Human Capital Management Blogs by Members
shrutithakkar

In this blog, we will discover how to integrate SAP Cloud Identity Services with Microsoft Entra ID. By integrating these two platforms, you can:

  • Manage access to SAP Cloud Identity Services directly from Microsoft Entra ID.
  • Enable seamless, automatic sign-in to SAP Cloud Identity Services using Microsoft Entra accounts.
  • Consolidate account management into a single centralized location.

Requirements

  1. Configure Microsoft Entra SSO in SAP SuccessFactors IAS.
  2. Set up Conditional Authentication so that internal employees sign in with their Microsoft accounts while external users authenticate with their IAS credentials.

Step 1 - Download the Metadata file from IAS

The metadata file from Identity Authentication Service (IAS) can be downloaded as follows:

  • Sign in to the SAP Cloud Identity Services administration console. The URL has the following pattern: https://<tenant-id>.accounts.ondemand.com/admin

    [Screenshot: IAS1.png]

  • In the Single Sign-On tab, go to SAML 2.0 Configuration. Click the Download Metadata File button to download the metadata; it is used later in the Entra-side configuration.

    [Screenshot: IAS2.png]

  • The Download Metadata File button will be available. Click it and the file will be generated.

    [Screenshot: IAS3.png]

    This metadata file needs to be shared with the Microsoft Entra admin.

Step 2 - Configure Microsoft Entra SSO

  • Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.
  • Browse to Identity > Applications > Enterprise applications > SAP Cloud Identity Services > Single sign-on.
  • On the Select a single sign-on method page, select SAML.
  • On the Set up single sign-on with SAML page, click the pencil icon for Basic SAML Configuration to edit the settings.

[Screenshot: SSO1.png]

  • Click on the Edit button. You will get an option to upload the metadata file. Upload the metadata file received from IAS in step 1.

[Screenshot: SSO2.png]

  • After the metadata file is successfully uploaded, the Identifier and Reply URL values get auto-populated in the Basic SAML Configuration section.
  • You might need to update the Sign-on URL manually. The Sign-on URL will be (the tenant id can be checked in the tenant settings): https://<tenant-id>.accounts.ondemand.com/saml2/idp/sso/<tenant-id>.accounts.ondemand.com
  • Click on Save.
  • On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click Download to download the Metadata XML.

[Screenshot: SSO4.png]
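Before the metadata file from step 1 is uploaded in step 2, it is worth checking what Entra will auto-populate from it (Identifier from entityID, Reply URL from AssertionConsumerService) and pinning the signing certificate fingerprint to compare with the Entra admin out of band. The following is an added example, not code from this blog or from SAP, that reads the SP section of a SAML metadata file with the Python standard library; the tenant id "example-tenant", the ACS path and the certificate blob in the sample are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-in for the SP section of an IAS metadata file: "example-tenant" is a
# placeholder tenant id and the certificate is a dummy blob, not a real X.509 certificate.
DUMMY_CERT_B64 = base64.b64encode(b"constructed-dummy-certificate").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://example-tenant.accounts.ondemand.com">
  <md:SPSSODescriptor WantAssertionsSigned="true">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{DUMMY_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://example-tenant.accounts.ondemand.com/saml2/idp/acs/example-tenant.accounts.ondemand.com"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def parse_sp_metadata(xml_text):
    """Pull out what Entra auto-populates from the file: Identifier (entityID) and Reply URLs
    (AssertionConsumerService), plus a SHA-256 fingerprint of each signing certificate."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")
    acs = [(e.get("Binding"), e.get("Location")) for e in sp.findall("md:AssertionConsumerService", NS)]
    fps = []
    for kd in sp.findall("md:KeyDescriptor", NS):
        b64 = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", default="", namespaces=NS)
        der = base64.b64decode("".join(b64.split()))  # strip the line wrapping real files have
        fps.append((kd.get("use"), hashlib.sha256(der).hexdigest()))
    return {"entity_id": root.get("entityID"), "acs": acs, "cert_fingerprints": fps}


def check_metadata(info, tenant_id):
    """Return findings (empty list = file matches the tenant you expect) before it is uploaded."""
    host = f"{tenant_id}.accounts.ondemand.com"
    findings = []
    if info["entity_id"] != f"https://{host}":
        findings.append(f"Identifier {info['entity_id']} is not https://{host}")
    for binding, loc in info["acs"]:
        if urlparse(loc).scheme != "https" or urlparse(loc).netloc != host:
            findings.append(f"Reply URL for {binding} is off-tenant: {loc}")
    if not info["cert_fingerprints"]:
        findings.append("no signing certificate to compare with the Entra admin")
    return findings
```

Run check_metadata(parse_sp_metadata(open("metadata.xml").read()), "<tenant-id>") against the real download; any finding means the file should not be uploaded as-is.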

Step 3 - Assign the Microsoft Entra test user

Test users need to be assigned before they can authenticate via SSO.

  • Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.

  • Browse to Identity > Applications > Enterprise applications > SAP Cloud Identity Services.
  • In the app's overview page, find the Manage section and select Users and groups.
  • Select Add user, then select Users and Groups in the Add Assignment dialog.
  • In the Users and groups dialog, select all required employees from the Users list, then click the Select button at the bottom of the screen.
  • If you expect a role to be assigned to the users, you can select it from the Select a role dropdown. If no role has been set up for this app, you see the "Default Access" role selected.
  • In the Add Assignment dialog, click the Assign button.

Step 4 - Configure SAP Cloud Identity Services SSO

  • Under Identity Providers, choose the Corporate Identity Providers tile.

[Screenshot: IAS4.png]

  • Create a new identity provider and give it a display name. Set Identity Provider Type = Microsoft ADFS/Entra ID (SAML 2.0) and click the Create button.

[Screenshot: IAS5.png]

  • Once created, click on the application, go to Trust -> SAML 2.0 Configuration, and click Browse to upload the Metadata XML file downloaded from the Entra configuration (step 2). Click Save.

[Screenshot: IAS6.png]

  • Update the Identity Federation settings for the User Store.

[Screenshot: IAS7.png]

Step 5 - Conditional Authentication Rules

As per the business requirements, only employees should authenticate via SSO, and contractors should authenticate via password. This can be achieved as follows:

  • Navigate to Applications & Resources -> Applications -> click on the SAP SuccessFactors system -> Conditional Authentication.

    [Screenshot: IAS9.png]

  • Create a condition that routes matching users to a specific identity provider. Note that the default identity provider is still IAS.

    [Screenshot: IAS10.png]

    [Screenshot: IAS11.png]

  • The condition can be based on email domain, user type or user group. For demo purposes, an SSO group is created and the accounts that should authenticate via SSO are added to it. All others who are not part of this group authenticate via the default provider, which is IAS.

    [Screenshot: IAS12.png]

Adding users to the SSO group so that they authenticate via SSO can be automated with custom solutions and setups.
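As an added illustration of the rule behaviour described in step 5 (a model written for this page, not IAS's own rule engine), the Python below evaluates rules in order, requires every criterion set on a rule to hold, takes the first match, and sends everyone else to the default IAS provider; the users, group and provider names are constructed, and an audit helper lists the employees that a group-based rule would leave on password login.

```python
from dataclasses import dataclass, field

DEFAULT_IDP = "Identity Authentication"  # the application's default provider, still IAS


@dataclass
class User:
    email: str
    user_type: str                 # constructed values: "employee" or "external"
    groups: set = field(default_factory=set)


@dataclass
class Rule:
    identity_provider: str         # provider that matching users are sent to
    email_domain: str = None       # criteria left as None are not checked
    user_type: str = None
    user_group: str = None

    def matches(self, user):
        """All criteria set on the rule must hold (AND semantics assumed);
        a rule with no criteria at all matches every user."""
        domain = user.email.rpartition("@")[2].lower()
        conds = []
        if self.email_domain is not None:
            conds.append(domain == self.email_domain.lower())
        if self.user_type is not None:
            conds.append(user.user_type == self.user_type)
        if self.user_group is not None:
            conds.append(self.user_group in user.groups)
        return all(conds)


def choose_idp(user, rules):
    """Rules are tried top-down; the first match wins, otherwise the default applies."""
    for rule in rules:
        if rule.matches(user):
            return rule.identity_provider
    return DEFAULT_IDP


def audit_password_fallback(users, rules):
    """Employees that the rules leave on the default (password) provider: the gap to close."""
    return [u.email for u in users
            if u.user_type == "employee" and choose_idp(u, rules) == DEFAULT_IDP]


# Constructed sample: a single SSO-group rule, as in the demo setup above.
RULES = [Rule("Microsoft Entra ID", user_group="SSO")]
USERS = [User("alice@corp.example", "employee", {"SSO"}),
         User("bob@corp.example", "employee"),            # employee never added to the group
         User("carol@vendor.example", "external")]
```

Running audit_password_fallback over the real user list is the check to make after the group is populated: an employee on the list is still logging in with a password.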

Conclusion

By following the steps outlined in this blog, we can successfully integrate SAP Cloud Identity Services with Microsoft Entra ID, providing a seamless and secure Single Sign-On (SSO) experience for different users. This integration allows us to manage access to SAP Cloud Identity Services directly from Microsoft Entra ID, enabling automatic sign-ins and centralized account management.

Additionally, implementing Conditional Authentication ensures that internal employees can use their Microsoft accounts for SSO, while external accounts authenticate with credentials.

In summary, the integration of Microsoft Entra ID with SAP Cloud Identity Services, coupled with Conditional Authentication, optimizes the SAP SuccessFactors environment, making it more secure and user-friendly.

Hope this helps 🙂 Happy Learning!

Please feel free to drop a comment if you have any other ideas or solutions that helped customise the business needs 🙂

Please do not hesitate to reach out if you have any questions or queries!

2 Comments

Hi @shrutithakkar, excellent blog and most awaited topic from this community. It will really help the Employee Central aspirants.

by

Anbazhagan Natararajan ( Anba )

dbtutor

Hi,

I have written a blog post that contains end-to-end details and automation of the token via the Postman platform. If you are interested, visit it here:

Postman to call SuccessFactors API using OAuth aut... - SAP Community
