How to configure Azure AD for Principal Propagatio...

former_member213660 · ‎01-24-2019

Hello Everyone

This blog aims to assist anyone that is trying to configure Principal Propagation scenario between SAP Cloud Platform and a backend system, but uses Azure as the Identity Provider.

The Principal Propagation method is very popular among customers and several times they use a custom IdP, like Azure.
When this happens, there are some adjustments that need to be made in order to properly send the attributes in the SAML that the SAP Cloud Connector will be able to recognize and use it to generate the X.509 certificate, used to authenticate the user in the backend.

What you will need:

SAP Cloud Platform account
- (Optional) SAP Cloud Platform Identity Authentication tenant

Microsoft Azure AD

SAP Cloud Connector

Backend system (in this case we are going to use an ABAP)

Before you start:

Make sure that your SAP Cloud Platform account is configured to trust the Azure AD or the Identity Authentication tenant (that trusts the Azure AD)

Make sure your SAP Cloud Connector is synchronized with your SAP Cloud Platform account and also is synchronized with the Azure AD.
Configure Trusted Entities in the Cloud Connector

Configuration Steps:

Add a new claim under User Attributes & Claims

Test to see if the new parameter is now included on the SAML

Follow the Principal Propagation configuration

1 - Add a new claim under User Attributes & Claims

As we can see in the help page (Configure a Subject Pattern for Principal Propagation), the SAP Cloud Connector expects four types of attributes when performing the Principal Propagation. They are the following:

name

mail

display_name

login_name

So, when we are configuring a scenario like this, we need to make sure that at least one of the attributes above will be present in the SAML sent by the IDP.

In order to make the Azure include this attribute in the SAML, you need to do the following:

In your Azure account, go to Azure Active Directory -> Enterprise Applications

All Applications -> SAP Cloud Platform Identity Authentication OR SAP Cloud Platform (depending if you are using the IAS tenant or the SCP directly)

Single sign-on -> User Attributes & Claims

Click on Add new claim

Set the Name with one of the four values that the SAP Cloud Connector accepts (name, mail, display_name and login_name) and set the Source Attribute accordingly, then press Save

2 - Test to see if the new parameter is now included on the SAML

Open your SAP Cloud Platform account

Go to Services -> Web IDE Full-Stack

Open the developer tools of the Chrome (F12)

Select the SAML tab

Click on Go to Service

You will be redirected to the Azure login page.
Login with your user and password from Azure

You should be able to see the SAML traces recorded on the Chrome's DevTools.

The attribute you included on Azure AD(in this case, login_name) should now be visible in the SAML as follows:

3 - Follow the Principal Propagation configuration

Now you have everything you need to go through the Principal Propagation configuration.

There is a good blog about it already, check it out: How to Guide – Principal Propagation in an HTTPS Scenario

You can also follow our official documentation:
Configure Principal Propagation to an ABAP System for HTTPS

Just remember the following differences:

When synchronizing the IdP for Principal Propagation, remember that you will need to syncronize with your custom IDP (Azure AD)

When configuring the certificates on SAP Cloud Connector, in the Principal Propagation section, use the attribute created on step 1 (the one you customized on Azure AD to include in the SAML).

That is it!

Feel free to leave any comments or questions. I will be happy to answer.

Error messages for discoverability:

Unable to generate authorization token for user <user> on system <system>:<port>

Cheers,
Augusto Ferreira
Support Engineer, SAP Product Support

ErvinSzolke · ‎02-02-2019

Great blog, Augusto! Thanks for sharing!

former_member213660 · ‎02-04-2019

Thanks Ervin! 😄

pjcools · ‎02-08-2019

Thanks augusto.ferreira - really nice blog but it is missing one of the major pieces - the groups/roles the user is assigned to then assert the security in SAP Cloud Platform. For me, this has been seriously tricky in MS Azure as compared to SCIAS (SAP Cloud Platform Identity Authentication Service) or MS ADFS so would be good if you could include this.

If you could add this please then I would feel it is more complete. Thanks!

former_member213660 · ‎02-11-2019

Hi Phil

Thank you for the feedback.
In this blog post, I'm focusing on the minimal configuration to integrate the Azure with SAP Cloud Platform/SAP Cloud Connector in order to enable the principal propagation.

The idea is to detail and explain what is necessary to make this work.

But anyhow, this is a good idea for another blog post.

