Enterprise Resource Planning Blogs by SAP

With 10.0 FP 2208, SAP Business One introduces the Identity and Authentication Management (IAM) service, which allows users to authenticate with their Identity Provider (IDP) user when signing in to SAP Business One.

Connecting SAP Business One with an identity provider helps you manage user access securely without compromising the user experience during sign-in to SAP Business One.

What are the main benefits of using the IAM solution in SAP Business One?

  • Single sign-on (SSO) experience.

  • Reduced password fatigue – users do not need to remember an excessive number of passwords.

  • Enhanced security during sign-in by using the IDP’s multi-factor authentication, which reduces the potential attack surface.

  • A central user management solution, allowing landscape administrators to set up IDP users (under one or more IDPs), bind them to SAP Business One company users, and manage users across all company databases in one place.

Identity Providers Management

IAM can be activated by configuring IDPs and users under the newly added ‘Identity Providers’ and ‘Users’ tabs in the SAP Business One System Landscape Directory (SLD) control center.
After upgrading to 10.0 FP 2208, the following identity providers appear by default under the ‘Identity Providers’ tab in SLD:

  • SAP Business One Authentication Server – Built-in Authentication Service

  • Active Directory Domain Services – Built-in Authentication Service

It is also possible to add an OIDC (OpenID Connect) IDP by clicking ‘Add’:

  • OIDC (OpenID Connect)

Note: with 10.0 FP 2208, it is possible to register 'AD FS' or 'Azure Active Directory' as external identity providers via OIDC.

Identity Providers tab in SLD

By default, to preserve backward compatibility, IDPs are set to ‘inactive’ after the upgrade. There is no change to the sign-in experience for SAP Business One users unless an IDP is activated.

Before an IDP is activated, a few important prerequisites must be fulfilled:

  • There must be at least one corresponding Landscape Admin user configured under the ‘Users’ tab in SLD.

  • IDP users have been created and bound to SAP Business One company users across all companies.

  • The IDP property for add-ons has been adopted.

User Management

The newly added ‘Users’ tab in SLD acts as a ‘one stop shop’ for:

  • Adding / removing IDP users.

  • Binding IDP users to SAP Business One users across company databases.

  • Central user management: changing passwords and activating / deactivating unified users (users created under the SAP Business One Authentication Server IDP), and assigning users the Landscape Admin role.

Note: The licenses assigned to SAP Business One company users remain unchanged after enabling the identity and authentication management.


Sign-in to SAP Business One with an IDP

Once an IDP is activated in SLD, SAP Business One users will see a new sign-in window. Depending on the landscape's IDP configuration (IDP type, number of IDPs activated), users are redirected to their IDP within the SAP Business One sign-in window to authenticate.

Watch the quick demo below on how to set up Microsoft Azure as an identity provider in SAP Business One and sign in to the SAP Business One Web Client with an Azure account.


As IAM has a noticeable footprint on the user’s sign-in journey, in addition to behavioral changes in SAP Business One, we highly recommend reviewing the ‘Identity and Authentication Management in SAP Business One’ how-to guide to learn more about the following topics:

  • IAM Setup and Configuration

  • Recovery / Reset of IAM

  • Behavior changes

  • Supported SAP Business One Components in 10 FP 2208

  • Extension adaptations

Roll out plan

The Identity and Authentication Management service is planned to be rolled out in a phased manner.
With 10.0 FP 2208, IAM is supported by the following SAP Business One products:

  • SAP Business One

  • SAP Business One, version for SAP HANA

Please note that with the 10.0 FP 2208 release, the IAM service is not supported by existing SAP Business One Cloud versions. Support in SAP Business One Cloud is planned for later versions.

I hope this blog was useful to you as an introduction to SAP Business One’s Identity and Authentication Management service. I'm looking forward to hearing about your experience working with IAM in SAP Business One, so be sure to leave your feedback in the comments section below.

We are looking forward to the release of IDP support for SAP Business One Cloud and will start upgrading our single tenant customers to use IDP with FP2208 soon
Hi Guy,

Does the new IAM capability support principal propagation of a business user through to the Business One Service Layer during API calls?


