HOW TO CONFIGURE SINGLE SIGN-ON (SSO) FOR SAP CLOUD FOR CUSTOMER USING SAP CLOUD IDENTITY SERVICE
HOW TO GUIDE

TABLE OF CONTENTS
Overview ... 3
Chapter 1: Configure SAP Cloud Identity service ... 5
  Creating a New Application in SAP Cloud Identity Administration Console ... 5
  Defining the Identity Federation on SAP Cloud Identity service ... 7
Chapter 2: Configure SAP Cloud for Customer ... 9
  Configure Single Sign-On on the SAP Cloud for Customer system to SAP Cloud Identity ... 9

Page 2, How To Guide
Configuring SAP Cloud Identity as Identity Provider for SAP Cloud for Customer

OVERVIEW

SAP Cloud Identity service provides services for authentication, single sign-on and on-premise integration, as well as self-services such as registration or password reset for employees, customers and partners. To use SAP Cloud Identity services you must obtain a tenant. The tenant represents a single instance of the SAP Cloud Identity service with its own configuration and data separation. Administrators configure most features in the administration console for SAP Cloud Identity service. You can find detailed information under https://help.hana.ondemand.com/cloud_identity.

In this document we describe the implementation steps necessary for the integration between SAP Cloud Identity service as identity provider and the SAP Cloud for Customer system as service provider. The authentication mechanism is based on the standard SAML 2.0 (Security Assertion Markup Language) protocol defined by OASIS.

In our scenario SAP Cloud for Customer provides the applications. The applications are restricted to the users that are authorized to consume them (no strangers accepted). The identity of a user is verified by the identity provider (IdP), as specified by SAML 2.0. The IdP (SAP Cloud Identity) stores the list of all users that are allowed to access the service provider (SAP Cloud for Customer) along with their credentials. The simplest credential is the user's password, but there may also be others for stronger security protection.

The integration between SAP Cloud for Customer (SP) and SAP Cloud Identity (IdP) is based on a trust configuration. When a user attempts to access SAP Cloud for Customer for the first time, the system redirects the user to the identity provider for identification. From then on, the user session is kept active, and the user is no longer prompted for credentials (Single Sign-On).

What is the workflow for Single Sign-On?
Step 1: A user accesses a protected web resource on the Service Provider. In our case it could be an application of the SAP Cloud for Customer system (for example SAP Cloud for Sales).
Step 2: The SAP Cloud for Customer system sends a SAML authentication request via HTTP redirect to the trusted Identity Provider, in our case your corporate tenant in the SAP Cloud Identity service.

Step 3: The SAP Cloud Identity service prompts the user for authentication if the user is not already authenticated (e.g. via Single Sign-On to SAP Cloud Identity or a previous successful authentication).

Step 4: Upon successful authentication on the SAP Cloud Identity service, the SAP Cloud Identity service sends a SAML Response to the SAP Cloud for Customer system containing the necessary data to log the user on to the SAP Cloud for Customer system.

If the user accesses another application of the SAP Cloud for Customer system that also uses SAP Cloud Identity service for authentication, the above message exchange starts again. However, this time the user is already authenticated at the identity provider (SAP Cloud Identity) and does not need to perform step 3 again. Thus, SAP Cloud Identity can immediately send the SAML Response with the authentication statement back to the web application, and the user is automatically signed on.

This guide explains how to configure the SAP Cloud Identity service and SAP Cloud for Customer to use the authentication and single sign-on capabilities based on the industry standard SAML 2.0. Chapter 1 guides you through the necessary configuration steps on SAP Cloud Identity and chapter 2 explains the configuration for the SAP Cloud for Customer system.
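The exchange in steps 1 to 4, as an added Python example that is not part of the original SAP guide: it builds the HTTP-Redirect AuthnRequest of step 2 and applies the checks a service provider must make on the SAML Response of step 4 before accepting the NameID. The entity IDs, tenant ID, sample Response and clock are constructed placeholders; XML signature verification is assumed to be done by the SP's SAML library and is not shown.

```python
# Added example, not from the SAP guide: the SP-initiated SAML 2.0 exchange of steps 1-4
# and the checks the SP must apply to the Response in step 4 before accepting the NameID.
import base64
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlencode

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY_ID = "https://my-c4c-tenant.example/sso"                     # placeholder SP entity ID
IDP_SSO_URL = "https://TENANT_ID.accounts.ondemand.com/saml2/idp/sso"  # placeholder IdP endpoint
SAMPLE_NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)          # constructed clock
TS = "%Y-%m-%dT%H:%M:%SZ"
# Constructed, unsigned sample of the Response the IdP returns in step 4 (answers request "_req1").
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" InResponseTo="_req1" IssueInstant="2024-05-01T12:00:00Z">
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0"><saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion></samlp:Response>"""

def build_redirect_url(request_id, relay_state="/sales"):
    """Step 2: the AuthnRequest the SP sends with the HTTP-Redirect binding (raw DEFLATE -> base64 -> URL)."""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="{request_id}" '
           f'Version="2.0" IssueInstant="{SAMPLE_NOW.strftime(TS)}">'
           f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw DEFLATE, no zlib header
    deflated = comp.compress(xml.encode()) + comp.flush()
    return IDP_SSO_URL + "?" + urlencode({"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": relay_state})

def validate_response(response_xml, expected_request_id, now=SAMPLE_NOW):
    """Step 4 at the SP: return the NameID only if the Response answers our own request, reports success,
    names us as audience and is inside its validity window (signature check left to the SAML library)."""
    root = ET.fromstring(response_xml)
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("unsolicited or replayed Response")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP reported an authentication failure")
    cond = root.find("saml:Assertion/saml:Conditions", NS)
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY_ID:
        raise ValueError("assertion issued for a different service provider")
    parse = lambda s: datetime.strptime(s, TS).replace(tzinfo=timezone.utc)
    if not parse(cond.get("NotBefore")) <= now < parse(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    return root.findtext("saml:Assertion/saml:Subject/saml:NameID", namespaces=NS)
```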
CHAPTER 1: CONFIGURE SAP CLOUD IDENTITY SERVICE

Administrators can create a new application and customize the services for user login, registration, authentication, and access to the application. This chapter describes how to configure the service provider (SAP Cloud for Customer) in the SAP Cloud Identity tenant and how to define the Identity Federation.

Creating a New Application in SAP Cloud Identity Administration Console

1. Open the SAP Cloud Identity Administration Console: access the tenant's administration console for SAP Cloud Identity service by using the console's URL. The URL follows the pattern https://<tenant ID>.accounts.ondemand.com/admin.
2. After successful logon choose the Application tile.
3. Choose the +Add button at the bottom of the left-hand panel to add a new application. Enter the name of your SAP Cloud for Customer system and press Save.
4. Within the new application choose the Trust tab. Then choose SAML 2.0 Configuration under SAML 2.0.
5. There are two ways to do the SAML 2.0 Configuration: upload the service provider's metadata XML file or manually enter the communication settings. The easiest way is to use the metadata of the SAP Cloud for Customer system. To do this you have to download the metadata XML file of your SAP Cloud for Customer system:
6. Log on to your SAP Cloud for Customer system as an administrator.
7. Choose Adapt and select Launch in Microsoft Silverlight.
8. Choose ADMINISTRATOR and under Common Tasks select Configure Single Sign-On.
9. On the next screen, under General, choose the link SP Metadata.
10. Enter a filename to store the metadata of your SAP Cloud for Customer system. Then click Save.
11. Go back to the administration console of the SAP Cloud Identity service.
12. Choose Browse to upload the metadata file of your SAP Cloud for Customer system.
13. Select your metadata file and click Open. If you scroll down, you can see that all fields required for the manual configuration of the Service Provider, including the certificate, have been filled in automatically.
14. Click the Save button to store the configuration of your Service Provider (the SAP Cloud for Customer system).

Defining the Identity Federation on SAP Cloud Identity service

The last thing that needs to be configured on the SAP Cloud Identity service is the Identity Federation.

1. To do so, click Name ID Attribute under SAML 2.0.
2. Choose the kind of Name ID Attribute that your scenario requires, that is, what your SAP Cloud for Customer system expects as a valid system user. Email address is not supported by the SAP Cloud for Customer system.
3. Select Save to save your identity federation settings.
CHAPTER 2: CONFIGURE SAP CLOUD FOR CUSTOMER

Configure Single Sign-On on the SAP Cloud for Customer system to SAP Cloud Identity

Go back to the Single Sign-On Administration screen on the SAP Cloud for Customer system.

1. Click on the tab Identity Provider.
2. Select the button New Identity Provider to add the SAP Cloud Identity system as the Identity Provider for the SAP Cloud for Customer system.
3. On the SAP Cloud Identity side, call the URL https://<tenant ID>.accounts.ondemand.com/saml2/metadata to get the metadata.
4. Save the page.
5. Enter the filename from step 4 into the field File name and click Open. Now the new Identity Provider is listed and active.
6. Click on Activate Single Sign-On to use your configuration on the SAP Cloud for Customer system.
7. Click OK.
8. Select Save to save the Single Sign-On configuration.
9. The SSO URL field shows the URL to use when users should sign on to the SAP Cloud for Customer system via SAP Cloud Identity.
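The metadata files exchanged in chapter 1 (SP metadata of SAP Cloud for Customer uploaded to SAP Cloud Identity, steps 5 to 14) and chapter 2 (IdP metadata fetched from the tenant URL, steps 3 to 5) can be inspected before they are trusted. The following Python example is added here and is not part of the original SAP guide; the sample IdP metadata, the tenant name "mytenant" and the certificate bytes are constructed placeholders.

```python
# Added example, not from the SAP guide: pre-flight checks on the SAML metadata exchanged in
# chapter 1 (SP metadata uploaded to the IdP) and chapter 2 (IdP metadata fetched from the tenant).
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
ROLES = {"IdP": ("md:IDPSSODescriptor", "md:SingleSignOnService"),
         "SP": ("md:SPSSODescriptor", "md:AssertionConsumerService")}
# Constructed IdP metadata of the shape served at /saml2/metadata; tenant and certificate are placeholders.
CERT_B64 = base64.b64encode(b"placeholder-not-a-real-certificate").decode()
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://mytenant.accounts.ondemand.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://mytenant.accounts.ondemand.com/saml2/idp/sso"/>
  </md:IDPSSODescriptor></md:EntityDescriptor>"""

def parse_metadata(xml_text):
    """What the admin screens fill in from the file: role, entityID, endpoints, NameID formats, cert."""
    root = ET.fromstring(xml_text)
    role = "IdP" if root.find("md:IDPSSODescriptor", NS) is not None else "SP"
    node = root.find(ROLES[role][0], NS)
    # Only certificates usable for signing matter for verifying what the other side sends.
    certs = [kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", default="", namespaces=NS)
             for kd in node.findall("md:KeyDescriptor", NS) if kd.get("use", "signing") == "signing"]
    return {"role": role, "entity_id": root.get("entityID"),
            "endpoints": [(e.get("Binding"), e.get("Location")) for e in node.findall(ROLES[role][1], NS)],
            "name_id_formats": [n.text for n in node.findall("md:NameIDFormat", NS)],
            "signing_cert_sha256": [hashlib.sha256(base64.b64decode(c.strip())).hexdigest()
                                    for c in certs if c.strip()]}

def check_metadata(info, expected_tenant=None):
    """Problems to resolve before the file is trusted: no signing cert, non-HTTPS endpoints, wrong tenant."""
    problems = []
    if not info["signing_cert_sha256"]:
        problems.append("no signing certificate: SAML responses could not be verified")
    for _, location in info["endpoints"]:
        if urlparse(location).scheme != "https":
            problems.append(f"endpoint without HTTPS: {location}")
    if expected_tenant and info["role"] == "IdP":
        hosts = {urlparse(u).hostname for u in [info["entity_id"], *[l for _, l in info["endpoints"]]]}
        if hosts != {f"{expected_tenant}.accounts.ondemand.com"}:
            problems.append(f"hosts {sorted(hosts)} are not the expected tenant {expected_tenant}")
    return problems
```

Compare the printed fingerprint with the certificate shown in the administration console after the upload; a mismatch means a different file was loaded.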
© 2015 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.