Technology Blog Posts by SAP
shusei_sekiya
Introduction

This blog post describes my experience in setting up an OpenID Connect (OIDC) connection between SAP Identity Authentication Service (IAS), part of SAP Cloud Identity Services, and an SAP S/4HANA ABAP system. The goal of this configuration was to enable secure user authentication for S/4HANA applications through IAS.

During my research through SAP Help resources (SAP S/4HANA Integration Scenario | SAP Help Portal), I noticed a lack of specific scenarios addressing this particular setup. Based on my experiments, I found that it is possible to implement an OIDC connection between SAP IAS and S/4HANA. In this post, I'll share the steps I followed and the results I obtained.

Please note that this content is based on my personal experience and testing. While I've made every effort to ensure accuracy, there may be aspects I've overlooked or misunderstood. I encourage readers to verify the information and adapt it to their specific environments. If you notice any inaccuracies or have additional insights, please feel free to share them in the comments.

Let's explore the process I used for this integration, keeping in mind that your mileage may vary depending on your specific system configuration and requirements.

OIDC (OpenID Connect) for ABAP Platform: Detailed Explanation

This section explains the OIDC concept on the ABAP Platform, following the SAP Help page OpenID Connect for the ABAP Platform | SAP Help Portal.

1. What is OIDC?

OpenID Connect (OIDC) is an open standard built on top of OAuth 2.0. OAuth 2.0 on its own only authorizes access to resources; OIDC adds an identity layer so that a client application can also verify who the user is, by means of a signed ID Token issued by the identity provider.

2. OIDC in ABAP Platform

OpenID Connect in the ABAP Platform is a browser-based authentication framework: it authenticates users of HTTP services exposed through the ICF. It does not cover SAP GUI logon; for that you need a different service (SAP Secure Login Service for SAP GUI).

3. Participants in OIDC Authentication

OIDC authentication primarily involves the following participants:

  • User: The individual accessing the S/4HANA system via a browser. The user initiates the access request to the system.
  • Relying Party (RP): The component within the SAP S/4HANA system, specifically the ICF (Internet Communication Framework) services, that receives requests from users and authenticates them with the OIDC protocol. In this scenario SAP S/4HANA acts as the Relying Party.
  • OpenID Provider (OP): The service that authenticates users and issues ID Tokens asserting the user's identity. In this scenario the SAP Identity Authentication Service (IAS) functions as the OpenID Provider.

4. OIDC Authentication Flow

Let's explore how these participants collaborate to authenticate a user between SAP IAS and S/4HANA(ABAP).

  1. User Accesses ICF Service: The user opens an S/4HANA service (the Relying Party, RP) in a web browser. Such services are exposed through the Internet Communication Framework (ICF) of the S/4HANA system.
  2. RP Redirects to OP: Because the request carries no valid session, S/4HANA redirects the browser to the SAP Identity Authentication Service (IAS), the OpenID Provider (OP), with an authentication request that names its client ID and its redirect URL.
  3. Authentication at OP: The user authenticates at IAS, by user name and password, multi-factor authentication or whatever other method the IAS tenant enforces.
  4. ID Token Issuance: After successful authentication IAS (OP) issues an ID Token, a signed JWT that carries the user's identity: the subject plus the user attributes configured in IAS.
  5. ID Token Sent to RP: In the interactive (authorization code) flow the browser is redirected to the S/4HANA redirect endpoint with a short-lived authorization code. S/4HANA then calls the IAS token endpoint directly, authenticating with its client ID and client secret, and receives the ID Token in the response; the token itself does not pass through the browser.
  6. RP Verifies ID Token: S/4HANA verifies the ID Token before trusting any claim in it: the signature against the public keys (JWKS) downloaded from IAS, the issuer against the configured issuer, the audience against its own client ID, and the expiry time.
  7. Access Granted to ICF Service: Once the token is verified, S/4HANA maps the configured claim to an ABAP user, creates a logon session and grants access to the requested service with that user's authorizations.
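The verification in step 6 is where the security of the whole flow rests, so it is worth seeing it in code. The Go program below is an added example, not code from SAP or from this post. It plays both sides offline: it generates an RSA key for a hypothetical OP, publishes it as the JWKS that <issuer>/oauth2/certs would serve, mints an RS256 ID token, and then runs the relying-party checks (pinned algorithm, key lookup by kid, signature, iss, aud, exp, nonce). The issuer URL, client ID, key ID, subject and nonce are made up. It also shows three tokens S/4HANA must refuse: one issued to a different IAS application, one replayed after expiry, and one whose subject was rewritten after signing.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Hypothetical relying-party settings as entered in SOIDC (not a real tenant or client).
const issuer, clientID = "https://example-tenant.accounts.ondemand.com", "4c1e2f00-example-client"
var b64 = base64.RawURLEncoding
type jwk struct{ Kty, Kid, N, E string } // the kty/kid/n/e members of one JWKS entry
type jwks struct{ Keys []jwk }
type claims struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub"`
	Aud   string `json:"aud"` // IAS sends a single string; a general RP must also accept a JSON array
	Exp   int64  `json:"exp"`
	Nonce string `json:"nonce"`
}

// OP side: the key material that <issuer>/oauth2/certs would serve.
func publishJWKS(pub *rsa.PublicKey, kid string) jwks {
	e := b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())
	return jwks{Keys: []jwk{{Kty: "RSA", Kid: kid, N: b64.EncodeToString(pub.N.Bytes()), E: e}}}
}

// OP side: sign the claims as an RS256 JWT under key id kid.
func mintToken(priv *rsa.PrivateKey, kid string, c claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil { panic(err) }
	return input + "." + b64.EncodeToString(sig)
}

// RP side: every check S/4HANA must pass before a single claim is trusted.
func verifyIDToken(token string, keys jwks, expectedNonce string, now time.Time) (*claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return nil, fmt.Errorf("malformed token") }
	hdrJSON, e1 := b64.DecodeString(parts[0])
	payload, e2 := b64.DecodeString(parts[1])
	sig, e3 := b64.DecodeString(parts[2])
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(hdrJSON, &hdr) != nil { return nil, fmt.Errorf("undecodable token") }
	if hdr.Alg != "RS256" { return nil, fmt.Errorf("rejected alg %q", hdr.Alg) } // header is attacker-controlled: pin the alg, never honour "none" or HMAC
	var pub *rsa.PublicKey // only a key present in the downloaded JWKS may verify, selected by kid
	for _, k := range keys.Keys {
		if k.Kid == hdr.Kid && k.Kty == "RSA" {
			n, _ := b64.DecodeString(k.N)
			e, _ := b64.DecodeString(k.E)
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if pub == nil { return nil, fmt.Errorf("no key with kid %q in JWKS", hdr.Kid) }
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil { return nil, fmt.Errorf("signature does not verify against the JWKS key") }
	var c claims
	if err := json.Unmarshal(payload, &c); err != nil { return nil, err }
	if c.Iss != issuer { return nil, fmt.Errorf("issuer mismatch: %s", c.Iss) }
	if c.Aud != clientID { return nil, fmt.Errorf("audience mismatch: token was issued for %s", c.Aud) }
	if !now.Before(time.Unix(c.Exp, 0)) { return nil, fmt.Errorf("token expired") }
	if c.Nonce != expectedNonce { return nil, fmt.Errorf("nonce mismatch: not from this login attempt") }
	return &c, nil
}

// scenario mints one good token and three bad ones; it returns the accepted subject and the rejection reasons.
func scenario() (string, []string) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	const kid, nonce = "key-2025-1", "n-8f3a"
	keys, now := publishJWKS(&priv.PublicKey, kid), time.Now()
	good := claims{Iss: issuer, Sub: "P000123", Aud: clientID, Exp: now.Add(5 * time.Minute).Unix(), Nonce: nonce}
	ok, err := verifyIDToken(mintToken(priv, kid, good), keys, nonce, now)
	if err != nil { panic(err) }
	otherApp, expired, forged := good, good, good
	otherApp.Aud = "some-other-client"         // genuine IAS token, but issued to a different application
	expired.Exp = now.Add(-time.Minute).Unix() // replayed after its lifetime
	forged.Sub = "DDIC"                        // payload rewritten after signing, original signature kept
	signed := strings.Split(mintToken(priv, kid, good), ".")
	forgedBody, _ := json.Marshal(forged)
	var rejected []string
	for _, tok := range []string{mintToken(priv, kid, otherApp), mintToken(priv, kid, expired),
		signed[0] + "." + b64.EncodeToString(forgedBody) + "." + signed[2]} {
		if _, err := verifyIDToken(tok, keys, nonce, now); err != nil { rejected = append(rejected, err.Error()) }
	}
	return ok.Sub, rejected
}

func main() { fmt.Println(scenario()) }
```

Run it with go run; main prints the accepted subject and the three rejection reasons. The audience check is what stops a token minted for another IAS application from logging on to S/4HANA, and the nonce is what ties the token to the browser session that started the login; both are cheap and both are skipped surprisingly often in hand-written relying parties.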

Set-up Steps

Prerequisites

Before you begin, ensure you have the following:

  • An active SAP IAS tenant.
  • An SAP S/4HANA ABAP system.
  • Administrative access to both systems.

Configuration Steps

1. Configure IAS Application

Create an application in your IAS tenant that represents the S/4HANA system.

  1. Open the IAS administration console (https://<tenanturl>/admin).

  2. Go to Applications & Resources > Applications and click "+Create".

  3. Create the new application configuration.

  4. Fill in the parameters:
    Type: SAP on-premise solution
    Protocol Type: OpenID Connect

  5. Configure the OpenID Connect settings of the application:
    Name: <whatever you want>
    Redirect URI: the URL of the S/4HANA redirect endpoint as the browser reaches it, either directly on the ABAP host or through the Web Dispatcher if one fronts the system. IAS compares this value exactly with the redirect_uri in the authentication request, so scheme, host, port and path must be identical to the Redirect URL you later enter in SOIDC.

  6. Retrieve the application information from SAP IAS:
    Go to Application APIs > Client Authentication > Client ID and note the Client ID.

  7. Add a secret:
    Navigate to Secrets > Add and keep the default settings. Copy the secret now and store it as you would a password; both values are needed on the S/4HANA side in a later step.
    Client ID: ~~~~
    Client Secret: ~~~~

  8. Change the Subject Name ID:
    Set the Primary Attribute to the attribute that uniquely identifies the user; it becomes the subject carried in the ID Token.
    Set the Fallback Attribute as an alternative if the Primary Attribute is unavailable.
    The attribute chosen here must correspond to the User Mapping Claim and mechanism configured later in SOIDC, otherwise the ABAP system cannot map the token to a user.


2. Activate Required ICF Services

Before setting up the OIDC issuer, check this prerequisite on the S/4HANA side.

  1. Open transaction SICF.

  2. Ensure the necessary ICF services are active: navigate to /default_host/sap/public/bc/sec/oidc/.

  3. If a node's text is grayed out, that ICF service is inactive. Activate redirect, logout and logoutbc.

  4. Verify the three ICF services: redirect, logout and logoutbc must all be active. Activate just these nodes rather than the whole /sap/public subtree; every active node under /sap/public is reachable without a logon.


3. Configure OpenID Connect in S/4HANA

The following steps follow the SAP Help page Using OpenID Connect | SAP Help Portal.

  1. Execute transaction SOIDC.

  2. Define the IAS tenant as the issuer:
    Click the create icon and enter the IAS tenant URL as the issuer.
    URL: <IAS tenant>

  3. Enter the issuer configuration details:
    Issuer: the tenant URL without a trailing slash (e.g., https://<tenant_ID>.accounts.ondemand.com). It must equal the iss claim IAS writes into the ID Token, which is compared as an exact string.
    Client ID: the Client ID obtained in step 6 of section 1.
    User Mapping Claim: the claim in the ID Token that identifies the user.
    User Mapping Mechanism: how the ABAP user is looked up from that claim (for example by the e-mail address maintained in SU01).
    JWKS Download URL: <Issuer>/oauth2/certs (e.g., https://<tenant_ID>.accounts.ondemand.com/oauth2/certs). The ABAP system downloads the IAS signing keys from here; this is an outbound HTTPS call, so the IAS server certificate chain must be trusted in STRUST.

  4. Enable the local proxy settings (only needed where the ABAP system reaches the internet through an HTTP proxy, for example a private cloud or RISE landscape on AWS):
    Check "Use Local Proxy".
    Proxy Host: proxy
    Proxy Port: 3XXX (ask your Basis administrator)
    Save the settings.

  5. Import keys from the provider:
    This downloads the JSON Web Key Set (JWKS) and stores the public keys used to verify ID Token signatures. Only keys stored here are accepted when a token is verified.

  6. Enter the OpenID Connect mode configuration:
    Select "Interactive" for browser-based authentication.

    Authorization Endpoint URL: the authorization endpoint of the OpenID Provider
    (e.g., https://<tenant_ID>.accounts.ondemand.com/oauth2/authorize)

    Token Endpoint URL: the token endpoint of the OpenID Provider; the ABAP system calls it server-to-server with the client secret to exchange the authorization code for the ID Token
    (e.g., https://<tenant_ID>.accounts.ondemand.com/oauth2/token)

    Redirect URL: the URL to which the OpenID Provider redirects the browser after authentication. It must be character for character the same as the Redirect URI registered in the IAS application in step 5 of section 1.

  7. Enter the client secret obtained in step 7 of section 1.

  8. Perform a simple configuration check:
    Click the icon labeled "Check OIDC Configuration" and make sure no warnings are reported.

  9. Set the default interactive configuration:
    Click "Set Default Interactive Configuration" to make this the interactive OIDC configuration for the whole system. If several configurations exist, this is where you choose which one is the system-wide default.

  10. Verify the user in SU01: the user must exist, and the field the user mapping mechanism reads (for example the e-mail address) must be filled and match the value IAS sends; otherwise the login fails even though the token is valid.
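Before relying on the built-in check in step 8, it helps to know what kind of mistakes cause most failed logins. The Go program below is an added example, not SAP's check and not code from this post: it lints a hypothetical SOIDC configuration for an issuer with a trailing slash, endpoints that are not https or not on the tenant host, a redirect URL that does not point at the /sap/public/bc/sec/oidc/redirect ICF service, and a missing client secret. All hostnames, ports and the client ID are made up; the expected endpoint paths are the ones given in steps 3 and 6 above.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// oidcConfig mirrors the fields entered in SOIDC. The values used below are hypothetical.
type oidcConfig struct {
	Issuer, ClientID, ClientSecret               string
	JWKSURL, AuthorizeURL, TokenURL, RedirectURL string
}

// findings lists the inconsistencies a pre-flight check would flag; an empty result means the configuration is consistent.
func findings(c oidcConfig) []string {
	var out []string
	add := func(s string) { out = append(out, s) }
	iss, err := url.Parse(c.Issuer)
	if err != nil || iss.Scheme != "https" || iss.Host == "" {
		return []string{"Issuer must be an absolute https URL"}
	}
	if strings.HasSuffix(iss.Path, "/") {
		add("Issuer ends with '/'; the iss claim is compared as an exact string, so every token will be rejected")
	}
	// The three IAS endpoints live on the tenant host under fixed paths (section 3, steps 3 and 6).
	endpoint := func(name, raw, wantPath string) {
		u, err := url.Parse(raw)
		switch {
		case err != nil || u.Host == "":
			add(name + " is not an absolute URL")
		case u.Scheme != "https":
			add(name + " is not https; the authorization code and client secret would travel in clear text")
		case u.Host != iss.Host:
			add(name + " host " + u.Host + " differs from the issuer host " + iss.Host)
		case u.Path != wantPath:
			add(name + " path should be " + wantPath)
		}
	}
	endpoint("JWKS Download URL", c.JWKSURL, "/oauth2/certs")
	endpoint("Authorization Endpoint URL", c.AuthorizeURL, "/oauth2/authorize")
	endpoint("Token Endpoint URL", c.TokenURL, "/oauth2/token")
	// The redirect target is the ICF service activated in section 2, reached on the S/4HANA host or its Web Dispatcher.
	r, err := url.Parse(c.RedirectURL)
	switch {
	case err != nil || r.Host == "":
		add("Redirect URL is not an absolute URL")
	case r.Scheme != "https":
		add("Redirect URL is not https")
	case r.Host == iss.Host:
		add("Redirect URL points at the IAS host instead of the S/4HANA system")
	case r.Path != "/sap/public/bc/sec/oidc/redirect":
		add("Redirect URL must end in /sap/public/bc/sec/oidc/redirect, the ICF service activated in SICF")
	}
	if strings.TrimSpace(c.ClientID) == "" {
		add("Client ID is empty")
	}
	if strings.TrimSpace(c.ClientSecret) == "" {
		add("Client Secret is empty; the token endpoint will refuse the code exchange")
	}
	return out
}

// weakConfig is a deliberately inconsistent configuration; goodConfig is the corrected one.
func weakConfig() oidcConfig {
	return oidcConfig{
		Issuer:       "https://example-tenant.accounts.ondemand.com/",
		ClientID:     "4c1e2f00-example-client",
		ClientSecret: "",
		JWKSURL:      "https://keys.example.org/oauth2/certs",
		AuthorizeURL: "https://example-tenant.accounts.ondemand.com/oauth2/authorize",
		TokenURL:     "http://example-tenant.accounts.ondemand.com/oauth2/token",
		RedirectURL:  "https://s4h.internal.example:44300/sap/bc/ui2/flp",
	}
}

func goodConfig() oidcConfig {
	c := weakConfig()
	c.Issuer = "https://example-tenant.accounts.ondemand.com"
	c.ClientSecret = "<secret from the IAS application>"
	c.JWKSURL = c.Issuer + "/oauth2/certs"
	c.TokenURL = c.Issuer + "/oauth2/token"
	c.RedirectURL = "https://s4h.internal.example:44300/sap/public/bc/sec/oidc/redirect"
	return c
}

func main() {
	for _, f := range findings(weakConfig()) {
		fmt.Println("-", f)
	}
	fmt.Println("findings for the corrected configuration:", len(findings(goodConfig())))
}
```

The weak configuration produces five findings and the corrected one none. The checks are deliberately stricter than "does it parse": a token endpoint over plain http or a JWKS URL on a host other than the tenant are exactly the settings an attacker would want you to accept, since they let a forged key set or an intercepted client secret into the flow.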

4. Testing the OIDC Connection

  1. Access a Protected Resource

    Open a fresh (private) browser session, so that an existing ABAP session cookie or IAS session does not mask the redirect, and access an S/4HANA application or service that requires authentication through IAS. This could be your Fiori Launchpad.
    ex. URL: https://~~~~.devint.net.sap:44345/sap/bc/ui2/flp

  2. Observe the Authentication Flow

    You should be redirected to the IAS login page. After successful authentication, IAS redirects the browser to the Redirect URL, the ABAP system exchanges the authorization code for the ID Token, and you land in the application logged on as the mapped ABAP user.

Troubleshooting

  • Review Error Logs:
    Check transaction ST22 in S/4HANA for runtime errors related to OIDC authentication. ST22 only shows dumps; a rejected logon is usually recorded in the security audit log (SM20) and, for redirect or TLS problems, in the ICM trace (SMICM).
  • Verify Configurations:
    Double-check all configuration details in both IAS and S/4HANA to ensure consistency. Pay close attention to URLs (the redirect URL must match exactly on both sides), client IDs and client secrets.
