During the configuration of Task Connect, an integration between ServiceNow and SAP Task Center, we devoted significant effort to addressing security concerns, particularly user authentication and user provisioning. Given the widespread use of Azure as an identity and token provider, we developed a method to synchronize users and groups across ServiceNow, SAP Task Center, and Azure.
This document contains the scenario overview, the related architectural diagrams showing the different components and how they interact with each other, and the steps to follow to configure the connection between ServiceNow, SAP Task Center and Azure.
1. Scenario overview
The starting point in this scenario is the user's authentication and the access token issued by the SAP Cloud Identity tenant's authentication service (IAS), indicated as AT (IAS) APP and returned in step 2 of figure 1 below, following the notation <token type> (<issuer>) <audience>. The complete token exchange is orchestrated by the OAuth 2.0 and OpenID Connect (OIDC) authorization and authentication frameworks and their respective token types: access tokens (AT), refresh tokens (RT), and identity tokens (ID). Thus, AT (IAS) IAS is an access token, issued by the IAS tenant's OAuth 2.0 authorization server, with an audience set to the IAS tenant's client ID. All tokens except for refresh tokens are formatted as JWTs. Compared to the token exchange in the previous parts of this blog series (see part I, Interoperability and standards, for more details), SAML 2.0 - or more precisely the SAML assertion as an OAuth 2.0 authorization grant defined in section 2.1 of RFC 7522 - is no longer used in this scenario. Instead of transforming between different token formats (JWT to SAML and back to JWT), this scenario only uses JWTs for the token exchange. It is important to note that this token exchange requires no direct trust relationship between the application on BTP and Azure AD. The application only has a trust relationship with the IAS tenant, and the IAS tenant maintains the trust relationship with the Azure AD tenant (and vice versa).
All authentication requests for the business application on BTP (SAP Task Center) are forwarded by the IAS tenant to the Azure AD tenant, which is configured as a corporate identity provider (IdP) in IAS. IAS acts as a proxy and, in the role of relying party to the corporate identity provider, delegates authentication to Azure AD. The IAS tenant therefore requires an application registration in Azure AD.
Note: For the Task Connect integration configuration to work, SAP Task Center must be configured according to the following documentation: https://help.sap.com/docs/task-center/sap-task-center/initial-setup
2. Users authentication and token exchange
3. User provisioning - Azure SAP
Use SAP Cloud Identity Services - Identity Provisioning to provision users from Microsoft Azure Active Directory to SAP Cloud Identity Services - Identity Authentication.
4. User provisioning & SSO - Azure-ServiceNow
5. Technical service flow
You need to create an integration user for the SAP technical connection and choose how SAP Task Center will authenticate when the technical connection is used (the delta jobs in SAP use this technical connection).
For example, you can use Basic Auth or OAuth:
6. Register the application in Azure AD for the IAS tenant and the ServiceNow OIDC provider to verify ID tokens
The token exchange and OIDC proxy setup between ServiceNow, IAS, and the Azure AD tenant requires a trust relationship, which is established by registering one application in the Azure AD tenant.
“SAPIASTenant” represents the SAP Cloud Identity Service tenant.
Step 1
Login to Azure Portal (e.g. with your Microsoft 365 E5 developer subscription’s admin account) and select Azure Active Directory from the portal menu.
Select App registrations from the left-side menu.
Step 2
Click + New registration
Step 3
Enter "<SAP IAS Tenant>" for the Name of the new application registration.
Replace <SAP IAS Tenant> with your friendly name.
Select "Web" from the dropdown list in the Redirect URI section.
Enter your IAS tenant's redirect URI in the Redirect URI section's text field: https://<IAS tenant name>.accounts.ondemand.com/oauth2/callback. Replace <IAS tenant name> with your tenant's name.
Click Register.
Step 4
Copy the newly generated Application (client) ID to a temporary text file. You will need it in the next step for deploying the sample application.
Step 5
Select Manifest from the navigation menu to edit the application registration's manifest file.
Change the value for the field "accessTokenAcceptedVersion" from null to 2.
Click Save.
7. Configure trust to the IAS tenant in Azure AD
Trust to the IAS tenant is configured in Azure AD with a new federated identity credential. In addition, a client secret is required for the initial token exchange in step 5 of figure 1. Both credentials will be configured for the application registrations in the following step.
Step 6
Select the SAPIASTenant app (created in step 3) from the list.
Select Certificates & secrets from the menu and switch to the Client secrets tab.
Click + New client secret.
Step 7
Enter "<SAPOIDCProxy>" for the Description.
Click Add.
Step 8
Click Copy to clipboard in the Value column and paste it to a temporary text file. You will need it later in the setup process.
Step 9
Create another secret for ServiceNow.
Enter "<ServiceNow>" for the Description.
Click Add.
8. Configure permissions and scopes in Azure AD
To request the Outlook calendar event on behalf of the user, the business application (SAPBTPGraphApp) requires the Graph API permission Calendars.Read. SAPBTPGraphApp also exposes the custom scope "token.exchange". This scope is referred to as a (downstream) API permission for the SAPIASTenant application registration and is required for steps 7 and 8 in figure 1. For the initial token request to Azure AD (see step 5 in figure 1 and figure 2), the SAPIASTenant application exposes the custom scope "ias.access".
Step 10
Go to Expose an API in the navigation menu.
Click + Add a scope.
Step 11
Accept the default value for the Application ID URI.
Click Save and continue.
Step 12
Enter "ias.access" for the new Scope name. Provide an Admin consent display name and description.
Click Add scope.
Scope name:
ias.access
Admin consent display name:
IAS Tenant Access
Admin consent description:
Access to SAP Cloud Identity service Application
Step 13
Copy the fully qualified URI of the new scope (api://<client id>/ias.access) from the clipboard to a temporary text file. It will be used in a later setup step.
Step 14
Add an optional claim to the ID token:
Navigate to Token configuration.
Click + Add optional claim.
Token type: ID
Select "email" and click Add.
Step 15
If a message appears that API permissions are required, select the checkbox Turn on the Microsoft Graph email permission (required for the claim to appear in the token).
Click Add.
Step 16
Click Grant admin consent.
Step 17
Navigate to Authentication.
Scroll down to Implicit grant and hybrid flows.
Under "Select the tokens you would like to be issued by the authorization endpoint", select the checkbox ID tokens.
Click Save.
9. Configure Azure as an OAuth OIDC provider on ServiceNow
Step 18
Open the ServiceNow instance.
Navigate to All > System OAuth > Application Registry.
Click New, then click Configure an OIDC provider to verify ID tokens.
Step 19
Fill in the form.
Field | Description |
---|---|
Name | A unique name that identifies the OAuth OIDC entity. |
Client ID | The client ID of the application registered in Azure in step 4. The instance uses the client ID when requesting an access token. |
Client Secret | The client secret of the application registered in Azure in step 31. |
OAuth OIDC Provider Configuration | The OIDC provider (ADFS, Auth0, Azure AD, Google, Okta) used to validate the JWT token. Click the record of your OIDC provider configuration to verify that User Claim and User Field are set appropriately. If you select Enable JTI claim verification, the ServiceNow JWT token validation also validates the JTI sent by the provider. See the next step for more details. |
Clock Skew | The number of seconds of clock difference within which a time-based claim is still considered valid. The default is 300. |
Comments | Additional information to associate with the application. |
Application | The name of the application containing this entity. |
Accessible from | Select an option to make it accessible from all application scopes or from this application scope only (all scopes by default). |
Enforce Token Restrictions | Select to only allow tokens to be used with APIs set to allow the authentication profile. You can grant access using an API access policy. For more information, see Create REST API access policy. Default: unselected. |
Active | Select the check box to make the OAuth application active. |
Redirect URL | The URL of the OAuth application for receiving the authorization code (automatically added when the application is saved). |
End Session Endpoint URL | The URL endpoint invoked after a session ends (not required). |
Enable force authentication | Option to enable forced authentication for users (not required). |
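The table above describes the checks ServiceNow applies to the Azure AD ID token (issuer and audience matching the registered client, a clock-skew window on the time claims, the user claim that maps the token to a ServiceNow user, and optional JTI verification). The following Python is an added example, not ServiceNow or SAP code, that models those checks so the effect of each setting can be seen on a constructed token. The tenant ID, client ID and email address are placeholders; the token is built with an empty signature so it runs offline. A real Azure AD ID token is RS256-signed and its signature must be verified against the keys at the jwks_uri of the OIDC metadata document before any of the claim checks below are trusted; that step is not shown here.

```python
import base64
import json
import time

# Placeholders (not from the original page): the Azure AD v2.0 issuer of the
# tenant and the client ID the ServiceNow OAuth OIDC entity was created with.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
EXPECTED_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
EXPECTED_AUDIENCE = "11111111-1111-1111-1111-111111111111"
DEFAULT_CLOCK_SKEW = 300   # seconds; the ServiceNow default from the table
USER_CLAIM = "email"       # the optional claim added to the ID token in step 14


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Build a JWT with an empty signature for the offline demonstration.
    Signature verification against the provider's JWKS is assumed to have
    happened before validate_id_token is called and is not modelled here."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def validate_id_token(token, seen_jti, now=None, clock_skew=DEFAULT_CLOCK_SKEW,
                      verify_jti=False):
    """Return (ok, reason, user). seen_jti is the set of JTIs already accepted,
    used only when verify_jti is True (Enable JTI claim verification)."""
    now = time.time() if now is None else now
    try:
        _header, payload, _sig = token.split(".")
        claims = json.loads(b64url_decode(payload))
    except ValueError:   # wrong segment count, bad base64 or bad JSON
        return False, "malformed token", None
    if claims.get("iss") != EXPECTED_ISSUER:
        return False, "unexpected issuer", None
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUDIENCE not in aud:
        return False, "token not issued for this client", None
    # exp and nbf are relaxed by the configured skew, so a token that expired
    # less than clock_skew seconds ago is still accepted: keep the window small.
    if "exp" not in claims or now > claims["exp"] + clock_skew:
        return False, "token expired", None
    if now < claims.get("nbf", 0) - clock_skew:
        return False, "token not yet valid", None
    user = claims.get(USER_CLAIM)
    if not user:
        return False, f"missing user claim '{USER_CLAIM}'", None
    if verify_jti:
        jti = claims.get("jti")
        if not jti:
            return False, "missing jti", None
        if jti in seen_jti:
            return False, "replayed token (jti already seen)", None
        seen_jti.add(jti)
    return True, "ok", user


def demo():
    """Run the validator over constructed tokens; returns a dict of results."""
    now = 1_700_000_000
    good = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "iat": now - 60,
            "nbf": now - 60, "exp": now + 3600, "jti": "constructed-jti-1",
            "email": "alice@example.com"}   # constructed sample user
    seen = set()
    return {
        "valid": validate_id_token(make_unsigned_jwt(good), seen, now, verify_jti=True),
        "replay": validate_id_token(make_unsigned_jwt(good), seen, now, verify_jti=True),
        "within_skew": validate_id_token(make_unsigned_jwt({**good, "exp": now - 200}), set(), now),
        "expired": validate_id_token(make_unsigned_jwt({**good, "exp": now - 400}), set(), now),
        "common_issuer": validate_id_token(make_unsigned_jwt(
            {**good, "iss": "https://login.microsoftonline.com/common/v2.0"}), set(), now),
        "wrong_audience": validate_id_token(make_unsigned_jwt({**good, "aud": "other-app"}), set(), now),
        "no_email": validate_id_token(make_unsigned_jwt(
            {k: v for k, v in good.items() if k != "email"}), set(), now),
        "malformed": validate_id_token("not.a-jwt", set(), now),
    }


if __name__ == "__main__":
    for name, (ok, reason, user) in demo().items():
        print(f"{name:15} ok={ok} reason={reason} user={user}")
```

The "within_skew" and "expired" cases show what the Clock Skew field actually buys: a token whose exp lies 200 seconds in the past is still accepted at the 300-second default, one 400 seconds old is not. The "no_email" case is the failure you see when step 14 (the optional email claim) was skipped: the token is otherwise valid but cannot be mapped to a ServiceNow user.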
Step 20
In OAuth OIDC Provider Configuration, click the search icon and then New, and fill in:
OIDC Provider: a unique name that identifies the OIDC provider
OIDC Metadata URL: the OIDC provider's OpenID Connect metadata document (details in the next step)
User Claim: email
User Field: the field in ServiceNow that contains the mail value
Enable JTI claim verification: disabled
Step 21
Navigate to the Azure application created in step 3 > Overview > Endpoints and copy the OpenID Connect metadata document URL.
Step 22
Navigate to OAuth Entity Scopes and add the scopes:
offline_access
openid
Click Update.
Step 23
Navigate to the OAuth Entity Profile, which is created automatically when the OAuth OIDC entity is saved.
Verify that the Grant type is Resource Owner Password Credentials and then add the OAuth Entity Scopes created in the previous step.
Step 24
Add the Auth Scope: useraccount
Step 25
Navigate to the OAuth OIDC entity created in step 34 and copy the redirect URL.
Step 26
Navigate to the Azure app registered in step 3.
Select Authentication.
Add the URL from the previous step (do not remove or replace the URL added in step 3 when the application was created).
Click Save.
10. Set up user provisioning - Azure >> SAP
Step 27
Launch a browser window and access your Azure portal using the URL: https://portal.azure.com/.
You will need to authenticate to your Azure AD using your admin credentials.
Step 28
Click Microsoft Entra ID.
Step 29
Click App Registration >> New registration.
Step 30
Specify a name for your app and click Register.
Step 31
Click API permission >> Add a permission.
Step 32
Select Microsoft Graph.
Step 33
Click Application permissions.
Step 34
From the list of API permissions, expand User and select User.Read.All.
Step 35
From the API list also select Group >> Read.All and Directory >> Read.All. Click Add permissions at the bottom of the screen once done.
Step 36
The permissions are not granted by default. To grant the permissions, click Grant admin consent for Default Directory.
Step 37
Click Yes on the popup message and confirm that all permissions are granted.
Step 38
Click Overview from the left panel. Make a note of the Application (client) ID. You will need this later when creating the source system in IPS. Click Add a certificate or secret.
Step 39
Click New client secret.
Step 40
Specify a description and expiry time for the client secret.
Step 41
The client secret should now be added successfully. Make a note of the Value field, as you will need it later when creating the source system in IPS.
Step 42
Navigate to the main overview page of Azure AD and make a note of your Primary domain. You will need this value when creating the source system in IPS.
Step 43
Follow the blog https://community.sap.com/t5/technology-blogs-by-sap/provision-users-from-microsoft-azure-ad-to-sap-... and, following the specific hint on filtering users by a group, add aad.group.filter=displayName eq '<group_name>' to the Identity Provisioning source system properties:
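The aad.group.filter property restricts which Azure AD users Identity Provisioning reads (with the User.Read.All, Group.Read.All and Directory.Read.All permissions granted above) and pushes to IAS. The following Python is an added example, not SAP or Microsoft code, that parses that property line and runs a dry run against a constructed directory snapshot, so the set of users a given filter would provision can be reviewed before the job is enabled. Group and user names are invented; the matching is a plain exact comparison and is only an approximation of the Graph API's own filter evaluation.

```python
import re

# Constructed directory snapshot standing in for the Graph API group and
# membership data Identity Provisioning would read. Invented names; note the
# deliberately duplicated display name, which Azure AD does not forbid.
CONSTRUCTED_GROUPS = [
    {"id": "g-1", "displayName": "SAP Task Center Users",
     "members": ["alice@example.com", "bob@example.com"]},
    {"id": "g-2", "displayName": "Finance", "members": ["carol@example.com"]},
    {"id": "g-3", "displayName": "SAP Task Center Users",
     "members": ["dave@example.com"]},
]

# <attribute> eq '<value>'; a literal quote inside the value is written as ''.
FILTER_RE = re.compile(r"^\s*(\w+)\s+eq\s+'((?:[^']|'')*)'\s*$")


def parse_group_filter(property_line: str):
    """Parse an "aad.group.filter=<attribute> eq '<value>'" source-system
    property into (attribute, value). Only the single-equality form shown on
    this page is supported; anything else is rejected rather than guessed."""
    key, sep, expr = property_line.partition("=")
    if key.strip() != "aad.group.filter" or not sep:
        raise ValueError("not an aad.group.filter property")
    m = FILTER_RE.match(expr)
    if not m:
        raise ValueError(f"unsupported filter expression: {expr!r}")
    return m.group(1), m.group(2).replace("''", "'")


def provisioning_dry_run(property_line: str, groups=CONSTRUCTED_GROUPS):
    """Return (users, warnings): the sorted users that would be provisioned
    under the filter, plus warnings when the filter matches no group (an
    empty provisioning run) or more than one group (possible over-provisioning
    because group display names are not unique)."""
    attribute, value = parse_group_filter(property_line)
    matched = [g for g in groups if g.get(attribute) == value]
    warnings = []
    if not matched:
        warnings.append("filter matches no group: nothing would be provisioned")
    elif len(matched) > 1:
        warnings.append(f"filter matches {len(matched)} groups; confirm this is "
                        "intended before running the provisioning job")
    users = sorted({u for g in matched for u in g["members"]})
    return users, warnings


if __name__ == "__main__":
    for line in ("aad.group.filter=displayName eq 'SAP Task Center Users'",
                 "aad.group.filter=displayName eq 'Finance'",
                 "aad.group.filter=displayName eq 'Nobody'"):
        users, warnings = provisioning_dry_run(line)
        print(line, "->", users, warnings)
```

Run against the constructed snapshot, the 'SAP Task Center Users' filter returns three users and a warning, because two groups carry that display name; checking the matched group list before enabling the job is the cheap way to avoid provisioning a wider population than intended.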
11. Establish trust between the Task subaccount and IAS
Step 44
Go to BTP Cockpit > Security > Trust Configuration.
Step 45
Select "Establish trust" and choose the IAS.
Step 46
Select "Establish trust" and choose the IAS.
Note: This creates an OIDC application in IAS for the subaccount.
NB: The Task Center/ServiceNow integration works only with OIDC trust between the Task Center subaccount and IAS.
Step 47
This creates an application in IAS.
For more information, you can check: https://help.sap.com/docs/btp/sap-business-technology-platform/establish-trust-and-federation-betwee...
12. Set up the corporate identity provider and OIDC proxy in the SAP Cloud Identity tenant
Step 48
Log in as an administrator to your SAP Cloud Identity service administration console at https://<IAS tenant name>.accounts.ondemand.com/admin
Step 49
Go to Identity Providers > Corporate Identity Providers and click Create.
Enter a Display name (e.g. "Azure Active Directory") and click Save.
Step 50
Click on Identity Provider Type from the Trust settings of the new corporate identity provider.
Step 51
Select OpenID Connect Compliant from the list.
Click Save.
Step 52
Click on OpenID Connect Configuration from the Trust settings of the new corporate identity provider.
Step 53
Enter your Azure AD tenant's OIDC Discovery URL (https://login.microsoftonline.com/<AAD tenant ID>/v2.0) and click Load.
The Issuer field is populated from the loaded Azure AD tenant's OIDC metadata.
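Clicking Load makes IAS fetch the metadata document that lives under the discovery URL and copy its issuer into the Issuer field, so the trust IAS establishes is only as good as that document. The following Python is an added example, not SAP or Microsoft code, showing the checks worth making on what was loaded: that the issuer is the tenant-specific one (not the "common" or "organizations" endpoint, which would accept tokens from any tenant), that the endpoints and jwks_uri are https URLs on the expected host, that ID tokens with RS256 are offered, and that the scopes added in step 58 are advertised. The tenant ID and the metadata document are constructed placeholders shaped like the Azure AD v2.0 response; the host check assumes the global Azure AD endpoint.

```python
import json
from urllib.parse import urlsplit

# Placeholder tenant ID (not from the original page); substitute your own.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
DISCOVERY_URL = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
EXPECTED_HOST = "login.microsoftonline.com"   # assumption: global Azure AD

# Constructed metadata document with only the keys the checks below read.
CONSTRUCTED_METADATA = json.dumps({
    "issuer": f"https://{EXPECTED_HOST}/{TENANT_ID}/v2.0",
    "authorization_endpoint": f"https://{EXPECTED_HOST}/{TENANT_ID}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://{EXPECTED_HOST}/{TENANT_ID}/oauth2/v2.0/token",
    "jwks_uri": f"https://{EXPECTED_HOST}/{TENANT_ID}/discovery/v2.0/keys",
    "response_types_supported": ["code", "id_token", "code id_token", "id_token token"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
})

REQUIRED_SCOPES = ("openid", "email", "offline_access")   # the scopes of step 58


def metadata_document_url(discovery_url: str) -> str:
    """The OpenID Connect metadata document sits at the well-known path
    beneath the discovery URL entered in step 53."""
    return discovery_url.rstrip("/") + "/.well-known/openid-configuration"


def check_metadata(metadata_json: str, tenant_id: str) -> list:
    """Return the problems found in a loaded metadata document; an empty list
    means the document is acceptable as the corporate IdP configuration."""
    doc = json.loads(metadata_json)
    problems = []
    expected_issuer = f"https://{EXPECTED_HOST}/{tenant_id}/v2.0"
    issuer = doc.get("issuer", "")
    if issuer != expected_issuer:
        # Trust must be pinned to the registered tenant: a multi-tenant
        # issuer would let tokens from any tenant pass the issuer check.
        problems.append(f"issuer mismatch: {issuer!r} != {expected_issuer!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = doc.get(key, "")
        parts = urlsplit(url)
        if parts.scheme != "https" or parts.netloc != EXPECTED_HOST:
            problems.append(f"{key} is not an https {EXPECTED_HOST} URL: {url!r}")
    if "id_token" not in doc.get("response_types_supported", []):
        problems.append("provider does not issue ID tokens")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 not offered for ID token signing")
    for scope in REQUIRED_SCOPES:
        if scope not in doc.get("scopes_supported", []):
            problems.append(f"scope {scope!r} not advertised")
    return problems


def common_issuer_example() -> list:
    """Problems reported for a document whose issuer is the multi-tenant
    'common' endpoint instead of the tenant-specific one."""
    doc = json.loads(CONSTRUCTED_METADATA)
    doc["issuer"] = f"https://{EXPECTED_HOST}/common/v2.0"
    return check_metadata(json.dumps(doc), TENANT_ID)


if __name__ == "__main__":
    print(metadata_document_url(DISCOVERY_URL))
    print("tenant issuer:", check_metadata(CONSTRUCTED_METADATA, TENANT_ID))
    print("common issuer:", common_issuer_example())
```

In practice the metadata is fetched over HTTPS from the URL metadata_document_url returns and the JSON body is passed to check_metadata; the constructed document above stands in for that response so the example runs offline.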
Step 54
Enter the SAPIASTenant's client ID in the Client ID field. In the Client Secret field, enter the value of the OIDC proxy client secret (SAPOIDCProxy) copied in step 8.
Click Validate.
Step 55
Verify a successful validation of the OIDC configuration.
Click OK.
Step 56
Click + Add.
Step 57
Paste the fully qualified URI of the SAPIASTenant application's custom scope (api://<client id>/ias.access), copied in step 13, as the new scope.
Click Save.
Step 58
Click + Add again and add the scopes:
email
openid
offline_access
Click Save.
Step 59
Click Save.
Step 60
Go to Applications & Resources > Applications.
Select the application created in the "Establish trust between the Task subaccount and IAS" section (step 47).
Click Attributes.
Step 61
Under Attributes, add:
Name: xsuaa-persist-corporate-idp-token
Source: Expression
Value: true
Click Save.
Step 62
Select "Conditional Authentication".
In "Default Identity Provider", choose the Azure provider configured in steps 48-59, and click Save.
13. Configure destinations for SAP in the BTP subaccount
SAP Task Center uses destinations to connect to the ServiceNow task provider.
Client-specific configuration:
Step 63
Go back to the SAP BTP Cockpit and navigate to your CF subaccount.
Select Connectivity > Destinations from the navigation menu.
Click New Destination.
Step 64
Enter the following values for the first destination (refer to 6. Technical service flow):
Click Save.
Step 65
Repeat steps 63 and 64 with the following values for the second destination (refer to 10. Configure Azure as an OAuth OIDC provider on ServiceNow, step 21):
AuthnContextClassRef = urn:oasis:names:tc:SAML:2.0:ac:classes:X509
clientKey = Token Service Password = client secret
Token Service User = client ID
Task Center documentation for Third Party destination setup: https://help.sap.com/docs/task-center/sap-task-center/connect-third-party-task-provider-and-sap-task...
Click Save.
14. Test the scenario
Step 66
Use the SAP Task Center Administration app to check the status of the configured connector destination, following: https://help.sap.com/docs/task-center/sap-task-center/working-with-task-center-administration-app
Step 67
Use the SAP Task Center Web app to validate that tasks from the new destination are visible to business users (for more information, see: https://help.sap.com/docs/task-center/sap-task-center/sap-task-center-web-app)