• Overview
• Basic setup
• Postman test
• SAP Integration Suite setup
• Microsoft PowerPlatform test
• Troubleshooting

Overview

Basic setup

Start by checking that all required services are enabled in T-Code SICF.

• /sap/bc/webdynpro/sap/saml2
• /sap/public/bc/sec/saml2
• /sap/public/bc/sec/cdc_ext_service
• /sap/public/myssocntl
• /sap/bc/sec/oauth2/token

Open T-Code SAML2 and enable SAML support. Provider name could be any string, but must be URL compliant! It's best practice to use http://<SID><client>. Switch selection mode to automatic if you intent to use only one IDP.

Local provider is created. Download metadata needed for next steps.

Now go to EntraID and create Enterprise App of type "SAP NetWeaver".

On "Single sign-on" tab click "SAML". New blank configuration will be created. Use "Upload metadata file" button and select metadata file downloaded from SAP. This loads SAP's metadata into EntraID.

Edit "Reply URL" to point to Token service of OAuth2 and don't forget to set correct client in parameter "sap-client". "Sign on URL" could be any URL compliant string (ex. https://dummy.com).

Edit "Attributes & Claims". Click on "Unique User Identifier (Name ID)".

You have two options here, based on attribute that you like to use as user identifier.

1. If you don't have any email address assigned to more than one user in SAP and you use email as UPN in EntraID, you could match EntraID and SAP user based on email. In this case select "Name identifier format" = "Email address" and "Source attribute" = "user.userprincipalname".
2. Otherwise find source attribute that contains SAP username. Ex. sAMAccountName. For this scenario choose "Name identifier format" = "Unspecified".

Save and return to "Single sign-on" tab of your Enterprise App configuration. In "SAML Certificates" section download the certificate and federation metadata.

Go back to SAP backend and open T-Code SAML2. Switch to "Trusted Providers" tab and select "OAuth 2.0 Identity providers" under the "List of Trusted providers". Add a new provider using the metadata you just downloaded from EntraID.

In the next step, upload the certificate downloaded from EntraID. In the "Provider" and "Signature and Encryption" steps, click "Next" and then "Finish".

Edit the new trusted IDP and select the name format "Unspecified" or "E-mail", depending on the user mapping scenario. Scenario 1 is "E-mail", scenario 2 is "Unspecified".

Set the "User ID Mapping Mode" according to the scenario. For scenario 1 "email" or "Logon ID" for scenario 2.

Save and enable the configuration.

Open EntraID again and create new App registration (not Enterprise app) that will be used as client.

On "Authentication" tab, section "Platform configurations" click "Add a platform" and select "Web". Set "Redirect URIs" = "https://localhost:44326/signin-oidc" and select both tokens to be issued.

On "Certificates & secrets" tab generate new client secrete. Save the content of "Value" field as you can't access it later!

Next, on "API permissions" tab add a permission "Microsoft Graph" as delegated. Select "openid" (Sign users in).

On "Expose and API" tab add a scope. URI should be predefined. After clicking "Save" new configuration panel will be shown. Fill there "Scope name" = "user_impersonation" and switch consent to "Admins and users". Set some display name and description. Finally click "Add scope".

On the same tab add a client application. Set "Client ID" = "6bee4d13-fd19-43de-b82c-4b6401d174c3" and set our scope in "Authorized scopes". This fixed client ID is identifier of SAP OData connector in PowerApps platform.

Copy "Application (client) ID" from "Overview" tab.

Now switch to App registration (not Enterprise app) that corresponds to the server part (same name as our Enterprise app defined in the beginning). Go to "Expose and API" tab and add a client application. Add there copied client ID and set scope.

One again switch to SAP system. Create technical user for impersonation. This user must be type B (System) and has correct permission role assigned. You need these permissions:

• S_RFC: RFC_TYPE=Function group, RFC_NAME=SYST, ACTVT=Execute
• S_SCOPE: OA2_CLIENT=SOAUTH2 (set same as ID of technical user), OA2_SCOPE=<required_scopes> (start with "*" for testing and restrict later)

Call T-Code SOAUTH2. On the screen click "Create". Set ID of technical user as "OAuth 2.0 Client ID" and write some description.

In "Grant Type Setting" step select our trusted IDP from the list and set "Refresh Allowed".

In "Scope Assignment" step set some service that you'd like to expose.

Postman test

It's time for first test. You could use attached Postman collection. Edit variables of the collection.

Please also change service name and parameters in request number 4 based on your use case (if not calling BP OData service as in example).

