We are looking forward to the release of IDP support for SAP Business One Cloud and will start upgrading our single tenant customers to use IDP with FP2208 soon

Hi Guy,

Does the new IAM capability support principle propagation of a business user through to the Business One Service Layer during API calls?

Regards,

Mustafa.

Hi Mustafa,
Thanks for your follow up question. I am not sure I fully comprehend the scenario you mentioned. For further evaluation, can you please provide a step by step description of the intended flow?

BTW - please also refer to the Extension chapter in the Identity and Authentication Management guide to review the required adaptations for DI API and Service Layer based Add-ons in order to consume IAM.

Best Regards
Guy

Hi guy.sujetzki

I think my scenario would be covered by the Web App flow for IAM as described in the guide you referred to.  For context, the intended flow in my scenario is as follows:

• A custom sales order creation Fiori app is deployed on SAP BTP Cloud Foundry environment.


• This Fiori app interacts with SAP Business One via the APIs of the Business One Service Layer.


• When the user signs into the Fiori app and authenticates, the desired outcome is that when the Fiori app calls the relevant Business One Service Layer APIs, the user's identity is propagated through to the API so that the data the logged in user sees and the actions they can take via the API are consistent with that particular user's authorisations in Business One.

Does that make sense?

Thanks,

Mustafa.

Hi Mustafa,
Thanks for clarifying, yes that seems to fall under the Web App flow for IAM.
BTW - Regarding BTP application & choice of IDPs - Plz note that in 2208 FP we officially support Azure and ADFS as external IDPs via OIDC configuration. SAP IAS will be officially supported in future releases.
Best Regards
Guy

Hello,

Installing new versoin works, New Licence also importing well, But when trying to assign SAP users attributes error appearing:

Connection to license server is not authenticated

I've activated the "SAP Business One" in the identity provider tab in SLD but failed to add local user.

Hi Tomer,
Thanks for sharing this finding. As we did not encounter this error in various IAM related configurations, I believe this error might be related to a different landscape issue.

for example
2409083 Connection to License Server Is Not Authenticated


Please try to run a KB search. In case you're still unclear about this issue, please create an incident with a step-by-step reproduction desc. so we could further investigate.

Best Regards
Guy

Hi Guy,

We are currently buiding a C# Blazor WASM application hosted on ASPNETCore and using Duende IdentityServer as our OIDC using the BFF (backend for frontend) framework. I want to know how do I add Duende IdentityServer to SAP Authentication Server (Keycloak) as IdP.

Note

1. Duende IdentityServer is our IdP providing login, logout, redirection, authentication and authorization to our Blazor WASM client application


2. Our Blazor WASM client have local API Endpoints (controllers) that call remote API (SAP Service layer), hence a Proxy access


3. Duende IdentityServer will manage token and grant our Blazor WASM client application access to SAP Business One Layer API Endpoints


4. We are using Authorization code + PKCE flow

The link is reference to Duende identityServer implementation of BFF https://docs.duendesoftware.com/identityserver/v6/bff/tokens/

Best regards,

Gideon Makinwa

Hi Gideon,

With 2208 FP release, we officially support MS Azure and ADFS as external IDPs for OIDC.
We are planning to expand the list of supported IDPs in the next releases.

For the time being, i strongly recommend raising your requirement to support Duende as an IDP via our Customer influence site  https://influence.sap.com/sap/ino/#/campaign/887
This can allow us visibility into overall market's demand for IDPs mostly used in our SAP Business One community.

Best Regards
Guy

Hi Guy,

My App is a Blazor WASM BFF (back-end for frontend) relying on Duende IdentityServer for users authenication and authorization, however for Remote API call (using HttpClinet methods to call SAP B1 Service Layer) I want a machine to machine communication client credential flow. In the SAP Keycloak SapB1 realm servcie layer client  is already created by SAP

Here is my C# code in a Console app to first get Access Token and then add it to by HTTP call from Service layer APIs

 

// Console app Program.cs
using IdentityModel.Client;

 

var tokenClient = new HttpClient();

var token2 = await tokenClient.RequestClientCredentialsTokenAsync(new ClientCredentialsTokenRequest
{
Address = "https://[Server]:40020/auth/realms/sapb1/protocol/openid-connect/token",  //SAP Keycloak Authentication Server TokenEndpoint
ClientId = "b1-B1ServiceLayers-1713-main-sbo",  //created by SAP already , default
ClientSecret = "728adc6d-560e-4f80-82d3-452a939182ee"  //generated alerady by SAP
});

var apiClient = new HttpClient();
apiClient.SetBearerToken(token2.AccessToken);

var response = await apiClient.GetAsync("https://localhost:50000/b1s/v1/Items");  //B1 Service layer Items Endpoints
var data = await response.Content.ReadAsStringAsync();
Console.WriteLine(data);

 

This seems not working. What's the correct way to get Access token to call Service layer APIs.

