Integrate Microsoft Azure AD with SAP BTP, Cloud Foundry environment
- How to set up Microsoft Azure AD as one of your Identity Providers (IdP) for SAP BTP, Cloud Foundry environment applications
- You have an SAP BTP, Cloud Foundry environment subscription or a trial account, and you are a security administrator of it (meaning that you can see the Security menu in the SAP BTP cockpit).
- You have a Microsoft Azure subscription or a free account.
You will enable trust between SAP Business Technology Platform, Cloud Foundry environment subaccount and your Microsoft Azure AD. As a result, your Microsoft Azure AD can serve as a primary IdP or alternative IdP to communicate later with the UAA services of the SAP BTP, Cloud Foundry environment.
Congratulations! You have configured Azure AD as the SAML Identity Provider for your SAP BTP, Cloud Foundry environment applications.
- Step 1
You have to replace some variables in the URLs provided throughout the tutorial, like a
Navigate to your SAP BTP, Cloud Foundry environment subaccount in the SAP BTP cockpit in order to have your region values for the next step handy.
tenant_name is equal to the subaccount domain, which can be found on the Overview page of the SAP BTP, Cloud Foundry environment subaccount.
region is part of the API Endpoint URL on the same page.
- Step 2
To download the metadata file of your SAP BTP, Cloud Foundry environment subaccount, navigate to the Trust Configuration section in your SAP BTP cockpit.
Click on SAML Metadata to download the corresponding SAML metadata file.
- Step 3
Go to the Microsoft Azure Portal and navigate to Azure Active Directory and to the sub menu Enterprise applications.
Your Azure Portal might look different according to your configured colour scheme. You can change your colour scheme whenever you want in the portal settings section.
Click New Application.
Search for the SAP Cloud Platform application in the gallery, enter MyAzureTutorial as the name, and save it.
After the successful creation, an overview of your application appears. Click the menu item Single sign-on (left) and select SAML.
Import the previously downloaded metadata file from the SAP BTP, Cloud Foundry environment subaccount via Upload metadata file.
A new view to update your Basic SAML Configuration should appear. Provide a Sign on URL and save. In this example, you are using the UAA tenant URL from Step 1.
Your UAA tenant URL has the following pattern:
- Step 4
Before you configure user attributes and claims as part of SAML assertions, you are going to make the Groups attribute visible to the application. The Groups attribute is necessary on SAP BTP, Cloud Foundry environment to match with Role Collections and, therefore, grant authorizations to users in business applications. Microsoft Azure AD does not provide the user groups claim by default.
Thus, navigate to Azure Active Directory > App registrations. Click View all applications and enter in the name of the application you created earlier,
Change the value of groupMembershipClaims and save. In this tutorial, you are going to use SecurityGroup (for security groups and Azure AD roles). An alternative attribute value is All (security groups, distribution groups, and Azure AD directory roles).
Go back to Azure Active Directory > Enterprise applications > MyAzureTutorial > Single Sign-on, and you will note that the Groups attribute has been added to User Attributes & Claims.
A claim is usually a piece of information about a user, which is then provided to the connected application.
Click the pencil button to adjust your name identifier value. Switch the Name identifier value to
Then, click on each claim to open the editor mode and change the and user attributes as shown below (case sensitive).
Groups attribute, you will have to use the Advanced options as below:
Finally, download the Federation Metadata XML from Microsoft Azure. This file contains information about the assertions Azure AD issues and the signing certificate that SAP BTP, Cloud Foundry environment needs in order to trust them.
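Added example, not part of the SAP tutorial: once the claims in Step 4 are in place, an assertion from Azure AD carries the user's e-mail as NameID and the group object IDs in an attribute named exactly Groups. The snippet below parses such an assertion and works out which role collections the Groups values would map to; the assertion, the group IDs and the group-to-role-collection table are constructed placeholders, and the table only stands in for the mapping you maintain in the subaccount's trust configuration.

```python
# Added example (not from the SAP tutorial): inspect the attributes an Azure AD
# SAML assertion carries and work out which SAP BTP role collections a user would
# be granted through the Groups attribute. The assertion below is constructed;
# the group object IDs and role-collection names are placeholders.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion fragment in the shape Azure AD issues after Step 4:
# NameID carries the user's e-mail, "Groups" carries group object IDs.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Groups">
      <saml:AttributeValue>11111111-aaaa-4bbb-8ccc-000000000001</saml:AttributeValue>
      <saml:AttributeValue>11111111-aaaa-4bbb-8ccc-000000000002</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="first_name"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Placeholder table (assumed, not from the page): Azure AD group object ID ->
# SAP BTP role collection, standing in for the mapping kept in the subaccount.
GROUP_TO_ROLE_COLLECTION = {
    "11111111-aaaa-4bbb-8ccc-000000000001": "MyApp_Viewer",
    "11111111-aaaa-4bbb-8ccc-000000000003": "MyApp_Admin",
}


def parse_assertion(xml_text):
    """Return (name_id, {attribute name: [values]}) from an assertion.
    The XML signature is assumed to have been verified before this point,
    as the UAA does before it trusts any attribute."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return name_id, attrs


def role_collections_for(xml_text):
    """Role collections granted via group membership. The attribute name must
    be exactly 'Groups' (case sensitive); anything else yields no mapping."""
    _, attrs = parse_assertion(xml_text)
    groups = attrs.get("Groups", [])
    return sorted({GROUP_TO_ROLE_COLLECTION[g] for g in groups if g in GROUP_TO_ROLE_COLLECTION})
```

A group ID that is present in the assertion but absent from the table (the second value above) grants nothing, which is the behaviour you want when a user is added to an unrelated Azure AD group.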
- Step 5
Access your SAP BTP, Cloud Foundry environment account (as in Step 1) and go to Security > Trust Configuration. Choose New Trust Configuration and import the metadata file downloaded from Microsoft Azure.
The Link Text is the text that will be displayed in the logon page of the UAA tenant for end users.
- Step 6
Open a new browser window and enter the UAA tenant URL again:
You will still be able to log on with your S-User/P-User e-mail and password. You will see a link to Azure AD below the form. In Trust Configuration, you can enable/disable the SAP ID Service or any other IdP (MyAzureTutorial IdP Link Text) you have configured. If you disable the SAP ID Service, you will only see the links to the external Identity Providers. If there is only one Identity Provider configured, you will be automatically redirected to it.
Log on via the Microsoft Azure AD IdP (MyAzureTutorial IdP Link Text) and enter your Microsoft user.
An error message should appear:
AADSTS50105: The signed in user ‘xyz’ is not assigned to a role for the application ‘
Until now, you don’t have any users assigned to this enterprise application in Microsoft Azure AD. Only your Microsoft Azure AD is known as an IdP in your SAP Cloud Platform Cloud Foundry subaccount, but so far no users are allowed to log in with it.
Go back to your overview of enterprise applications in Microsoft Azure AD and click your application. Add a new user by clicking Add user in the Users and groups submenu, as shown on the screenshot.
For this tutorial you only want to add a single user (rather than whole groups). Continue with a click on Users (so far the application has no users assigned, so None Selected should appear). Search for either your name or the e-mail address you want to continue working with.
By clicking the result tile you select the user, who should then appear in the Selected members panel. Finish your user assignment with clicks on
- Step 7
Check whether your user assignment was successful. Open a new browser window and enter the UAA tenant URL again:
Click the Azure link (MyAzureTutorial IdP Link Text) and log on with the Microsoft Azure user you previously assigned to the enterprise application in Microsoft Azure AD. You will be redirected back to UAA afterwards.
You should not see any particular application, because you did not access a CF application, only the UAA tenant page.
You can check the user's details, including the mapped groups, by accessing the following URL:
Which text appears on the UAA tenant page, after you completed the last step?