Use this procedure as an alternative to the automated configuration of the SSO between SAP BTP and the Identity Authentication tenant.
We recommend that you use the manual configuration only if the automated configuration is not possible, for example, if you are not authorized to access the Identity Authentication tenant.
You own an SAP S/4HANA Cloud tenant with an Identity Authentication tenant configured. You need to use the same Identity Authentication tenant for your subaccount. For more information about how to get Identity Authentication, see Getting Started with Identity Authentication Service.
SAP Business Technology Platform, Neo environment will sunset on December 31, 2028, subject to terms of customer or partner contracts.
For more information, see SAP Note 3351844.
This documentation refers to SAP Business Technology Platform, Neo environment. If you are looking for documentation about other environments, see SAP Business Technology Platform.
The Identity Authentication service is closely integrated with SAP BTP, and it is offered as part of most of the cloud platform packages. For those packages the trust between the subaccount and Identity Authentication service is configured automatically and the tenant for the Identity Authentication service is set up by default, once you have a partner or customer subaccount. However, you can manually configure the trust and set up the Identity Authentication tenant if your scenario requires it.
- Open the SAP BTP cockpit and select the region in which your subaccount is hosted. Select the global account that contains your subaccount, and then choose the tile of your subaccount. For more information about regions, see Regions and Hosts.
- Choose Security > Trust Configuration.
- From the Local Service Provider tab, select Edit.
- Change the Configuration Type to Custom.
- From the Principal Propagation dropdown box, select Enabled. This enables the propagation of the principal ID in the OAuth destination and therefore application-to-application single sign-on (SSO).
- Configure the signing key and the signing certificate as follows:
  - If you want to use a signing key and a self-signed certificate automatically generated by the system, choose Generate Key Pair.
  - If you have your own key and certificate generated by an external application and signed by a trusted CA, you can use them instead of the ones generated by SAP BTP. To do so, paste the Base64-encoded signing key into the Signing Key field, and then paste the textual content of the certificate into the Signing Certificate field.
- Choose Save.
- Choose the Get Metadata link to download the SAP BTP metadata for your subaccount. You will need this metadata in Step 13.
- Access the administration console of the Identity Authentication tenant, using the following URL:
  https://<tenant ID>.accounts.ondemand.com/admin
  You can also get the URL from the Identity Authentication tenant registration e-mail.
  You need to use another browser or an incognito session of the same browser.
- Choose Applications & Resources > Applications.
- Choose the +Add button on the left-hand panel, and enter the name of your subaccount.
- Choose Save.
- Configure the SAML 2.0 trust with the subaccount as a service provider. To do so, proceed as follows:
  - On the left-hand side, choose the newly created application, and then choose Trust.
  - Choose SAML 2.0 Configuration.
  - Upload the metadata XML file of your subaccount that you downloaded in Step 8.
    When you upload the service provider metadata, the fields are populated with the data parsed from the XML file.
  - Save the configuration settings.
- Configure the identity federation on the Identity Authentication service. To do so, proceed as follows:
  - You are still in the tenant's administration console for the Identity Authentication service. Under Applications & Resources, choose the Tenant Settings tile, and then select Login Name.
    This is the profile attribute that the Identity Authentication service sends to the application as the name ID. The application then uses this attribute to identify the user.
  - Save your selection.
- Under CONDITIONAL AUTHENTICATION, choose Conditional Authentication.
- From the drop-down menu in the Default Authenticating Identity Provider section, select your identity provider.
- Choose Save.
- Save the metadata of your Identity Authentication tenant on your local file system as an XML file. You can either find it at
  https://<tenant ID>.accounts.ondemand.com/saml2/metadata
  or access it via Applications & Resources > Tenant Settings > SAML 2.0 Configuration. Then choose the Download Metadata File link. You will need this metadata in Step 21.
- Go back to your subaccount in the SAP BTP cockpit and choose Security > Trust.
- Select the Application Identity Provider tab.
- Select Add Trusted Identity Provider.
- In the General tab, upload the Identity Authentication service metadata XML file (from Step 17) in the Metadata File field.
- Choose Save.
  The trust is established automatically once the registration is complete on both the SAP BTP side and the Identity Authentication tenant side.
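The procedure above moves three pieces of trust material by hand: the signing key and certificate pasted into the Local Service Provider fields, the subaccount metadata downloaded with Get Metadata and uploaded into the tenant's SAML 2.0 Configuration, and the tenant metadata downloaded from /saml2/metadata and uploaded as a trusted identity provider. Because the cockpit and the administration console accept whatever file you give them, it is worth checking each file before the upload. The script below is an added example, not SAP code: with the standard library only, it parses a service provider (subaccount) and an identity provider (tenant) metadata document, confirms the entityID you expect, that a signing certificate is present and decodes to DER, and that the AssertionConsumerService or SingleSignOnService endpoints use HTTPS, and it validates pasted PEM or bare Base64 key material. The two metadata documents are constructed samples: the hosts, the endpoint paths (`/saml2/sp/acs`, `/saml2/idp/sso`) and the "certificate" (a minimal DER blob) are placeholders, and the expected entityID is passed in explicitly rather than derived from the tenant URL.

```python
"""Sanity checks for the SAML 2.0 metadata files and the signing material
exchanged during the manual trust setup. Added example, not SAP's code; it
uses only the standard library. The metadata below is a constructed sample:
hosts are placeholders and the 'certificate' is a minimal DER blob."""
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Placeholder DER SEQUENCE { INTEGER 1 }, so the Base64 checks have a
# structurally valid body to decode. Not a real certificate.
PLACEHOLDER_DER_B64 = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
SP_ENTITY_ID = "https://mysubaccount.example.invalid"     # placeholder subaccount
IDP_ENTITY_ID = "https://mytenant.accounts.ondemand.com"  # placeholder tenant

SP_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="{SP_ENTITY_ID}">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      AuthnRequestsSigned="true" WantAssertionsSigned="true">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{PLACEHOLDER_DER_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="{SP_ENTITY_ID}/saml2/sp/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

IDP_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="{IDP_ENTITY_ID}">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{PLACEHOLDER_DER_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="{IDP_ENTITY_ID}/saml2/idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def decode_der(b64_text: str) -> bytes:
    """Decode Base64 (whitespace tolerated, alphabet validated) and require the
    outer DER SEQUENCE tag (0x30) that certificates and private keys start with."""
    der = base64.b64decode("".join(b64_text.split()), validate=True)
    if not der.startswith(b"\x30"):
        raise ValueError("decoded bytes are not a DER SEQUENCE")
    return der


def check_pem(text: str, label: str) -> list[str]:
    """Check material pasted into the Signing Key / Signing Certificate fields:
    a PEM block with the given label, or its bare Base64 body. Returns findings."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if lines and lines[0].startswith("-----BEGIN "):
        if lines[0] != f"-----BEGIN {label}-----" or lines[-1] != f"-----END {label}-----":
            return [f"PEM armor is not a {label} block"]
        lines = lines[1:-1]
    try:
        decode_der("".join(lines))
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        return [f"{label}: {exc}"]
    return []


ROLES = {"sp": ("md:SPSSODescriptor", "md:AssertionConsumerService"),
         "idp": ("md:IDPSSODescriptor", "md:SingleSignOnService")}


def validate_metadata(xml_text: str, role: str, expected_entity_id: str) -> list[str]:
    """Checks to run before uploading a metadata file. role is 'sp' for the
    subaccount file (Get Metadata) or 'idp' for the tenant file (/saml2/metadata).
    Returns a list of findings; an empty list means the file passed."""
    descriptor_tag, endpoint_tag = ROLES[role]
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        return [f"root element is {root.tag}, not md:EntityDescriptor"]
    findings = []
    if root.get("entityID") != expected_entity_id:
        findings.append(f"entityID {root.get('entityID')!r} != expected {expected_entity_id!r}")
    descriptor = root.find(descriptor_tag, NS)
    if descriptor is None:  # classic mix-up: the other side's file was uploaded
        findings.append(f"no {descriptor_tag}: is this really the {role.upper()} metadata?")
        return findings
    # A KeyDescriptor without 'use' covers both signing and encryption.
    certs = [c.text or "" for kd in descriptor.findall("md:KeyDescriptor", NS)
             if kd.get("use") in (None, "signing")
             for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    if not certs:
        findings.append("no signing certificate: signed SAML messages cannot be verified")
    for cert in certs:
        findings.extend(check_pem(cert, "CERTIFICATE"))
    endpoints = descriptor.findall(endpoint_tag, NS)
    if not endpoints:
        findings.append(f"no {endpoint_tag} endpoint")
    for ep in endpoints:
        if not ep.get("Location", "").startswith("https://"):
            findings.append(f"{endpoint_tag} {ep.get('Location')!r} is not HTTPS")
    return findings


if __name__ == "__main__":
    print("subaccount:", validate_metadata(SP_METADATA, "sp", SP_ENTITY_ID) or "OK")
    print("tenant:", validate_metadata(IDP_METADATA, "idp", IDP_ENTITY_ID) or "OK")
    # The mix-up the two upload steps invite: the tenant file on the subaccount side.
    print("tenant file as SP:", validate_metadata(IDP_METADATA, "sp", SP_ENTITY_ID))
```

Run it against the real files by reading them from disk in place of the sample strings and passing the entityID you expect each side to declare. A non-empty result for the "wrong side" case shows why the role matters: the subaccount's SAML 2.0 Configuration expects an SPSSODescriptor and the Application Identity Provider tab expects an IDPSSODescriptor, and swapping the two files is the most common reason the trust is not established after Save.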