Hello @MartinRaepple,

Thank you for the guide. I tried setting it up, but I'm getting an Access Denied error when trying to access BAS. I think the attributes from Azure are not being accurately sent to SAP BTP.

Are my settings in IAS correct?

Here’s what I have:

• Application Settings:
• Subject Name Identifier: Corporate Identity Provider -> ${corporateIdP.mail}
• Default Name ID Format: Email
• Attributes: Corporate Identity Provider -> ${corporateIdP.mail}, ${corporateIdP.groups}, ${corporateIdP.givenName}
• Corporate Identity Provider Settings:
• Subject Name Identifier: Email
• Subject Name Identifier: Use Identity Authentication user store=OFF, Allow Identity Authentication users only=OFF

Also, Shadow User is enabled in SAP BTP.

In SAP BTP, the users appear like this

this-default-was-not-configured.invalid

Could you please advise me on what might be causing the issue?

Many Thanks

Well detailed , Thanks for putting this together.

Hi @tskwin ,

I checked my settings im IAS and they are as follows:

Application Settings of the BTP subaccount:

• Subject name identifier: Identity Directory, Email
• Attributes: email, email_verified, family_name, given_name, user_uuid -> all sourced from Identity Directory, only groups comes from the corporate IDP as described in the blog

Corporate Identity Provider:

• Subject name identifier: None (sub claim is the identifier)

I created a fresh BTP trial account and IAS trial tenant for this tutorial and did not change any of the default settings for the subject name identifiers and attributes. Only the groups attribute is added as described.

You may also want to go this path, or change your settings accordingly. Let us know if it works.

Best regards

Martin

Thank you for your post I do believe this is open for discussion regarding specific use cases.  I look forward to discussing further.

Great post @MartinRaepple, thanks therefore 🙂

@MartinRaepple Great guide, and looking forward for the upcoming ones. Especially looking for the "deeper" integration which also populates SAP Cloud Identity's identity directory, in line with our strategic direction (see CIO guide).

A detail: I see you only add OIDC scope "offline_access" to the trust between IAS and Entra. I suggest adding the standard OIDC scopes "profile" and "email", to make sure BTP gets the typical user attributes in the standard token claims.

@MartinRaepple  Hi, is it possible to use SAML between IAS and EntraID and OIDC between IAS and BTP? 

@sam_venkat Yes, IAS handles the "protocol translation". Yet for curiosity: Why do you prefer SAML (between IAS and Entra)?

@H_Ettelbrueck Thanks. It is not a preference thing but trying to minimize number of changes as we are operating this way for several years now. Is it easy to transition from SAML to OIDC for the setup between Entra and IAS?  Would it mpact the various BTP, SaaS applications that use IAS as a proxy?

@sam_venkat Regarding switching the protocol, please check https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/switch-protocols-for-corpo.... My personal impression: It's definitely doable, yet it's a very sensitive change as it affects all applications connected to IAS in a fundamental way (=> if broken, it's effectively an outage).

With an existing tenant already integrated with Entra and already used with some applications, I don't see a strong urgency to switch immediately. Just keep in mind every new application increases the hurdle to switch later, but that might be ok. With a new tenant, or no existing integration with Entra yet, I'd rather start immediately with OIDC.

@H_Ettelbrueck  Thanks for the suggestions.

Hi @MartinRaepple and @H_Ettelbrueck,

As I understand it,  OIDC is recommended for the setup between IAS and cloud applications. What protocol would you recommend for the integration between Entra ID and IAS?

Many Thanks

@tskwin For most SAP scenarios, I think it's up to your personal preference for either SAML or OIDC. I just tend towards OIDC for two reasons:

• There are a few SAP scenarios which require OIDC between IAS and Entra ID. Usually this is about principal propagation between MS and SAP "worlds", which works best when just exchanging OAuth/OIDC tokens. From that perspective, OIDC has an advantage over SAML because it covers something that SAML doesn't.
• Afaik, but without deeper insights, my understanding is that Entra ID supports some features only with OIDC. @MartinRaepple Can you shed some more light on this?

First off, great article and I was able to get it to work with an SAP Trial Account and MS Entra Trial Account with Id Governance trial.

One issue was Step 20. For some reason in both Chrome and Edge the Download of the Signing Certificate didn't work. I had to view the Certificate, Copy the Certificate Information and paste that into a text file. Then add the BEGIN and END certificate lines to the first and last line. That imported into Entra just fine. 

