Establish Trust Configuration between SAP S/4HANA On-premise and SAP BTP

Beginner

15 min.

SAP Business Technology Platform, Beginner, SAP Document Management service, Tutorial, Cloud, SAP S/4HANA Cloud

Configure trust between SAP S/4HANA On-premise and the BTP subaccount. During the configuration, you download the identity providers generated in SAP S/4HANA On-premise. You import SAML identity provider metadata into your SAP BTP Cloud Foundry account.

You will learn

How to configure trust between SAP S/4HANA On-premise and SAP BTP system.
How to manage trust configurations between SAP S/4HANA On-premise and SAP BTP.

Vikram KulkarniOctober 8, 2024

Created by

October 8, 2024

Contributors

Prerequisites

You’ve access to the SAP BTP subaccount and have necessary admin privileges.
You’ve access to the SAP S/4HANA On-premise system.
You’ve access to the Google Workspace Account. For more information, see Configure Service Account in Google Cloud Platform.

Step 1
Log in to the SAP S/4HANA system and run the transaction OA2C_SAML20, to get the SAML metadata.

Copy the text into a `.xml’ file into your local system.
Step 2
Log on to your BTP Subaccount and navigate to the Trust Configuration option in the left side menu and click New Trust Configuration.

In the New Trust Configuration window that opens, upload the SAML2.Metadata.xml that you downloaded in the previous step (Reference: Step 1.1), and enter the name of your choice. Click on Parse and Save.

Verify the trust configuration by clicking on the recently created trust configuration in the above step (Reference: Step 2.2).

Important: Verify that the SAP backend system’s host name is correctly specified in the trust configuration. Double-check the selected Origin Key for accuracy and ensure that the protocol is set to SAML.

Click on Show Details and ensure that the Subject and Issuer provided are correct.
Step 3
Navigate back to the SAP BTP Cockpit home screen and go to the Security > Users tab. Click Create.

In the Create User dialog, enter the Username, select the newly created Identity Provider, add the email address of the user, and click Create.

IMPORTANT: The e-mail address of the user must be identical to the one used in the SAP S/4HANA system. The email address can be identified using the Maintain Business User or Manage Workforce option. It’s important to note that the email IDs are identical. For example, if your SAP system user email ID is **demo.user@myexample.com** then the SAP BTP Cockpit user email ID is the as same your SAP system user email ID, and it should also be maintained as : **demo.user@myexample.com**.

Select the newly created user from the list and click on Assign Role Collection.

Assign the user role collection of the SAP Document Management Service, Integration Option (For example, SDM_roles or the role collection that you created) which is defined in the subaccount. For more information, see the 3rd step in this tutorial Create a Service Instance and then a Service Key of SAP Document Management Service, Integration Option.
Step 4
In the same subaccount, navigate to the Trust Configuration and click SAML Metadata. A metadata file gets downloaded to your local system.

Go to the file in your explorer and right-click on the downloaded file in your local system from the previous step. Open it with any editor (like Notepad, Notepad++, Code, Sublime Text, etc.) scroll down to the bottom of the file to get the token endpoint and copy the URL that is located at the string:

JSON
Copy
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:URI" Location="https://example.com"index="1"/>
Step 5
Copy Location URL that you can find in the downloaded SAML Metadata from SAP BTP Cockpit and paste it into the text box.