Ipsita Behera

SSO of S/4HANA and Okta with SAP IAS as Proxy

Setting up SSO for an S/4HANA RISE system across its various connections can be a daunting task in the initial phase of a project. The best practices for SSO in an S/4HANA RISE environment can be found in this blog post, which describes the various SSO approaches available for S/4HANA RISE (Private Edition).

In this blog we have consolidated various SAP knowledge resources and lessons learnt while connecting S/4HANA (RISE Private Edition) to Okta using SAP IAS as a proxy.

1. System Considerations

  • Backend is S/4HANA RISE Private Edition
  • SAP Cloud Identity Services (SAP IAS/IPS)
  • SAP BTP (in case auto-provisioning of users from S/4HANA to SAP IAS is required)
  • Okta

2. Scenario

  • The use case below is IdP-initiated SSO for SAP Fiori using Okta

3. Process to Integrate S/4HANA with SAP IAS

The whitepaper describing the process is available at https://wiki.scn.sap.com/wiki/x/7YawHQ

A few considerations while performing the setup:

  • While creating the application in IAS, upload the S/4HANA metadata using the Web Dispatcher/load balancer URL if these are in place as per the architecture.
  • Add the Fiori URL as one of the Assertion Consumer Service Endpoints in the IAS tenant (its index number is used later in the Okta configuration).

Example: https://<Load Balancer URL>/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html?sap-client=<Client Number>&sap-language=EN


  • The Subject Name Identifier in IAS for the S/4HANA application should be set to email if Okta also uses email to identify the user.

  • The IAS metadata can be uploaded into S/4HANA instead of creating the trusted provider manually.
  • A few parameters to verify in the S/4HANA SAML2 configuration:

In Local Provider –> Service Provider Setting


In Trusted providers –> Identity Federation

User ID Mapping Mode is set to email if Okta uses email to verify the identity of the user.


In Trusted provider –>  Signature and Encryption


  • If an alias is used for the Fiori URL, change the logon method for the alias in SICF as well. In our case we were using /sap/bc/ui5_ui5/ui2/ushell/shells/abap as the alias for /default_host/sap/bc/ui2/flp.

  • For the SICF services, SAML should also be the preferred method under the Logon Procedure List.

4. Connect Okta to Identity Authentication

The blog post that can be followed for the initial setup is https://blogs.sap.com/2020/07/10/connect-okta-to-sap-cloud-platform-identity-authentication-service/

  • As our use case is IdP-initiated, the following URLs can be used on the Okta side:

Single Sign-on URL: https://<XXXXXX>.accounts.ondemand.com/saml2/idp/acs/<XXXXXX>.accounts.ondemand.com?sp=<ProviderName>&index=1

Requestable SSO URLs: https://<XXXXXX>.accounts.ondemand.com/saml2/idp/acs/<XXXXXX>.accounts.ondemand.com

Recipient URL and Destination URL:

https://<XXXXXX>.accounts.ondemand.com/saml2/idp/acs/<XXXXXX>.accounts.ondemand.com?sp=<ProviderName>&index=1

Audience Restriction: https://<XXXXXX>.accounts.ondemand.com


https://<XXXXXX>.accounts.ondemand.com : Tenant URL of SAP IAS (can be found under tenant settings –> identity provider settings –> Name)

sp=<ProviderName> : The provider name from the SAML2 configuration in S/4HANA, which also appears under the application in IAS

index=1 : The index number of the Fiori URL in the Assertion Consumer Service Endpoints section of the application in IAS
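As an added example (not code from the original post), the following Python check parses a constructed SAML response and confirms that its Destination, Recipient, Audience and NameID format agree with the IAS values described above. The tenant name `mytenant`, the provider name `S4HPRD` and the sample response are placeholders; signature validation is out of scope here.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlparse
from xml.sax.saxutils import escape

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}

# Placeholders (constructed): IAS tenant URL and the S/4HANA provider name from SAML2 config.
TENANT = "https://mytenant.accounts.ondemand.com"
ACS = TENANT + "/saml2/idp/acs/mytenant.accounts.ondemand.com?sp=S4HPRD&index=1"

# Constructed, unsigned sample of what Okta should send to IAS for this scenario.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    Destination="{escape(ACS)}">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{escape(ACS)}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{TENANT}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text, tenant, acs):
    """Return a list of mismatches between the response and the expected IAS values."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != acs:
        problems.append("Destination does not match the ACS URL")
    assertion = root.find("saml:Assertion", NS)
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != tenant:
        # Symptom described in 2693814 (additional resources): audience must be the IAS tenant URL.
        problems.append(f"Audience {audience!r} does not match the tenant URL")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs:
        problems.append("Recipient does not match the ACS URL")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.get("Format", "").endswith(":emailAddress"):
        problems.append("NameID is not in email format (IAS Subject Name Identifier = email)")
    query = parse_qs(urlparse(acs).query)
    if "sp" not in query or "index" not in query:
        problems.append("ACS URL is missing the sp= or index= parameter")
    return problems
```

Running `check_response(SAMPLE_RESPONSE, TENANT, ACS)` returns an empty list for the matching sample; a wrong tenant URL reproduces the audience mismatch listed in the additional resources.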


5. Make Okta the Corporate IdP for S/4HANA in IAS

  • Go to SAP IAS –> Applications –> click on the application name –> Conditional Authentication

With this setup, you should be able to create a tile in Okta that provides SSO to S/4HANA web-based URLs such as Fiori.

In an upcoming blog post, we will share how to auto-provision users from S/4HANA to SAP Cloud Identity Services.


Additional resources:

  • 2689013: How to configure SAML2 with SAP Fiori Launchpad and Web Dispatcher
  • 2943651: How to configure Okta as corporate identity provider with Identity Authentication
  • 2693814: Service Provider does not match specified audience in the SAML2Assertion
  • 2332686: SAML2.0 No RelayState mapping found for RelayState value