I had played a bit with CIS before starting this article and had created my own groups in CIS. That causes the groups attribute to already exist. I ended up having to delete the attribute, then add it back in with both Corporate ID and Identity Directory entries. 

Thank you for a great article!

@sam_venkat : Yes, you could also configure IAS as a SAML proxy to Entra ID, and add the groups attribute to the SAML assertion issued by Entra ID. Please find more details here.

Thank you for testing the scenario and your feedback @Brian_Stempien!

I've checked step 20 and now also saw the same issues with the Download button for all common web browsers (Edge, Chrome, Firefox). So I've added your workaround to the description of this step. Thanks for making us aware.

@H_Ettelbrueck : Can you possibly check if there is an issue with the Download of the OIDC signing cert? I remember 3 weeks ago the download worked. 

Hi @MartinRaepple,

Thank you very much for your response/support. Can you please explain how the user attribute transfer (under OpenID) works?

How are user attributes transferred to SAP BTP under OpenID (user is not present in IAS)?

I have defined attributes in IAS like this

 but when I log into SAP BTP, it looks like this:

Do the attributes need to be assigned to the app in Azure?

I don't understand how attributes are transferred under OpenID. Where should the attributes be maintained?

How can I transfer for exymple attributes like employee_id?

Many Thanks

Best Regards

@tskwin

I have added the claims "family_name" en "given_name" in Entra app registration for SAP Cloud Identity Services. 

And requested in addition to what is mentioned in the blog the following scopes in the Corporate Identity Provider "email" and "profile":

Hope this helps...

Regards,

Guido

@MartinRaepple  Yes, the download button is not working, it just adds the error "Uncaught TypeError: this.onDownloadButtonPressed is not a function" to the dev console. 

So I manually downloaded the OpenID certificate in step 20 and uploaded it to Entra ID. However during the verification (step 34-36) I got the error: Failed to receive tokens from URI [https://login.microsoftonline.com/xyz/oauth2/v2.0/token]. Received response error [401 Unauthorized: "{"error":"invalid_client","error_description":"AADSTS700027: The certificate with identifier used to sign the client assertion is not registered on application. [Reason - The key was not found., Thumbprint of key used by client: 'A42...E9',

I found that the signing certificate under "SAML 2.0 Configuration" in the IAS is the one used for this request. When I download this from the IAS SAML 2.0 Configuration and upload it to the Entra ID App registration then the validation is working fine. 

@H_Ettelbrueck Why is the IAS using the SAML certificate to sign the client assertion? 

UPDATE: Just verified this with a third tenant: It looks like upon creation the same certificate is added to the saml and openID section, so you do not notice a problem. When you renew the OpenID certificate, it differs from the SAML one, however IAS will use the SAML certificate to sign the OpenID requests. To verify this, you can recreate the OpenID certificate. Then delete the old one in Entra ID and upload the new one and it should not be working anymore. 

I connected two IAS tenants to the same Entra ID with OpenID Connect (two App registrations). On one of them it is working (despite the strange certificate thing I wrote about before), on the other one I get the message "Invalid JWT." during the validation. When I check the json under Raw Response in "Step 2 - Token" and compare it with the working one, they look almost identical, of course some IDs are different.

So I don't know why the one JWT should be invalid. There is nothing in the Troubleshooting Logs, is there any other way to check why the JWT is invalid? 

How to bring in SAP GRC Access Control User access requesting with Entra ID, so that we can send the request to SAP GRC AC for SoD checks.

for this scenario, we also may need to bring in BRM defined business roles to Entra ID, so that provisioning scenario can check SoDs in GRC. 

Hi @MartinRaepple,

Thanks a lot for this great post and detailed step-by-step guide!

How will this work with the new Authorization Management Service that SAP "generally recommends for newly built applications" (https://community.sap.com/t5/technology-blogs-by-sap/authorization-management-service-in-sap-cloud-i...) and that requires users to be replicated to the Identity Directory Service? 
I guess this is also what @H_Ettelbrueck mentioned with "especially looking for the "deeper" integration which also populates SAP Cloud Identity's identity directory, in line with our strategic direction."
Is this already planned to be released in the near future or when is this expected to work? Currently, it seems to me like two approaches that unfortunately do not fit together (yet?).

