Scribd
Upload
398 views

Configure SAML SSO For SAP Cloud Platform Using An External Identity Provider - SAP Blogs PDF

Uploaded by

vikas_anne_1
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
398 views

Configure SAML SSO For SAP Cloud Platform Using An External Identity Provider - SAP Blogs PDF

Uploaded by

vikas_anne_1
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 18

9/3/2020 Configure SAML SSO for SAP Cloud Platform Using an External Identity Provider | SAP Blogs

Community

Ask a Question Write a Blog Post

Alper AKBAL
April 13, 2017 5 minute read

Con gure SAML SSO for SAP Cloud Platform Using an


External Identity Provider
Follow RSS feed Like

17 Likes 29,835 Views 10 Comments

Overview

SAP Cloud Platform (formerly SAP HANA Cloud Platform) supports Identity Federation and Single Sign-on
with external Identity Providers (i.e. SAP SSO, SAP Cloud Platform Identity Authentication, Active Directory
Federation Services etc.). By default SCP is connected to SAP ID Service(accounts.sap.com)

In the example below, I demonstrate how to con gure your SCP account to support SAML SSO with
SSOCircle IdP.

Scenario Description

Below illustration shows how a user is authenticated, when she/he wants to access SAP Cloud Platform.
Authentication part is handled by Identity Provider.

https://blogs.sap.com/2017/04/13/configure-saml-sso-for-sap-cloud-platform-using-an-external-identity-provider/ 1/18
9/3/2020 Configure SAML SSO for SAP Cloud Platform Using an External Identity Provider | SAP Blogs

Flow is not di erent, if you use any other IdP(i.e. ADFS). Scenario can be enriched by adding Two-factor
authentication which is supported by SAP SSO.

Prerequisities

In order to test SAML authentication, I’ve developed a small application which is a simple “Hello World” app
that extracts and displays UserID part of SAML token. Details of how to develop a similar application can be
found in “Create a basic Java app in SAP Cloud Platform” Tutorial Part 1, Part 2, and Part 3.

Then I’ve deployed this application to SCP via Eclipse. You can export your project from Eclipse and deploy it
to SCP using .war le as well.

https://blogs.sap.com/2017/04/13/configure-saml-sso-for-sap-cloud-platform-using-an-external-identity-provider/ 2/18
9/3/2020 Configure SAML SSO for SAP Cloud Platform Using an External Identity Provider | SAP Blogs

Con guration

1- Con gure SCP as a Service Provider

First of all, SAP Cloud Platform (SCP) must be enabled to act as a ServiceProvider.

Login to SCP Cockpit, Go to  Security –>  Trust and click on Edit

https://blogs.sap.com/2017/04/13/configure-saml-sso-for-sap-cloud-platform-using-an-external-identity-provider/ 3/18
9/3/2020 Configure SAML SSO for SAP Cloud Platform Using an External Identity Provider | SAP Blogs

Con guration Type can be set to 3 di erent values:

Default: SAML authentication is active and SAP ID Service is used as IdP


Custom: SAML authentication is active and Custom IdP will be used
None: There won’t be any trust between Service Provider and any Identity Provider.

Change Con guration Type to Custom

https://blogs.sap.com/2017/04/13/configure-saml-sso-for-sap-cloud-platform-using-an-external-identity-provider/ 4/18
9/3/2020 Configure SAML SSO for SAP Cloud Platform Using an External Identity Provider | SAP Blogs

Local Provider Name is populated automatically, if not, use a URI as the local provider name.
Then click on Generate Key Pair

https://blogs.sap.com/2017/04/13/configure-saml-sso-for-sap-cloud-platform-using-an-external-identity-provider/ 5/18
9/3/2020 Configure SAML SSO for SAP Cloud Platform Using an External Identity Provider | SAP Blogs

Signing Key and Signing Certi cate will be generated automatically. These certi cates are self signed and
valid for 10 years.If you want to generate your own certi cates, please follow Guidelines for Using External
Key and Certi cate.

Set Principal Propagaion to Enabled and Force Authentication to Disabled. Detailed information for these
settings can be found at SAP Help Portal.

Then click on Save and click on Get Metadata to export Service Provider metadata.xml

https://blogs.sap.com/2017/04/13/configure-saml-sso-for-sap-cloud-platform-using-an-external-identity-provider/ 6/18
9/3/2020 Configure SAML SSO for SAP Cloud Platform Using an External Identity Provider | SAP Blogs

Save this le which will be used to establish trust between SP and IdP.

2- Con gure IdP and Establish Trust

For the scenario, we need an Identity Provider. SAP SSO can provide this functionality and supports many
more scenarios such as Kerberos support,  X.509 Client Certi cates, Two-factor and Risk-based
authentication.

In this example I will use SSOCircle, which is a public IdP that provides free limited usage and integration to
your service providers. It’s very easy to con gure and use. Additional features like tracing, unlimited logins
can be used with premium accounts. Details of integration can be found at SSOCircle How-To .

I skip creating new user part in this example. You can follow this link, to create an account.