Hi Mustafa,
Thanks for your follow up question. I am not sure I fully comprehend the scenario you mentioned. For further evaluation, can you please provide a step by step description of the intended flow?

BTW - please also refer to the Extension chapter in the Identity and Authentication Management guide to review the required adaptations for DI API and Service Layer based Add-ons in order to consume IAM.

Best Regards
Hi guy.sujetzki

I think my scenario would be covered by the Web App flow for IAM as described in the guide you referred to.  For context, the intended flow in my scenario is as follows:

  • A custom sales order creation Fiori app is deployed on SAP BTP Cloud Foundry environment.

  • This Fiori app interacts with SAP Business One via the APIs of the Business One Service Layer.

  • When the user signs into the Fiori app and authenticates, the desired outcome is that when the Fiori app calls the relevant Business One Service Layer APIs, the user's identity is propagated through to the API so that the data the logged in user sees and the actions they can take via the API are consistent with that particular user's authorisations in Business One.

Does that make sense?


Hi Mustafa,
Thanks for clarifying, yes that seems to fall under the Web App flow for IAM.
BTW - Regarding BTP applications & choice of IDPs - please note that in 2208 FP we officially support Azure and ADFS as external IDPs via OIDC configuration. SAP IAS will be officially supported in future releases.
Best Regards

Installing the new version works, and the new licence also imports well, but when trying to assign SAP user attributes an error appears:

Connection to license server is not authenticated

I've activated the "SAP Business One" in the identity provider tab in SLD but failed to add local user.

Hi Tomer,
Thanks for sharing this finding. As we did not encounter this error in various IAM related configurations, I believe this error might be related to a different landscape issue.

For example:
2409083 Connection to License Server Is Not Authenticated

Please try to run a KB search. In case you're still unclear about this issue, please create an incident with a step-by-step reproduction desc. so we could further investigate.

Best Regards

Hi Guy,

We are currently building a C# Blazor WASM application hosted on ASP.NET Core and using Duende IdentityServer as our OIDC provider with the BFF (backend for frontend) framework. I want to know how to add Duende IdentityServer to the SAP Authentication Server (Keycloak) as an IdP.


  1. Duende IdentityServer is our IdP providing login, logout, redirection, authentication and authorization to our Blazor WASM client application

  2. Our Blazor WASM client has local API endpoints (controllers) that call the remote API (SAP Service Layer), hence a proxy access

  3. Duende IdentityServer will manage token and grant our Blazor WASM client application access to SAP Business One Layer API Endpoints

  4. We are using Authorization code + PKCE flow

This link is a reference to the Duende IdentityServer implementation of BFF: https://docs.duendesoftware.com/identityserver/v6/bff/tokens/

Best regards,

Gideon Makinwa
Hi Gideon,

With 2208 FP release, we officially support MS Azure and ADFS as external IDPs for OIDC.
We are planning to expand the list of supported IDPs in the next releases.

For the time being, I strongly recommend raising your requirement to support Duende as an IDP via our Customer Influence site https://influence.sap.com/sap/ino/#/campaign/887
This gives us visibility into the overall market's demand for the IDPs most used in our SAP Business One community.

Best Regards
Hi Guy,

My app is a Blazor WASM BFF (back-end for frontend) relying on Duende IdentityServer for user authentication and authorization; however, for remote API calls (using HttpClient methods to call the SAP B1 Service Layer) I want a machine-to-machine client credentials flow. In the SAP Keycloak SapB1 realm, the service layer client is already created by SAP.

