Skip to Content

Integrate Microsoft Azure AD with SAP BTP, Cloud Foundry environment

Configure Microsoft Azure AD as the Identity Provider of your SAP BTP, Cloud Foundry environment subaccount.
You will learn
  • How to set up Microsoft Azure AD as one of your Identity Providers (IdP) for SAP BTP, Cloud Foundry environment applications
maxstreifenederMaxi StreifenederMarch 9, 2021
Created by
April 8, 2019


  • You have an SAP BTP, Cloud Foundry environment subscription or a trial account, and you are a security administrator of it (meaning that you can see the Security menu in the SAP BTP cockpit).
  • You have an Microsoft Azure subscription or a free account.

You will enable trust between SAP Business Technology Platform, Cloud Foundry environment subaccount and your Microsoft Azure AD. As a result, your Microsoft Azure AD can serve as a primary IdP or alternative IdP to communicate later with the UAA services of the SAP BTP, Cloud Foundry environment.

Congratulation! You have configured Azure AD as the SAML Identity Provider for your SAP BTP, Cloud Foundry environment applications.

  • Step 1

    You have to replace some variables in provided URLs throughout the tutorial like a tenant_name or region.

    Navigate to your SAP BTP, Cloud Foundry environment subaccount in the SAP BTP cockpit in order to have your tenant and region values for the next step handy.

    The tenant_name is equal to the subaccount domain, which can be found on the Overview page of the SAP BTP, Cloud Foundry environment subaccount.

    The correct region is part of the API Endpoint URL on the same page.

    tenant and region replacement
  • Step 2
    1. To download the metadata file of your SAP BTP, Cloud Foundry environment subaccount, navigate to the Trust Configuration section in your SAP BTP cockpit.

    2. Click on SAML Metadata to download the corresponding SAML metadata file.

      download saml metadata
  • Step 3

    Go to the Microsoft Azure Portal and navigate to Azure Active Directory and to the sub menu Enterprise applications.

    Azure AD enterprise application

    Your Azure Portal might look different according to your configured colour scheme. You can change your colour scheme whenever you want in the portal settings section.

    Click New Application.

    Search for the SAP Cloud Platform application in the gallery, enter MyAzureTutorial as the name, and save it.

    create new enterprise application

    After the successful creation, an overview of your application appears. Click the menu item Single-sign on (left) and select SAML.

    Import the previously downloaded metadata file from the SAP BTP, Cloud Foundry environment subaccount via Upload metadata file.

    upload subaccount metadata file

    A new view to update your Basic SAML Configuration should appear. Provide a Sign on URL and save. In this example, you are using the UAA tenant URL from Step 1.

    maintain sign on url

    Your UAA tenant URL has the following pattern: https://<tenant_name>.authentication.<region>

  • Step 4

    Before you configure user attributes and claims as part of SAML assertions, you are going to make the Groups attribute visible to the application. The Groups attribute is necessary on SAP BTP, Cloud Foundry environment to match with Role Collections and, therefore, grant authorizations to users in business applications. Microsoft Azure AD does not provide the user groups claim by default.

    Thus, navigate to Azure Active Directory > App registrations. Click View all applications and enter in the name of the application you created earlier, MyAzureTutorial.

    show app registrations

    Click Manifest.

    edit manifest file

    Change the value of groupMembershipClaims and save. In this tutorial, you are going to use SecurityGroup (for security groups and Azure AD roles). An alternative attribute value is All (security groups, distribution groups, and Azure AD directory roles).

    group membership claim attribute

    Go back to Azure Active Directory > Enterprise applications > MyAzureTutorial > Single Sign-on , and you will note that the Groups attribute has been added to User Attributes & Claims.

    A claim is usually a piece of information about a user, which is then provided to the connected application

    group assertion were automatically added

    Click the pencil button to adjust your name identifier value. Switch the Name identifier value to user.mail.

    Then, click on each claim to open the editor mode and change the and user attributes as shown below (case sensitive).

    change name identifier

    For the Groups attribute, you will have to use the Advanced options as below:

    groups claim advanced view

    Finally, download the Federation Metadata XML from Microsoft Azure. This file contains several assertion information and the certificate for SAP BTP, Cloud Foundry environment.

    federation medata file download
  • Step 5

    Access your SAP BTP, Cloud Foundry environment account (as in Step 1) and go to Security > Trust Configuration. Choose New Trust Configuration and import the metadata file downloaded from Microsoft Azure.

    new trust configuration

    The Link Text is the text that will be displayed in the logon page of the UAA tenant for end users.

    link text trust configuration
  • Step 6

    Open a new browser window and enter the UAA tenant URL again:


    You will still be able to logon with your S-Users/P-Users e-mail and password. You will see a link to Azure AD below the form. In Trust Configuration, you can enable/disable the SAP ID Service or any other IdP (MyAzureTutorial IdP Link Text) you have configured. If you disable the SAP ID Service, you will only see the links to the external Identity Providers. If there is only one Identity Provider configured, you will be automatically redirected to it.

    Log on via the Microsoft Azure AD IdP (MyAzureTutorial IdP Link Text) and enter your Microsoft user.

    An error message should appear:

    AADSTS50105: The signed in user ‘xyz’ is not assigned to a role for the application ‘abc’(MyAzureTutorial).

    Until now, you don’t have any users assigned to this enterprise application in Microsoft Azure AD. Only your Microsoft Azure AD is known as an IdP in your SAP Cloud Platform Cloud Foundry subaccount, but so far no users are allowed to log in with it.

    Go back to your overview of enterprise applications in Microsoft Azure AD and click your application. Add a new user by clicking Add user in the Users and groups submenu, as shown on the screenshot.

    add additional user

    For this tutorial you only want to add a single user (e.g. instead of whole groups). Continue with a click on Users (so far the application has no users assigned, accordingly None Selected should appear). Search for either your name or the email address you want to continue working with.

    search for your user

    By hitting the result tile you select the user and should appear under Selected members panel. Finish your user assignment with clicks on Select and Assign.

    finish assignment
  • Step 7

    Check if your user assignment was successful. Open a new browser window again and enter the UAA tenant URL again:


    two IdPs on login page

    Click the Azure link (MyAzureTutorial IdP Link Text) and log on with your Microsoft Azure user you previously assigned to the enterprise application in Microsoft Azure AD. You will be redirected back to UAA afterwards.

    You should not see any particular application, because you did not access a CF application, only the UAA tenant page.

    You can check the users details, including the groups mapped, by accessing the following URL:


    Which text appears on the UAA tenant page, after you completed the last step?

Back to top