Setting up SSO for the various connections of an S/4HANA Rise system can be a daunting task in the initial phase of a project. Best practices for SSO in an S/4HANA Rise environment can be found in this
blog post, which describes the various SSO approaches available for S/4HANA Rise (Private Edition).
In this blog we have consolidated various SAP knowledge resources and lessons learned from connecting S/4HANA (Rise Private Edition) with Okta, using SAP IAS as a proxy.
1 System Considerations:
- Backend is S/4HANA Rise Private Edition
- SAP Cloud Identity Services (SAP IAS/IPS)
- SAP BTP (in case automatic provisioning of users from S/4HANA to SAP IAS is required)
- Okta
2 Scenario
- The use case below is IdP-initiated SSO for SAP Fiori using Okta
3 Process to Integrate S/4HANA to SAP IAS
The whitepaper describing the process is available at
https://wiki.scn.sap.com/wiki/x/7YawHQ
A few considerations while performing the setup:
- While creating the application in IAS, upload the S/4HANA metadata using the Web Dispatcher / load balancer URL if one is in place as per the architecture.
- Add the Fiori URL as one of the Assertion Consumer Service Endpoints in the IAS tenant (its index number will be used in the Okta configuration).
Example:
https://<Load Balancer URL>/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html?sap-client=<Client Number>&sap-language=EN
- The Subject Name Identifier in IAS for the S/4HANA application should be set to email if Okta also uses email to identify the user.
- The IAS metadata can be uploaded into S/4HANA instead of manually creating the trusted provider.
- A few settings to verify in the S/4HANA SAML2 configuration are:
In Local Provider --> Service Provider Settings
In Trusted Providers --> Identity Federation: User ID Mapping Mode is set to email if Okta uses email to verify the identity of the user
In Trusted Providers --> Signature and Encryption
- If an alias is used for the Fiori URL, change the logon method for the alias as well in transaction SICF. In our case we were using /sap/bc/ui5_ui5/ui2/ushell/shells/abap as an alias for /default_host/sap/bc/ui2/flp.
- For the SICF services, SAML should also be the preferred method under the Logon Procedure List.
4 Connect Okta to Identity Authentication
A blog post that can be followed to perform the initial setup:
https://blogs.sap.com/2020/07/10/connect-okta-to-sap-cloud-platform-identity-authentication-service/
- As our use case is IdP-initiated, the following URLs can be used on the Okta side:
Single sign-on URL:
https://<XXXXXX>.accounts.ondemand.com/saml2/idp/acs/<XXXXXX>.accounts.ondemand.com?sp=<ProviderName...
Requestable SSO URLs:
https://<XXXXXX>.accounts.ondemand.com/saml2/idp/acs/<XXXXXX>.accounts.ondemand.com
Recipient URL and Destination URL:
https://<XXXXXX>.accounts.ondemand.com/saml2/idp/acs/<XXXXXX>.accounts.ondemand.com?sp=<ProviderName...
Audience Restriction: https://<XXXXXX>.accounts.ondemand.com
https://<XXXXXX>.accounts.ondemand.com: tenant URL of SAP IAS (can be found under Tenant Settings --> Identity Provider Settings --> Name)
sp=<ProviderName>: the provider name in the SAML2 configuration in S/4HANA, which is also reflected under the application in IAS
index=1: this index number is derived from the index of the Fiori UI entry in the Assertion Consumer Service Endpoints section of the application in IAS
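The Okta values above (Recipient/Destination URL, Audience Restriction, email as subject identifier) map directly onto attributes of the SAML response Okta sends to IAS, so the following added example (not code from this post, from SAP or from Okta) checks a decoded response against the configured values and names whichever field is off, including the audience mismatch behind the "does not match specified audience" note listed in the resources below. The tenant name example-tenant and the provider name S4H_SP are constructed placeholders.

```python
# Added example (not from the post, SAP or Okta): check a SAML response from
# Okta against the IAS proxy tenant values; tenant/provider names are constructed.
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Audience Restriction and Recipient/Destination URL as entered in Okta (section 4).
IAS_TENANT = "https://example-tenant.accounts.ondemand.com"
IAS_ACS = (IAS_TENANT + "/saml2/idp/acs/example-tenant.accounts.ondemand.com"
           "?sp=S4H_SP&index=1")

def check_saml_response(xml_text, tenant=IAS_TENANT, acs=IAS_ACS):
    """Return the fields that do not match the IAS configuration (empty list
    = audience, destination, recipient and NameID format all line up)."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != acs:
        problems.append("Destination differs from Recipient/Destination URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element"]
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != tenant:  # the 'does not match specified audience' error
        problems.append("Audience differs from IAS tenant URL")
    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs:
        problems.append("Recipient differs from IAS ACS URL")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID format is not emailAddress")
    return problems

# Constructed, unsigned sample response reduced to the elements checked above.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}"
    xmlns:saml="{NS['saml']}" Destination="{escape(IAS_ACS)}">
  <saml:Assertion><saml:Subject>
    <saml:NameID Format="{EMAIL_FORMAT}">user@example.com</saml:NameID>
    <saml:SubjectConfirmation>
      <saml:SubjectConfirmationData Recipient="{escape(IAS_ACS)}"/>
    </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>{IAS_TENANT}</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions></saml:Assertion>
</samlp:Response>"""
```

Feed a base64-decoded response captured from the browser during a failed logon to check_saml_response with your own tenant and ACS values to see which of the four fields disagrees with the IAS configuration.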
5 Make Okta the Corporate IdP for S/4HANA in IAS
- Go to SAP IAS --> Application --> click on the application name --> Conditional Authentication
With this setup, you should be able to create a tile in Okta that provides SSO to S/4HANA web-based URLs such as Fiori.
In an upcoming blog post we plan to share how to auto-provision users from S/4HANA to SAP Cloud Identity Services.
Additional resources (SAP Notes):
2689013: How to configure SAML2 with SAP Fiori Launchpad and Web Dispatcher
2943651: How to configure Okta as corporate identity provider with Identity Authentication
2693814: Service Provider does not match specified audience in the SAML2 Assertion
2332686: SAML2.0 No RelayState mapping found for RelayState value