Amin_Omidy
SAP Champion

In my previous blog, I laid the groundwork for configuring Single Sign-On (SSO) using SAP Identity Authentication Service (IAS) and highlighted the crucial role of various Identity Providers (IdPs) in this process. I emphasized IAS's function as a proxy identity provider and discussed how integrating with Azure, Google, AWS, and Active Directory can simplify access to multiple applications within the SAP ecosystem.

In this Part 2 post, I dive into troubleshooting tips and solutions for common SSO and IAS challenges that arise during customer deployments. Presented in a Q&A format, this guide offers practical insights to help streamline your own SSO implementation journey.

IAS-S4.jpg

Questions and Answers (focus on resolving various issues):

1. When using SAP Identity Authentication Service (IAS) as a hub (proxy) for Identity services, which tenant's SAML 2.0 metadata XML should be imported to the S/4HANA system to establish SAML 2.0 trust?

Answer: To configure SAP IAS as a hub (proxy) for Identity services with S/4HANA, only the SAML XML metadata of the IAS tenant should be uploaded to the S/4HANA system to establish SAML 2.0 trust. Then, the SAML XML response from S/4HANA should be imported back into the IAS application for the appropriate environment tier.

The setup requires:

  1. Uploading the IAS tenant's SAML XML metadata to the S/4HANA system.
  2. Importing the S/4HANA-generated SAML XML metadata response into the corresponding IAS application for that tier, completing the two-way trust for SAML-based Single Sign-On (SSO) setup.
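The two-way trust described above stands or falls on the values carried in the exchanged metadata: the entityID, the endpoints and the signing certificate. The following script is an added example written for this post (not code from the original page or from SAP) that reads a SAML 2.0 metadata file and compares it with what the other side has on file. The tenant names, the metadata and the certificate bytes are constructed; the certificate is a placeholder, not a real X.509 certificate, so only the fingerprint comparison is meaningful here.

```python
"""Inspect a SAML 2.0 metadata document before importing it as a trust partner.

Added example for this post (not code from the original page or from SAP).
It pulls out what an administrator compares when completing the two-way
IAS <-> S/4HANA trust: the entityID, the SSO/ACS endpoints and a SHA-256
fingerprint of each signing certificate.  The metadata below is a
constructed sample; the certificate bytes are a placeholder, not an X.509
certificate, so only the fingerprint comparison is meaningful here.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ROLES = ("IDPSSODescriptor", "SPSSODescriptor")
ENDPOINTS = ("SingleSignOnService", "AssertionConsumerService", "SingleLogoutService")


def local(tag: str) -> str:
    """Strip the namespace from an ElementTree tag ('{ns}Name' -> 'Name')."""
    return tag.rsplit("}", 1)[-1]


def inspect_metadata(xml_text: str) -> dict:
    """Return entityID, per-role endpoints and certificate fingerprints."""
    root = ET.fromstring(xml_text)
    if local(root.tag) != "EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    info = {"entityID": root.get("entityID"), "roles": []}
    for role in root:
        if local(role.tag) not in ROLES:
            continue  # skip Signature, Extensions, Organization, ...
        endpoints = [
            (local(ep.tag), ep.get("Binding"), ep.get("Location"))
            for ep in role
            if local(ep.tag) in ENDPOINTS
        ]
        certs = []
        for kd in role.findall("md:KeyDescriptor", NS):
            # A KeyDescriptor without a 'use' attribute serves both purposes.
            use = kd.get("use") or "signing encryption"
            for cert in kd.findall(".//ds:X509Certificate", NS):
                der = base64.b64decode("".join((cert.text or "").split()))
                certs.append((use, hashlib.sha256(der).hexdigest()))
        info["roles"].append({"role": local(role.tag), "endpoints": endpoints, "certs": certs})
    return info


def signing_fingerprints(info: dict) -> set:
    """All certificates the partner may sign with (SHA-256 over DER)."""
    return {fp for role in info["roles"] for use, fp in role["certs"] if "signing" in use}


def check_trust(info: dict, expected_entity_id: str, known_fingerprints: set) -> list:
    """Compare freshly downloaded metadata with what the other side has on file.

    Returns a list of mismatches; an empty list means the trust still lines up.
    A non-empty list is the situation behind SSO failures after the partner
    rotated its signing certificate or changed its entityID.
    """
    problems = []
    if info["entityID"] != expected_entity_id:
        problems.append(f"entityID {info['entityID']!r} != expected {expected_entity_id!r}")
    fresh = signing_fingerprints(info)
    if not fresh:
        problems.append("metadata carries no signing certificate")
    elif not fresh & set(known_fingerprints):
        problems.append("none of the signing certificates in the metadata is on file")
    return problems


# Constructed sample input (not a real tenant, not a real certificate).
SAMPLE_CERT_DER = b"constructed placeholder certificate bytes"
SAMPLE_CERT_FINGERPRINT = hashlib.sha256(SAMPLE_CERT_DER).hexdigest()
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://ias-tenant.example.invalid">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {base64.b64encode(SAMPLE_CERT_DER).decode()}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://ias-tenant.example.invalid/saml2/idp/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://ias-tenant.example.invalid/saml2/idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    meta = inspect_metadata(SAMPLE_IDP_METADATA)
    print(meta["entityID"], meta["roles"][0]["endpoints"])
    print("signing fingerprints:", signing_fingerprints(meta))
    print("mismatches:", check_trust(meta, "https://ias-tenant.example.invalid", {SAMPLE_CERT_FINGERPRINT}))
```

Run it against the IAS tenant metadata before uploading it to S/4HANA, and again against the S/4HANA metadata before importing it into the IAS application; keeping the printed fingerprints with the change record makes a later certificate rotation easy to spot.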

2. How can we resolve the "Domain is not trusted" error message when trying to log in to our SAP Fiori app integrated with SAP IAS?

Amin_Omidy_0-1730671720781.png

Answer: Add the domain or server name (the DNS name) you are connecting to in the “Trusted Domains” section of your IAS tenant, as shown below, to prevent that error:

In the IAS tenant, go to Single Sign-On > Trusted Domains and add your FQDN:

Amin_Omidy_1-1730671812440.png

To ensure a smooth setup and resolve potential errors, follow these steps:

  • If required, enable third-party cookies in your browser to prevent issues during authentication.
  • Verify that the correct identity provider (IdP) configuration is set up in your IAS tenant.

3. Upon entering a corporate email address from our Google tenant when logging in to our ABAP instance via the link deployed in the IAS app, we encountered the error "account.google.com refused to connect." How can we troubleshoot and resolve this issue?

Amin_Omidy_2-1730672151427.png

Answer: To troubleshoot and resolve the error, consider the following steps:

  1. Enable Browser Error Logs: If you are using Google Chrome, you can use the Chrome Developer Tools to enable error logging. This will provide detailed information about the error and help pinpoint the root cause.
    Amin_Omidy_3-1730672301146.png
  2. Reproduce the Error: Log in to your ABAP instance via the IAS app using the Google IdP credentials, then observe the Developer Tools for error details.
    Amin_Omidy_5-1730672679969.png
  3. Check for X-Frame Errors: In similar cases, X-Frame-related issues can originate from the Fiori page, preventing Google from connecting. Look for any "X-Frame-Options" errors in the console, as these may indicate blocked content.

  4. Install Browser Extensions: If X-Frame issues are confirmed, consider using a Chrome extension that allows cross-frame content, like "Ignore X-Frame Headers." Ensure the extension is enabled for "All Sites" to allow content from Google to load correctly. Note that such an extension switches off the browser's frame-ancestor (clickjacking) protection for the sites it covers, so use it to confirm the diagnosis rather than as the permanent fix.
    Amin_Omidy_7-1730672940869.png
  5. Verify IAS and Google Configuration: Double-check that IAS is configured correctly to use Google as an Identity Provider (IdP) and that redirect URIs match across configurations. This ensures seamless communication between IAS and Google Workspace.
  6. Test Connection Across Browsers: Sometimes, browser-specific settings may interfere with SSO connections. Test the setup in different browsers to rule out any browser-specific issues.
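Chrome prints "<host> refused to connect" when a framed response forbids embedding, either through X-Frame-Options or through a Content-Security-Policy frame-ancestors directive (the CSP directive wins when both are present). The script below is an added example for this post (not code from the original page or from SAP) that reproduces that browser decision for a raw response captured in the Developer Tools, so you can tell which side of the login flow is refusing the frame. All responses and URLs are constructed samples.

```python
"""Explain a 'refused to connect' frame error from captured response headers.

Added example for this post (not code from the original page or from SAP).
The function mirrors the browser's framing decision for a captured response:
a CSP frame-ancestors directive takes precedence, then X-Frame-Options.
All responses and URLs below are constructed samples.
"""
from urllib.parse import urlsplit


def parse_response_headers(raw: str):
    """Split a raw HTTP response into (status line, {name: [values]})."""
    lines = raw.replace("\r\n", "\n").split("\n")
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def origin_of(url: str) -> str:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def source_matches(source: str, parent_origin: str) -> bool:
    """Minimal CSP source-expression matcher: origin, host, *.host or scheme:."""
    if source == parent_origin:
        return True
    scheme, host = parent_origin.split("://", 1)
    if source == scheme + ":":
        return True
    src_host = source.split("://", 1)[-1]
    if src_host.startswith("*."):
        return host.endswith(src_host[1:])
    return src_host == host


def framing_verdict(raw_response: str, framed_url: str, parent_url: str):
    """Return ('allowed'|'blocked', reason) for framed_url embedded in parent_url."""
    _, headers = parse_response_headers(raw_response)
    framed_origin, parent_origin = origin_of(framed_url), origin_of(parent_url)

    for policy in headers.get("content-security-policy", []):
        for directive in policy.split(";"):
            tokens = directive.split()
            if not tokens or tokens[0].lower() != "frame-ancestors":
                continue
            sources = [t.strip("'").lower() for t in tokens[1:]]
            if "none" in sources:
                return "blocked", "CSP frame-ancestors 'none'"
            if "*" in sources:
                return "allowed", "CSP frame-ancestors *"
            if "self" in sources and framed_origin == parent_origin:
                return "allowed", "CSP frame-ancestors 'self' (same origin)"
            if any(source_matches(s, parent_origin) for s in sources if s != "self"):
                return "allowed", f"CSP frame-ancestors lists {parent_origin}"
            return "blocked", f"CSP frame-ancestors does not list {parent_origin}"

    for value in headers.get("x-frame-options", []):
        value = value.strip().upper()
        if value == "DENY":
            return "blocked", "X-Frame-Options: DENY"
        if value == "SAMEORIGIN":
            if framed_origin == parent_origin:
                return "allowed", "X-Frame-Options: SAMEORIGIN (same origin)"
            return "blocked", f"X-Frame-Options: SAMEORIGIN but parent is {parent_origin}"
        # ALLOW-FROM and other values are ignored by current browsers.
    return "allowed", "no framing restriction in headers"


# Constructed sample responses (not captured from any real system).
SAMPLE_SAMEORIGIN = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n\r\n<html>login page</html>"
)
SAMPLE_CSP = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'self' https://*.sap.example.invalid\r\n"
    "X-Frame-Options: DENY\r\n\r\n"
)
SAMPLE_OPEN = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    for raw in (SAMPLE_SAMEORIGIN, SAMPLE_CSP, SAMPLE_OPEN):
        print(framing_verdict(raw, "https://idp.example.invalid/login",
                              "https://fiori.sap.example.invalid/"))
```

Paste the headers of the blocked response (Network tab, "Headers" view) into `raw_response` and pass the framed URL and the URL of the page doing the embedding; the reason string tells you whether the fix belongs in the framed application's policy or in how the launcher opens the login (top-level navigation instead of a frame).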

4. Is it accurate to say that once we've established trust between the S/4HANA app in IAS and the ABAP NetWeaver system, adding a new IdP tenant (domain) in IAS and configuring its SAML2 trust is sufficient to establish SSO? Are no adjustments required on the S/4 side or in any IAS apps associated with the previous IdP to enable this new IdP?

Answer: Yes, that is true. After the trust between IAS and S/4 is set up, for any new IdP (a new tenant domain) you only need to create it in the IAS Corporate Identity Providers section and then add the IdP's email domain in the “Conditional Authentication” settings of the desired app in IAS, without touching S/4, the related app configuration, or the SAML settings in IAS.

5. I've set the Fiori link (provisioned through the internal Load Balancer in the S/4 landscape) as the default "URL for Browser Flow" in my IAS S/4 application. Now, when I try to access the WebGUI link directly, it always redirects me to the Fiori page instead. Is there a workaround to access WebGUI without being redirected to Fiori?

Answer: If you want to use WebGUI alongside Fiori access (deployed through your Load Balancer) in an S/4 system with IAS SSO, one approach is to use the ABAP Central Instance (CI) server link in the IAS application. This setup allows you to specify your WebGUI path directly in the URL you access before reaching the Fiori page.

Set the ABAP CI link in IAS’s “URL for Browser Flow.” This bypasses the default Load Balancer (LB) or Web Dispatcher layer, enabling direct access to WebGUI.

This approach provides WebGUI access without depending on Web Dispatcher or any LB in front of Fiori, ensuring direct access when needed. One drawback is that you won’t be able to leverage the benefits of a Web Dispatcher or any front-facing load balancer.

Your “URL for Browser Flow” in the IAS app can look like:

https://vh***ds4ci.hec.yourdomain:44300/sap/bc/gui/sap/its/?sap-client=100&sap-language=EN

Then you can access WebGUI directly by using a link similar to the one below in your browser, without going to the Fiori page:

https://vh***ds4ci.hec.Your_domain:44300/sap/bc/gui/sap/its/webgui/!?sap-system-login-basic_auth=X&...

6. How can we configure a dynamic attribute approach for SSO in SAP IAS to allow flexibility in using different attributes for authentication in the future?

Answer: In your app in IAS, under Subject Name Identifier, choose the “Advanced configurations” option to enable the use of a dynamic attribute:

Amin_Omidy_8-1730673248440.png

7. If we use SAP IAS as a proxy, is it necessary to provision an Azure IAS app in Azure Entra ID?

Answer: No, provisioning an Azure IAS app in Azure Entra ID is unnecessary when IAS acts as a proxy. Instead, you only need to establish a federation trust between IAS and Azure AD. This can be managed using the Fiori App on the Azure side.

8. When separate tiles are deployed on the Fiori launchpad for SAP applications like SuccessFactors and Ariba, do all tiles use a similar SSO session with IAS after the initial Fiori login? Or does each tile initiate its own SSO authentication flow through IAS?

Answer: Yes, when users connect to different SAP SaaS or PaaS applications through tiles on the Fiori Launchpad, each tile typically initiates its own logon flow through IAS upon being clicked. After a user successfully authenticates via the initial Fiori login and accesses the Fiori dashboard, each tile should have an equivalent application configured on the IAS side to ensure seamless access.

Upon clicking a tile, the logon request passes through IAS and the designated Identity Provider (IdP). Once verified by the IdP, the user is granted access to the specific application linked to that tile.

In some cases, tiles may throw errors if there’s an issue with the corresponding app configuration in IAS or if there is a disruption in authentication with the IdP. Additionally, deploying multiple SaaS applications with SAP Identity Authentication Service (IAS) makes it possible to publish individual SSO links for each application within a custom company (cloud) dashboard, enhancing user convenience across apps.

9. When we try to log in to the SSO Fiori link, we receive a 404 error (as shown in the snapshot below). What might be causing this issue?

Amin_Omidy_12-1730674667909.png

Answer: I recommend first reviewing the error logs on both your Identity Provider (IdP) and the Identity Authentication Service (IAS) to gain more insight into this error. This issue often occurs when the attributes on the IdP side, including the unique identifier, do not match the corresponding configuration in IAS or in S/4HANA.

To resolve this, cross-check each assertion attribute across all systems, paying particular attention to the unique identifier to ensure it is configured correctly.

10. Is it necessary to manually add our application to the "Trusting Applications" section in IAS within our Corporate IdP every time for the new application to connect?

Answer: No. If you have authenticated successfully through your IdP login, the application name will appear in the “Trusted Applications” section, even if you haven't logged in successfully to the application itself yet:

Amin_Omidy_13-1730674754024.png

11. While troubleshooting a login error when accessing the SSO link in the browser, we encountered a message in IAS similar to the one below. What possible solutions can we explore to resolve this issue?

Cause
The cause of the error is that there is a time difference between the corporate identity provider (for example AD FS Server) and IAS (proxy).
For example in the error, see this entry: IssueInstant: Tue Jul 07 08:07:54 UTC 2020Curent time: Mon Jul 06 23:17:17 UTC 2020.
The cause is that IssueInstant and Current time are different.

Answer: This issue typically arises when your new cloud or Hyperscaler tenant is set to a different time zone than your IAS tenant. To resolve this, you should adjust one of the tenants so that their time zones are consistent.
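Both the attribute mismatch in question 9 and the time difference in question 11 can be confirmed from the assertion itself before touching any tenant settings. The script below is an added example for this post (not code from the original page or from SAP) that checks an assertion's IssueInstant and validity window against a given clock with a skew tolerance, and then checks the audience, the NameID (the unique identifier) and the attributes IAS or S/4HANA expects. It deliberately inspects only the plain content, as a tracing tool would; a real service provider verifies the XML signature before trusting any of these values. The assertion, tenant names and the 60-second tolerance are constructed; the two clock values reuse the IssueInstant and current time quoted in the error message above.

```python
"""Check a SAML assertion's time window, audience, NameID and attributes.

Added example for this post (not code from the original page or from SAP).
It covers two failure modes discussed in the post: attribute or identifier
mismatches between the IdP and IAS/S/4HANA, and clock differences between
the corporate IdP and the IAS proxy.  Only the plain assertion content is
inspected, as a tracer would; signature verification is out of scope here.
The assertion and the clocks below are constructed sample input.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are xs:dateTime in UTC, e.g. 2020-07-07T08:07:54Z."""
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def check_assertion(xml_text, now, expected_audience, required_attributes, skew_seconds=60):
    """Return a list of problems; an empty list means the assertion passes these checks.

    skew_seconds is the clock tolerance allowed between the checking system and
    the IdP (a constructed default for this example, not an SAP value).
    """
    root = ET.fromstring(xml_text)
    assertion = root if root.tag.endswith("}Assertion") else root.find(".//saml:Assertion", NS)
    if assertion is None:
        return ["no saml:Assertion element found"]
    skew = timedelta(seconds=skew_seconds)
    problems = []

    issued = parse_saml_time(assertion.get("IssueInstant"))
    if issued - now > skew:
        problems.append(f"IssueInstant {issued.isoformat()} is ahead of current time "
                        f"{now.isoformat()} by more than {skew_seconds}s (clock skew)")

    conditions = assertion.find("saml:Conditions", NS)
    if conditions is not None:
        not_before = conditions.get("NotBefore")
        not_on_or_after = conditions.get("NotOnOrAfter")
        if not_before and now + skew < parse_saml_time(not_before):
            problems.append(f"assertion not yet valid (NotBefore {not_before})")
        if not_on_or_after and now - skew >= parse_saml_time(not_on_or_after):
            problems.append(f"assertion expired (NotOnOrAfter {not_on_or_after})")
        audiences = [a.text for a in conditions.findall(".//saml:Audience", NS)]
        if audiences and expected_audience not in audiences:
            problems.append(f"audience {audiences} does not include {expected_audience}")

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("Subject has no NameID (unique identifier missing)")

    attributes = {
        attr.get("Name"): [v.text for v in attr.findall("saml:AttributeValue", NS) if v.text]
        for attr in assertion.findall(".//saml:Attribute", NS)
    }
    for name in required_attributes:
        if not attributes.get(name):
            problems.append(f"required attribute {name!r} missing or empty")
    return problems


# Constructed sample assertion and clocks (no real tenant, no signature).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-assertion-1" Version="2.0" IssueInstant="2020-07-07T08:07:54Z">
  <saml:Issuer>https://adfs.corp.example.invalid</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@corp.example.invalid</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2020-07-07T08:07:24Z" NotOnOrAfter="2020-07-07T08:12:54Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://ias-tenant.example.invalid</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>jane.doe@corp.example.invalid</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
EXPECTED_AUDIENCE = "https://ias-tenant.example.invalid"
GOOD_NOW = datetime(2020, 7, 7, 8, 8, 0, tzinfo=timezone.utc)      # proxy clock in sync with the IdP
SKEWED_NOW = datetime(2020, 7, 6, 23, 17, 17, tzinfo=timezone.utc)  # "Current time" from the error above

if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION, GOOD_NOW, EXPECTED_AUDIENCE, ["mail"]))
    print(check_assertion(SAMPLE_ASSERTION, SKEWED_NOW, EXPECTED_AUDIENCE, ["mail"]))
```

With the skewed clock the function reports both the future IssueInstant and a NotBefore violation, which is exactly the pair of symptoms the IAS message describes; with the synchronized clock the same assertion passes. Passing the attribute names your IAS application or S/4HANA mapping expects in `required_attributes` turns the question 9 cross-check into a single call.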

12. As a customer, we need to address the absence of a specific feature in the SAP Identity Authentication Service (IAS) that is essential for our business. Who should we contact for support regarding this issue?

Answer: You can click on the user icon at the top of the main page in the IAS console. This will open a popup window where you can select “Submit Improvement Request” to provide your feedback or request new features:

Amin_Omidy_9-1730673526811.png

Or you can follow the link below:

https://help.sap.com/docs/identity-authentication/identity-authentication/submitting-improvement-req...

13. We are experiencing an issue with Single Sign-On (SSO). When SSO is enabled, we do not receive the prompt to log in to the Identity Provider (IdP); instead, we are allowed to enter our password directly. After doing so, we encounter an error (as shown below). What could be causing this problem, and how can we resolve it?

Amin_Omidy_10-1730673610413.png

Answer: This issue is likely due to the Conditional Authentication settings in your app within IAS. You may have overlooked adding the new corporate Identity Provider (IdP), or the IdP may not yet be created in the "Corporate Identity Providers" section of IAS.

14. We are trying to access a Fiori link that is set up in the Load Balancer of our SAP landscape in Azure for the IAS app (URLs for browser flow), but we are encountering an error and cannot access the Fiori domain. What could be causing this issue?

Answer: There are two types of Load Balancers for SAP on hyperscalers like Azure that can be provisioned for Fiori links:

  1. External Load Balancer (LB): This type is used when accessing Fiori links from the public internet. For example, if you're in a public place like Starbucks and want to connect to your company's Fiori link, you would use an External LB.
  2. Internal Load Balancer (LB): This type is used when you are within your company's network, typically connected via a VPN. You would access the Fiori link using the Internal LB while on your corporate network.

In the context of the S/4HANA application in SAP Identity Authentication Service (IAS), if you use a Fiori link provisioned through the Internal LB, it will only work within your company network. Conversely, if you use a Fiori link provisioned through an External LB (Application Gateway in Azure), you can access it from anywhere on the public internet, including locations like Starbucks.

Amin_Omidy_11-1730673801243.png

15. We are using S/4HANA Private Edition as part of RISE with SAP. How can we restrict access to the S/4HANA system so that only users from our corporate Active Directory (AD) can connect from within the company network, using SAML 2.0 integrated with SAP Identity Authentication Service (IAS)?

Answer: If you utilize the "vh" name path from the ABAP Central Instance (CI) or a Fiori link deployed on an internal load balancer within your hyperscaler, end users must be connected to the corporate network to access S/4HANA. This is because the DNS name can only be resolved within the company’s VPN or network.

16. What are the best steps to troubleshoot and resolve SSO issues with SAP Identity Authentication Service (IAS)?

Answer: When it comes to tracing errors and finding resolutions for SSO issues, I recommend the following approach:

  1. Use Browser Developer Tools: Open your browser's Developer Tools (e.g., Chrome) and install a SAML tracing extension, such as “SAML WS-Federation.” This will help you gain detailed insights into your SSO issue and identify the root cause.
  2. Check IAS Logs: Access the logs in the Identity Authentication Service by navigating to Monitoring & Reporting > Troubleshooting Logs. This can help identify errors specific to the IAS.
  3. Guided Answers: Utilize the IAS Guided Answers Decision Tree available in SAP support to help identify common issues and potential solutions.
  4. Certificate Validity: Confirm that the correct certificates are being used. Sometimes, the IAS may reference an inactive certificate in the metadata, which can lead to SSO failures.
  5. Examine Target Application Logs: For applications like S/4HANA, enable the SAML2 log by following SAP Note 2960670. This will allow you to view logs related to SAML assertions and possible failures.
  6. Use SAP Support Log Assistant: Import your logs into the SAP Support Log Assistant. This tool analyses your logs and provides insights along with relevant SAP Notes for further troubleshooting.
    For more detailed information, please refer to my previous blog on this topic: How You Can Troubleshoot Errors in IAS Related to SSO and S/4 HANA.
  7. Contact Support: If issues persist, consider reaching out to your SAP IAS Admin or opening an SAP support case for more tailored assistance.
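What a SAML tracing extension does in step 1 is undo the wire encoding of the SAMLRequest and SAMLResponse parameters so you can read the message before going to the IAS or S/4HANA logs. The script below is an added example for this post (not code from the original page or from SAP) that does the same for a captured redirect URL (DEFLATE + base64 + URL-encoding) or POST form (base64 only) and summarizes the fields worth checking first: message type, ID, IssueInstant, Destination, InResponseTo, Issuer and status code. The request URL, the response and all host names are constructed in the file, not captured from a real system.

```python
"""Decode the SAMLRequest/SAMLResponse parameters a browser tracer shows.

Added example for this post (not code from the original page or from SAP).
Reverses the HTTP-Redirect binding (DEFLATE + base64 + URL-encoding) and
the HTTP-POST binding (base64) and summarizes the message.  The request URL
and POST form below are constructed here, not captured from a real system.
"""
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, urlsplit

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def decode_saml_message(encoded: str, binding: str) -> str:
    """Reverse the transport encoding; binding is 'redirect' or 'post'."""
    raw = base64.b64decode(encoded)
    if binding == "redirect":
        # Redirect binding uses raw DEFLATE (no zlib header), hence wbits=-15.
        raw = zlib.decompress(raw, -15)
    return raw.decode("utf-8")


def summarize_message(xml_text: str) -> dict:
    """Pick out the fields worth checking first when an SSO flow fails."""
    root = ET.fromstring(xml_text)
    issuer = root.find("saml:Issuer", NS)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    return {
        "type": root.tag.rsplit("}", 1)[-1],  # AuthnRequest / Response / LogoutRequest
        "ID": root.get("ID"),
        "IssueInstant": root.get("IssueInstant"),
        "Destination": root.get("Destination"),
        "InResponseTo": root.get("InResponseTo"),
        "Issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "Status": status.get("Value").rsplit(":", 1)[-1] if status is not None else None,
        "Assertions": len(root.findall("saml:Assertion", NS)),
        "EncryptedAssertions": len(root.findall("saml:EncryptedAssertion", NS)),
    }


def trace_redirect_url(url: str) -> dict:
    """Summarize a SAMLRequest/SAMLResponse carried in a redirect URL."""
    query = parse_qs(urlsplit(url).query)
    for key in ("SAMLRequest", "SAMLResponse"):
        if key in query:
            # Some capture tools leave '+' unescaped; parse_qs turns that into a space.
            return summarize_message(decode_saml_message(query[key][0].replace(" ", "+"), "redirect"))
    raise ValueError("URL carries no SAML message")


def trace_post_form(form: dict) -> dict:
    """Summarize a SAMLResponse (or SAMLRequest) carried in a POST form body."""
    for key in ("SAMLResponse", "SAMLRequest"):
        if key in form:
            return summarize_message(decode_saml_message(form[key], "post"))
    raise ValueError("form carries no SAML message")


def encode_redirect(xml_text: str) -> str:
    """Produce the redirect-binding encoding (used here only to build sample input)."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return quote(base64.b64encode(deflated).decode("ascii"), safe="")


# Constructed sample messages (no real tenant or system behind these names).
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-req-1" Version="2.0" '
    'IssueInstant="2020-07-07T08:07:50Z" Destination="https://ias-tenant.example.invalid/saml2/idp/sso">'
    "<saml:Issuer>https://s4h-dev.example.invalid/sap/saml2/sp</saml:Issuer></samlp:AuthnRequest>"
)
SAMPLE_REDIRECT_URL = ("https://ias-tenant.example.invalid/saml2/idp/sso?SAMLRequest="
                       + encode_redirect(SAMPLE_AUTHN_REQUEST) + "&RelayState=abc")
SAMPLE_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-resp-1" Version="2.0" '
    'IssueInstant="2020-07-07T08:07:54Z" InResponseTo="_constructed-req-1" '
    'Destination="https://s4h-dev.example.invalid/sap/saml2/sp/acs/100">'
    "<saml:Issuer>https://ias-tenant.example.invalid</saml:Issuer>"
    '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '<saml:Assertion ID="_constructed-assertion-1" Version="2.0" IssueInstant="2020-07-07T08:07:54Z">'
    "<saml:Issuer>https://ias-tenant.example.invalid</saml:Issuer></saml:Assertion></samlp:Response>"
)
SAMPLE_POST_FORM = {"SAMLResponse": base64.b64encode(SAMPLE_RESPONSE.encode()).decode(), "RelayState": "abc"}

if __name__ == "__main__":
    print(trace_redirect_url(SAMPLE_REDIRECT_URL))
    print(trace_post_form(SAMPLE_POST_FORM))
```

A status other than Success, an InResponseTo that does not match the request ID you saw a moment earlier, or a Destination that is not the ACS URL registered in the trust are the three things to note down before opening the IAS troubleshooting logs or the SAML2 trace in S/4HANA.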

17. Is it necessary to deploy a Fiori app in Azure for each S/4HANA tier to set up Single Sign-On (SSO) with SAP Identity Authentication Service (IAS) and access it through a browser?

Answer: The short answer is NO. To connect to each S/4HANA tier with Single Sign-On (SSO) via a browser, you only need to deploy the Identity Authentication Service (IAS) app for that system and follow the necessary steps to enable SAML2. Next, you will establish a trust relationship between the S/4HANA system and IAS. As long as the required Identity Provider (IdP) for that tenant is already created in IAS, this setup will be sufficient for facilitating the connection to your S/4HANA system through a browser.

However, if you want to publish an S/4HANA app in your cloud Identity Provider (like Azure) for access as a published app, you will need to create a Fiori app to represent your S/4HANA tier. For example, in Azure, you will need to upload your S/4HANA SAML2 XML configuration into this new Fiori app to enable users to access it as an Azure app.

18. How can we update a signing certificate in Azure for our corporate Identity Provider (IdP) that is about to expire?

Answer : When you add a new application from the Azure gallery, Microsoft Entra will automatically generate a new SAML certificate for your app, which will be valid for three years. You can follow the link below to learn how to renew a self-signed certificate at no cost:

https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/tutorial-manage-certificates-for-fe...

19. How can I allow duplicate email addresses for users in SAP Identity Authentication Service (IAS)?

Answer: In the IAS administration console, navigate to Logon Alias under Application & Resources / Tenant Settings.

To allow users in the IAS tenant to share the same email addresses, turn off Allow Login and uncheck the Unique column for the email setting.

If you later wish to enable email login again, simply check the Unique box and then turn on Allow Login.

20. When is it necessary to migrate IAS or IPS if the tenant is on the Neo environment?

Answer: The Identity Provisioning Service (IPS) shares its infrastructure with SAP Cloud Identity Services, specifically the Identity Authentication Service (IAS). To ensure optimal service and user experience, SAP recommends migrating your IPS tenant to the unified SAP Cloud Identity infrastructure.

Please note that the SAP Business Technology Platform (Neo environment) will be sunset on December 31, 2028. After this date, you will no longer have access to your existing Neo tenant. For more details, refer to SAP Note 3351844.

Migrating to the SAP Cloud Identity infrastructure offers significant benefits, including enhanced feature development, improved connector availability, and a better overall user experience. The migration process is straightforward. Please refer to the resources below for guidance:

You can contact the IPS migration team at the email address below for further details: ipsmigration@sap.com

21. How can I check where my user data is stored in relation to my IAS region?

Answer: If you have access to the IAS tenant link, you can find the region and its details by logging in with your S-user at the link below:

https://iamtenants.accounts.cloud.sap/

Here is the related note:

https://me.sap.com/notes/0002954065

For Region Availability follow the link below:

https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/regional-availability

22. What is the relationship between IAS and Cloud ALM in terms of user management and authentication?

Answer: To align with SAP best practices, users are recommended to authenticate through the Identity Authentication Service (IAS) for accessing SAP Cloud ALM. Role collections can be assigned to users, enabling them to perform role-based tasks within Cloud ALM. Therefore, it's essential to maintain users in the SAP IAS tenant.

While users can log in to Cloud ALM using their S-user ID and password, the preferred method is to utilize IAS. This approach also allows users to receive a password reset email if they select the “Forgot Password” link on the login page.

When requesting to provision a Cloud ALM tenant via “SAP for Me,” the provisioning software will check for the existence of a productive IAS tenant to which Cloud ALM can be assigned. If no productive IAS tenant exists, the system will create one and assign it to Cloud ALM, including the addition of users in IAS.

23. How can I connect my SuccessFactors instance to an existing Identity Authentication Service (IAS) as recommended by SAP?

Answer: After the SuccessFactors 2H 2020 release (also known as the b2011 release), customers have the option to choose which Identity Authentication Service (IAS) tenant to use, including the option to create a new one. SAP recommends mapping one IAS tenant to each SuccessFactors instance using the “Change SuccessFactors Identity Authentication Service” feature.

For further information, please check the SAP Note below:

https://userapps.support.sap.com/sap/support/knowledge/en/2791410

24. How does IAS backup work?

Answer: For detailed information about how IAS backup functions, please refer to SAP Note 3127192.

25. Is there a method to bulk delete users in the Identity Authentication Service (IAS) without having to manually remove each user through the IAS Administrator console?

Answer: Yes, you can delete users in bulk using either the Identity Provisioning Service (IPS) or the SCIM REST API. For more detailed information, please refer to SAP Note 2986601.
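The SCIM route is a two-step operation per user: resolve the address to a SCIM user id with a filter, then DELETE that id. The script below is an added example for this post (not code from the original page or from SAP) that does this with a dry run first and refuses ambiguous matches. The endpoint path `/scim/Users`, the bearer-token authentication and the `userName` filter are assumptions about the tenant's SCIM configuration (standard RFC 7644 syntax), not values from the post; check them against SAP Note 2986601 and your tenant's API settings. The HTTP layer is injected, so the offline stand-in in the file exercises the logic without contacting any tenant.

```python
"""Bulk-delete IAS users over the SCIM REST API, with a dry run first.

Added example for this post (not code from the original page or from SAP).
Each e-mail address is resolved to a SCIM user id with an RFC 7644 filter;
DELETE calls are only issued when dry_run is False.  The endpoint path and
the bearer-token header are assumptions about the tenant's SCIM setup.
The directory used by the offline stand-in below is constructed.
"""
import json
from urllib.error import HTTPError
from urllib.parse import quote, unquote
from urllib.request import Request, urlopen

SCIM_USERS_PATH = "/scim/Users"  # assumed SCIM users endpoint of the IAS tenant


def make_http_sender(bearer_token: str):
    """Real transport: send(method, url, body=None) -> (status, parsed JSON or None)."""
    def send(method, url, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = Request(url, data=data, method=method, headers={
            "Authorization": f"Bearer {bearer_token}",       # assumed auth scheme
            "Accept": "application/scim+json",
            "Content-Type": "application/scim+json",
        })
        try:
            with urlopen(req, timeout=30) as resp:
                payload = resp.read()
                return resp.status, (json.loads(payload) if payload else None)
        except HTTPError as err:
            return err.code, None
    return send


def make_fake_sender(users: dict):
    """Offline stand-in for a tenant: users maps SCIM id -> userName (e-mail)."""
    def send(method, url, body=None):
        path, _, query = url.partition("?")
        if method == "GET" and query.startswith("filter="):
            wanted = unquote(query[len("filter="):]).split('"')[1].lower()
            hits = [{"id": uid, "userName": name}
                    for uid, name in users.items() if name.lower() == wanted]
            return 200, {"totalResults": len(hits), "Resources": hits}
        if method == "DELETE":
            uid = path.rsplit("/", 1)[-1]
            return (204, None) if users.pop(uid, None) is not None else (404, None)
        return 405, None
    return send


def find_user_id(send, base_url, email):
    """Resolve an e-mail to exactly one SCIM id; None if missing or ambiguous."""
    flt = quote(f'userName eq "{email}"', safe="")
    status, body = send("GET", f"{base_url}{SCIM_USERS_PATH}?filter={flt}")
    if status != 200 or not body:
        return None
    hits = body.get("Resources", [])
    return hits[0]["id"] if len(hits) == 1 else None


def bulk_delete_users(send, base_url, emails, dry_run=True):
    """Return {email: outcome}; outcome is 'planned ...', 'deleted', 'not found' or 'HTTP <code>'."""
    outcome = {}
    for email in emails:
        uid = find_user_id(send, base_url, email)
        if uid is None:
            outcome[email] = "not found"
        elif dry_run:
            outcome[email] = f"planned (id {uid})"
        else:
            status, _ = send("DELETE", f"{base_url}{SCIM_USERS_PATH}/{uid}")
            outcome[email] = "deleted" if status in (200, 204) else f"HTTP {status}"
    return outcome


# Constructed offline directory and placeholder tenant URL; no tenant is contacted.
SAMPLE_DIRECTORY = {"P000001": "alice@example.invalid", "P000002": "bob@example.invalid"}
BASE_URL = "https://ias-tenant.example.invalid"

if __name__ == "__main__":
    send = make_fake_sender(dict(SAMPLE_DIRECTORY))
    print(bulk_delete_users(send, BASE_URL, ["alice@example.invalid", "nobody@example.invalid"]))
    print(bulk_delete_users(send, BASE_URL, ["alice@example.invalid"], dry_run=False))
```

Against a real tenant, swap `make_fake_sender(...)` for `make_http_sender(token)` with an API credential that has user-management rights, run once with `dry_run=True`, review the planned ids, and only then run with `dry_run=False`; keeping the returned dictionary gives you an audit record of what was removed.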

Here are some useful links that may be helpful:

Deciphering Seamless SAML Single Sign-On: A Comprehensive Guide to Multi-Identity Provider Integrati...

How troubleshoot errors in IAS related to SSO and S/4 HANA

How to resolve "Your Domain is not trusted. Please contact your system Administrator"

SAP Cloud Platform Identity Authentication Service - Guided Answers

SAP Cloud Platform IAS: Guided Answers

SAP Cloud Identity Services

SuccessFactors onboarding FAQ and IAS

Your Domain is not trusted. Please contact your system Administrator

SAP Note: 3428381 - How to reset security questions and answers in IAS

SAP Note: 3443106 - IdP-Initiated SSO for IAS Administration Console

SAP Note: 3333762 - Identity Authentication Services – FAQs
