ondrej_pandoscak
Product and Topic Expert

Table of Contents:

  • Setup SAP IAS Identity Provider Proxy (IdP Proxy) as Identity Provider (IdP) for SAP Ariba
  • SAP IAS Identity Provider Proxy (IdP Proxy) SAML Metadata Retrieval
  • Setup in Corporate IdP
  • Corporate Identity Provider (Corporate IdP) Metadata Retrieval
  • Setup SAP IAS Identity Provider Proxy (IdP Proxy) Identity Federation to Corporate Identity Provider (Corporate IdP)
  • Federate SAP IAS Identity Provider Proxy (IdP Proxy) Application to Corporate Identity Provider (Corporate IdP)
    • Conditional Authentication
    • Subject Name Identifier
    • Attributes


Setup SAP IAS Identity Provider Proxy (IdP Proxy) as Identity Provider (IdP) for SAP Ariba

SAP IAS Identity Provider Proxy (IdP Proxy) Identity Federation is an extension of the Identity Provider (IdP) configuration itself. Therefore, Single Sign-On (SSO) for SAP Ariba acting as Service Provider (SP) first needs to be set up with SAP IAS Identity Provider Proxy (IdP Proxy) as Identity Provider (IdP), as per the configuration described in the blog Configuration: SAP Ariba SSO with SAP Cloud Identity Services - Identity Authentication.

SAP IAS Identity Provider Proxy (IdP Proxy) SAML Metadata Retrieval

To retrieve the SAML Metadata from SAP IAS:

  • enter the below SAP IAS URL into the browser:
    https://<SAP IAS tenant  id>.accounts.ondemand.com/saml2/metadata?action=download
  • store the downloaded SAP IAS Metadata File

Setup in Corporate IdP

A setup in the Corporate IdP system is required for the identity federation between SAP IAS Identity Provider Proxy (IdP Proxy) and Corporate Identity Provider (Corporate IdP) to work.

As this setup is specific to the Corporate IdP, it is not covered in this blog.
The following needs to be set up on the Corporate IdP side:

  • a Service Provider representing SAP IAS Identity Provider Proxy (IdP Proxy) needs to be created
  • the SAP IAS Identity Provider Proxy (IdP Proxy) configuration needs to be set up by uploading its metadata
  • definition of the Subject Name Identifier to be used for the Service Provider out of the Corporate IdP User Properties
  • definition of the Attributes to be used for the Service Provider out of the Corporate IdP User Properties

For details on a specific Corporate IdP setup, e.g. Microsoft Entra ID, see Configure Microsoft Entra ID and the Microsoft Tutorial.

Note: Although there is no restriction on the names of the Attributes passed from the Corporate IdP, it is recommended to use the SAP IAS default attribute names (e.g. first_name, last_name, ...).
For more details see Configuring User Attributes from the Identity Directory.

Corporate Identity Provider (Corporate IdP) Metadata Retrieval

Once the Corporate Identity Provider (Corporate IdP) SAML configuration towards SAP IAS (referenced above) is performed, download the Corporate Identity Provider (Corporate IdP) Metadata File.

In case of Microsoft Entra ID, follow step 9 of the Microsoft Tutorial to download the Corporate Identity Provider (Corporate IdP) Metadata File as Federation Metadata XML.

[Screenshot: Federation Metadata XML download]
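Both metadata files exchanged in the two chapters above (the SAP IAS metadata uploaded into the Corporate IdP, and the Corporate IdP Federation Metadata XML uploaded into SAP IAS) define the trust, so it is worth checking what a file declares before uploading it. The following Python script is an added example, not part of this blog or of SAP IAS: it parses a constructed sample IdP metadata document (made-up entityID, placeholder certificate bytes) and reports the entityID, the Single Sign-On endpoints, SHA-256 fingerprints of the signing certificates (to compare with what the Corporate IdP console shows) and findings such as a non-HTTPS endpoint.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample IdP metadata: made-up entityID, placeholder certificate bytes.
SAMPLE_METADATA = b"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml2">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>AAECAwQFBgcICQoLDA0ODw==</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://idp.example.test/saml2/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="http://idp.example.test/saml2/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def inspect_metadata(xml_bytes):
    """Summarise a SAML 2.0 metadata file and flag what an admin should double-check."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    report = {"entity_id": root.get("entityID"), "roles": [], "sso": {},
              "signing_fingerprints": [], "findings": []}
    # Which side the file describes: an IdP file is expected from the Corporate IdP.
    for role in ("IDPSSODescriptor", "SPSSODescriptor"):
        if root.find("md:" + role, NS) is not None:
            report["roles"].append(role)
    for svc in root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS):
        binding = svc.get("Binding").rsplit(":", 1)[-1]  # HTTP-Redirect / HTTP-POST
        location = svc.get("Location", "")
        report["sso"][binding] = location
        if not location.startswith("https://"):
            report["findings"].append("%s SSO endpoint is not HTTPS" % binding)
    for key in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if key.get("use", "signing") != "signing":  # no 'use' means signing and encryption
            continue
        for cert in key.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))  # drop line wrapping
            digest = hashlib.sha256(der).hexdigest().upper()
            report["signing_fingerprints"].append(
                ":".join(digest[i:i + 2] for i in range(0, len(digest), 2)))
    if "IDPSSODescriptor" in report["roles"] and not report["signing_fingerprints"]:
        report["findings"].append("IdP metadata carries no signing certificate")
    return report
```

Run it against the real downloaded file with `inspect_metadata(open("metadata.xml", "rb").read())`; the fingerprints should match the certificate shown in the Corporate IdP console, and the findings list should be empty.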

Setup SAP IAS Identity Provider Proxy (IdP Proxy) Identity Federation to Corporate Identity Provider (Corporate IdP)

To set up the Identity Federation from SAP IAS Identity Provider Proxy (IdP Proxy) to the Corporate Identity Provider (Corporate IdP):

  • enter the SAP IAS Administration Console via https://<SAP IAS tenant  id>.accounts.ondemand.com/admin
  • navigate to Application & Resources -> Identity Providers -> Corporate Identity Providers -> [Create]

[Screenshot: Corporate Identity Providers -> Create]

  • enter the Display Name and choose the Identity Provider Type

[Screenshot: Display Name and Identity Provider Type]

  • navigate to SAML 2.0 Configuration -> [Browse...] and upload the Corporate Identity Provider (Corporate IdP) Metadata File

[Screenshot: SAML 2.0 Configuration - metadata upload]

  • the SAML 2.0 configuration is pre-set from the uploaded Corporate Identity Provider (Corporate IdP) Metadata File
  • navigate to Identity Federation -> choose the User Store configuration as per your business requirements
    • Use Identity Authentication user store
      • If disabled - the SAP IAS Application will use the Subject Name Identifier and Attributes as passed from the Corporate IdP
      • If enabled - the SAP IAS Application will use the Subject Name Identifier and Attributes mappings as defined in the SAP IAS Application configuration
    • Allow Identity Authentication users only
      • If enabled - SAP IAS Application authentication will succeed only if the users authenticated by the Corporate IdP exist in the SAP IAS User Store as well
        Note: When this option is enabled, users need to exist in SAP IAS, and user provisioning is therefore required.
    • Apply Application Configurations
      • If enabled - the SAP IAS Application custom authentication configurations will be applied (e.g. Risk-Based Authentication, which allows access only for Users assigned to specific Groups)

[Screenshot: Identity Federation settings]

  • hit [Save]

Federate SAP IAS Identity Provider Proxy (IdP Proxy) Application to Corporate Identity Provider (Corporate IdP)

Once the Identity Federation between SAP IAS Identity Provider Proxy (IdP Proxy) and Corporate Identity Provider (Corporate IdP) is established, the Application representing the SAP Ariba Service Provider (SP) in SAP IAS Identity Provider Proxy needs to be set up to federate to this Corporate Identity Provider (Corporate IdP).

To establish the federation from your SAP IAS Identity Provider Proxy to the Corporate IdP for a given SAP IAS Application, you will need to configure the Conditional Authentication, Subject Name Identifier and Attributes of the SAP IAS Application to be federated.

Note: In case of a Corporate IdP, the Subject Name Identifier and Attributes configurations in the SAP IAS Application are considered only when the Use Identity Authentication user store option is enabled in the Identity Federation section of the Corporate IdP configuration.

Follow the steps below for each SAP IAS Application that shall federate the identity to the Corporate IdP (e.g. the SAP Ariba Service Provider (SP) Application which was created as part of the first chapter of this blog, referencing the steps in Configuration: SAP Ariba SSO with SAP Cloud Identity Services - Identity Authentication).

Corporate IdP Federation - Conditional Authentication

  • navigate to Application & Resources -> Application -> application representing SAP Ariba, e.g. Ariba Tenant: <SAP Ariba tenant id> -> Conditional Authentication -> choose the Corporate Identity Provider (Corporate IdP) name

[Screenshot: Conditional Authentication - Corporate IdP selection]

  • hit [Save]

Note: Consider defining various Authentication Rules as per the business needs in case the identity federation shall not always be done by default, but rather conditionally. For more details see Authenticating Identity Provider for an Application.

Corporate IdP Federation - Subject Name Identifier

Note: In case of a Corporate IdP, the Subject Name Identifier and Attributes configurations in the SAP IAS Application are considered only when the Use Identity Authentication user store option is enabled in the Identity Federation section of the Corporate IdP configuration.

  • navigate to Application & Resources -> Application -> application representing SAP Ariba, e.g. Ariba Tenant: <SAP Ariba tenant id> -> Subject Name Identifier -> as the Primary Attribute, choose the name of the Attribute sent from the Corporate IdP whose value is to be used as Subject Name Identifier
  • keep the Fallback Attribute configuration for the scenario without Corporate IdP, where the Subject Name Identifier is taken from a user property of the SAP IAS User Store

[Screenshot: Subject Name Identifier - Primary and Fallback Attribute]

Note: In the example configuration from the screen above, the expectation is that the Corporate IdP is set up to pass the user identifier in the value of the Attribute with the name SubjectNameIdentifier.

Corporate IdP Federation - Attributes

Note: In case of a Corporate IdP, the Subject Name Identifier and Attributes configurations in the SAP IAS Application are considered only when the Use Identity Authentication user store option is enabled in the Identity Federation section of the Corporate IdP configuration.

  • navigate to Application & Resources -> Application -> application representing SAP Ariba, e.g. Ariba Tenant: <SAP Ariba tenant id> -> Attributes -> assign the name of the Attribute sent from the Corporate IdP that matches the Attribute name defined in the SAP IAS Application

[Screenshot: Attributes mapping]

Note: In the example configuration from the screen above, the expectation is that the Corporate IdP is set up to pass the user properties in the values of the Attributes with the names first_name, last_name, mail and user_uuid.
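If the federated login does not behave as expected after the Subject Name Identifier and Attributes configuration above, one thing to verify is whether the Corporate IdP actually sends the attribute names the SAP IAS Application is configured for. The following Python snippet is an added example, not part of this blog or of SAP IAS: it parses a constructed sample assertion (made-up issuer and user, as it would be captured with a browser SAML tracer) and compares the attribute names against SubjectNameIdentifier and the default names first_name, last_name, mail and user_uuid used in the screens above.

```python
import xml.etree.ElementTree as ET

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names the SAP IAS Application is configured to expect in the screens above.
SUBJECT_ATTRIBUTE = "SubjectNameIdentifier"
EXPECTED_ATTRIBUTES = ["first_name", "last_name", "mail", "user_uuid"]

# Constructed sample assertion (made-up issuer and user). user_uuid is deliberately
# absent and 'givenname' stands for an IdP-default attribute name that was not renamed.
SAMPLE_ASSERTION = b"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_constructed-1" Version="2.0" IssueInstant="2024-07-10T08:00:00Z">
  <saml:Issuer>https://idp.example.test/saml2</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe@example.test</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="SubjectNameIdentifier"><saml:AttributeValue>jdoe@example.test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="first_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="last_name"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="givenname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def check_assertion(xml_bytes, expected=EXPECTED_ATTRIBUTES, subject_attribute=SUBJECT_ATTRIBUTE):
    """Compare the attributes a Corporate IdP actually sent with the configured names."""
    root = ET.fromstring(xml_bytes)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", SAML)]
    subject_values = attrs.get(subject_attribute, [])
    findings = []
    if len(subject_values) != 1:  # the Primary Attribute must carry exactly one identifier
        findings.append("%s must be sent exactly once, got %d" % (subject_attribute, len(subject_values)))
    for name in sorted(set(expected) - set(attrs)):
        findings.append("expected attribute %s not sent" % name)
    for name in sorted(set(attrs) - set(expected) - {subject_attribute}):
        findings.append("attribute %s is sent but not mapped in the SAP IAS Application" % name)
    return {
        "name_id": root.findtext(".//saml:Subject/saml:NameID", namespaces=SAML),
        "subject": subject_values[0] if subject_values else None,
        "attributes": attrs,
        "findings": findings,
    }
```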

If you are reading this line, you have successfully configured Single Sign-On (SSO) between SAP Ariba as Service Provider (SP) and SAP IAS as Identity Provider Proxy (IdP Proxy) with Identity Federation to the Corporate Identity Provider (Corporate IdP)!
