Single Sign-On (SSO), Service Provider (SP), Identity Provider (IdP) and Identity Provider Proxy (IdP Proxy)
Single Sign-On (SSO) is an authentication and authorization process that allows a User to access multiple enterprise applications with a single set of login credentials (username and password). The Service Provider (SP) hosts a service (e.g. SAP Ariba Buying) that the User wants to access. This Service Provider (SP) trusts the Identity Provider (IdP) (e.g. SAP IAS or Microsoft Entra ID), which controls the User access. SSO supports various protocols such as Security Assertion Markup Language (SAML) or OpenID Connect.
Identity Provider (IdP)
- System responsible for User authentication
- Uniquely identifies the User
- Contains User Store with additional User Attributes (name, mail, group membership, ...)
- Contains User Credentials (username/password)
- Issues additional User Attributes (name, mail, group membership, ...)
- Trusts one or multiple Service Providers (SPs)
Service Provider (SP)
- System delegating User authentication to Identity Provider (IdP)
- Relies on the User identity and User Attributes from Identity Provider (IdP)
- Trusts single Identity Provider (IdP)
SAP Cloud Identity Services is the SAP product for authentication and Single Sign-On (SSO) in the cloud, also referred to as SAP IAS (Identity Authentication Service).
To be compliant with the latest SAP Ariba "Next Generation" solutions (e.g. SAP Ariba Category Management, Supplier Profile Summary in SAP Ariba Supplier Lifecycle and Performance, ...) it is mandatory to have the SAP Ariba solutions' Single Sign-On (SSO) set up with SAP IAS (Test or Production).
SAP IAS can be set up as Identity Provider (IdP) or configured with Identity Federation to serve as Identity Provider Proxy (IdP Proxy) to another Identity Provider (IdP) -> Customer Managed IdP (e.g. Microsoft Entra ID IdP).
Identity Provider (IdP) - Authentication Scenario
This authentication scenario assumes the User Store and User Credentials persistence in Identity Provider (IdP) - SAP IAS. Thus the user information needs to be available, activated, with generated credentials in Identity Provider (IdP) - SAP IAS.
To establish the SSO:
- Metadata needs to be obtained from Service Provider (SP) - SAP Ariba
- Application representing the Service Provider (SP) - SAP Ariba needs to be created in Identity Provider (IdP) - SAP IAS using the metadata retrieved from Service Provider (SP) - SAP Ariba
- Metadata needs to be obtained from Identity Provider (IdP) - SAP IAS
- SSO needs to be configured in Service Provider (SP) - SAP Ariba using the metadata retrieved from Identity Provider (IdP) - SAP IAS
SSO execution (IdP initiated):
- User accesses Service Provider (SP) - SAP Ariba URL
- Service Provider (SP) - SAP Ariba will forward the authentication to Identity Provider (IdP) - SAP IAS
- Identity Provider (IdP) - SAP IAS login window asking for User credentials is shown
- User is authenticated by Identity Provider (IdP) - SAP IAS based on the entered credentials, and the response with User Identifier and User Attributes is sent to Service Provider (SP) - SAP Ariba
For configuration details see:
Identity Federation with Identity Provider Proxy (IdP Proxy) - Authentication Scenario
Identity Provider Proxy (IdP Proxy)
- System responsible for User authentication, with conditional Identity Federation to Identity Provider (IdP)
- Uniquely Identifies the User or delegates it to Identity Provider (IdP)
- Can contain User Store and additional User Attributes or delegates it to Identity Provider (IdP)
- Can contain User Credentials or delegates it to Identity Provider (IdP)
- Issues additional User Attributes (name, mail, group membership, ...) or delegates it to Identity Provider (IdP)
- Trusts one or multiple Service Providers (SPs)
- Can trust one or more Identity Providers (IdPs)
Note: SAP IAS shall be configured as Identity Provider (IdP) also in the Identity Federation authentication scenario, because Identity Federation as Identity Provider Proxy (IdP Proxy) is an extension of the Identity Provider (IdP) configuration itself.
This authentication scenario assumes that User Credentials are persisted outside SAP IAS in the Customer Managed IdP (e.g. Microsoft Entra ID IdP). The User Store (containing User Attributes) can be in SAP IAS or outside SAP IAS in the Customer Managed IdP (e.g. Microsoft Entra ID IdP). No User Credentials need to be maintained in SAP IAS, as the authentication is forwarded outside SAP IAS to the Customer Managed IdP (e.g. Microsoft Entra ID IdP).
Note: In case a User Store is required in SAP IAS (e.g. for SAP Ariba SAP Task Center or SAP IAS Group membership access restriction), the users need to be imported into SAP IAS. One possible way is an automated solution via Identity Provisioning (SAP IPS - SAP Identity Provisioning Service).
To establish the SSO with Identity Provider Proxy (IdP Proxy):
- Steps from the Identity Provider (IdP) - Authentication Scenario chapter above need to be in place to set up the SSO between Service Provider (SP) - SAP Ariba and Identity Provider Proxy (IdP Proxy) - SAP IAS
- Metadata needs to be obtained from Identity Provider Proxy (IdP Proxy) - SAP IAS
- Identity Provider Proxy (IdP Proxy) - SAP IAS needs to be created as Service Provider (SP) in Customer Managed IdP using the metadata retrieved from Identity Provider Proxy (IdP Proxy) - SAP IAS
- Metadata needs to be obtained from Customer Managed IdP
- Corporate Identity Provider representing the Customer Managed IdP needs to be created in Identity Provider Proxy (IdP Proxy) - SAP IAS using the metadata retrieved from Customer Managed IdP
SSO execution with Identity Provider Proxy (IdP Proxy) (IdP initiated):
- User accesses Service Provider (SP) - SAP Ariba URL
- Service Provider (SP) - SAP Ariba will forward the authentication to Identity Provider Proxy (IdP Proxy) - SAP IAS
- Identity Provider Proxy (IdP Proxy) - SAP IAS (based on optional condition) forwards the authentication request to Identity Provider (IdP) - Customer Managed IdP
- Identity Provider (IdP) - Customer Managed IdP (e.g. Microsoft Entra ID IdP) login window asking for User credentials is shown
- User is authenticated by Identity Provider (IdP) - Customer Managed IdP based on the entered credentials, and the response with User Identifier and User Attributes is sent to Identity Provider Proxy (IdP Proxy) - SAP IAS
- User authentication with User Identifier and User Attributes is further sent from Identity Provider Proxy (IdP Proxy) - SAP IAS to Service Provider (SP) - SAP Ariba
For configuration details see:
Service Provider (SP) vs Identity Provider (IdP) Initiated Authentication
User can access the resource represented by Service Provider (SP) via one of the approaches below:
Service Provider (SP) initiated authentication
- Service Provider (SP) and Identity Provider (IdP) need to have the signing certificates (part of the metadata) exchanged
- User accesses the Service Provider (SP) URL (e.g. https://<SAP Ariba tenant id>.procurement.ariba.com)
- Service Provider (SP) forwards the authentication to Identity Provider (IdP)
- Identity Provider (IdP) authenticates the User and redirects to Service Provider (SP)
Identity Provider (IdP) initiated authentication
- Service Provider (SP) needs to have signing certificate of Identity Provider (IdP) (part of the metadata) configured
- Signing certificate of Service Provider (SP) is not required to be configured in Identity Provider (IdP) in case of IdP initiated authentication
- IdP Initiated Authentication needs to be enabled in Identity Provider (IdP)
- User accesses the Identity Provider (IdP) URL with Service Provider (SP) identifier passed (e.g. https://<SAP IAS tenant id>.accounts.ondemand.com/saml2/idp/sso?sp=<service provider name>)
- Identity Provider (IdP) authenticates the User and redirects to Service Provider (SP)
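The metadata exchange described in the setup steps above and the certificate prerequisites of the SP- and IdP-initiated flows, as an added example that is not part of the original page: it parses constructed SAML 2.0 metadata for a fictional IdP and SP (invented hostnames, placeholder certificate value), reports which signing certificates are missing for the chosen flow, and builds the IdP-initiated entry URL in the form shown above.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed sample metadata: invented hostnames, and a placeholder string instead of a real X.509 cert.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://example-ias.accounts.ondemand.com">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>PLACEHOLDER_IDP_SIGNING_CERT</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://example-ias.accounts.ondemand.com/saml2/idp/sso"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
# This SP publishes an ACS endpoint but no signing certificate, so it cannot sign AuthnRequests.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 entityID="https://example-tenant.procurement.ariba.com">
 <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://example-tenant.procurement.ariba.com/saml/acs" index="0"/>
 </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def parse_metadata(xml_text):
    """Extract entityID, signing certificates and endpoints from SAML 2.0 metadata."""
    root = ET.fromstring(xml_text)
    role = root.find("md:IDPSSODescriptor", NS)
    if role is None:  # an Element can be falsy, so test for None explicitly
        role = root.find("md:SPSSODescriptor", NS)
    # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
    certs = [c.text.strip() for kd in role.findall("md:KeyDescriptor", NS)
             if kd.get("use") in (None, "signing")
             for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    return {"entity_id": root.get("entityID"), "signing_certs": certs,
            "sso": [e.get("Location") for e in role.findall("md:SingleSignOnService", NS)],
            "acs": [e.get("Location") for e in role.findall("md:AssertionConsumerService", NS)]}

def trust_check(sp, idp, flow):
    """Metadata items missing for flow 'sp-initiated' or 'idp-initiated' (per the rules above)."""
    missing = []
    if not idp["signing_certs"]:
        missing.append("IdP signing certificate (needed by the SP in both flows)")
    if flow == "sp-initiated" and not sp["signing_certs"]:
        missing.append("SP signing certificate (needed by the IdP to verify signed AuthnRequests)")
    return missing

def idp_initiated_url(idp, sp_name):
    """Entry URL for IdP-initiated SSO in the shape shown above: <IdP SSO endpoint>?sp=<name>."""
    return idp["sso"][0] + "?" + urlencode({"sp": sp_name})
```

Run against metadata downloaded from a real tenant, the same checks tell you before configuration whether the SP-initiated flow can work at all or whether only IdP-initiated login is possible.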
SAP IAS Landscape Review and Recommendations
Review of Available SAP IAS Systems in Customer Landscape
Customer can review their SAP IAS landscape via S-User in SAP for Me (https://me.sap.com) -> Systems & Provisioning -> Systems -> Public Cloud Systems
To be compliant with the latest SAP Ariba "Next Generation" solutions (e.g. SAP Ariba Category Management, Supplier Profile Summary in SAP Ariba Supplier Lifecycle and Performance, ...) it is mandatory to have the SAP Ariba solutions' Single Sign-On (SSO) set up with SAP IAS (Test or Production).
This means that the SAP Ariba Test tenant SSO shall be established with SAP IAS Test and the SAP Ariba Production tenant SSO shall be established with SAP IAS Production!
Review of SAP IAS System Customer Administrators
Customer can review the Customer Administrators of a specific SAP IAS system via S-User in SAP for Me (https://me.sap.com) -> Systems & Provisioning -> Systems -> Public Cloud Systems -> navigate to the specific system link
Process of New SAP IAS System Provisioning
In case the customer does not have a SAP IAS system of type Test provisioned yet, follow the Obtain SAP IAS Tenant procedure.