 

Best regards,

Gideon Makinwa

Hi Gideon,

Thanks for the details.

In case you haven't done so before, please check out the extension chapter in our Identity and Authentication Management How-to Guide
https://help.sap.com/docs/SAP_BUSINESS_ONE_IAM/548d6202b2b6491b824a488cfc447343/07a8fc4acabe4ba5884b...

Otherwise, I recommend reporting an incident to allow our Support experts to take a closer look.
Kind Regards
Guy

Hi, Guy!

Maybe it's already happening to others, but when I try to configure the external IP for the authentication service and SLD, it returns an error message that doesn't make sense with what the FP 2208 administration manual says.

The option to map the SLD with the domain/external IP is no longer in the External Mapping tab, it is now configured in the Security tab.

Either the manual has an error or the service has an internal problem, they are something very easy to configure that are not working as we would expect.

Regards,

Erick

Hi Erick,

Thanks for sharing this scenario.
When defining an address for SLD and Authentication service under Security tab, to prevent a scenario where SLD is no longer reachable after the update, there is a check in place that the defined addresses for SLD and authentication service are indeed reachable in order to successfully save the new values.

Please make sure that the new addresses for SLD and Authentication service are indeed reachable. If you still face an issue during save operation, I recommend logging an incident with relevant details incl. actual error message shown.


Best Regards
Guy

Hi, Guy

We have a novelty after the update to version 2208. 



Previously it allowed that when activating the SSO from the SLD, if a user needed to change the linked user, clicking "change user" to type a new user. 



With this version, we don't see that possibility. 



It is important to be able to have this option, since with the link it was possible to indicate which databases the users had access to.





In previous versions, the service was activated by the SLD

The SSO option was shown activated for users with the Microsoft Windows account link

If they need to change the user, uncheck the option and they could enter with a new user





I appreciate if you can help me with this news.



Best Regards

Camilo

Hi Luis,

Thanks for addressing this behavior change.
With FP 2208, once Active Directory Domain services is enabled (Will be automatically enabled in case you worked with SSO prior to upgrade) the option to sign-in with B1 User codes in parallel is no longer available. This is part of a security measure we took to comply with security standards for authorizing users during sign-in process.

For your scenario:

• In case you have B1 user codes that are not yet binded to  domain users, you should be able to complete all necessary IDP user creation and bindings from SLD - under User's tab. for more information please refer to our IAM guide
  https://help.sap.com/docs/SAP_BUSINESS_ONE_IAM/548d6202b2b6491b824a488cfc447343/76de0bbf52a24cfc9970...


• In case you would like to avoid binding some of your B1 User codes to a domain users, as an option you may also consider activating in parallel SAP Business One Authentication Service and creating relevant IDP users (under SAP B1 authentication service) and bindings for these B1 user codes.
  
  By doing so, users may log-in with their corresponding domain user (SSO) or with their B1 IDP user (SAP B1 Authentication service).

Hope this helps

Best Regards
Guy

Hi Guy,

does the new IAM solution support integration with OKTA?

Regards

Greg

Hi Greg,

With FP 2208 we officially support Azure AD and ADFS as external IDPs (via OIDC).
OKTA & additional IDPs are planned to be supported in future releases.

Best Regards
Guy

If you want to renew the certificate used for the Authentication Service, check out my blog post:

How to renew your SAP B1 Authentication Service Certificate | SAP Blogs

Hope it is helpful!

Best regards,

Joerg.

Hi joerg.ceo

Thanks for taking the time to share this tip on certificate renewal, great Blog!

One short comment to this:
Certificate renewal and DB user configuration changes can be done in the same procedure as before - during Reconfiguration of SAP Business One
Here are some mockups from my SQL based environment:

 

Hope this clarifies how to handle certification refresh in SAP Business One landscape.

