Introduction:
SAP Cloud Platform Identity Authentication can use an OpenID Connect identity provider as an external authenticating authority. In this setup SAP Cloud Platform Identity Authentication acts as a proxy that delegates authentication to the external corporate identity provider: authentication requests sent by the relying party (here SAP SuccessFactors) are forwarded to the corporate identity provider, and the user authenticates there.
Note: Currently only Microsoft Azure Active Directory (Azure AD) is supported as an OpenID Connect corporate identity provider.
To use SAP Cloud Platform Identity Authentication as a proxy to delegate authentication to an external OpenID Connect corporate identity provider, it is required to configure trust with that corporate identity provider.
Scenario:
Authentication Scenario
Prerequisites:
1) SAP Cloud Platform Identity Authentication is enabled for the SAP SuccessFactors solution. See the SAP blog on enabling SAP Cloud Platform Identity Authentication through the Upgrade Center:
https://blogs.sap.com/2020/09/25/integrate-sap-successfactors-solutions-with-sap-cloud-platform-iden...
2) Get the following information from the customer's Azure AD tenant:
- Client ID
- Tenant ID
- Secret
- Tenant Issuer
3) The Tenant Issuer can be retrieved by calling the discovery endpoint of the corporate identity provider (replace TENANTURL with the customer's Tenant ID):
https://login.microsoftonline.com/TENANTURL/.well-known/openid-configuration
Open the above URL in a browser and copy the value of the issuer field from the returned JSON document. This is the Issuer maintained in IAS later on.
4) Register the callback endpoint of the SAP Cloud Platform Identity Authentication tenant as the Redirect URI in Azure AD. The registered value must match the callback URL exactly (same scheme, host and path):
https://<IAS tenant_id>.accounts.ondemand.com/oauth2/callback
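The discovery lookup in prerequisite 3 and the Redirect URI in prerequisite 4 are the two values most often copied incorrectly. The following is an added example (not code from the blog or from SAP) that builds both URLs from the tenant identifiers, extracts the issuer from a discovery document and checks it, and checks that the IAS callback is registered exactly. The tenant IDs and the discovery document are constructed placeholders; a live fetch is included but the checks run offline on the constructed sample.

```python
"""Added example (not from the SAP blog): derive and sanity-check the values
needed for the OpenID Connect corporate IdP configuration in IAS.

Assumptions: AZURE_TENANT_ID and IAS_TENANT_ID are constructed placeholders;
SAMPLE_DISCOVERY_JSON is a constructed, trimmed sample shaped like an Azure AD
discovery document (only the keys used here).
"""
import json
import urllib.request
from urllib.parse import urlparse

# Constructed placeholder values (replace with the customer's real ones).
AZURE_TENANT_ID = "11111111-2222-3333-4444-555555555555"
IAS_TENANT_ID = "myiastenant"

# Constructed sample of what the discovery endpoint returns (trimmed).
SAMPLE_DISCOVERY_JSON = json.dumps({
    "issuer": f"https://login.microsoftonline.com/{AZURE_TENANT_ID}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{AZURE_TENANT_ID}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{AZURE_TENANT_ID}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{AZURE_TENANT_ID}/discovery/v2.0/keys",
})


def discovery_url(tenant_id: str) -> str:
    """Discovery endpoint from prerequisite 3 with the tenant placeholder filled in."""
    return f"https://login.microsoftonline.com/{tenant_id}/.well-known/openid-configuration"


def ias_callback_url(ias_tenant_id: str) -> str:
    """IAS callback endpoint (prerequisite 4) that Azure AD must have as Redirect URI."""
    return f"https://{ias_tenant_id}.accounts.ondemand.com/oauth2/callback"


def fetch_discovery(tenant_id: str) -> str:
    """Live fetch of the discovery document; not used by the offline checks below."""
    with urllib.request.urlopen(discovery_url(tenant_id), timeout=10) as resp:
        return resp.read().decode("utf-8")


def extract_issuer(discovery_json: str, tenant_id: str) -> str:
    """Return the issuer from a discovery document after basic checks:
    every endpoint must be https, and the issuer must reference the tenant
    whose discovery document was fetched (guards against pasting another
    tenant's metadata into the IAS configuration)."""
    doc = json.loads(discovery_json)
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = doc.get(key)
        if not value or urlparse(value).scheme != "https":
            raise ValueError(f"{key} missing or not https: {value!r}")
    issuer = doc["issuer"]
    if tenant_id not in issuer:
        raise ValueError(f"issuer {issuer} does not reference tenant {tenant_id}")
    return issuer


def redirect_uri_registered(registered: list, ias_tenant_id: str) -> bool:
    """OpenID Connect requires an exact match of the redirect URI, so a trailing
    slash or an http scheme in the registered value breaks the callback."""
    return ias_callback_url(ias_tenant_id) in registered


if __name__ == "__main__":
    print("Discovery URL:", discovery_url(AZURE_TENANT_ID))
    print("Issuer:", extract_issuer(SAMPLE_DISCOVERY_JSON, AZURE_TENANT_ID))
    print("Redirect URI to register:", ias_callback_url(IAS_TENANT_ID))
```

Running the script prints the three values to maintain; for a live check replace the sample with `fetch_discovery(AZURE_TENANT_ID)`.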
How to configure the OpenID Connect Corporate Identity Provider
Step 1: Log in to SAP Cloud Platform Identity Authentication as an administrator.
Step 2: Navigate to Applications and Resources -> Tenant Settings -> select OpenID Connect Configuration from the right-hand panel.
Step 3: Provide the OpenID Connect details for the MS Azure setup.
Step 4: From the left-hand panel select Identity Providers -> Corporate Identity Providers.
Step 5: Create a new identity provider and give it a name.
Step 6: Select the newly created identity provider and, in the right-hand panel, select Identity Provider Type.
Step 7: Select OpenID Connect Compliant as the Identity Provider Type.
Step 8: Select OpenID Connect Configuration from the right-hand panel, maintain Issuer, Client ID and Client Secret, and validate. The Issuer is the value retrieved in Prerequisite 3. Once validation succeeds, save the configuration.
Step 9: Navigate to Identity Providers -> Corporate Identity Providers -> select Subject Name Identifier and choose Email.
Step 10: Navigate to Applications and Resources -> Applications -> select the correct SuccessFactors system from the middle panel and maintain Protocol as SAML 2.0 and Subject Name Identifier as Login Name.
Step 11: Navigate to Applications and Resources -> select the correct SuccessFactors system from the middle panel -> select Conditional Authentication from the right-hand panel.
Step 12: In Conditional Authentication, maintain MS Azure as the Default Identity Provider.
Note: To let some users, for example external users, authenticate against SAP Cloud Platform Identity Authentication itself, enable the option "Allow users stored in Identity Authentication service to logon" and use the URL for external users.
Step 13: Once the trust configuration with the corporate identity provider is complete, every user who logs in to SuccessFactors is redirected to MS Azure for authentication.
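To make the redirect in Step 13 and the Subject Name Identifier choices in Steps 9 and 10 concrete, the following added example (illustration only, not IAS code and not from the blog) reduces the OpenID Connect exchange the proxy performs on the user's behalf to its security-relevant parts: the authorization request to Azure AD carrying a state and a nonce, the check on the callback, and the checks on the returned ID token before its email claim becomes the subject name identifier. The issuer, endpoint, client ID and redirect URI are constructed placeholders; the ID token claims are passed in as a dict that is assumed to be already signature-verified against the jwks_uri from the discovery document (that step is not shown).

```python
"""Added example (not from the SAP blog, not IAS code): the OpenID Connect
exchange behind Step 13, reduced to what a practitioner should recognise in
a trace.

Assumptions: ISSUER, AUTHORIZE_ENDPOINT, CLIENT_ID and REDIRECT_URI are
constructed placeholders matching what is maintained in Step 8 and
prerequisite 4; ID token claims arrive as a dict whose signature has
already been verified (verification against the jwks_uri is not shown).
"""
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholders.
ISSUER = "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/v2.0"
AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/oauth2/v2.0/authorize"
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
REDIRECT_URI = "https://myiastenant.accounts.ondemand.com/oauth2/callback"


def build_authorization_request() -> tuple:
    """Return (redirect_url, state, nonce).
    state binds the callback to this browser session (CSRF protection);
    nonce binds the ID token to this particular request (replay protection)."""
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": "openid email profile",
        "state": state,
        "nonce": nonce,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}", state, nonce


def check_callback(callback_url: str, expected_state: str) -> str:
    """Validate the redirect back to the IAS callback and return the code."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback is not bound to this session")
    if "error" in q:
        raise ValueError(f"identity provider returned error: {q['error'][0]}")
    if "code" not in q:
        raise ValueError("callback carries no authorization code")
    return q["code"][0]


def subject_from_id_token(claims: dict, expected_nonce: str, now: float = None) -> str:
    """Apply the standard ID token checks and return the value used as the
    Subject Name Identifier (Step 9 selects Email)."""
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError(f"unexpected issuer {claims.get('iss')!r}")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("token was not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: token does not belong to this request")
    email = claims.get("email")
    if not email:
        raise ValueError("no email claim; Subject Name Identifier = Email cannot be set")
    return email


if __name__ == "__main__":
    url, state, nonce = build_authorization_request()
    print("Redirect the browser to:", url)
    # Constructed callback and claims, as if Azure AD had answered.
    code = check_callback(f"{REDIRECT_URI}?code=constructed-code&state={state}", state)
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "exp": time.time() + 300,
              "nonce": nonce, "email": "jane.doe@example.com"}
    print("Got code", code, "; subject name identifier:", subject_from_id_token(claims, nonce))
```

The email returned here is what the proxy then carries into the SAML 2.0 assertion for SuccessFactors (Step 10), so the Azure AD account's email must correspond to the user's SuccessFactors login name for the mapping to resolve.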
Conclusion:
With this process, users are authenticated by Microsoft Azure when they log in to SAP SuccessFactors solutions.
Thanks for the read! I will be happy to address any further question in the comments.
See you soon with a new blog!