Here is my C# code in a console app to first get an access token and then add it to my HTTP calls to the Service Layer APIs:


// Console app Program.cs (top-level statements)
using System;
using System.Net.Http;
using IdentityModel.Client;

var tokenClient = new HttpClient();

// Client credentials request against the SAP Keycloak token endpoint
var token2 = await tokenClient.RequestClientCredentialsTokenAsync(new ClientCredentialsTokenRequest
{
    Address = "https://[Server]:40020/auth/realms/sapb1/protocol/openid-connect/token",  // SAP Keycloak Authentication Server token endpoint
    ClientId = "b1-B1ServiceLayers-1713-main-sbo",  // created by SAP already, default
    ClientSecret = "728adc6d-560e-4f80-82d3-452a939182ee"  // generated already by SAP
});

if (token2.IsError)
    throw new Exception(token2.Error);  // stop here if Keycloak rejected the client credentials

var apiClient = new HttpClient();
// Attach the access token as a Bearer token; without this the Service Layer call is sent anonymously
apiClient.SetBearerToken(token2.AccessToken);

var response = await apiClient.GetAsync("https://localhost:50000/b1s/v1/Items");  // B1 Service Layer Items endpoint
var data = await response.Content.ReadAsStringAsync();


This does not seem to work. What's the correct way to get an access token to call the Service Layer APIs?


Best regards,

Gideon Makinwa
Hi Gideon,

Thanks for the details.

In case you haven't done so before, please check out the extension chapter in our Identity and Authentication Management How-to Guide

Otherwise, I recommend reporting an incident to allow our Support experts to take a closer look.
Kind Regards
Hi, Guy!

Maybe it's already happening to others, but when I try to configure the external IP for the authentication service and SLD, it returns an error message that doesn't make sense with what the FP 2208 administration manual says.

The option to map the SLD with the domain/external IP is no longer in the External Mapping tab, it is now configured in the Security tab.

Either the manual has an error or the service has an internal problem; these are things that are very easy to configure but are not working as we would expect.


Hi Erick,

Thanks for sharing this scenario.
When defining an address for SLD and the Authentication Service under the Security tab, there is a check in place that the defined addresses for SLD and the Authentication Service are indeed reachable before the new values are saved, to prevent a scenario where SLD is no longer reachable after the update.

Please make sure that the new addresses for SLD and Authentication service are indeed reachable. If you still face an issue during save operation, I recommend logging an incident with relevant details incl. actual error message shown.

Best Regards
Hi, Guy
We have a novelty after the update to version 2208. 

Previously, when SSO was activated from the SLD, if a user needed to change the linked user, they could click "change user" to type a new user.

With this version, we don't see that possibility.

It is important to be able to have this option, since with the link it was possible to indicate which databases the users had access to.

In previous versions, the service was activated by the SLD

The SSO option was shown activated for users with the Microsoft Windows account link

If they needed to change the user, they could uncheck the option and enter with a new user.

I appreciate if you can help me with this news.

Best Regards
Hi Luis,

Thanks for addressing this behavior change.
With FP 2208, once Active Directory Domain Services is enabled (it will be automatically enabled in case you worked with SSO prior to the upgrade), the option to sign in with B1 user codes in parallel is no longer available. This is part of a security measure we took to comply with security standards for authorizing users during the sign-in process.

For your scenario:

  • In case you have B1 user codes that are not yet bound to domain users, you should be able to complete all necessary IDP user creation and bindings from SLD - under the Users tab. For more information please refer to our IAM guide.

  • In case you would like to avoid binding some of your B1 user codes to domain users, as an option you may also consider activating the SAP Business One Authentication Service in parallel and creating the relevant IDP users (under the SAP B1 Authentication Service) and bindings for these B1 user codes.

    By doing so, users may log in with their corresponding domain user (SSO) or with their B1 IDP user (SAP B1 Authentication Service).

Hope this helps

Best Regards
Hi Guy,

does the new IAM solution support integration with OKTA?


Hi Greg,

With FP 2208 we officially support Azure AD and ADFS as external IDPs (via OIDC).
OKTA & additional IDPs are planned to be supported in future releases.

Best Regards
If you want to renew the certificate used for the Authentication Service, check out my blog post:

How to renew your SAP B1 Authentication Service Certificate | SAP Blogs

Hope it is helpful!

Best regards,


Hi joerg.ceo

Thanks for taking the time to share this tip on certificate renewal, great Blog!

One short comment to this:
Certificate renewal and DB user configuration changes can be done in the same procedure as before - during Reconfiguration of SAP Business One
Here are some mockups from my SQL based environment:


Hope this clarifies how to handle certification refresh in SAP Business One landscape.