Kind Regards
Guy

Hi guy.sujetzki !

Thanks for sharing the info. I am of course aware that the reconfiguration is possible.

However, it is not well suited for automated execution, although it might actually be possible to execute unattendedly.

When using Letsencrypt.org certificates they expire every 90 days (and renew every 60), so an admin would have to "constantly" run the reconfiguration to update the certificates.

Our renewal script goes into a cronjob (or scheduled task on Windows) and is executed weekly. Only when a renewed certificate is available is it actually substituted, and the service restarted.

Also, the reconfiguration is much more "invasive" in my opinion, since it revalidates and restarts every single service. The procedure I shared takes just seconds to execute, vs. at least 3 minutes, probably up to 10, when done using the reconfiguration wizard.

I hope this explains why we don't use the reconfiguration procedure for that purpose (unless a certificate password change or other "major" modification is actually required).

Best regards,

Joerg.

We have user named "xdtw" with license  "SAP Business One Indirect Access User"

In SLD we will add user as "SAP Business One Authentication Server"

SLD

What happes next? This new feature force us to change password for first time.

How we can change password for user XDTW when we can not log in to SAP with this user?

 

Hi Bloch,

Would it be possible to remove "SAP Business One Indirect Access User" license assignment for the user code, only in order to sign-in with the IDP user "xdtw" to SAP Business One and change the Password? is that a viable option?

Best Regards
Guy

But how we can log if there is no option to log to SAP using user name. When you have SSO configured there is no window to put user name, am I right?

 

Hi Lukasz
That's why I proposed in my initial reply in this comment thread to activate in parallel the SAP Business One authentication service and create a new SAP Business One Authentication service user (as you apparently did according to screen capture above) and bind the user to your SAP Business One relevant user code, e.g. xdtw.
Once you do that, you will be able to sign-in using the SAP Business One Authentication service user "xdtw" and during sign-in process it will be mapped to the xdtw user code sign-in.
Hope it is now clearer,

Best Regards
Guy

I have bind my user DOMAIN\LUKASZ.BLOCH  with SAP account so when i start SAP client there is no option to put username and password. Sop i am not able to change password for user I have created

 

so the option is to log in to OS as user that IS NOT SET UP and bind and then SAP will ask about username and password during login

 

Regards

 

Hi Lukasz

1. You have to make sure that your SAP Business One authentication service is activated (under Identity Provider tab) in parallel to Active domain Services IDP.

2. in case more than one IDP is activated in a landscape, you should be getting the following initial screen when opening SAP Business One:

3. In case you do not get this window, despite having 2 IDPs activated and instead you are automatically signed in with your Domain user - I suggest the following actions:
- temporary disable your Active Directory authentication service.
- finish setting up the needed SAP Business One authenitcation IDP users and bindings to relevant B1 User codes across all companies.
- Sign-in with the SAP Business One IDP users, you will be asked to set a new Password as part of the initial sign-in process.
- reactivate the Active Directory authentication service.
Hope this helps
Best Regards
Guy

Hello,

we are facing issues with this new FP regarding the new SSO configuration that lead us to a rollback when we tried to upgrade in FP2208.

• When both AD authentification and SAP authentification are on, we are unable to login with a B1 user that is not bound to a domaine account. This is highly problematic for us, because our infrastructure team of 40+ people can currently access it to perform add-on installation for example. Considering we have a bit less than a 100 SAP B1 environnement, the current functionning would lead us needing approximately 4000 SAP B1 licences ... just for the infrastructure team because of its relatively large size, which is currently done by using manager on the 100 bases, which is roughly ~100 licences. The gap of 3K+ licenses is unreachable.
• The creation of an SAP B1 user is now divided in 2 parts : the B1 account, done in B1, and the domain account bind, which is now done in SLD. Previously, this bind was directly done in the User management window in SAP B1, which allowed a project manager to create a new user in Business one in complete autonomy. Now with this functionning requiring an SLD access to bind a domain user to an SAP user, we have to either give and SLD access to B1 project manager (unsafe) , or make it so that our infrastructure team is now part of the user creation workflow, which is ... completly out of touch in an organization our size.

