Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
yogananda
Product and Topic Expert

Dear Readers

Do you want to know how to enable Single Sign-On from SAP IAS?

SAML Flow

 


SAP IAS - Identity Authentication Service 


Single sign-on through SAP IdP is not turned on by default. While it is disabled, users can only access SAP Commissions through the SAP Commissions login page, using their user ID and password. To enable it, follow the configuration steps below.

Once set up, users authenticated with SAP IAS can log in to SAP Commissions without entering their ID or password. Unauthenticated Commissions users that attempt to access a Commissions URL will be redirected to the SAP Identity Access Management login page for authentication.

Integration with IAS and Commission URL


You will be provided with two URLs:

  1. Standard Commissions URL - Users can enter the user ID and password and access SAP Commissions.
  2. SAP IdP based Commissions URL - This URL prompts users to enter their user ID and password via IdP and redirects users to SAP Commissions.

Architecture & documentation related to SAP Sales Cloud Single Sign-On (SSO) can be found here


Let's start the configuration.

Log in to the SAP Identity Authentication Service (IAS) portal

Go to Application & Resources Menu - Tenant Settings
    • Click SAML 2.0 Configuration

 

Download Metadata.xml, which will be uploaded to SAP Commissions (shown in the steps below)

 

Navigate to Applications and choose the product for which you need to enable SSO

1. Type

Select SAML 2.0

2. SAML 2.0 Configuration: upload the sp.xml from SAP Commissions


3. Subject Name Identifier


4. Default Name ID Format

Choose either one as the users' login method:

urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress


5. Assertion Attributes

| User Attributes | Assertion Attributes |
|-----------------|----------------------|
| Language        | sapIdp.language      |
| User ID         | sapIdp.uid           |
| Login Name      | sapIdp.loginName     |
| First Name      | sapIdp.firstName     |
| Last Name       | sapIdp.lastName      |
| Email           | sapIdp.email         |
| Groups          | sapIdp.userGroups    |


If any of the values are blank, update them from the table above.

Log in to the SAP Commissions portal to enable Single Sign-On (SSO)

Go to Global Settings


Configure the settings on the screen below, following the corresponding sequence numbers in the SAML Configuration Type section.

The admin should log out after SAML is configured and ask users to log in to the SAP Commissions portal.

Users should now see the SAP IAS login screen.

The admin can check the security logs in the SAP Commissions portal to see the users' authentication mechanism (SAML).


Troubleshooting in IAS and finding audit logs (download as CSV)

Azure Single Sign on Setup


https://microlearning.opensap.com/media/Azure+AD+as+IdP+and+SAP+Identity+Authentication+Service+as+S...

Links

SAP Cloud Identity Services: https://community.sap.com/topics/cloud-identity-services
Identity Authentication service in a nutshell:


Troubleshooting Resources

Online & Browser Tools:

➢ Allows you to validate a SAML Response for Chrome (see example in next slide, FF uses SAML Tracer) - https://www.samltool.com/validate_response.php

➢ Allows you to debug your SAML based implementation (see example in next slide, it is a way to validate if all of the related entries are valid) -
https://chrome.google.com/webstore/detail/saml-message-decoder/mpabchoaimgbdbbjjieoaeiibojelbhm?hl=e...

https://www.base64decode.org/  - Decode from Base64 format.
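
As an offline alternative to the browser tools above, the following added example (not part of the original post and not SAP's own code) decodes a base64 SAMLResponse locally and checks it against the Name ID formats and assertion attributes configured in the steps above. It assumes the HTTP-POST binding and an unencrypted assertion; the function names and the sample response are constructed for illustration, and the XML signature is not verified.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assertion attribute names and Name ID formats taken from the steps in this post.
EXPECTED = ["sapIdp.language", "sapIdp.uid", "sapIdp.loginName", "sapIdp.firstName",
            "sapIdp.lastName", "sapIdp.email", "sapIdp.userGroups"]
NAMEID_FORMATS = {"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
                  "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"}

def inspect_saml_response(b64_response):
    """Decode a base64 SAMLResponse (HTTP-POST binding) and report what it carries.
    Troubleshooting aid only: it does NOT verify the XML signature."""
    raw = base64.b64decode(b64_response)
    # SAML messages never need a DTD; refuse it to avoid entity-expansion tricks.
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        raise ValueError("DTD/entity declaration in SAML message, refusing to parse")
    root = ET.fromstring(raw)
    name_id = root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        # Keep only non-empty values so blank attributes are reported as missing.
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS)
                  if v.text and v.text.strip()]
        attrs[attr.get("Name")] = values
    fmt = name_id.get("Format") if name_id is not None else None
    return {"name_id": name_id.text if name_id is not None else None,
            "name_id_format_ok": fmt in NAMEID_FORMATS,
            "attributes": attrs,
            "missing_or_blank": [n for n in EXPECTED if not attrs.get(n)]}

def constructed_sample():
    """Constructed response (not from a real tenant): email is blank, groups absent."""
    sent = {"sapIdp.language": "en", "sapIdp.uid": "P000001", "sapIdp.loginName": "jdoe",
            "sapIdp.firstName": "Jane", "sapIdp.lastName": "Doe", "sapIdp.email": ""}
    items = "".join(f'<saml:Attribute Name="{k}"><saml:AttributeValue>{v}'
                    f'</saml:AttributeValue></saml:Attribute>' for k, v in sent.items())
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
           '<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:'
           'nameid-format:emailAddress">jane.doe@example.com</saml:NameID></saml:Subject>'
           f'<saml:AttributeStatement>{items}</saml:AttributeStatement>'
           '</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    for key, value in inspect_saml_response(constructed_sample()).items():
        print(f"{key}: {value}")
```

Paste the SAMLResponse form value captured by your browser's SAML tracing extension into `inspect_saml_response` to see which configured attributes IAS actually sent.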

 
Thanks for reading till the end.

Hope you find that helpful! Let me know your thoughts on this in the comments section.
Don't forget to share this article with your friends or colleagues.
Feel free to connect with me on any of the platforms below! 🚀

yoganandamuthaiah |Twitter | LinkedIn | GitHub
