- SAP Managed Tags
See as well:
- Summary: SAP Ariba, SAP Business Network, SAP Fieldglass SSO with SAP IAS
- Overview: SAP Ariba SSO with SAP Cloud Identity Services - Identity Authentication
- Identity Federation: SAP Fieldglass SSO with SAP Cloud Identity Services - Identity Authentication
- Identity Federation: Substitution of Subject Name Identifier in Identity Authentication
Table of Contents:
- SAP Fieldglass SAML Metadata Retrieval
- SAP IAS SAML Authentication Configuration
- SAP IAS SAML Metadata Retrieval
- SAP Fieldglass SAML Authentication Self-service Configuration
- SAP IAS User Setup
- SAP Fieldglass SSO Verification
- Validate the SAP Fieldglass SSO via Configuration Manager
- Validate the SAP Fieldglass SSO by accessing the SAP Fieldglass URL in the browser
- SAP Fieldglass without SSO
- SAP Fieldglass with SSO to SAP IAS
- SAP Fieldglass with SSO to External Identity Provider
SAP Fieldglass SAML Metadata Retrieval
Prerequisites:
- SAP Fieldglass user with Configuration Manager access
To download the SAP Fieldglass SAML Metadata for use with SAP IAS as the Identity Provider:
- enter the SAP Fieldglass tenant as a Configuration Manager User
- Login to SAP Fieldglass (i.e. https://xcore2.fgvms.com)
- navigate to the user menu -> Linked Accounts and click on the linked Configuration Manager user
- Click on the Single Sign On tile -> Actions -> Download SP Metadata
SAP IAS SAML Authentication Configuration
Prerequisites:
- SAP Fieldglass Metadata File
- SAP IAS user added as Administrator to SAP IAS (Users & Authorizations -> Administrators -> [Add])
To configure SAP IAS SAML Authentication with SAP Fieldglass:
- enter the SAP IAS Administration Console via https://<SAP IAS tenant id>.accounts.ondemand.com/admin
- navigate to Application & Resources -> Application -> [Create] to create Application for SAP Fieldglass as Service Provider (SP)
- Enter the Display Name, choose SAP Fieldglass solution as Type, SAML 2.0 as Protocol Type and hit [Create]
- load the SAP Fieldglass Metadata File you retrieved from SAP Fieldglass in the SAML 2.0 Configuration section within the Application
SAP IAS SAML Metadata Retrieval
To retrieve SAML Metadata from SAP IAS directly:
- enter the below SAP IAS URL into browser:
https://<SAP IAS tenant id>.accounts.ondemand.com/saml2/metadata?action=download - store the downloaded SAP IAS Metadata File
To retrieve SAML Metadata manually from SAP IAS application:
- go to Applications & Resources -> Tenant Settings -> Authentication -> SAML 2.0 Configuration
- click Download Metadata File
SAP Fieldglass SAML Authentication Self-service Configuration
Prerequisites:
- SAP Fieldglass user with Configuration Manager access
- SAP IAS Metadata File
To configure SAP Fieldglass SAML Authentication with SAP IAS as the Identity Provider:
- Upload the IAS metadata file from the previous step into SAP Fieldglass by clicking on the Single Sign On tile -> Actions -> Edit -> Identity Provider Details -> Upload
- OPTIONAL CONFIGURATION: SAML Identity Location
- The default configuration is to use the NameID in the SAML Response to authenticate the user against the Username field in SAP Fieldglass using SAML Identity Location as Subject.
- We can use a different attribute in the SAML Response for this purpose instead of the NameID by selecting Attribute as the SAML Identity Location and entering the value of that attribute.
- Sample SAML response below, where we will use the value in the custom FGUserID attribute instead of the NameID
- Complete the wizard by clicking Next through the remaining steps
- Under Applications & Resources -> Applications, select the application, then Subject Name Identifier. Select the attribute from the drop down list to use for authentication in SAP Fieldglass (Login Name in this example).
