dvankempen
Product and Topic Expert

Microsoft Azure AD as Identity Provider (IdP), SAP Identity Authentication Service as Proxy IdP and SAP BTP Cloud Foundry as Service Provider (SP)

SAP Partner Innovation Lab and SAP HANA Academy have published a series of video tutorials on the topic of SAP Business Technology Platform security.

In this blog post you will find the videos embedded with references and additional information.

For the related blog post, see

Questions? Please post as comment.

Useful? Give us a like and share on social media.

Thanks!

As recently announced, the SAP Cloud Platform portfolio brand is no longer being used, to avoid confusion with the SAP Business Technology Platform (BTP).

As it will take some time before the user interfaces and documentation are updated, for the time being we will continue to use both terms.



Hands-On Video Tutorials


SAP ID service is the default identity provider of the SAP Business Technology Platform. However, with a few clicks we can configure the platform to use a custom identity provider to provide authentication and authorisation for our business applications hosted in the Cloud Foundry environment. This is a one-to-one mapping.

For more flexible and demanding scenarios, SAP recommends that you use SAP Cloud Identity Services - Identity Authentication as a hub, especially if your business users are stored in multiple corporate identity providers.


 

You can watch the video tutorial in a little over 10 minutes. What you learn is

  • How to establish the SAML trust between Azure AD and SAP Cloud Identity Service (and vice versa)

  • How to establish the SAML trust between SAP Cloud Identity Service and SAP Cloud Platform Cloud Foundry environment subaccount (and vice versa)

  • How to configure a service provider as enterprise application in Azure AD

  • How to configure a service provider as application in SAP Cloud Identity Service

  • How to configure the user attributes in Azure AD

  • How to configure the user attributes in SAP Cloud Identity Service

  • How to assign a shadow user to a role collection

  • How to create a role mapping between an identity provider role and an XSUAA role collection


How to configure the mapping between the identity provider user groups and the XSUAA role collections is covered below.




Using Azure AD as Identity Provider and SAP Cloud Identity Services as Proxy


Tutorial Video


In this video tutorial, we show how to configure Azure AD as identity provider (IdP), SAP Cloud Identity Services - Identity Authentication as proxy, and an SAP Cloud Platform Cloud Foundry environment tenant as service provider (SP).

This requires exchanging SAML metadata in both directions and adjusting the user attributes (claims) on each side.

https://youtu.be/4qo8acsxRgU

0:00 - Introduction

2:20 - Create new Enterprise application in Azure AD

3:00 - Configure User Attributes & Claims

3:30 - Download federation metadata XML (IdP)

4:00 - Create new Corporate IdP in SAP Identity Authentication Service and upload IdP metadata

4:25 - Update Identity Provider Type

4:30 - Download IAS metadata (IdP Proxy)

4:55 - Upload IAS metadata in Azure AD

5:15 - Create new Trust Configuration in SAP Cloud Platform and upload IAS metadata (IdP Proxy)

5:40 - Download service provider (SP) metadata

5:55 - Create new application in SAP Identity Authentication Service and upload SP metadata

6:15 - Configure Default Name ID Format, SAML Assertion Attributes, and Conditional Authentication

6:50 - Assign user to application in Azure AD

7:15 - First test (fails with SAML error)

7:55 - Download federation metadata XML from Azure AD and upload for the IdP in SAP Identity Authentication Service

8:15 - Second test succeeds on authentication

8:25 - Shadow users

8:50 - Third test with myappsec sample application: Forbidden

9:20 - Option 1: Assign shadow user to role collection

10:15 - User authorization concepts

11:05 - Map role collection to Azure AD group


Tricky Bits


SAML Claims and Assertion Attributes


For the role mapping to succeed, the claim name configured in Azure AD and the assertion attribute name expected on the SAP side need to correspond exactly. Note the attribute name Groups with an uppercase G: attribute names are compared case-sensitively, so groups will not match.




Mapping Groups


For the role mapping to succeed, you need to create the corresponding groups in the identity provider and assign these groups to the service provider entry (the enterprise application in Azure AD).


The value carried in the Groups attribute is the object ID of the Azure AD group, and it is this object ID that you enter when mapping the group to a role collection.
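To make the two points above concrete, here is an added Python example (not code from the post or from SAP) that parses a constructed SAML assertion, resolves constructed role-collection mappings against its attributes, and reports mappings that fail only because the attribute name was spelled in the wrong case. The role collection names, the group object ID GUID and the mail address are all made up.

```python
# Added example (not SAP code): resolves XSUAA-style role-collection mappings
# against the attributes carried in a SAML assertion, case-sensitively.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion fragment, as IAS would forward it to the subaccount.
# The group value is an Azure AD group object ID (constructed GUID).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="Groups">
      <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>user@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed mappings: role collection -> (attribute name, expected value).
# The second entry spells the attribute in lowercase, the mistake noted above.
MAPPINGS = {
    "myappsec_admin": ("Groups", "11111111-2222-3333-4444-555555555555"),
    "myappsec_viewer": ("groups", "11111111-2222-3333-4444-555555555555"),
}


def assertion_attributes(xml_text):
    """Return {attribute name: [values]} from the AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.findall(".//saml:Attribute", NS):
        values = attr.findall("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = [v.text or "" for v in values]
    return attrs


def resolve_role_collections(attrs, mappings):
    """Role collections whose (attribute, value) pair occurs in the assertion."""
    return sorted(rc for rc, (name, value) in mappings.items()
                  if value in attrs.get(name, []))


def case_only_mismatches(attrs, mappings):
    """Mappings that fail only because the attribute name differs in case."""
    lowered = {k.lower(): k for k in attrs}
    return sorted(rc for rc, (name, value) in mappings.items()
                  if name not in attrs and name.lower() in lowered
                  and value in attrs[lowered[name.lower()]])
```

Running `resolve_role_collections(assertion_attributes(SAMPLE_ASSERTION), MAPPINGS)` grants only myappsec_admin; `case_only_mismatches` names myappsec_viewer as the mapping that would have matched had the attribute been spelled Groups.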




Additional References


SAP HANA Academy YouTube Playlist and Code Repository


To bookmark the playlist on YouTube, go to

How to build the sample application myappsec is covered in the post

SAP Developer Center Mission


For a step-by-step description of the procedure, see the tutorial mission

SAP Discovery Center


For information about SAP Cloud Identity Services, visit the entry in the service catalog of the SAP Discovery Center. There you will also find links to the documentation, tutorials, and the SAP Community topic area.

Documentation


The topic is documented in generic terms (not specific to Azure AD or SAP Cloud Identity Services) under Security Administration: Managing Authentication and Authorization in the SAP Business Technology Platform guide.




Share and Connect


If you would like to receive updates, connect with me on

For the author page of SAP PRESS, visit