After logging in to SSOCircle, go to Service Provider Import Page

Enter FQDN of the Service Provider, which is samlssoi068593trial.hanatrial.ondemand.com in my case.


Choose attributes which you want to add in SAML token. I’ve selected all of them. With SAP SSO or
ADFS, you can include much more speci c attributes in the token, such as phone number, group
memberships, security settings etc.

https://blogs.sap.com/2017/04/13/configure-saml-sso-for-sap-cloud-platform-using-an-external-identity-provider/ 7/18
9/3/2020 Configure SAML SSO for SAP Cloud Platform Using an External Identity Provider | SAP Blogs

Copy and paste metadata le, which is downloaded at the end of service provider con guration

Then click on Submit

You will get a success message after submitting SP details, if not please check your metadata le.

https://blogs.sap.com/2017/04/13/configure-saml-sso-for-sap-cloud-platform-using-an-external-identity-provider/ 8/18
9/3/2020 Configure SAML SSO for SAP Cloud Platform Using an External Identity Provider | SAP Blogs

Then go to https://idp.ssocircle.com/ and save its content as an XML le. This is SSOCircle IdP metadata
le.

Now go back to SCP Cockpit –> Security –> Trust and click on Application Identity Provider tab and then
click on Add Trusted Identity Provider

https://blogs.sap.com/2017/04/13/configure-saml-sso-for-sap-cloud-platform-using-an-external-identity-provider/ 9/18
9/3/2020 Configure SAML SSO for SAP Cloud Platform Using an External Identity Provider | SAP Blogs

New window will be opened and click on Browse then select IdP Metadata you saved couple steps before.

https://blogs.sap.com/2017/04/13/configure-saml-sso-for-sap-cloud-platform-using-an-external-identity-provider/ 10/18
9/3/2020 Configure SAML SSO for SAP Cloud Platform Using an External Identity Provider | SAP Blogs

Input boxes are lled, but we need to make some changes

Change Assertion Consumer Service from Application Root to Assertion Consumer Service. SSOCircle
and ADFS do not send the SAML assertion to unknown URLs to them, hence we have to set it to Assertion
Consumer Service.
Change Signature Algorithm from SHA-1 to SHA-256 to harden security
Change User ID Source from subject to attribute and set Source Value to EmailAddress.
IdP’s send di erent values as NameID source. You can con gure whatever NameID or attributes you want
in SAML token. This con guration is done in IdP.
For SSOCircle NameID value is a string and it’s not legible. Therefore I set User ID source to e-mail
address.

Save the changes

https://blogs.sap.com/2017/04/13/configure-saml-sso-for-sap-cloud-platform-using-an-external-identity-provider/ 11/18
9/3/2020 Configure SAML SSO for SAP Cloud Platform Using an External Identity Provider | SAP Blogs

Select SSOCircle as Default Identity Provider

Restart Java Application

3- Test SAML SSO

https://blogs.sap.com/2017/04/13/configure-saml-sso-for-sap-cloud-platform-using-an-external-identity-provider/ 12/18
9/3/2020 Configure SAML SSO for SAP Cloud Platform Using an External Identity Provider | SAP Blogs

Paste your application URL in the browser and click on Enter.

You will be redirected to SSOCircle webpage for authentication. Enter your username and password and
click on Log In

After successfull authentication, you will receive a SAML assertion and be redirected back to your app.

As you can see below screenshot, My e-mail address is extracted from SAML assertion and displayed on the
screen.

https://blogs.sap.com/2017/04/13/configure-saml-sso-for-sap-cloud-platform-using-an-external-identity-provider/ 13/18
9/3/2020 Configure SAML SSO for SAP Cloud Platform Using an External Identity Provider | SAP Blogs

Further Information on SAML assertion

You can check the details of SAML token in any browser using Developer Tools. I prefer to use Mozilla Firefox
and its SAML Tracer add-on which is very easy to use.

Below is the part of the SAML assertion, I received from SSOCircle IdP. As I mentioned above, NameID part
is not a logical value, if you do not change the con guration in SSOCircle. NameID part can be set to
di erent values in SAP SSO or ADFS.

Moreover, rst name, last name and e-mail values are added to respective attributes in the SAML message.

In the screesnshot below, You can see these attributes.

Alert Moderator

Assigned tags

SAP Cloud Platform | SAP Single Sign-On | Security |

Related Blog Posts

AppToAppSSO between SAP Cloud Platform and SAP HANA DB


By Arvind Barathwaj , Dec 19, 2019
Implementing a user self-registration scenario using Work ow and Business rules in SAP Cloud Platform – Part 6
By Murali Shanmugham , Aug 10, 2017

What the SAP Cloud Platform extensibility foundation is doing to enable simple SAML SSO for SAP SuccessFactors extension
applications
By Colin Kraczkowsky , Aug 07, 2017

Related Questions

 
SSO between SAP Cloud Platform(SCP) and S/4 hana On premise
More Information
By Yamini Thakur , Nov 20, 2018

SSO with Hana Cloud Platform Trial Instance


SCP Identity and Access Management
By Former Member , Dec 05, 2016
IDCloud
SAP Federation
Platformwith the Corporate
and Identity Identity Provider
Federation
By SSOCircle How-to 
Devys Zardini , Jun 12, 2018

https://blogs.sap.com/2017/04/13/configure-saml-sso-for-sap-cloud-platform-using-an-external-identity-provider/ 14/18
9/3/2020 Configure SAML SSO for SAP Cloud Platform Using an External Identity Provider | SAP Blogs

10 Comments

Alexander Wan

April 18, 2017 at 7:40 pm

Useful information..