- Test the connection using the SSO URL (https://<environment>/SSOLogin?TARGET=company%3D<BuyerCode>)
NOTE: Notice the URL differs to the standard SAP Fieldglass URL. This is required to indicate to the SAP Fieldglass application that we are using SSO. Using the standard SAP Fieldglass URL (i.e. https://www.fieldglass.net as opposed to https://www.fieldglass.net/SSOLogin?TARGET=company%3D<BuyerCode>), will route the user to the standard SAP Fieldglass login page.
SAP IAS User Setup
- After the SSO is enabled, SAP Fieldglass will authenticate the users credentials (passwords) stored in SAP IAS and not credentials (passwords) stored in SAP Fieldglass. Therefore SAP Fieldglass business users will need to be created in SAP IAS.
- The below configuration considers the default setting of SAML Identity Location set to Subject
- Set the value for the attribute to use for authentication. In the example below, we are using Login Name, which will need to match the users username in SAP Fieldglass. NOTE: the attribute to use for authentication from SAP IAS can be configured as described above, if required.
- ensure the users setup in SAP IAS have the Login Name set and matching to the SAP Fieldglass Username
- navigate to Users & Authorizations -> User Management -> and specific user SAP IAS Login Name needs to match user SAP Fieldglass Username
SAP IAS User Profile:
SAP Fieldglass User Profile:
In case you are reading this line, you have successfully configured the Single Sign-On (SSO) between SAP Fieldglass as Service Provider (SP) and SAP IAS as Identity Provider (IdP)!
- To verify the status of the SAP Fieldglass SSO Setup follow one of the options below:
- Validate the SAP Fieldglass SSO via Configuration Manager
- Validate the SAP Fieldglass SSO by accessing the SAP Fieldglass URL in the browser
Validate the SAP Fieldglass SSO via Configuration Manager
Prerequisites:
- SAP Fieldglass user with Configuration Manager access
To review existing SAP Fieldglass SSO setup:
- enter the SAP Fieldglass tenant
- sign in with a user with Configuration Manager
- click on the Single Sign On tile
- check the SAP Fieldglass SSO configuration for Test or Production
Validate the SAP Fieldglass SSO by accessing the SAP Fieldglass URL in the browser
Validate the SAP Fieldglass SSO setup by accessing the SAP Fieldglass URL via browser - accessing the business user access URL (https://<environment>/SSOLogin?TARGET=company%3D<BuyerCode>)
SAP Fieldglass without SSO
Reaching below SAP Fieldglass Login screen means, SAP Fieldglass SSO is not setup for the user and SAP Fieldglass requires the user credentials to be entered as stored in SAP Fieldglass
SAP Fieldglass with SSO to SAP IAS
Reaching below SAP IAS Login screen means, SAP Fieldglass SSO is setup with SAP IAS (directly, without further identity federation) and SAP Fieldglass site requires the user credentials to be entered as stored in SAP IAS
SAP Fieldglass with SSO to External Identity Provider (Example Microsoft Entra ID below)
Reaching below Microsoft Entra ID Login screen means, SAP Fieldglass SSO is setup with Microsoft Entra ID and SAP Fieldglass site requires the user credentials to be entered as stored in SAP Microsoft Entra ID
Note: You can achieve the usage of Microsoft Entra ID for SAP Fieldglass SSO via direct configuration to Microsoft Entra ID or via Identity Federation setup of SAP IAS, in case of Identity Federation, SAP Fieldglass SSO is setup to SAP IAS and SAP IAS delegates all the authentication requests to Microsoft Entra ID. Because of this we might not be able to recognize whether the SAP Fieldglass SSO is setup directly with Microsoft Entra ID or via SAP IAS Identity Federation.
See as well:
| User | Count |
|---|---|
| 21 | |
| 18 | |
| 11 | |
| 9 | |
| 8 | |
| 8 | |
| 7 | |
| 7 | |
| 5 | |
| 5 |
