Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
Showing results for 
Search instead for 
Did you mean: 
Product and Topic Expert
Product and Topic Expert

With Microsoft Azure AD as Identity Provider (IdP) and SAP BTP as Service Provider (SP)

SAP Partner Innovation Lab and SAP HANA Academy have published a series of video tutorials on the topic of SAP Business Technology Platform security.

In this blog post you will find the videos embedded with references and additional information.

For the related blog post, see

Questions? Please post as comment.

Useful? Give us a like and share on social media.


As recently announced, the SAP Cloud Platform portfolio brand is no longer being used to avoid confusing with the SAP Business Technology Platform (BTP).

As it will take some time before the user interfaces and documentation is updated, for the time being, we will continue to use both terms.

Hands-On Video Tutorials

SAP ID service is the default identity provider of the SAP Business Technology Platform. However, with a few clicks we can configure the platform to use a custom identity provider to provide authentication and authorisation for our business applications hosted in the Cloud Foundry environment.

You can watch the video tutorial in a little over 10 minutes. What you learn is

  • How to configure Azure AD to trust a SAP Cloud Platform subaccount as service provider

  • How to configure your SAP Cloud Platform subaccount to trust Azure AD as identity provider

How to configure the mapping between the identity provider user groups and the XSUAA role collections is covered below.

Using Azure AD as Identity Provider

Tutorial Video

In the first video, we show how we can configure Azure AD as identity provider (IdP) and SAP Cloud Platform Cloud Foundry environment tenant as service provider (SP).

This requires the exchange of SAML metadata on both sides with some modifications of the user attributes.

0:00 - Introduction

0:40 - Create an enterprise application for SAP Cloud Platform in Azure AD

2:30 - Set up single sign-on with SAML

3:30 - Download SAML metadata from service provider

4:00 - Upload metadata and add sign on URL

4:30 - Configure user attributes and claims

5:45 - Download SAML metadata from identity provider 

5:50 - Create new trust configuration and upload metadata

7:00 - Test single sign-on for the service provider

7:50 - Grant user access to the application (service provider)

8:45 - Showcase sample application using SAP ID services and Azure ID

9:50 - SAP BTP authorisation with roles and role collections

11:00 - Disable SAP ID service as default identity provider

Exchanging SAML Metadata

Three parameters are required. two of which are populated by uploading the SAML metadata file from the service provider, i.e. the SAP Cloud Platform subaccount.

To establish the mutual trust, download the federation metadata XML file and upload it to SAP Cloud Platform subaccount.

Updating Attributes and Claims

User attributes and claims need to be modified configuring e-mail as unique attribute and adding a group claim.

Configuring Role Collection Mappings

In previous videos of this series we covered how the design-time artifacts Scope relates to Role Template and how this maps to the platform runtime attributes Role and Role Collection, as defined in xs-security.json (or mta.yaml).

SAP Business Application Studio | Design-time Configuration

Azure AD | Groups

To illustrate this concept, we have created two groups. For clarity, we used the same name for the group but this can be any name you want as the mapping is made using the group object ID.

SAP Cloud Platform | Role Collection Mappings

Using the Security > Trust Configuration menu of the SAP Cloud Platform cockpit, selecting the custom identity provider we created, Azure AD, provides access to a menu to create role collection mappings.

  • Role Collection: select the role collection from the list (as defined in xs-security.json)

  • Attribute: as configured in Azure AD "Groups"

  • Value: corresponding object ID of the group created for the service provider (enterprise application)

Create Role Collection Mapping

List Role Collection Mappings for the custom identity provider

Security > Role Collections shows the user group mapping.

Details = True

When two or more identity providers are available for user logon, a default selection screen is displayed with the default identity provider SAP ID service (sap.default) with the custom identity provider(s) with the link text as defined when the trust was created.

The URL of the page is

Appending config?action=who&details=true to the URL returns information about about the SAML context, including the object ID for the SAML groups.

Additional References

SAP HANA Academy YouTube Playlist and Code Repository

To bookmark the playlist on YouTube, go to

For the code snippets, see


The steps are documented in generic terms (any SAML Identity Provider) in the documentation for the SAP Cloud Platform.

The configuration guide from the Microsoft Documentation provides some information but not all as it covers the Neo environment and not Cloud Foundry.


For an earlier blog post on the topic, see

Share and Connect

Questions? Please post as comment.

Useful? Give us a like and share on social media.


If you would like to receive updates, connect with me on

For the author page of SAP PRESS, visit

Over the years, for the SAP HANA Academy, SAP’s Partner Innovation Lab, and à titre personnel, I have written a little over 300 posts here for the SAP Community. Some articles only reached a few readers. Others attracted quite a few more.

For your reading pleasure and convenience, here is a curated list of posts which somehow managed to pass the 10k-view mile stone and, as sign of current interest, still tickle the counters each month.