Within the SAML token that is passed, is it ok to pass a di erent attribute other than email (for example a
username) to SAP Cloud Platform and how does Cloud Platform know whether that username exists to
check the token against?

Our SSO scenario is for a HANA trial account.

Thanks

Like (0) | Reply | Alert Moderator

Alper Akbal | Post author

April 19, 2017 at 6:29 am

Hi Alex,
Yes you can pass as much as attribute you want. These attributes should exist in your IdP. You can use
UserID to di erentiate users as well.
On SP part(SCP in this case), SAML token extraction is done on SP. SCP app itself should ident y and
authorize users from SAML token. In one of my projects, SCP is connected to an SAP backend system via
SAP Cloud Connector. Users and attributes are pulled from this SAP system.

You can also use Active Directory as a user store in SCP.

Regards

Like (0) | Reply | Alert Moderator

Alexander Wan

May 2, 2017 at 1:38 pm

Hi Alper

if we have issues with SAML SSO to SAP Cloud, which oss message component area do we open an incident
under?  Thanks

Like (0) | Reply | Alert Moderator

https://blogs.sap.com/2017/04/13/configure-saml-sso-for-sap-cloud-platform-using-an-external-identity-provider/ 15/18
9/3/2020 Configure SAML SSO for SAP Cloud Platform Using an External Identity Provider | SAP Blogs

Former Member

August 31, 2017 at 1:21 am

Thanks for sharing very good information on SAML configuration.

Can this SAML configuration be used to call S/4HANA cloud OData services to another 3rd
If not can you please advise right blog or help document to setup this communication?

Thanks

Like (0) | Reply | Alert Moderator

S. Chawala Chemicals HEC

October 30, 2017 at 1:43 pm

Thanks for sharing very good information on SAML con guration.

Can this SAML con guration be used to call S/4HANA cloud OData services to another 3rd Party
application?
If not can you please advise right blog or help document to setup this communication?

Thanks

Like (0) | Reply | Alert Moderator

Gerald Iakobinyi-Pich

June 14, 2018 at 12:19 pm

Hello,

How do I determine the correct FQDN in my case, when importing the Metadata in SSOCircle?

I have tried samlsso<user_id>trial.hanatrial.ondemand.com but I get an error when saving the metadata in


SSOCircle: “An error occured. Reason: 0006”

Thanks

Like (2) | Reply | Alert Moderator

Valeriya Ponomarenko
https://blogs.sap.com/2017/04/13/configure-saml-sso-for-sap-cloud-platform-using-an-external-identity-provider/ 16/18
9/3/2020 Configure SAML SSO for SAP Cloud Platform Using an External Identity Provider | SAP Blogs
y

January 22, 2019 at 9:01 am

Hello Gerald!

I have the same question right now. Did you manage to solve this problem? What is the correct form of
FQDN and how сan we nd it?

Thanks

Like (0) | Reply | Alert Moderator

Eric Yu

January 23, 2019 at 8:42 am

You should save the data that is generated from service provider, it’s not the metadata from ID service
provide here.

Like (0) | Reply | Alert Moderator

adrian di ruggiero

July 9, 2020 at 2:57 pm

Hello,

I got the same error, and I could make it work, generating the metadata using this link:

https://www.ssocircle.com/en/idp-tips-tricks/build-your-own-metadata/

Also, I’ve changed the value of FQDN: Instead of samlsso<user-id>trial.hanatrial.ondemand.com, I entered


https://authn.hanatrial.ondemand.com/saml2/sp/acs/<user-id>trial/<user-id>trial

The rest of the steps are ok.

Regards

Like (0) | Reply | Alert Moderator

Umesh Sohaliya

February 12, 2019 at 5:43 am

Seems like tutorial is removed i am getting error “404 Page Oops… Since we cannot nd what you are
looking for, here’s everything.”  Please some one help me to get this done.

Like (0) | Reply | Alert Moderator

https://blogs.sap.com/2017/04/13/configure-saml-sso-for-sap-cloud-platform-using-an-external-identity-provider/ 17/18
9/3/2020 Configure SAML SSO for SAP Cloud Platform Using an External Identity Provider | SAP Blogs

Add Comment

Find us on

Privacy Terms of Use

Legal Disclosure Copyright

Trademark Cookie Preferences

Newsletter Support

https://blogs.sap.com/2017/04/13/configure-saml-sso-for-sap-cloud-platform-using-an-external-identity-provider/ 18/18

You might also like