Introduction
A common business requirement is to keep the employees' credentials in the existing Active Directory and to use that same directory for all authentication and authorization.
SAP cloud applications use SAP's own identity provider, SAP Cloud Platform Identity Authentication (IAS), to authenticate user access.
Without integration there would be two places in which employee credentials have to be maintained and kept in sync. Users would have to remember a separate set of credentials for the cloud applications, and the duplicated identity data would have to be kept consistent.
To avoid this, the credentials should stay in one place, the current Active Directory, and SAP Identity Authentication should act as a proxy that delegates the credential check to the on-premise directory.
Let's see what needs to be done to achieve this.
Assumption: The scenario covered in this document is the connection between SAP Identity Authentication and an on-premise Microsoft Active Directory. The Active Directory must be reachable over LDAP; LDAPS is strongly preferred, because with plain LDAP the service account password and every user's password would cross the internal network in cleartext.
Prerequisite:
- Administrator access to the SAP Identity Authentication (IdP) administration console.
- Administrator access to SAP Cloud Platform.
- Administrator access to SAP Cloud Connector.
- Administrator access to the cloud application, C4C.
- Access to the on-premise Microsoft Active Directory.
Architecture: The SAP Cloud Platform cockpit offers the Identity Authentication Service Add-On as a service. The add-on enables an application named proxy, which is provided from an SAP-owned subaccount named sci; this subaccount and the proxy application become visible when you register an OAuth client in the SAP Cloud Platform cockpit.
The proxy application on SAP Cloud Platform uses OAuth (the client ID and secret registered below) when communicating with Identity Authentication. The connection between SAP Cloud Platform and the corporate user store runs through the SAP Cloud Connector. Authentication and single sign-on to the cloud application are based on SAML 2.0.
The diagram below gives an overview of the authentication and authorization aspects of the scenario and of the configuration required across the on-premise and cloud components.
Steps to set up SSO for SAP cloud applications.
Settings have to be maintained in several applications. Before starting, check whether the Identity Authentication Add-On service is enabled.
This can be checked in the SAP Cloud Platform cockpit under the subaccount; refer to the screenshot below.
Navigate to Subaccount->Services and search for the service Identity Authentication Add-On.
If the service is not enabled, raise a ticket with SAP to have the add-on enabled.
Once the add-on is enabled, the configuration can start.
Download the metadata file from the Identity Authentication administration console: navigate to Applications & Resources->Tenant Settings->SAML 2.0 Configuration->Download Metadata File.
Save the file for future use.
Navigate to Subaccount->Security->Trust.
Click on Local Service Provider->Edit.
Select Custom as Configuration Type and set Principal Propagation to Enabled.
Then, under Trusted Identity Provider, add a new trusted identity provider and upload the Identity Authentication metadata file saved earlier. Once the metadata file is uploaded, the fields are populated automatically. Save the changes and make the newly added IdP the default.
The next step is to register an OAuth client in SAP Cloud Platform. This client is the credential with which Identity Authentication and the proxy application on SAP Cloud Platform authenticate to each other.
Navigate to Subaccount->Security->OAuth->Clients.
Click Register New Client and enter the details as shown above. Note the client ID and the secret; treat the secret like a password (do not paste it into tickets or e-mail, and change it if it is exposed). The Token Lifetime field limits how long the access tokens issued to this client stay valid; it does not expire the secret itself. If it is left blank the tokens never expire, so set an explicit lifetime. Also note the region and the subaccount in which the account is hosted; both can be read from the cockpit URL.
These values are needed later for the settings in the Identity Authentication administration console.
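To confirm that the client ID and secret copied from the cockpit actually work before they are typed into the Identity Authentication console, the following added example (not code from the article or from SAP) requests a token with the OAuth 2.0 client-credentials grant from the subaccount's Neo OAuth token endpoint and flags a token response that carries no expiry, the situation the Token Lifetime note above refers to. The subaccount name, landscape host (for example hana.ondemand.com), client ID and secret are placeholders to be replaced, and the endpoint host/path pattern is an assumption about the Neo OAuth service.

```python
"""Check an OAuth client registered in the SAP Cloud Platform (Neo) cockpit.

Added example, not part of the original article or of SAP's tooling. It asks the
subaccount's OAuth token endpoint for a token using the client-credentials grant
(client ID and secret as HTTP Basic credentials, RFC 6749 section 4.4) and
summarizes the reply without printing the token itself. Placeholders: subaccount,
landscape host, client ID and secret. The endpoint pattern
https://oauthasservices-<subaccount>.<landscape host>/oauth2/api/v1/token is an
assumption about the Neo OAuth service, not something stated in the article.
"""
import base64
import json
import urllib.parse
import urllib.request


def token_endpoint(subaccount: str, landscape_host: str) -> str:
    """Token endpoint of the subaccount's OAuth authorization server (assumed Neo pattern)."""
    return f"https://oauthasservices-{subaccount}.{landscape_host}/oauth2/api/v1/token"


def build_token_request(subaccount: str, landscape_host: str,
                        client_id: str, client_secret: str) -> dict:
    """Assemble URL, headers and body for a client-credentials token request."""
    # RFC 6749 2.3.1: form-encode id and secret before joining them for Basic auth.
    raw = f"{urllib.parse.quote(client_id, safe='')}:{urllib.parse.quote(client_secret, safe='')}"
    basic = base64.b64encode(raw.encode()).decode()
    return {
        "url": token_endpoint(subaccount, landscape_host),
        "headers": {"Authorization": f"Basic {basic}",
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": urllib.parse.urlencode({"grant_type": "client_credentials"}),
    }


def assess_token(token_json: dict) -> dict:
    """Summarize a token response: never echo the token, warn on missing or long lifetimes."""
    token = token_json.get("access_token", "")
    expires = token_json.get("expires_in")
    warnings = []
    if expires is None:
        warnings.append("no expires_in in response: set an explicit Token Lifetime on the client")
    elif int(expires) > 86400:
        warnings.append(f"token lifetime of {expires}s exceeds one day")
    return {"token_preview": (token[:4] + "...") if token else "",
            "expires_in": expires, "warnings": warnings}


def fetch_token(subaccount: str, landscape_host: str, client_id: str,
                client_secret: str, timeout: float = 10.0) -> dict:
    """Perform the request over the network and return assess_token() of the JSON reply."""
    req = build_token_request(subaccount, landscape_host, client_id, client_secret)
    request = urllib.request.Request(req["url"], data=req["body"].encode(),
                                     headers=req["headers"], method="POST")
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        return assess_token(json.load(resp))


if __name__ == "__main__":
    # Replace the placeholders with the values noted in the cockpit before running.
    print(fetch_token("<subaccount>", "hana.ondemand.com", "<client id>", "<client secret>"))
```

Run it from a workstation that can reach the landscape; a 401 means the ID/secret pair is wrong or the client is not confidential, while a token without expires_in is the symptom of a blank Token Lifetime.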
Now the Cloud Connector has to be configured. The Cloud Connector is a secure tunnel between the cloud applications and the on-premise systems; in our case it is used to expose the Active Directory's LDAP service to the subaccount.
The initial setup of the Cloud Connector must already be done. If it is not, follow the setup guide on help.sap.com first. Then add the subaccount in the Cloud Connector:
Enter the region (as shown in SAP Cloud Platform), the subaccount (the one in which the Identity Authentication Add-On is enabled), the subaccount user (S-user ID) and its password.
Details such as the HTTPS proxy, the system certificate and the tunnel settings are provided by the client's network team.
Once the setup is done, the screen looks like the one below:
Next, set up the LDAP connection in the Cloud Connector. This access-control entry exposes the Active Directory LDAP endpoint to the subaccount through the tunnel that was just established.
Click Cloud To On-Premise->Access Control and add a Mapping Virtual To Internal System: the protocol (LDAP, or LDAPS if the domain controllers offer it), the internal host and port of the domain controller, and the virtual host and port under which the cloud side will address it.
After entering the details, the entry should look like the one below.
Once the mapping exists, check that the Cloud Connector reports the internal host as reachable; an unreachable host at this point usually means a firewall rule is missing between the Cloud Connector and the domain controller.
Once this is complete, verify that the Cloud Connector shows up in SAP Cloud Platform under the same subaccount that is used for Identity Authentication (Subaccount->Connectivity->Cloud Connectors).
When it does, the setup of the Cloud Connector and SAP Cloud Platform is complete.
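The reachability check above only proves that a TCP connection can be opened; it says nothing about whether the directory accepts the service account that Identity Authentication will bind with, or whether the TLS certificate on port 636 is trusted. The following added example (not code from the article or from SAP) performs a minimal LDAP v3 simple bind with only the Python standard library, so it can be run from the Cloud Connector host against the domain controller before the mapping is relied on. Host name, DN and password are placeholders; the server replies used in the offline demo are constructed with the script's own bind_response() helper, and the Active Directory sub-code table is the set of well-known "data ..." values from AD bind diagnostics.

```python
"""Pre-flight LDAP(S) bind check for the directory the Cloud Connector exposes.

Added example, not part of the original article or of SAP's tooling. It performs
an LDAP v3 simple bind (RFC 4511) using only the standard library, so it can be
run from the Cloud Connector host against the domain controller before the
access-control mapping is created. Host, DN and password are placeholders; the
server replies used in the demo below are constructed with bind_response().
"""
import socket
import ssl

# Well-known Active Directory sub-codes found in the diagnostic text of a failed bind.
AD_BIND_HINTS = {
    "525": "user not found", "52e": "invalid credentials",
    "530": "logon not permitted at this time", "531": "logon not permitted from this workstation",
    "532": "password expired", "533": "account disabled", "701": "account expired",
    "773": "user must reset password", "775": "account locked out",
}


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form (0x80|N followed by N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value


def bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage{ messageID, BindRequest [APPLICATION 0]{ version 3, name, simple [0] } }."""
    bind = tlv(0x60, tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + tlv(0x80, password.encode()))
    return tlv(0x30, tlv(0x02, bytes([message_id])) + bind)  # message IDs below 128 only


def bind_response(message_id: int, result_code: int, diagnostic: str = "") -> bytes:
    """BindResponse [APPLICATION 1]{ resultCode, matchedDN, diagnosticMessage }; builds samples."""
    body = tlv(0x0A, bytes([result_code])) + tlv(0x04, b"") + tlv(0x04, diagnostic.encode())
    return tlv(0x30, tlv(0x02, bytes([message_id])) + tlv(0x61, body))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element) for the BER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data: bytes) -> dict:
    """Decode a BindResponse and map an AD diagnostic sub-code to a human-readable hint."""
    tag, msg, _ = read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, msg_id, pos = read_tlv(msg, 0)
    op_tag, op, _ = read_tlv(msg, pos)
    if op_tag != 0x61:
        raise ValueError(f"expected BindResponse (0x61), got tag 0x{op_tag:02x}")
    _, code, pos = read_tlv(op, 0)
    _, _matched_dn, pos = read_tlv(op, pos)
    _, diag, _ = read_tlv(op, pos)
    diag_text = diag.decode(errors="replace")
    hint = next((h for k, h in AD_BIND_HINTS.items() if f"data {k}" in diag_text), None)
    return {"message_id": int.from_bytes(msg_id, "big"), "result_code": code[0],
            "success": code[0] == 0, "diagnostic": diag_text, "ad_hint": hint}


def recv_ldap_message(sock) -> bytes:
    """Read exactly one BER-framed message, however the bytes are split across recv() calls."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("connection closed before a full LDAPMessage arrived")
        buf += chunk
        if len(buf) < 2:
            continue
        first = buf[1]
        hdr = 2 if first < 0x80 else 2 + (first & 0x7F)
        if len(buf) >= hdr:
            length = first if first < 0x80 else int.from_bytes(buf[2:hdr], "big")
            if len(buf) >= hdr + length:
                return buf[:hdr + length]


def check_bind(host: str, port: int, dn: str, password: str, use_tls: bool = True) -> dict:
    """Connect (LDAPS with certificate verification by default), bind, return the parsed reply."""
    sock = socket.create_connection((host, port), timeout=5)
    if use_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(bind_request(1, dn, password))
        return parse_bind_response(recv_ldap_message(sock))


if __name__ == "__main__":
    # Offline demo with constructed replies; for a live check call e.g.
    # check_bind("dc01.corp.example", 636, "CN=svc-ias,OU=Service,DC=corp,DC=example", "<password>")
    ok = parse_bind_response(bind_response(1, 0))
    bad = parse_bind_response(bind_response(1, 49, "AcceptSecurityContext error, data 52e, v2580"))
    print(ok["success"], bad["result_code"], bad["ad_hint"])  # True 49 invalid credentials
```

Run it first against the internal host and port from the mapping, then, once Identity Authentication is configured, watch the same bind succeed through the tunnel. A TLS handshake failure means the domain controller's certificate is not trusted by the host's CA store, which the Cloud Connector would also reject. If the directory enforces LDAP signing, a plain-text bind on 389 is refused with resultCode 8 (strongerAuthRequired); use LDAPS on 636 instead.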
The next setup is in the SAP cloud application; we take SAP C4C as the example.
Open SAP C4C as an administrator and navigate to Common Tasks->Configure Single Sign-On. Upload the Identity Authentication metadata file and download the C4C metadata file; the C4C metadata is uploaded later in the Identity Authentication administration console.
Create the business users with the same user IDs as in Microsoft Active Directory and assign their roles; the user ID must match the identifier that Identity Authentication sends in the SAML assertion. Make sure each user is enabled for SSO logon rather than password logon.
Open a new browser window and log in to the Identity Authentication administration console. Create a new application: navigate to Applications & Resources->Applications->Add.
Enter the name of the application, open SAML 2.0 Configuration and upload the metadata file that was downloaded from the C4C system.
With these settings the cloud application is registered in Identity Authentication and can be used for SSO.
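Three metadata files change hands in the steps above (Identity Authentication to SAP Cloud Platform, Identity Authentication to C4C, and C4C to Identity Authentication), and a wrong or stale file fails silently until the first login. The following added example (not code from the article or from SAP) reads a SAML 2.0 metadata file and reports what is worth checking before each upload: the entityID, whether it is an IdP or SP file, the endpoints (all of which must be HTTPS) and the SHA-256 fingerprint of the signing certificate, which you can compare with the certificate shown in the issuing tenant's console. SAMPLE_IDP_METADATA is a constructed file with a fake certificate body, not real tenant metadata.

```python
"""Sanity-check SAML 2.0 metadata before uploading it to the other side.

Added example, not part of the original article or of SAP's tooling. It parses a
metadata file of the kind exchanged between Identity Authentication, SAP Cloud
Platform and C4C and reports entityID, role, endpoints and the signing
certificate fingerprint. SAMPLE_IDP_METADATA is constructed; its certificate
body is not a real DER certificate.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}

# Constructed sample shaped like an IdP metadata file (fake certificate body).
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://tenant.accounts.ondemand.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{base64.b64encode(b"constructed certificate bytes, not real DER").decode()}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://tenant.accounts.ondemand.com/saml2/idp/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://tenant.accounts.ondemand.com/saml2/idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def cert_fingerprint(b64_cert: str) -> str:
    """Colon-separated SHA-256 fingerprint of the DER bytes inside <ds:X509Certificate>."""
    der = base64.b64decode("".join(b64_cert.split()))  # metadata often wraps the base64
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def inspect_metadata(xml_text: str) -> dict:
    """Extract entityID, role, endpoints and signing-cert fingerprints; list problems found."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    role, kind = root.find("md:IDPSSODescriptor", NS), "IdP"
    if role is None:
        role, kind = root.find("md:SPSSODescriptor", NS), "SP"
    if role is None:
        raise ValueError("neither IDPSSODescriptor nor SPSSODescriptor present")

    endpoints, problems = {}, []
    for tag in ("SingleSignOnService", "AssertionConsumerService", "SingleLogoutService"):
        for ep in role.findall(f"md:{tag}", NS):
            binding = ep.get("Binding", "").rsplit(":", 1)[-1]  # e.g. HTTP-POST
            location = ep.get("Location", "")
            endpoints.setdefault(tag, []).append((binding, location))
            if not location.startswith("https://"):
                problems.append(f"{tag} is not HTTPS: {location}")

    fingerprints = []
    for kd in role.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue  # encryption-only keys do not sign assertions
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is not None and cert.text:
            fingerprints.append(cert_fingerprint(cert.text))
    if not fingerprints:
        problems.append("no signing certificate: the other side cannot verify signatures")

    return {"entity_id": root.get("entityID"), "role": kind,
            "endpoints": endpoints, "cert_sha256": fingerprints, "problems": problems}


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_IDP_METADATA
    for key, value in inspect_metadata(text).items():
        print(f"{key}: {value}")
```

Run it as `python check_metadata.py <file>` on each downloaded file. The entityID of the Identity Authentication file must be the tenant URL you expect, the C4C file must contain an SPSSODescriptor with an HTTPS AssertionConsumerService, and the fingerprint should match the signing certificate displayed in the console the file came from; if a tenant has rotated its certificate since the file was downloaded, download it again rather than uploading the stale copy.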
So far the SAP Cloud Platform details have not been entered in the Identity Authentication administration console. Add them under Tenant Settings->Corporate User Store:
- Data Center: the data centre (region) name, which can be read from the SAP Cloud Platform URL.
- Account: the name of the subaccount in which the Identity Authentication Add-On is enabled.
- Client ID: the ID of the OAuth client registered in SAP Cloud Platform.
- Client Secret: the secret maintained for that client in SAP Cloud Platform.
Once all settings are maintained, test the application logon via SSO against Microsoft Active Directory.
Note that a couple of settings are also required in Microsoft Active Directory, such as the least-privilege service account used for the LDAP bind; these are done by the client's network and directory team.
With these settings Microsoft Active Directory verifies the users' credentials, while Identity Authentication remains the SAML identity provider for the cloud application. Users do not need to be migrated into the Identity Authentication administration console; they are created there automatically.
Conclusion
When a user inside the client network logs on to the cloud application for the first time, the credentials are checked against Active Directory, a corresponding user is created in the Identity Authentication administration console, and the user is logged on to the cloud application. Because every account that can authenticate to Active Directory can obtain an Identity Authentication user this way, restrict access to the application in Identity Authentication if not all directory users should be able to reach C4C.