.
- IDP users have been created and bound to SAP Business One company users across all companies.
- The IDP property for add-ons has been adopted.
The newly added ‘Users’ tab in SLD acts as a ‘one stop shop’ for:
- Adding / removing IDP users.
- Binding IDP users to SAP Business One users across company databases.
- Central user management: changing passwords and activating / deactivating unified users (users created under the SAP Business One Authentication Server IDP), and assigning users the Landscape Admin role.
Note: The licenses assigned to SAP Business One company users remain unchanged after enabling the identity and authentication management.
Sign-in to SAP Business One with an IDP
Watch the quick demo below on how to set up Microsoft Azure as an identity provider in SAP Business One and sign in to the SAP Business One Web client with an Azure account.
As IAM has a noticeable footprint on the user’s sign-in journey, in addition to behavioral changes in SAP Business One, it is highly recommended to review the ‘Identity and authentication management in SAP Business One‘ how-to guide to learn more about the following topics:
- IAM Setup and Configuration
- Recovery / Reset of IAM
- Behavior changes
- Supported SAP Business One Components in 10 FP 2208
- Extension adaptations
Roll out plan
The Identity and Authentication Management service is planned to be rolled out in a phased manner.
With 10.0 FP 2208, IAM is supported by the following SAP Business One Products:
- SAP Business One
- SAP Business One, version for SAP HANA
Please note that with 10.0 FP release, the IAM service is not supported by existing SAP Business One Cloud versions. It is planned to be supported in SAP Business One Cloud in later versions.
Hope this blog was useful to you as an introduction to SAP Business One’s Identification and Authentication Management service. I’m looking forward to hearing about your experience from working with IAM in SAP Business One; be sure to leave your feedback in the comments section below.