Technology Blogs by SAP
ondrej_pandoscak
Product and Topic Expert

See as well: 

Table of Contents:

  • Setup SAP IAS Identity Provider Proxy (IdP Proxy) as Identity Provider (IdP) for SAP Ariba
  • SAP IAS Identity Provider Proxy (IdP Proxy) SAML Metadata Retrieval
  • Corporate Identity Provider (Corporate IdP) SAML Configuration to SAP IAS
  • Corporate Identity Provider (Corporate IdP) Metadata Retrieval
  • Setup SAP IAS Identity Provider Proxy (IdP Proxy) Identity Federation to Corporate Identity Provider (Corporate IdP)
  • Federate SAP IAS Identity Provider Proxy (IdP Proxy) Application to Corporate Identity Provider (Corporate IdP)

Identity Federation.png

Setup SAP IAS Identity Provider Proxy (IdP Proxy) as Identity Provider (IdP) for SAP Ariba

Identity Federation with SAP IAS as Identity Provider Proxy (IdP Proxy) is an extension of the Identity Provider (IdP) configuration itself. Therefore, Single Sign-On (SSO) for SAP Ariba acting as Service Provider (SP) first needs to be set up with SAP IAS Identity Provider Proxy (IdP Proxy) as its Identity Provider (IdP), as per the configuration described in the blog below:

SAP IAS Identity Provider Proxy (IdP Proxy) SAML Metadata Retrieval

To retrieve SAML Metadata from SAP IAS:

  • enter the SAP IAS URL below into a browser:
    https://<SAP IAS tenant id>.accounts.ondemand.com/saml2/metadata?action=download
  • store the downloaded SAP IAS Metadata File

Corporate Identity Provider (Corporate IdP) SAML Configuration to SAP IAS

Using the retrieved SAP IAS Metadata File, the Corporate Identity Provider (Corporate IdP) authentication configuration needs to be set up.

See THIS blog (and SAP documentation) for reference of the setup of Microsoft Entra ID as Corporate Identity Provider (Corporate IdP) with SAP IAS Identity Proxy.

See Microsoft Tutorial for reference of the setup to be performed in Microsoft Entra ID.

Corporate Identity Provider (Corporate IdP) Metadata Retrieval

Once the Corporate Identity Provider (Corporate IdP) SAML Configuration to SAP IAS (referenced above) has been set up, download the Corporate Identity Provider (Corporate IdP) Metadata File.

In the case of Microsoft Entra ID, follow step 9 of the Microsoft Tutorial to download the Corporate Identity Provider (Corporate IdP) Metadata File as Federation Metadata XML.

Microsoft Entra ID.png

 

 

Setup SAP IAS Identity Provider Proxy (IdP Proxy) Identity Federation to Corporate Identity Provider (Corporate IdP)

To set up the Identity Federation for SAP IAS Identity Provider Proxy (IdP Proxy) to Corporate Identity Provider (Corporate IdP):

  • enter the SAP IAS Administration Console via https://<SAP IAS tenant id>.accounts.ondemand.com/admin
  • navigate to Application & Resources -> Identity Providers -> Corporate Identity Providers -> [Create]

 

Corporate IdPs.png

  • enter the Display Name and choose the Identity Provider Type

Corporate IdP.png

  • navigate to SAML 2.0 Configuration -> [Browse...] and upload the Corporate Identity Provider (Corporate IdP) Metadata File

Corporate IdP SAML.png

  • the SAML 2.0 configuration is pre-filled from the uploaded Corporate Identity Provider (Corporate IdP) Metadata File
  • hit [Save]
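
Because the uploaded Metadata File decides which signing certificate and sign-on endpoints SAP IAS will trust, it is worth reviewing its contents before the upload step above. The following Python sketch is an added example, not part of the original blog or of SAP or Microsoft tooling; the function name, the checks and the sample metadata (including the stand-in certificate bytes) are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def summarize_idp_metadata(xml_bytes: bytes) -> dict:
    """Summarize a SAML 2.0 IdP metadata file so it can be reviewed before upload."""
    # SAML metadata never needs a DTD; refusing one avoids entity-expansion input.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD or entity declaration found in metadata")
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor, so this is not IdP metadata")
    endpoints = [(e.get("Binding", "").rsplit(":", 1)[-1], e.get("Location", ""))
                 for e in idp.findall("md:SingleSignOnService", NS)]
    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # a missing 'use' covers signing too
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())
    problems = ["non-HTTPS endpoint: " + loc for _, loc in endpoints
                if not loc.lower().startswith("https://")]
    if not fingerprints:
        problems.append("no signing certificate published")
    return {"entity_id": root.get("entityID"), "endpoints": endpoints,
            "signing_sha256": fingerprints, "problems": problems}

# Constructed sample: not a real tenant, and FAKE_DER is not a real certificate.
FAKE_DER = b"constructed bytes standing in for a DER certificate"
SAMPLE = ("""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.com/constructed">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
   <X509Data><X509Certificate>%s</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  <SingleSignOnService Location="https://idp.example.com/sso"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
  <SingleSignOnService Location="http://idp.example.com/sso"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
 </IDPSSODescriptor>
</EntityDescriptor>""" % base64.b64encode(FAKE_DER).decode()).encode()
if __name__ == "__main__":
    print(summarize_idp_metadata(SAMPLE))
```

Run it on the downloaded Federation Metadata XML and compare the entity ID and the signing certificate fingerprint with values obtained from the Corporate IdP administrators through a separate channel.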

Federate SAP IAS Identity Provider Proxy (IdP Proxy) Application to Corporate Identity Provider (Corporate IdP)

Once the Identity Federation between SAP IAS Identity Provider Proxy (IdP Proxy) and Corporate Identity Provider (Corporate IdP) is established, the Application representing the SAP Ariba Service Provider (SP) in SAP IAS Identity Provider Proxy needs to be set up to federate to this Corporate Identity Provider (Corporate IdP).

(The SAP Ariba Service Provider (SP) Application was created as part of the first chapter of this blog, which refers to the steps in Configuration: SAP Ariba SSO with SAP Cloud Identity Services - Identity Authentication.)

  • navigate to Application & Resources -> Application -> application representing SAP Ariba e.g. Ariba Tenant: <SAP Ariba tenant id> -> Conditional Authentication -> choose the Corporate Identity Provider (Corporate IdP) name 

Conditional Authentication.png

  • hit [Save]

In case you are reading this line, you have successfully configured the Single Sign-On (SSO) between SAP Ariba as Service Provider (SP) and SAP IAS as Identity Provider Proxy (IdP Proxy) with Identity Federation to Corporate Identity Provider (Corporate IdP)!

See as well: