GSsap
Advisor

With 10.0 FP 2208, SAP Business One introduces the Identity and Authentication Management (IAM) service, allowing users to authenticate with their Identity Provider’s (IDP) user when signing in to SAP Business One.


Connecting SAP Business One with an identity provider helps you manage user access in a secure manner without compromising the user experience when signing in to SAP Business One.



What are the main benefits of using the IAM solution in SAP Business One?



  • Single sign-on (SSO) experience.

  • Reduced password fatigue: users no longer need to remember an excessive number of passwords.

  • Enhanced security at sign-in by using the IDP’s multi-factor authentication, which reduces the potential attack surface.

  • A central user management solution that allows landscape administrators to set up IDP users (under one or more IDPs), bind them to SAP Business One company users, and manage users across all company databases in one place.


Identity Providers Management


IAM is activated by configuring IDPs and users under the newly added ‘Identity Providers’ and ‘Users’ tabs in the SAP Business One System Landscape Directory (SLD) control center.
After upgrading to 10.0 FP 2208, the following identity providers appear by default under the ‘Identity Providers’ tab in SLD:




  • SAP Business One Authentication Server – Built-in Authentication Service

  • Active Directory Domain Services – Built-in Authentication Service


It is also possible to add an OIDC (OpenID Connect) IDP by clicking ‘Add’:

  • OIDC (OpenID Connect)

Note: with 10.0 FP 2208, it is possible to register 'AD FS' or 'Azure Active Directory' as external identity providers in OIDC.



Identity Providers tab in SLD


By default, to preserve backward compatibility, IDPs are set to ‘inactive’ after the upgrade. There is no change to the sign-in experience for SAP Business One users unless an IDP is activated.

Before an IDP is activated, a few important prerequisites must be fulfilled:




  • There must be at least one corresponding Landscape Admin user configured under the ‘Users’ tab in SLD.

  • IDP users must be created and bound to SAP Business One company users across all companies.

  • The IDP property for add-ons must have been adopted.


User Management


The newly added ‘Users’ tab in SLD acts as a ‘one stop shop’ for:




  • Adding and removing IDP users.

  • Binding IDP users to SAP Business One users across company databases.

  • Central user management: changing passwords and activating or deactivating unified users (users created under the SAP Business One Authentication Server IDP), and assigning the Landscape Admin role to users.


Note: The licenses assigned to SAP Business One company users remain unchanged after enabling the identity and authentication management.


 

Sign-in to SAP Business One with an IDP


Once an IDP is activated in SLD, SAP Business One users see a new sign-in window. Depending on the landscape’s IDP configuration (IDP type, number of IDPs activated), users are redirected to their IDP within the SAP Business One sign-in window to authenticate.



Watch the quick demo below on how to set up Microsoft Azure as an identity provider in SAP Business One and sign in to the SAP Business One Web Client with an Azure account.




How-to-guide


As IAM has a noticeable footprint on the user’s sign-in journey, in addition to behavioral changes in SAP Business One, it is highly recommended to review the ‘Identity and Authentication Management in SAP Business One’ how-to guide to learn more about the following topics:




  • IAM Setup and Configuration

  • Recovery / Reset of IAM

  • Behavior changes

  • Supported SAP Business One Components in 10 FP 2208

  • Extension adaptations



Roll out plan


The Identity and Authentication Management service is planned to be rolled out in a phased manner.
With 10.0 FP 2208, IAM is supported by the following SAP Business One products:




  • SAP Business One

  • SAP Business One, version for SAP HANA


Please note that with this 10.0 FP release, the IAM service is not supported by existing SAP Business One Cloud versions. It is planned to be supported in SAP Business One Cloud in later versions.

Hope this blog was useful to you as an introduction to SAP Business One’s Identity and Authentication Management service. I'm looking forward to hearing about your experience working with IAM in SAP Business One, so be sure to leave your feedback in the comments section below.

68 Comments
victor_durand
Discoverer
0 Kudos
Hi, Guy.
When I was referring to an "active" account, I was talking about its status in the Active Directory.

As of now, a user that doesn't exist anymore in the Active Directory still exists in the SLD configuration. Which means that as time passes, we might have some serious issue of SLD records being polluted by accounts that do not exist anymore.

This behaviour is harder to treat for 2 main reasons:

  • we have no insight, when in the SLD, whether the user is valid in AD or not

  • we have no way of extracting the user mapping data from the SLD. Considering we have tens of licensing servers on our infrastructure, this will soon become unmanageable to deal with offboarding, as we have no way to process the data stored in SLD other than manually connecting to each SLD and manually checking each data entry in the "users" tab...


Consequently, this makes our user auditing processes harder than it already was...
AtLeastMe
Explorer
0 Kudos
Hi Guy,

we upgraded our customer to 2208 HF1 and afterwards the Windows logon is no longer recognized. This means when starting SBO the logon window appears. Then the user has to click Logon without entering anything. Then afterwards the domain login window appears and they can log in by entering their credentials.

So any ideas why the Windows credentials are no longer retrieved?

Any help would be greatly appreciated. SAP Support has already been contacted, but no response so far.

Best wishes

Sebastian
Simon_nAG
Explorer
0 Kudos
Hi Guy,

we think there is an authentication process without a popup login page missing. In Keycloak there is the "Direct Access Grants Enabled" option disabled.

So in SAP B1 you have two types of licensing API users:

a) Indirect Access User -> scenario is clear and working, thank you for that.
b) Indirect Access non-employee (API sync users) -> scenario is not clear by checking your documentation here: https://help.sap.com/docs/SAP_BUSINESS_ONE_IAM/548d6202b2b6491b824a488cfc447343/07a8fc4acabe4ba5884b...

Could you please give the answers to us partners to go further in working with Service Layer and API sync users for FP2208 and higher?
GSsap
Advisor
Advisor
0 Kudos
Hi Simone,

Regarding point b) - if I read your question correctly - technical users are supposed to continue working normally (without any change required) after upgrading to FP 2208. Please refer to the following section in the IAM documentation:

https://help.sap.com/docs/SAP_BUSINESS_ONE_IAM/548d6202b2b6491b824a488cfc447343/a22e86b800794aca934b...


Hope this helps,
Kind Regards
Guy

GSsap
Advisor
Advisor
0 Kudos
Hi Sebastian,

Thanks for sharing this issue. Sorry to hear about this behavior drawback.
Please let me know the incident number so I can follow up with Support accordingly to find out more about this case. As you wrote and also experienced in earlier version FP 2208, when signing in with an AD IDP user, the user should not be required to type his user credentials, instead SSO should take place - users should be signed in automatically (via Kerberos authentication).
Let's further evaluate this over the incident.

Best Regards
Guy
ynoorland
Member
0 Kudos

Hi Guy,

We upgraded to FP2208 and try to log in to SBO, but get the following error:

We have enabled the Identity Provider "Active Directory Domain Services" and added a user in the System Landscape Directory with an active SBO account.

Do you have any idea how we can solve this issue?

Best Regards,
Yvette

0 Kudos
Hi Guys,

Need help!

We upgraded SAP B1 HANA 10.00.170 to SAP B1 HANA 10.00.201 FP 2208 HF2. In the previous version we were using the Active Directory SSO functionality.

When we click on the Login button it asks for domain Windows credentials.

In the previous version no credentials were asked for.
GSsap
Advisor
Advisor
0 Kudos
Hi reza.rehman2,

Sorry to hear about your experience.
I highly recommend contacting Support; they should be able to provide you with a manual fix to get the SSO working smoothly again under the latest hotfix. I am working with Development to further evaluate this issue and provide a fix if needed in the next FP.

Hope this helps,
Best Regards
Guy
GSsap
Advisor
Advisor
0 Kudos
Hi Yvette,

Thanks for sharing this issue. It seems that there's some failing point in your environment that stops you from being able to SSO using Active Directory.

It is hard to say what the cause could be without a proper evaluation of the settings and your environment. It would be interesting to check whether you're able to sign in to SLD with an Active Directory user, or whether you receive the same error as you do in the SAP Business One Client.

In any case, I recommend reporting this incident to Support for further investigation.
Hope this gets resolved soon.

