SAP S/4 ABAP SAML2 SSO with Cloud Identity Services (BTP)

In this blog I explain how to setup Single Sign On for a (On Premise) S/4 HANA system with SAP Cloud Identity Services on BTP using SAML2. You can use this SSO for your Fiori Apps and other http services, e.g. WebGUI, not for SAP GUI.

We use Azure AD as a Corporate Identity provider in Cloud Identity Services. There are already some good blogs about this, e.g. Connecting SAP IAS as a proxy to Azure AD using OpenID Connect.

In our case we only do Single Sign On. The users in our system are already there and will not be created through Identity Propagation.

1. Get the SAML Metadata of your Cloud Identity Services Tenant
2. Get the “Signing Certificate”In the same view you have to display the “Signing Certifcate”. Please copy the “Certificate Information” String and put it in a text file, e.g. my_tenant_signing_cert.cerIt would really be nice if SAP could deliver a “Get public key” button to get the needed information.
3. Export the public key of the “Signing Certificate”, open the text file (double-click in Windows) and export the public key of the certificate (choose the first option “DER coded…”), filename e.g. public_key_my_tenant_signing_cert.cer.
4. Enable the ABAP Platform as an SAML Service Provider

   Call Transaction “SAML2” in your S/4 system

   

   As a provider name choose what you want or system and client name e.g. SYS_100

   
   You should choose Selection Mode Automatic if you only have one Identity Provider connected, because you do not want to choose an Identity Provider every time.

   

   Now you can download your Metadata of your SAML2 configuration in the S/4 client.

   

5. Create an “Application” for your S/4 HANA System

   

   Now you have to upload the metadata.xml of your S/4 configuration to your SAML2 configuration in BTP Cloud Identity Service.

   

   Please set all switches to ON.
   
   In the section “Subject Name Identifier” please choose Email because we user Email for authentication.
   
   In the section “Conditional Authentification” pleas choose your Coporate Identity provider
   

    

6. Please continue in your SAML2 configuration in S/4 and add your Identity Provider. You do this by uploading the XML-file you saved from your “Tenant Settings” in Cloud Identity Service.

   

   For Metadata Verification please upload your public key.

   
   Please enter an Alias for your provider which is shown when you should choose an Identity Provider. In our case this is not necessary because we only have one Identity Provider and switched on automatic selection before.

   
   For better security choose SHA-256 instead of SHA-1

   

   Please enter the “Supported NameID Formats” with the “Add” button. Choose “Uncpecified” and as “User ID Mapping Mode” Email. Please disable “Allow Identity Provider to create NameID” because in our case the users have you be already created in the system and we do not want that users without roles get created.

   

   Please enable your “Trusted Provider”.

   

For troubleshooting please follow the guided answers under SAML 2.0 configuration or SAML 2.0 authentication does not work as expected. How can I troubleshoot it?