Kind Regards
Hi guy.sujetzki !

Thanks for sharing the info. I am of course aware that the reconfiguration is possible.

However, it is not well suited for automated execution, although it might actually be possible to execute unattendedly.

When using Letsencrypt.org certificates they expire every 90 days (and renew every 60), so an admin would have to "constantly" run the reconfiguration to update the certificates.

Our renewal script goes into a cronjob (or scheduled task on Windows) and is executed weekly. Only when a renewed certificate is available is it actually substituted, and the service restarted.

Also, the reconfiguration is much more "invasive" in my opinion, since it revalidates and restarts every single service. The procedure I shared takes just seconds to execute, vs. at least 3 minutes, probably up to 10, when done using the reconfiguration wizard.

I hope this explains why we don't use the reconfiguration procedure for that purpose (unless a certificate password change or other "major" modification is actually required).

Best regards,


We have user named "xdtw" with license  "SAP Business One Indirect Access User"

In SLD we will add user as "SAP Business One Authentication Server"


What happens next? This new feature forces us to change the password for the first time.

How can we change the password for user XDTW when we cannot log in to SAP with this user?


Hi Bloch,

Would it be possible to remove the "SAP Business One Indirect Access User" license assignment for the user code, only in order to sign in with the IDP user "xdtw" to SAP Business One and change the password? Is that a viable option?

Best Regards
But how can we log in if there is no option to log in to SAP using a user name? When you have SSO configured there is no window to enter a user name, am I right?

Hi Lukasz
That's why I proposed in my initial reply in this comment thread to activate in parallel the SAP Business One authentication service and create a new SAP Business One Authentication service user (as you apparently did according to screen capture above) and bind the user to your SAP Business One relevant user code, e.g. xdtw.
Once you do that, you will be able to sign-in using the SAP Business One Authentication service user "xdtw" and during sign-in process it will be mapped to the xdtw user code sign-in.
Hope it is now clearer,

Best Regards
I have bound my user DOMAIN\LUKASZ.BLOCH with the SAP account, so when I start the SAP client there is no option to enter a username and password. So I am not able to change the password for the user I have created.


So the option is to log in to the OS as a user that IS NOT SET UP and bound, and then SAP will ask for a username and password during login.



Hi Lukasz

1. You have to make sure that your SAP Business One authentication service is activated (under Identity Provider tab) in parallel to Active domain Services IDP.
2. in case more than one IDP is activated in a landscape, you should be getting the following initial screen when opening SAP Business One:
3. In case you do not get this window, despite having 2 IDPs activated, and instead you are automatically signed in with your domain user - I suggest the following actions:
- temporarily disable your Active Directory authentication service.
- finish setting up the needed SAP Business One authentication IDP users and bindings to the relevant B1 user codes across all companies.
- sign in with the SAP Business One IDP users; you will be asked to set a new password as part of the initial sign-in process.
- reactivate the Active Directory authentication service.
Hope this helps
Best Regards


We are facing issues with this new FP regarding the new SSO configuration that led us to a rollback when we tried to upgrade to FP2208.

  • When both AD authentication and SAP authentication are on, we are unable to log in with a B1 user that is not bound to a domain account. This is highly problematic for us, because our infrastructure team of 40+ people can currently access it to perform add-on installation, for example. Considering we have a bit less than 100 SAP B1 environments, the current functioning would lead us to need approximately 4000 SAP B1 licences ... just for the infrastructure team because of its relatively large size, which is currently done by using manager on the 100 bases, which is roughly ~100 licences. The gap of 3K+ licences is unreachable.
  • The creation of an SAP B1 user is now divided in 2 parts: the B1 account, done in B1, and the domain account binding, which is now done in SLD. Previously, this binding was done directly in the User management window in SAP B1, which allowed a project manager to create a new user in Business One in complete autonomy. Now, with this functioning requiring SLD access to bind a domain user to an SAP user, we have to either give SLD access to B1 project managers (unsafe), or make it so that our infrastructure team is now part of the user creation workflow, which is ... completely out of touch in an organization our size.

