cancel
Showing results for 
Search instead for 
Did you mean: 

SSO Configuration documentation.

0 Kudos
4,239

Hi, 

Can anyone share the documentation to configure SSO for S4HC.

Regards

Hem

Accepted Solutions (1)

Accepted Solutions (1)

Amith_Nair
Product and Topic Expert
Product and Topic Expert

Hi sean.durr1

Yes, your understanding is right, 2FA is an additional security layer to protect user accounts and is independent of SSO effort which is set up at the Org level. I mentioned 2FA if customer dont prefer to use any SSO authentication.

Now, the blog shared above gives a Great insight and can potentially serve as a reference document. SAP Cloud Connector is needed as for any cloud Application to communicate with the On premise, we need Cloud Connector that act as 'tunnel' between two different landscape( on premise and Cloud)

The blog highlights Cloud 4 Customers as an example, but with S4HANA Cloud the approach is the same: you should have access to cloud Application for S4HANA Cloud in IAS. I have attached part of what is needed on the S4HC and you can refer back to the blog to complete the set up.

Thank you!

Amith Nair

sean_durr1
Explorer
0 Kudos

Hi‎ Amith,

Thanks for your feedback so far, it's been very helpful.

Can you just confirm in a S4HC environment where SSO has been configured to use a corporate IDP (e.g. Windows ADFS), what happens when the user does not exist in ADFS. As an example, a Business User has been created in S4HC for a 3rd party consultant, but he won't exist as a user in the corporate IDP (ADFS), so what happens when he tries to log into S4HC?

Regards,

Sean.

Amith_Nair
Product and Topic Expert
Product and Topic Expert
0 Kudos

Hi sean.durr1

This is usually achieved using a feature in IAS called Conditional Authentication, where you could set up your rules either by email domain, user types( employees, partner etc.) IP address etc. .

For Example, in my internal test Tenant: I have classified my user as a partner, and every time a user with user type 'Partner', tries to login to the respective cloud application( say in my case S4HANA Cloud), it will prompt me into 2 factor Authentication.

You can navigate to Conditional Authentication by logging into IAS and choose the application of you want to configure and then you will see Conditional Authentication at the botoom, upon clicking, you will be able to set rules based on the Company choice of IdP you have set up.

https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/0143dce88a604533ab5ab17e639...

Hope this helps!

Thank you!

Answers (7)

Answers (7)

chandan_jha72
Discoverer
0 Kudos

Hi Guys,
Would someone help with a document to enable Okta with Sap S4Hana cloud , it would be much appreciated, we have been struggling to get correct information and moreover we are new to SAP world. thank you

Amith_Nair
Product and Topic Expert
Product and Topic Expert
0 Kudos

Hi sean.durr1

I also have run into a similar issue using the trial Account(MS Azure) since the trial account does not let you change/display domain name of specific email address i.e. ‎@seanedurrgmail.com( refer Page # 10)

Because this user Sean_test@seanedurrgmail.onmicrosoft.. is not a valid user in your IAS tenant.

Once you have a Licensed Account, this could be modified, and you could test the application from Azure.

But that should not stop from testing to see if the users are routed via Azure account successfully and get into the target application like S4HANA Cloud.

Also, from your slide page 19, I would turn ‘ON’ Allow Identity Authentication users only.

Please find the attached doc for your reference.

Thanks!

sean_durr1
Explorer
0 Kudos

Hi Amith, i am now trying to configure SSO for one of my customers using Azure AD (free trial for testing) as the corporate IdP but after initial set up on Azure AD side and IAS, i try to login using a test user (created on Azure AD only) and get an error (as per attached doc).

The attached doc also shows the config i have set up so far and the error i get is at the bottom.

Any ideas as the error indicates a permissions, but as per my docs it looks OK to me.

Any help appreciated.

Regards,

Sean.

sean_durr1
Explorer
0 Kudos

Hi Amith,

Just out of curiosity, if Conditional Authentication is not configured at all, but SSO using a corporate IDP (ADFS) is used, what happens if a user tries to access the S4HC system that does not have a user in ADFS. Would they get an error or would they just be prompted to enter a password for their user?

I don't want to overly complicate the setup of SSO if i don't have to.

Regards,

Sean.

Amith_Nair
Product and Topic Expert
Product and Topic Expert
0 Kudos

Yes, for those users who are not part of the ADFS directory and you have not set up Conditional Authentication, then they will be prompted to enter their user credentials. .

this will be the case for External consultants(contractors) working on short term projects.

thanks!

sean_durr1
Explorer
0 Kudos

Amith,

Before i start reading through all of the documentation for setting up SSO that you have mentioned in this post, can you just answer a couple of simple questions (hopefully).

1. Can i assume that Windows AD (i.e. ADFS) can be used as a customers corporate IDP for setting up SSO for S4HC?

2. If a customer does not have their own corporate IDP solution, is it a mandatory requirement for setting up SSO for S4HC or is there another method that can be used for setting up SSO?

Regards,

Sean.

Amith_Nair
Product and Topic Expert
Product and Topic Expert
0 Kudos

Hi Sean,

Please find the response to your question below:

1. Can i assume that Windows AD (i.e. ADFS) can be used as a customers corporate IDP for setting up SSO for S4HC?

Ans: Yes, MS Azure/ADFS, okta are few vendor of customer's choice.

2. If a customer does not have their own corporate IDP solution, is it a mandatory requirement for setting up SSO for S4HC or is there another method that can be used for setting up SSO?

It is not mandatory per say and this is purely based on customer business requirement , instead we could use two factor authentication that could be enabled via Identity and Authentication service.

https://blogs.sap.com/?p=545

Hope this helps!

thanks!

Amith Nair

sean_durr1
Explorer
0 Kudos

Hi Amith,

If the customer wants to use SSO, then 2FA is not the way to go, as this is just a different method/level of authentication as opposed to a different method for SSO. Would you agree?

So, if the customer is to use their own on-premise ADFS system for SSO, then the following article seems to include the steps we need to follow:

https://blogs.sap.com/2018/10/03/single-sign-on-for-sap-cloud-applications-using-active-directory-cr...

Could you have a quick scan of the article and let me know if that more or less covers what would be needed, including whether Cloud Connector is mandatory for the solution to work.

If you have any other diagrams/articles that would be relevant for setting up SSO using an on-premise IDP then that would also be helpful.

Regards,

Sean.

FDias
Product and Topic Expert
Product and Topic Expert
0 Kudos

Hello Hem,

In addition to what Amith has mentioned, please also look at the following links and they should get your SSO/SAML2.0 setup working for S/4HANA Cloud:

1. Configure your IDP as Corporate IDP on the SCP IAS side - https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/33832e58695345eea2cd91a2cc8...

2. Configure the IAS tenant as a trusted application (Service Provider) at your corporate IDP

3. Configure your application to use the Corporate IDP as default IDP - https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/e9d82742d42b4f769c2d0f16d8e...

Hope this helps.

Fabian

Amith_Nair
Product and Topic Expert
Product and Topic Expert
0 Kudos

Hi Hem,

Please find the link below to the documentation on SSO Configuration for S4HANA Cloud.

https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/99403403d2dc41eca20a7854869...

Unfortunately, the Help portal is been down since today morning, so I am not able to access the content to guide you better.

Also, please note that for SSO Configuration for your application-S4HANA Cloud, you should have a Admin access to SAP Cloud Platform Identity provider and Authentication, as all configuration are performed here and not on S4HANA Cloud tenant as such.

Good Luck!

Amith Nair