Thanks,
Augusto

pjcools · ‎02-16-2019

Hi augusto.ferreira no problems and yeah I understand the intention of the blog post. Another blog showing the group/roles claims and how they are set up would be good as this is not simple with Azure for some strange reason. I have implemented this quickly for SCIAS and MS ADFS but Azure has not been as straightfoward.

Will look forward to it!

Thanks!

Phil

lucasvaccaro · ‎02-18-2019

Hi Phil,

there is another blog post with instructions on how to configure Azure AD as Application Identity Provider on SAP CP:

https://blogs.sap.com/2017/09/27/how-to-guide-integrate-microsoft-azure-active-directory-to-sap-clou...

Feel free to provide feedback!

There is a page in the Microsoft docs too:

https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/sap-hana-cloud-platform-tutorial

Best Regards,
Lucas

pjcools · ‎02-19-2019

Thanks Lucas, but have the same feedback on this blog post. It covers the main set up requirements but just does not cover the assertion group aspect which is really important. I've set up Microsoft Azure AD as the identity provider to SAP Cloud Platform so know the steps, assertion of the groups though has never been documented - well properly anyway. This is my feedback.

Thanks

Phil

lucasvaccaro · ‎02-19-2019

Hi Phil,

We can create an article about it. I'd like to know the most common business scenario. Did you configure the groups claim with their object ID’s?

Lucas

ravi_joseph · ‎03-29-2019

Hello Augusto, am encountering the similar error ... Unable to generate authorization token for user <user>

Any advise ?

former_member213660 · ‎04-03-2019

Hi Ravi

There is a KBA about this issue. Look for the KBA 2727260 – SAP Cloud Connector – Principal propagation: “CN is not available in context”.

Anyway, this error is caused because the SAML token coming from the identity provider does not contain the SAML assertion which is mapped in Cloud Connector to the client certificate common name field.

The cloud connector only accepts mail, last_name, first_name and login_name.
You need to verify which one you have set your cloud connector to use and validate if it is inside the SAML.

In this blog post, I used the login_name as example, so in the cloud connector, you just need to use the login_name as parameter to generate the x.509.

Thanks,
Augusto

former_member611606 · ‎05-22-2019

Hi Augusto

We want configure this same procedure between Azure AD and SCP.

In step 3.1 BASIC CONFIGURATION XML ,,,, where can we find the correct paths for (Sign on url , identifier, and reply url f)ields?

Thanks for your blogs

Best Regards

former_member213660 · ‎05-31-2019

Hi Franciso

This configuration is not related to the Principal Propagation itself.

But, you can find more details about it here: https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/sap-hana-cloud-platform-tutorial

Regards,
Augusto

former_member617993 · ‎09-11-2019

Hi Augusto,

Thank you for sharing this great blog. I am wondering if it is possible to setup two SAML in Azure AD. I am about to try it out but there is already SAML configured in our Azure AD but it is pointing to SAP Cloud Platform subaccount.

Regards,

Florence

former_member213660 · ‎09-16-2019

Hi Florence

I'm not sure I understand your question.
The idea of this blog is to explain how to set the necessary user attributes in the SAML sent by the Azure to the SAP Cloud Platform.

I'm not sure why you would need to configure another SAML for the SAP Cloud Platform... You can just add more parameters to the SAML you are already sending, if you need something different for another application running on SCP.

Thanks,
Augusto

former_member182290 · ‎09-29-2019

SAP Note https://launchpad.support.sap.com/#/notes/0002727260 highlights now we can use

custom patterns.

Since 2.12.0.1 version the attribute name can be adjusted in the subject pattern configuration, see the online help Configure a Subject Pattern for Principal Propagation.

Tried mapping “uid” as per doc ${uid} custom pattern, in CC I was seeing below error

The variable ‘uid’ needed for object CN is not available in context.

it did not work me, I had to map in SCP cockpit -> Trust ->Assertion to Principal mapping to work.

Again this only worked when I was accessing the app from FLP.

This did not work if I try to access my backed via Web IDE to get OData services ..(Try to create an App via Template)

former_member617993 · ‎10-01-2019

Hi Augusto,

I am configuring SSO for another SAP Cloud Platform subaccount. As I could see, on the current SAML the Sign On URL is pointing to another Cloud subaccount.

Regards,

Florence

former_member646389 · ‎03-12-2020

Hi Augusto,

I have confused. I want to connect to the Azure Active Directory with cpi using cloud connector. When I configure the destination with LDAP protocol I can not choose the saml2 authantication. How is the configuration in sap cloud connector for connection between sap cloud connector and azure active directory?

Sincerely,

Ceren.