Best Regards

Guy
jb_bryant
Explorer
0 Kudos
We just set up Azure as an identity provider and users have to log in twice - once to get into B1 and once to load the Fiori cockpit. I just opened a ticket with SAP Support about this but am curious if this is normal. I also have the SAP identity provider enabled, and the same happens when I make a user there, bind it with the same B1 user, and log in that way.
GSsap
Advisor
Advisor
0 Kudos
Hi Bryant,

Thanks for sharing this. This does not sound like normal behavior to me; there shouldn't be a duplicated sign-in process. Were you able to find a possible root cause for this together with Support?
I remember experiencing such an issue in some 'internal' version, however this was not yet under an officially released version as far as I'm aware. If this occurs under one of our recently released FPs, we definitely need to look into this further together with Support and our Dev Teams.

Best Regards
Guy
jb_bryant
Explorer
0 Kudos
No. They said it's a bug and will be fixed in FP2305, which is very unfortunate if true. They also are very vague on the scenario details. This happens for me for a customer without OIDC too once I change the SLD and authentication service URLs to the FQDN for web client external access. For that customer, we can't use the web client for their sales reps even though we want to because it will cause double sign-in requests for local users. https://me.sap.com/notes/3314556
Simon_nAG
Explorer
0 Kudos

Hi Guy,

thanks for the additional documentation, but unfortunately this is no answer to my question.

However, my question was aimed at "technical" users based on indirect access by instance / non-employee.

This could be a new user in B1, for example called: “sync_job_for_facebook”.

Is there a token with a longer lifetime / API token / API key?
Or is a POST /Login possible for this technical API user?

In the past, for B1 authentication and Windows authentication we did an easy POST Login.

POST /Login

{
"CompanyDB": "SBODEMODE",
"UserName": "domain\\Administrator",
"Password": "xxxxxxx"
}
GSsap
Advisor
Advisor
0 Kudos
Hi simon.berleb,

Nice meeting you at the Vienna Summit 🙂
Let me summarize the main points we discussed in our face-to-face meeting for the benefit of anyone reading this in the community:

1. In case you work with the Active Directory IDP in FP 2208, in order to make a connection with Service Layer you need to use a SAP Business One Authentication Service user (bound to the relevant user code).

2. The good news: in the upcoming FP (2305) we plan to support Active Directory users for the SL connection, so no modification will be required as suggested in the point above.

3. In a future release we will also provide a solution for technical users to consume IAM as well.

Hope I didn't miss anything.
Kind Regards
Guy
josh12b
Explorer
0 Kudos
We have the same issue.

Super annoying.
josh12b
Explorer
0 Kudos
Hi Guy,

in FP2208 HF2 some users get the following error message on the login screen or when SBO locks:

"Cookie not found. Please make sure Cookies are enabled in your browser."

Cookies are enabled in the system's default browser. Why is the SAP Business One Client login dependent on browser cookies in the first place?
This new IAM creates more and more problems the more we use it.


SBO locked itself. Then this came.

GSsap
Advisor
Advisor
0 Kudos
Hi josh12b,

Thanks for sharing this issue. It seems we may need further details to analyze this behavior; I would therefore appreciate it if you reported this as an incident and shared the incident # in the post.

When working with IAM, the traditional lock screen threshold that existed earlier is no longer visible on screen or applicable. Please refer to https://help.sap.com/docs/SAP_BUSINESS_ONE_IAM/548d6202b2b6491b824a488cfc447343/eb57986eb4644d03a6c0...
for further details.

However, as a security measure, there is a default timeout defined for a session.
Once this time expires, the session is no longer active and any roundtrip call to the server should revoke access. In the screen capture you shared, it seems the message itself may not be optimal; we therefore need to further examine this over an incident. You also mentioned this message may occur during initial login, which clearly requires further analysis, so I'd appreciate your follow-up with an incident.

Thanks!
Best Regards
Guy
Kuldeep
Active Participant
0 Kudos

Hi @GSsap,

We are trying to enable SSO in our environment and it seems to have worked a bit, as we got to the login screen along with the Microsoft Authenticator verification with a 2-digit number on the mobile app. But thereafter, it pops up with the message:

"Unexpected error when authenticating with identity provider"

I have tried searching for an SAP note but couldn't find anything. Also on the Azure ID side, we checked the logs and the connection request seems to be successful. Furthermore, as I mistakenly logged out of the SLD, when trying to log back in it takes me to the same SSO process and gives the unexpected error, so I am not even able to disable the SSO from SLD.

Any guidance? Thank you in advance