The current functionning is clearly not adapted to a relatively large scale organization, what are you planning regarding this ? we are currently stuck for our upgrades with FP 2202 because of this SSO issue, or we have to comlpletly disable SSO and migrate to 2208

+1

Exactly the same scenario here

Hi Victor,

Thanks for sharing your experience.
Let me try to clarify the existing behavior / status for both points you mentioned;

• When both AD authentication and SAP authentication are on, we are unable to login with a B1 user that is not bound to a domaine account
  My comment: in the above configuration (both IDPs are set as active) In case you are logged in to Windows with a Domain user that does not exist under 'users' tab in SLD, when opening SAP Business One client, you will be prompted with the option to sign-in with your SAP Business One Authentication IDP user.

  

   

  In case you experience a different behaviour, please report an incident on component "SBO-BC-IAM" with a step-by-step description of the scenario and supporting screen captures of your settings under "Identity Providers" and "Users" tabs in SLD.

• Missing the option to bind users from SAP Business One client, as done before.
  My Comment: Thanks for this important feedback, we are aware about this temporary limitation which was introduced in 2208 FP (documented as well under the Identity and Authentication management how to guide under behavior change chapter) and can assure the option to bind users from SAP Business One client will be re-introduced in upcoming versions.

Best Regards
Guy

Hi Guy,

SLD redirection explained.

Best regards,

EG​

Hi Erick,
Muchas Gracias por el Link.
Muy buen Video 🙂

Switching to English as my Spanish is somewhat rusty,
Thanks for sharing this with video the community, that's a very helpful resource making IAM further accessible to wider audience. Now we need an English version as well. 🙂

Best Regards
Guy

Hi Guy,

Thank you for your answer

Concerning those two points :

• That's the current functionning I have on the 2 systems I tried this FP,and I already have an incident opened about it (123135)


• Does this feature is planned on your roadmap ? Is there an ETA on it ?

Best Regards

Hi Victor,

Thanks for sharing info, let's continue the follow up with Support teams via the incident.
As for user binding from B1 client, I can confirm it is on the roadmap with high priority, cannot  commit on ETA at this point.

Best Regards
Guy

Hi Guy,

Yeeei soon, sure 🙂

Best regards,

EG

Hi Guy,

Are you able to share information on how to connect to the Service Layer when the Active Directory Domain Services IDP is enabled?  In my initial tests, the old method (https://hostname:50000/b1s/v1/Login) returns a 502 proxy error.

I was able to make an initial connection using https://hostname:50000/b1s/v1/ssob1s, but subsequent calls using the session ID provided returned a 401 error stating "Invalid session or session already timeout."

Any information or resources would be greatly appreciated.

Thanks,

Glenn

Hi Glenn,

Thanks for reaching out. Did you have a chance to review the required changes needed to adopt extensions for IDPs?

https://help.sap.com/docs/SAP_BUSINESS_ONE_IAM/548d6202b2b6491b824a488cfc447343/88dcdfca3a11492da0ac...

Hopefully that does the trick.
:-)

Best Regards
Guy

Thanks Guy,

Connections to the Service Layer have never been considered to be extensions.  Has this changed with FP2208 then?  This will mean rewriting the authentication for any application connecting to the Service Layer if that's the case.  Are there any examples available showing the connection method using Postman to clarify what needs to happen?

Cheers,
Glenn

Hi Guy,

Can we have an idea the priority of IAM for Cloud? Is it within a year? 2 years? SSO for public cloud comes up very often for us from a requirements perspective.

 

Thanks for all that you do!

 

Cheers

Jay

 

Hi Jay,

Thanks a lot for sharing this important question.
I can assure you that we're working on bringing IAM into SAP Business One Cloud (Cloud Control Center) as one of our higher priority items (cannot yet publicly commit on timelines).

Let me share some insights on this;

Looking at current customer journey when working on SAP Business One in Cloud (Hosted using Cloud Control Center) we need to consider the dependency we have on RDP in order to consume SAP Business One Desktop Client, using Active Directory Domain users.

This therefore requires a different approach compared with IAM featured implementation in FP 2208 to make sure we offer a consumable solution that cloud Providers can utilize for this use case and truly benefit from IAM capabilities in this context.

For Web Client and other web interfaces hosted on Cloud - a similar approach to FP's 2208 IAM can be taken.