Thanks a lot for the clarification,
Nico

Hello Experts

@MartinRaepple, @Guido_Jacobs @H_Ettelbrueck  - Many Thanks for support.

I have completed the configuration with ODIC. It works. Thank you for the guide.

I have one question: When users log in to SAP BTP, the email address is populated in the "User Name" field. How can I populate a different attribute, such as UPN from Azure, into the "User Name" field in BTP?

Many Thanks

Best Regards

Thank you.

@ncktz Picking up your point:

How will this work with the new Authorization Management Service that SAP "generally recommends for newly built applications" (https://community.sap.com/t5/technology-blogs-by-sap/authorization-management-service-in-sap-cloud-i...) and that requires users to be replicated to the Identity Directory Service? 
I guess this is also what @H_Ettelbrueck mentioned with "especially looking for the "deeper" integration which also populates SAP Cloud Identity's identity directory, in line with our strategic direction."
Is this already planned to be released in the near future or when is this expected to work? Currently, it seems to me like two approaches that unfortunately do not fit together (yet?).

I assume your point is: This blog "only" describes the federation approach, where users and their assignments are only stored in Entra ID, and IAS acts as pure proxy, propagating the information received from Entra ID to BTP. This works for "traditional" BTP applications that use the SAP Authorization and Trust Management service (XSUAA) which supports this federation approach, and not for newer applications which natively use SAP Cloud Identity service and specifically its Authorization Management service. That's because the latter requires users to exist in the Identity Directory of Cloud Identity, and assignments being stored there, too.

My answer is twofold then:

• The federation approach is also planned for the Authorization Management service, since heading for feature parity (+ some advantages, of course). See the following roadmap entry: https://roadmaps.sap.com/board?PRODUCT=73555000100800000287&range=CURRENT-LAST#Q1%202025;INNO=15836D...
• Strategically, I definitely recommend to still populate the Identity Directory with all relevant users, because there's a growing amount of applications and scenarios that require this data to be available for different reasons. In general, our vision for SAP Cloud Identity services is to become a central integration hub for IAM between your corporate IAM and the whole SAP cloud landscape, and handle the integration between Cloud Identity and the applications more and more by SAP ("SAP-managed" setup). That means, it's not about establishing yet another target for your user provisioning, but to reduce the whole number you have today by ideally just a single one, namely your Cloud Identity tenant.

@MartinRaepple Seems like we should also describe this "provisioning" case, replicating original users, groups, and assignments, from Entra ID to the Identity Directory 😉

Hello everyone,

@MartinRaeppleThanks again for this blog!

I have two questions:

1. Question: In IAS, I have set the "Subject Name Identifier=Corporate Identity Provider=email". However, I cannot log in to BAS using my email address, only with the UPN. If I set the Subject Name Identifier=Corporate Identity Provider=upn", I get the error message "Configuration Error". Why can't I log in using my email address?

2. Question: I have deleted all attributes for the BTP application in IAS and left only Group=Corporate Identity Provider=${corporateIdP.groups}. In Azure, under "App Registration / My App / Token Configuration / Optional Claims", I have defined the attributes family_name, given_name, groups, email, and upn. @Guido_Jacobs thanks for the tip! These attributes are then transferred to BTP. If I delete these attributes in Azure, no attributes are transferred to BTP.  So, does it not matter which attributes are defined for IAS/Bundled Applications (ODIC)? Are only the attributes defined in Azure transferred?

Many Thanks

Best regards

@ncktz, @H_Ettelbrueck ,

good news 😉: Just finished part II of this blog post series which covers user provisioning in a hybrid scenario using Entra Cloud Sync, Entra ID Governance, SAP Cloud Identity Service Provisioning Service, & SAP Cloud Connector.

Hope you enjoy it and please let me know if you have any questions/comments/suggestions for improvements etc.

@MartinRaepple @H_Ettelbrueck Hi, trying to set up a new IAS tenant with OIDC integration with Entra ID following this blog.  In IAS Admin Console, Application > System Applications > Administration Console shows "Protocol Type: SAML2.0".    How to change it to OIDC?

This setting is only for the authentication between IAS and the Admin interface and I don't think you can change this as it is a system application. 

For the OIDC integrations between IAS and Entra ID you have to go to Identity Providers > Corporate Identity Providers and create your Entra ID provider here with Type OIDC like Martin showed above from step 8 on. 