The current functioning is clearly not adapted to a relatively large scale organization; what are you planning regarding this? We are currently stuck for our upgrades with FP 2202 because of this SSO issue, or we have to completely disable SSO and migrate to 2208.



Exactly the same scenario here


Hi Victor,

Thanks for sharing your experience.
Let me try to clarify the existing behavior / status for both points you mentioned;

  • When both AD authentication and SAP authentication are on, we are unable to log in with a B1 user that is not bound to a domain account
    My comment: in the above configuration (both IDPs are set as active), in case you are logged in to Windows with a domain user that does not exist under the 'Users' tab in SLD, when opening the SAP Business One client you will be prompted with the option to sign in with your SAP Business One Authentication IDP user.


    In case you experience a different behaviour, please report an incident on component "SBO-BC-IAM" with a step-by-step description of the scenario and supporting screen captures of your settings under "Identity Providers" and "Users" tabs in SLD.

  • Missing the option to bind users from the SAP Business One client, as done before.
    My comment: Thanks for this important feedback. We are aware of this temporary limitation, which was introduced in 2208 FP (documented as well in the Identity and Authentication Management how-to guide under the behavior change chapter), and can assure you the option to bind users from the SAP Business One client will be re-introduced in upcoming versions.

Best Regards

Hi Guy,

SLD redirection explained.

Best regards,

Hi Erick,
Many thanks for the link.
Very good video 🙂

Switching to English as my Spanish is somewhat rusty,
Thanks for sharing this video with the community; that's a very helpful resource making IAM further accessible to a wider audience. Now we need an English version as well. 🙂

Best Regards
Hi Guy,

Thank you for your answer

Concerning those two points:

  • That's the current functioning I have on the 2 systems I tried this FP on, and I already have an incident opened about it (123135)

  • Is this feature planned on your roadmap? Is there an ETA on it?

Best Regards

Hi Victor,

Thanks for sharing the info; let's continue the follow-up with the Support teams via the incident.
As for user binding from the B1 client, I can confirm it is on the roadmap with high priority, but I cannot commit on an ETA at this point.

Best Regards

Hi Guy,

Yeeei soon, sure 🙂

Best regards,

Hi Guy,

Are you able to share information on how to connect to the Service Layer when the Active Directory Domain Services IDP is enabled? In my initial tests, the old method (https://hostname:50000/b1s/v1/Login) returns a 502 proxy error.

I was able to make an initial connection using https://hostname:50000/b1s/v1/ssob1s, but subsequent calls using the session ID provided returned a 401 error stating "Invalid session or session already timeout."

Any information or resources would be greatly appreciated.


Hi Glenn,

Thanks for reaching out. Did you have a chance to review the required changes needed to adopt extensions for IDPs?


Hopefully that does the trick.

Best Regards
Thanks Guy,

Connections to the Service Layer have never been considered to be extensions. Has this changed with FP2208 then? This will mean rewriting the authentication for any application connecting to the Service Layer if that's the case. Are there any examples available showing the connection method using Postman to clarify what needs to happen?

Hi Guy,

Can we have an idea of the priority of IAM for Cloud? Is it within a year? 2 years? SSO for public cloud comes up very often for us from a requirements perspective.


Thanks for all that you do!





Hi Jay,

Thanks a lot for sharing this important question.
I can assure you that we're working on bringing IAM into SAP Business One Cloud (Cloud Control Center) as one of our higher priority items (cannot yet publicly commit on timelines).

Let me share some insights on this;

Looking at the current customer journey when working on SAP Business One in Cloud (hosted using Cloud Control Center), we need to consider the dependency we have on RDP in order to consume the SAP Business One Desktop Client, using Active Directory domain users.

This therefore requires a different approach compared with the IAM implementation featured in FP 2208, to make sure we offer a consumable solution that cloud providers can utilize for this use case and truly benefit from IAM capabilities in this context.

For Web Client and other web interfaces hosted on Cloud - a similar approach to FP 2208's IAM can be taken.

