Ipsita_Behera
Setting up SSO for the various connections of an S/4HANA RISE system can be a daunting task in the initial phase of a project. The best practices for SSO in an S/4HANA RISE environment can be found in this blog post, which describes the various SSO approaches available for S/4HANA RISE (Private Edition).

In this blog we have consolidated various SAP knowledge resources and lessons learned from connecting S/4HANA (RISE Private Edition) to Okta using SAP IAS as a proxy.

1 System Considerations



  • Backend is S/4HANA Rise Private Edition

  • SAP Cloud Identity Services (SAP IAS/IPS)

  • SAP BTP (only if automatic provisioning of users from S/4HANA to SAP IAS is required)

  • Okta


2 Scenario



  • The use case below is IdP-initiated SSO for SAP Fiori using Okta




3 Process to Integrate S/4HANA with SAP IAS


The whitepaper describing the process is available at https://wiki.scn.sap.com/wiki/x/7YawHQ

A few points to consider while performing the setup:

  • While creating the application in IAS, upload the S/4HANA metadata generated with the Web Dispatcher / load balancer URL if one is in place as per the architecture.

  • Add the Fiori URL as one of the Assertion Consumer Service Endpoints in the IAS tenant (its index number is later used in the Okta configuration)



Example: https://<Load Balancer URL>/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html?sap-client=<Client Number>&sap-language=EN

 

  • The Subject Name Identifier in IAS for the S/4HANA application should be set to email if email is also used in Okta to identify the user





  • The IAS metadata can be uploaded into S/4HANA instead of creating the trusted provider manually

  • A few settings to verify in the S/4HANA SAML2 configuration:


In Local Provider --> Service Provider Settings

In Trusted Providers --> Identity Federation

User ID Mapping Mode is set to Email if Okta uses the email address to verify the identity of the user

In Trusted Providers --> Signature and Encryption

 




  • If an alias is used for the Fiori URL, change the logon method for the alias in SICF as well. In our case /sap/bc/ui5_ui5/ui2/ushell/shells/abap was used as an alias for /default_host/sap/bc/ui2/flp





  • For the SICF services, SAML should also be the preferred method in the Logon Procedure List




4 Connect Okta to Identity Authentication


The initial setup can be performed by following this blog: https://blogs.sap.com/2020/07/10/connect-okta-to-sap-cloud-platform-identity-authentication-service/

  • As our use case is IdP-initiated, the following URLs can be used on the Okta side


Single Sign on URL : https://<XXXXXX>.accounts.ondemand.com/saml2/idp/acs/<XXXXXX>.accounts.ondemand.com?sp=<ProviderName...

Requestable SSO URLs : https://<XXXXXX>.accounts.ondemand.com/saml2/idp/acs/<XXXXXX>.accounts.ondemand.com

Recipient URL and Destination URL:

https://<XXXXXX>.accounts.ondemand.com/saml2/idp/acs/<XXXXXX>.accounts.ondemand.com?sp=<ProviderName...

Audience Restriction : https://<XXXXXX>.accounts.ondemand.com

 

https://<XXXXXX>.accounts.ondemand.com : Tenant URL of SAP IAS (found under Tenant Settings --> Identity Provider Settings --> Name)

sp=<ProviderName> : The provider name from the SAML2 configuration in S/4HANA, which is also reflected under the application in IAS

index=1 : This index number is taken from the index of the Fiori UI entry in the Assertion Consumer Service Endpoints section of the application in IAS
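To see how these Okta values line up with what the IAS proxy expects, here is an added Python cross-check (example code, not from the original post): it parses a constructed Okta-style SAML response and reports where Destination, Recipient, the sp/index parameters, Audience or the NameID format diverge from the settings above, which is how the audience mismatch of note 2693814 shows up. The tenant URL, provider name and sample response are constructed placeholders, and the query-string layout (sp and index as parameters on the ACS URL) is an assumption.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed placeholders: the IAS tenant URL and the S/4HANA SAML2 provider name.
TENANT = "https://example-tenant.accounts.ondemand.com"
ACS = f"{TENANT}/saml2/idp/acs/{TENANT.split('://', 1)[1]}"  # IAS proxy ACS endpoint
PROVIDER = "S4H_PROVIDER"

def check_response(xml_text, tenant=TENANT, provider=PROVIDER, index="1"):
    """Cross-check addressing fields of a SAML response against the IAS proxy setup."""
    findings = []
    root = ET.fromstring(xml_text)
    host = tenant.split("://", 1)[1]
    dest = root.get("Destination", "")
    base, _, query = dest.partition("?")
    params = parse_qs(query)  # assumed layout: ?sp=<ProviderName>&index=<n>
    if base != f"{tenant}/saml2/idp/acs/{host}":
        findings.append(f"Destination is not the IAS ACS endpoint: {dest}")
    if params.get("sp") != [provider]:
        findings.append(f"sp={params.get('sp')} does not match the SAML2 provider name {provider}")
    if params.get("index") != [index]:
        findings.append(f"index={params.get('index')} does not match the Fiori ACS index {index}")
    scd = root.find("saml:Assertion/saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != dest:
        findings.append("Recipient differs from Destination; the post sets both to the same URL")
    audience = root.findtext("saml:Assertion/saml:Conditions/saml:AudienceRestriction/saml:Audience", "", NS)
    if audience != tenant:
        findings.append(f"Audience '{audience}' is not the IAS tenant URL (symptom of note 2693814)")
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FMT:
        findings.append("NameID format is not emailAddress, but IAS identifies the subject by email")
    return findings

def sample_response(audience=TENANT, index="1"):
    """Constructed, unsigned, minimal Okta-style response used only to exercise the checks."""
    url = f"{ACS}?sp={PROVIDER}&amp;index={index}"
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" Destination="{url}">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="{EMAIL_FMT}">user@example.com</saml:NameID>
      <saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="{url}"/></saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
```

The check only compares addressing and audience fields; signature validation of the assertion is still performed by IAS and is not replaced by this script.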

 



5 Make Okta the Corporate IdP for S/4HANA in IAS



  • Go to SAP IAS --> Application --> click on the application name --> Conditional Authentication, and set Okta as the corporate identity provider there



With this setup you should be able to create a tile in Okta that provides SSO to S/4HANA web-based URLs such as Fiori.

In an upcoming blog post we will share how to automatically provision users from S/4HANA to SAP Cloud Identity Services.

 

Additional resources (SAP Notes):

2689013: How to configure SAML2 with SAP Fiori Launchpad and Web Dispatcher

2943651: How to configure Okta as corporate identity provider with Identity Authentication

2693814: Service Provider does not match specified audience in the SAML2Assertion

2332686: SAML2.0 No RelayState mapping found for RelayState value