Connect Azure Active Directory to SAP Cloud Platform Identity Authentication Service

Login to Azure Portal by going to https://portal.azure.com and provide your credentials.

Make sure you are using the right directory within the Azure subscription. The current directory is shown below your user name.

If it’s not the one you want to use, click on your profile and choose Switch Directory.

Either set your Default directory by selecting an item in the Dropdown or choose the directory for this particular session by selecting one of the listed options. (see both variants on the screenshot below)

Search for Azure Active Directory in the search bar on the top of the page and select the according entry in the shown results below.

Click the menu item Enterprise applications.

Click New application.

Azure Active Directory has templates for a variety of applications, one of them is the SAP Cloud Platform Identity Authentication Service. Search for this and select it.

A new column on the right side will appear to give the application a name. Give the application a name and click Add.

Click the menu item Single sign-on.

Choose SAML as the Single-Sign On method.

Download the federation metadata as shown below.

With this information we can setup the trust between Azure Active Directory and SAP Cloud Platform Identity Authentication Service.

Login to the administration console of SAP Cloud Platform Identity Authentication service through your particular URL.

The URL therefore is: https://[TENANT_ID].accounts.ondemand.com/admin

Tenant ID is an automatically generated ID by the system. The first administrator created for the tenant receives an activation e-mail with a URL in it. This URL contains the tenant ID. For more information have a look at SAP Cloud Identity Services - Identity Authentication in the SAP Discovery Center.

Navigate to Identity Providers and click Corporate Identity Providers.

Click Add at the bottom of the page and define a name for the Identity Provider. Click Save to finally create the Identity Provider.

Click SAML 2.0 Configuration and to upload the recently downloaded federation metadata from Azure Active Directory.

Choose the file from your local file system.

All fields below are automatically going to be filled due to the information provided through the uploaded file.

Click Save at the bottom of the page.

Click on Identity Provider Type.

Change the selection to Microsoft ADFS / Azure AD. Save the the configuration through clicking the Save button at the bottom of the page.

Go to the Tenant Settings in SAP Cloud Platform Identity Authentication Service and navigate to the SAML 2.0 Configuration.

Scroll down to the bottom of the page and Download the metadata file.

You have already uploaded the metadata file from Azure Active Directory to SAP Cloud Platform Identity Authentication Service. It’s time to do it the other way round now and upload the metadata of SAP Cloud Platform Identity Authentication Service to Azure Active Directory.

Go back to the https://portal.azure.com and search for Enterprise application in the search bar on top of the page. Select the according result.

Select the application you created previously in this tutorial.

Go to Single sign-on and select SAML as Single-Sign On method. Click Upload metadata to upload the metadata file from SAP Cloud Platform Identity Authentication Service.

All the details are now taken from the metadata file. There’s nothing to do for you other than saving the details. Therefore, click Save.