Hope this providers some insights into our planned IAM implementation for Cloud.

Kind Regards
Guy

This does not work.....

As soon as the Active Directory authentication service is re-enabled, the ability to enter a user code disappears again.
I'm sorry but this is horrendous.

This either forces us to disable Single-Sign-On for our customers who use it or it induces license sharing on the customer side, as sometimes it's necessary to use SBO on another machine.

 

Hi Joshua,

Sorry to hear about your experience.
The ability to enter a user code should when starting SAP Business One should still be available when Active Directory is enabled for users that do not have a corresponding Active Directory IDP user set for them in SLD.

In case there is a corresponding AD IDP user set in SLD, the user will be indeed automatically signed-in via Kerberos to provide a true SSO experience.

Best Regards
Guy

Hi Guy,

this is what our problem is. When I am working with a Windows user that is assigned to an SBO user then there is no way of using another SBO user on that machine, unless the whole windows user is changed.

And that is a huge step backwards.

Why don't just provide the option to uncheck "Single-Sign-On" to login with whatever SBO User you want. It was there before and should be there now.
Even when the checkmark is there, it still would be as you say "a true SSO experience". Just always leave the box checked by default.

I know this isn't on you personally but things like this really really frustrate me...
We have several customers who already are disappointed in all the huge bugs the last couple of releases brought with them (not to mention that FP2208 is unusable in german) and now I'm facing another issue where we have to explain to those customers that unfortunately they have to live with that limited functionality or that the users cannot use SSO anymore.

I really hope that you guys think about this and bring it back.

Regards,
Josh

Hi Joshua,

Thanks for providing the detailed scenario. I have a clear picture now of your specific setup and challenge with latest change introduced in FP 2208 in Sign-in scenarios.
-----------------------------------------------------------------------------------------------
Edited:
Another option you may consider in order to also fullfill some decent level of security when using a shared computer is to sign in to windows with a user that is not bounded to any B1 User code in SLD.
In this case, both users (User A bound to B1 authentication service and user B bound to Active Directory Domain Service) can sign in by typing their user credentials.
-----------------------------------------------------------------------------------------------

While we continue to review this internally -  I highly recommend sharing this request also over our SAP Business One Customer influence site https://influence.sap.com/sap/ino/#/campaign/887
to get SAP Business One community take on this.

Thanks again for sharing this.
Best Regards
Guy

Okay I will try it there.
But from our experience, once it goes to customer influence it's a dead end most of the time anyway...

Thanks.
Regards,
Josh

We are unable to use the reconfiguration wizard to renew the certificate. We are unable to complete the process of renewing the security certificate. When using the Components Wizard it gets to the Service Databases and the options are Keep Current Scheme which is the default - B1AS. After clicking next it says Scheme [B1AS] is not a valid Authentication Service Schema. There is an OK button and this returns to the Wizard and we cannot continue.  We have opened a case with SAP but no progress yet.

With this new functionning,using the SLD, there's no check of validity anmore when adding new users (before that, when we added a user in ActiveDirectory, the system checked the existence of said user), is there a way to control the mappings done in the SLD ?

Furthermore, as we strive to manage a regular inventory of our users and licences affectation we would like to be able to make regular check up of the users mapped in the SLD to verify

• If the users in the SLD are still active Active Directory users


• If the users with a licence in SAP B1 are still active

is there a way to retrieve the data in the "user" tab of the SLD ?

 

Thanks

Hi David,

Thanks for your comments and insights;

I understand you are looking for an online verification (currently does not exist as of FP 2208) of user's existence as a valid Domain User in the following scenarios:

1. Adding a new AD based IDP User in SLD.

2. A routine check for existing AD based IDP users that are already registered in SLD.

In addition, from your last point, I understand you would like to have some traceability in SLD (under users) to evaluate whether your B1 licensed user codes are still active.

It would be interesting from your (or community's) point of view how you would envision - what defines an Active user.
e.g. User that signed in in last X days ?

I fully agree that all 3 points make sense and bring noticeable value to Lifecycle management of SAP Business One.
I would kindly suggest to raise these points via CIS (Customer Influence) https://influence.sap.com/sap/ino/#/campaign/887 Let's see how our community votes on this idea.


Thanks once again for sharing these great ideas!
Best Regards
Guy