Now open first call of the collection and send request. Ignore output and open console (bottom left corner). Copy whole link (without GET keyword) and paste it in the web browser. After successful EntraID login blank error page will be shown. Go to the address bar and copy content of parameter "access_token". Open request number 2 and paste token to the "assertion" parameter.

After sending request number 2 you should see "access_token" in the output. Open request number 3 and send it. If successfull you would get new (short) "access_token" and also "refresh_token" and correct "scope".

Finally open and send request number 4. You should see data from your service.

SAP Integration Suite setup

In order to use this setup from internet / public cloud you have to expose SAP AS over SAP Cloud Connector.

In case that you don't have SAP Integration Suite BTP subaccount already added in SAP Cloud Connector, please use official guide to add it: SAP Help Portal | SAP Online Help

Now go to the Cloud Connector subaccount and select "Cloud to On-Premises" in the left menu. On "Access Control" tab add new system (Mapping Virtual to Internal System). Backend type is "ABAP System", protocol "HTTPS". Fill in hostname and port of SAP AS.

Use same values for virtual host and port. Disable Principal Propagation and Certificate Logon as you don't need these in this scenario. Host in request header should be Virtual Host. Set SID (ex. I4A) as System ID.

Expose services (your OData) in "Resources" section. On this example I'm exposing whole system (don't do this with productive SAP AS!).

Open SAP Integration Suite and begin with setup there. In left menu select Configure -> APIs and select "API Providers" tab.

Create new provider. Fill some meaningful name on "Overview" tab. Switch to "Connection" tab and set "Type" = "On Premise", "Host" = <AS_ABAP_HOST>, "Port" = <AS_ABAP_PORT>, leave "Authentication" = "None". Set "sap-client" = <AS_ABAP_CLIENT> in Additional Properties.

Save provider and test connection. It should return "System is up and reachable. However, the ping check responded with code : 404; Message : Not found". That's correct state because we're calling base URL and not any reachable service.

Go to "Policy Templates" tab and import definition that's available in SAP Business Accelerator Hub. This policy needs some mapping. So switch to "Key Value Maps" tab and create new mapping (ex. name "I4ACLNT400_EntraID"). Use table bellow as an example.

Finally switch to "API Proxies" tab and create new proxy. Select your API Provider, set URL to OData service that you have in the scope. Define some name and title of proxy. API Base Path could be anything you like - it's simply prefix for OData calls to this service (ex. /sap/utility/odata).

Ignore error "Unable to fetch metadata" - it's normal as we didn't applied policy yet.

In the new API provider click "..." in top right corner and select "Policies". Again in top right corner click "Policy Template" -> "Apply". Select policy that you downloaded earlier and apply it. You should now see it under target endpoint's post flow.

Now go step by step through the policy. In second step (MapVariables) replace value of "mapIdentifier" with the name of your value map (ex. I4ACLNT400_EntraID). In steps "RefreshSAPToken", "fetchSAPOAuthToken" and "GetCSRFToken" change value of tag "APIProvider" from "PM1-via-SCC" to your provider name (ex. I4ACLNT400_NOAUTH).

Click "Update", "Save" and "Deploy".

Microsoft PowerPlatform test

Login to Microsoft PowerApps at Power Apps and switch to correct environment (if using more). In the left menu click "Flows" and create new cloud flow "Instant cloud flow". Fill some name and choose "Manually trigger a flow".

Add new step with connector "SAP OData", action "Read OData entity".

Set authentication type "Microsoft Entra ID Integrated (with APIM)". OData base URI is URL of you API Proxy service (ex. https://******.test.apimanagement.******.hana.ondemand.com/sap/utility/odata/BusinessPartner), Entra ID resource URI is API scope of client app (ex. api://b20e44f0-d88a-4558-8a53-b34484425e3f/user_impersonation). Set "API Key Name" = "APIKey (constant), "API Key Value" = <Client_secret> (ex. HZ48Q~NDBD38a4XW~************) and SAP's client name / password.

You should see Entra ID popup for login. After that service should be authenticated and entities readable.

Troubleshooting

In case you're struggling with the basic setup (Postman testing), start T-Code SEC_DIAG_TOOL_VIEWER and capture the login traffic. You can find errors there and search SAP for Me. Always double check that user calling API (your business user, not SOAUTH2) is valid and has correct permission assigned (check SU53 for errors).

If calling OData API from PowerApps fails immediately with authentication error, check EntraID tenant log for errors associated with your registered client app.

Sometimes it fails later in login process and this could be debuged on Integration Suite. Open definition of your API Proxy, click "Debug" (top right corner) and "Start Debug" (bottom right corner). Now call API from PowerApps, refresh debugged window and check for errors.