Hope this provides some insights into our planned IAM implementation for Cloud.

Kind Regards

This does not work.....

As soon as the Active Directory authentication service is re-enabled, the ability to enter a user code disappears again.
I'm sorry but this is horrendous.

This either forces us to disable Single-Sign-On for our customers who use it or it induces license sharing on the customer side, as sometimes it's necessary to use SBO on another machine.

Hi Joshua,

Sorry to hear about your experience.
The ability to enter a user code when starting SAP Business One should still be available when Active Directory is enabled, for users that do not have a corresponding Active Directory IDP user set for them in SLD.

In case there is a corresponding AD IDP user set in SLD, the user will be indeed automatically signed-in via Kerberos to provide a true SSO experience.

Best Regards
Hi Guy,

this is what our problem is. When I am working with a Windows user that is assigned to an SBO user then there is no way of using another SBO user on that machine, unless the whole windows user is changed.

And that is a huge step backwards.

Why not just provide the option to uncheck "Single-Sign-On" to log in with whatever SBO user you want? It was there before and should be there now.
Even when the checkmark is there, it still would be as you say "a true SSO experience". Just always leave the box checked by default.

I know this isn't on you personally but things like this really really frustrate me...
We have several customers who already are disappointed in all the huge bugs the last couple of releases brought with them (not to mention that FP2208 is unusable in german) and now I'm facing another issue where we have to explain to those customers that unfortunately they have to live with that limited functionality or that the users cannot use SSO anymore.

I really hope that you guys think about this and bring it back.


Hi Joshua,

Thanks for providing the detailed scenario. I have a clear picture now of your specific setup and challenge with the latest change introduced in FP 2208 in sign-in scenarios.
Another option you may consider, in order to also fulfill a decent level of security when using a shared computer, is to sign in to Windows with a user that is not bound to any B1 user code in SLD.
In this case, both users (user A bound to the B1 Authentication Service and user B bound to Active Directory Domain Services) can sign in by typing their user credentials.

While we continue to review this internally -  I highly recommend sharing this request also over our SAP Business One Customer influence site https://influence.sap.com/sap/ino/#/campaign/887
to get SAP Business One community take on this.

Thanks again for sharing this.
Best Regards

Okay I will try it there.
But from our experience, once it goes to customer influence it's a dead end most of the time anyway...

We are unable to use the reconfiguration wizard to renew the certificate. We are unable to complete the process of renewing the security certificate. When using the Components Wizard it gets to the Service Databases and the options are Keep Current Scheme which is the default - B1AS. After clicking next it says Scheme [B1AS] is not a valid Authentication Service Schema. There is an OK button and this returns to the Wizard and we cannot continue.  We have opened a case with SAP but no progress yet.
With this new functioning, using the SLD, there's no validity check anymore when adding new users (before, when we added a user in Active Directory, the system checked the existence of said user). Is there a way to control the mappings done in the SLD?

Furthermore, as we strive to manage a regular inventory of our users and licences affectation we would like to be able to make regular check up of the users mapped in the SLD to verify

  • If the users in the SLD are still active Active Directory users

  • If the users with a licence in SAP B1 are still active

is there a way to retrieve the data in the "user" tab of the SLD ?


Hi David,

Thanks for your comments and insights;

I understand you are looking for an online verification (currently does not exist as of FP 2208) of user's existence as a valid Domain User in the following scenarios:

1. Adding a new AD based IDP User in SLD.

2. A routine check for existing AD based IDP users that are already registered in SLD.

In addition, from your last point, I understand you would like to have some traceability in SLD (under users) to evaluate whether your B1 licensed user codes are still active.

It would be interesting, from your (or the community's) point of view, how you would envision this - what defines an active user?
e.g. a user that signed in in the last X days?

I fully agree that all 3 points make sense and bring noticeable value to Lifecycle management of SAP Business One.
I would kindly suggest to raise these points via CIS (Customer Influence) https://influence.sap.com/sap/ino/#/campaign/887 Let's see how our community votes on this idea.

Thanks once again for sharing these great ideas!
Best Regards