SAP BTP Identity Services logon against SAP ECC or S4 backend?

ELion
Explorer

Howdy!

So I have a requirement to setup an external facing WorkZone (Cloud Fiori Launchpad) which houses a few Fiori apps that connect to our SAP ECC EHP8 system (soon to be S4).  My requirement is that when a user access our WorkZone the logon page should authenticate against our SAP ECC system instead of the default BTP Open ID provider.

I've scoured the web and believe to have come across a few posts that seem to alude to a solution but even then I'm not sure.  For example, I've read some blogs/documents about activating the SAML 2.0 service on SAP and hooking that up to BTP identity services.  I've walked through these steps but it won't work; even then, it just doesn't feel like the right approach.  I've considered user propagation as a potential solution but haven't tried to implement it as I'm not even sure I'm headed in the right direction.

If anyone has any experience here I'd greatly appreciate some validation or success stories.  Much appreciated!

Accepted Solutions (1)

tongzheng
Product and Topic Expert

@ELion:

You will need to configure ECC as the source system in Identity Provisioning service: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/sap-application-server-aba...

and SAP Build Work Zone, standard edition as the target system (https://help.sap.com/docs/build-work-zone-standard-edition/sap-build-work-zone-standard-edition/conf...). This is a pretty standard setup for on-prem/cloud integration of users. When cloud users come in to WorkZone, they will be redirected to the Cloud Identity authentication page and get authenticated based on user data replicated from ECC. Refer to the help documentation for the specific details you need to work out when integrating SAP Cloud Identity Services and Work Zone.

ELion
Explorer
This looks like a path forward! Marking this as the solution and will give this a go. Thank you for the support.

Answers (4)

Tommy_Tran
Explorer

I would try to stay away from using the backend ECC user store for authentication and use X.509 SSO whenever possible. Users on the backend ECC still have to have proper authorizations in order for apps to work.

I would focus on letting the Identity Provider handle the authentication work, so ECC only has to worry about the apps and data once it gets past the authentication.

Tommy_Tran
Explorer

By the way, Elion, it was proven to work fine. I've set it up and tried it with different roles and authorizations. The authentication process remained the same; access on the backend was changed when users didn't have proper authorization.

ELion
Explorer

Unfortunately the backend has to be my user store. See my other comment for more details. First timer!

ELion
Explorer
Using the backend as the user store is my requirement. Our BTP implementation is but a very small part of a large on-premise solution. Suffice to say, it's a limitation on my end. I should mention that SAP ECC 8.0/S4 does have a SAML2 module that is included and can be activated. I tried this route, but was unsuccessful in having SAP Identity Services leverage that SAML server as a user store.

Tommy_Tran
Explorer
Elion, based on one of your responses, it seems that you want to use ECC as the Identity Provider for others. I might be wrong, but I don't think it is possible. ECC is not meant to be an IdP.

junwu
SAP Champion

Just some idea:

https://help.sap.com/docs/SAP_COMMERCE_CRM/ceb87e45786c470494b445728cd1d8b8/3f4e8a6ca5024080a08a7264...

NetWeaver Java can be set up as an identity provider, and it (NetWeaver Java) can use the ECC server as its user store; you could probably give that a try.

tongzheng
Product and Topic Expert

Hi,

As other replies have pointed out the recommended approach should be to use authentication service of Cloud Identity (or any SAML/OIDC identity provider) and configure principal propagation to the ECC backend. Technically it is not possible to use ECC WebGUI logon page for BTP cloud applications simply because ECC/ABAP system is not a SAML Identity Provider. BTP applications including WorkZone require SAML/OIDC Identity Provider to authenticate for federated SSO. The SAML configuration on ABAP is for Service Provider only. 

Regards,

Tong
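To make Tong's point checkable before any trust configuration is attempted, here is an added example (not code from the thread or from SAP): a small Python helper that parses a SAML 2.0 metadata document and reports which roles it advertises. The metadata sample is constructed in the shape an ABAP system exports from transaction SAML2; its entityID and host are placeholders.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# Constructed sample in the shape an ABAP system exports from transaction
# SAML2: Service Provider metadata only. entityID and host are placeholders.
ABAP_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="ECC_EXAMPLE_SP">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://ecc.example.internal/sap/saml2/sp/acs/100"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def saml_roles(metadata_xml: str) -> dict:
    """Report the SAML 2.0 roles and endpoints a metadata document advertises."""
    # ET is fine for metadata you exported yourself; use defusedxml for untrusted input.
    root = ET.fromstring(metadata_xml)
    if root.tag != MD + "EntityDescriptor":
        raise ValueError("expected a single md:EntityDescriptor")
    idp = root.find(MD + "IDPSSODescriptor")
    sp = root.find(MD + "SPSSODescriptor")
    sso = [] if idp is None else [e.get("Location") for e in idp.findall(MD + "SingleSignOnService")]
    acs = [] if sp is None else [e.get("Location") for e in sp.findall(MD + "AssertionConsumerService")]
    return {"entity_id": root.get("entityID"), "is_idp": idp is not None,
            "is_sp": sp is not None, "sso_endpoints": sso, "acs_endpoints": acs}


def usable_as_idp(metadata_xml: str) -> bool:
    """True only if the entity publishes an IdP role with at least one SSO endpoint,
    which is what Cloud Identity needs to trust it as a corporate identity provider."""
    roles = saml_roles(metadata_xml)
    return roles["is_idp"] and bool(roles["sso_endpoints"])


if __name__ == "__main__":
    r = saml_roles(ABAP_SP_METADATA)
    print(f"{r['entity_id']}: IdP={r['is_idp']} SP={r['is_sp']} ACS={r['acs_endpoints']}")
    print("usable as IdP for Cloud Identity:", usable_as_idp(ABAP_SP_METADATA))  # False
```

Run it against the metadata you actually downloaded from the ABAP system; if `usable_as_idp` is False, the system can only be wired in as a Service Provider (principal propagation target), not as the IdP that Cloud Identity authenticates against.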

ELion
Explorer
Thanks for your response! I'm not trying to use the ECC logon page as an authentication mechanism, but rather to use SAP ECC as the central user store. My initial approach was to activate the SAML2 module in SAP ECC, and then use SAP Cloud Identity Services to leverage this SAML2 server as the system to authenticate against. This didn't go very far after I followed a couple of blogs (check https://community.sap.com/t5/technology-blogs-by-sap/enabling-saml-single-sign-on-for-sap-s-4-hana-a...). However, I wasn't able to progress much here; I feel like either the blog post misrepresents what it's trying to do or my limited SAML2 knowledge won't let me get a working solution. That said, is it your understanding that I should be able to activate SAML2 in SAP ECC and use it through SAP Cloud Identity Services?

tongzheng
Product and Topic Expert
If the requirement is to use the ECC system as the user store for Cloud Identity, this is a little bit complicated. You have several options here:

(1) If you are still on BTP Neo, there is the option to connect ECC to a NW Java system, and Cloud Identity on BTP Neo can use Java UME as the corporate user store via Cloud Connector: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/corporate-user-store-neo-e... On the NW Java system you can configure UME to use any ABAP system as its user store.

(2) If you are on BTP Cloud Foundry (as most customers are), the only corporate user store supported is Microsoft AD. If you can set up a user replication from ECC to AD, that would work too.

(3) You can set up the ECC system as the source of Identity Provisioning and replicate all ABAP users into the Identity Directory of Cloud Identity Service. In this case the authentication will happen entirely on BTP, but users can log in using their ECC user credentials.

(4) You can also set up SAP SSO 3.0 as the on-premise SAML identity provider. In this case SAP SSO is deployed on NW Java and leverages Java UME. Like option (1), NW Java UME can be configured to use an ABAP system as its user store, so SAP SSO will be able to authenticate based on ECC user credentials. Once SAP SSO is set up, you can configure Cloud Identity Service to proxy SAML authentication to the SAP SSO system, and cloud users will be authenticated directly on the SAP SSO logon page.

ThienPHAM
Participant

Hi ELion,

There are some guides already in the community and SAP document, so I keep this short by assuming you are using the WZ standard edition:

- Follow this for setup and troubleshooting: https://help.sap.com/docs/SUPPORT_CONTENT/asjava/3361376259.html 

- You can check this SAP mission, which will give you practical insights: https://discovery-center.cloud.sap/missiondetail/3283/3378

As per your requirement, you should set up principal propagation between BTP and ECC via Cloud Connector and maintain the common name attributes according to your requirement. However, logging on to BTP with your ECC credentials is impossible. To achieve that, you must configure the authentication via your own IdP: SSO to ECC and SSO to BTP via your custom IdP.

Hope it helps.