This setting is only for the authentication between IAS and the Admin interface and I don't think you can change this as it is a system application.

Or to put it more clearly: There's not even a need to change the protocol for this application. The protocol is chosen separately for each application and each corporate IdP, and IAS "translates" between them as required.

@H_Ettelbrueck Following this blog we set up  authentication as follows: 

Entra ID - (OIDC)- IAS - (OIDC) - App.    This set up works .  

But for Admin Console are you suggesting  to configure Entra ID - (SAML) - IAS admin console system application in IAS?  Is it possible to have both OIDC and SAML against the same EntraID Enterprise App registration? 

@sam_venkat There is no direct integration between Entra ID and the IAS admin console (system application). It's rather:

Entra ID - (any protocol, SAML or OIDC) - IAS - (SAML) - IAS admin console system app

Or generically, since the admin console is just like all the other applications in this regard:

Entra ID - (protocol chosen by customer) - IAS - (protocol chosen by app) - application

So no need to integrate IAS and Entra ID twice with two different protocols. Just once, with whatever protocol you prefer.

The good thing about SAML is that you can use "Allow users stored in Identity Authentication service to log on" option when the protocol between IAS and the application is SAML and you have configured the corporate provider to be used by default but not all app users have a user there. With OIDC this is not possible according to the documentation. 

@markus_fugger_de In general, IAS has a similar feature also with OIDC, just not IdP-initiated, but SP-initiated. In any case, the user gets a URL which contains two pieces of information: The targeted application and the desired (corporate) IdP. This just works a bit differently with OIDC.

More concretely: You open an OIDC application by its URL, and this URL contains the desired corporate IdP. The application propagates this information to IAS, which then routes you to the respective corporate IdP (resp. authenticates you locally at IAS).

IAS documentation: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/create-url-to-access-saml-...

Currently there's still the challenge that adoption by applications is quite low. Yet, as a positive example, SAP approuter already supports it, so you can use it in custom BTP applications.

Hello @H_Ettelbrueck , 

Thanks for your reply!

Yes, I know this parameter, but does it really offer the same functionality? I know you can control which one of the identity provider in the BTP subaccount it should use if you have more than one configured in your subaccount. For Example your subaccount is connected to IAS and Entra External ID you can control which one is used. How would I create a URL to tell the application to use the IAS as identity provider but that it should not forward the request to the Corporate Identity provider that is configured as Default Authenticating Identity provider for the application but use its own user directory? 

For example this URL will always use the Default Authenticating Identity Provider for the btp-platform application:
https://emea.cockpit.btp.cloud.sap/cockpit/?idp=yourtenant.accounts.ondemand.com#/globalaccount/<UID> 
The login_hint does not help to change this. You could only use rules to work around that but in my opinion rule are not very nice because users have to enter their mailaddress manually and I Ranges are hard to configure correctly. 

For SAML you had the default URL (e.g. https://www.successfactors.com/yourtenant) with SSO for the major part of the users and this URL for the few users that only exist in IAS, no rules were required: https://yourtenant.accounts.ondemand.com/saml2/idp/sso?sp=https://www.successfactors.com/yourtenant&...  

Or did I miss anything on this parameter? 

Best regards,
Markus 

@H_Ettelbrueck  Thanks for clarifying. the Admin Console SSO works fine now with SAML2 configuration between IAS and Admin console app.

@markus_fugger_de Your question touches exactly what I meant by this statement:

Currently there's still the challenge that adoption by applications is quite low.

Afaik currently you can use it with custom BTP applications if they authenticate directly with IAS and not via Authorization and Trust Management service (XSUAA). In that case, only your custom application needs to propagate the desired corporate IdP (which you'll usually achieve by having an own approuter as part of the application). Documentation for direct usage of IAS with BTP applications: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/integrating-service-with-i...

For SAP Build Work Zone, which has the option for direct IAS authentication only, this is a known requirement and I think it's planned.

Most BTP applications currently don't integrate directly with IAS yet, so this option doesn't work for them so far. I'd be very happy to be able to support propagation also in the longer chain, from application over XSUAA to IAS. However, unfortunately I have no way to get it into the near-term development backlog at this point.

Proposal: Open an influence request on https://influence.sap.com/sap/ino/ and then let's collect demand there.