Identity and Authentication Management in SAP Busi...
Enterprise Resource Planning Blogs by SAP
With 10.0 FP 2208, SAP Business One introduces the Identity and Authentication Management (IAM) service, which allows users to sign in to SAP Business One by authenticating with a user from their Identity Provider (IDP).
Connecting SAP Business One with an Identity Provider helps you manage user access in a secure manner without compromising the sign-in experience for SAP Business One users.
What are the main benefits of using the IAM solution in SAP Business One?
Single sign-on (SSO) experience.
Reduced password fatigue: users no longer need to remember a large number of passwords.
Enhanced security during sign-in by using the IDP's multi-factor authentication (MFA), which reduces the potential attack surface.
A central user management solution, allowing Landscape administrators to set up IDP users (under one or more IDPs), bind them to SAP Business One company users, and manage users from across all company databases in one place.
Identity Providers Management
IAM is activated by configuring IDPs and users under the newly added ‘Identity Providers’ and ‘Users’ tabs in the SAP Business One System Landscape Directory (SLD) control center.
After upgrading to 10.0 FP 2208, the following Identity Providers appear by default under the ‘Identity Providers’ tab in SLD:
SAP Business One Authentication Server – Built-in Authentication Service
Active Directory Domain Services – Built-in Authentication Service
It is also possible to add an OIDC (OpenID Connect) IDP by clicking ‘Add’.
Note: with 10.0 FP 2208, it is possible to register 'AD FS' or 'Azure Active Directory' as external identity providers via OIDC.
Identity Providers tab in SLD
By default, to preserve backward compatibility, IDPs are set to ‘inactive’ after the upgrade. There is no change to the sign-in experience for SAP Business One users unless an IDP is activated.
Before an IDP is activated, a few important prerequisites must be fulfilled:
There must be at least one corresponding Landscape Admin user configured under the ‘Users’ tab in SLD.
IDP users have been created and bound to SAP Business One company users across all companies.
The IDP property for add-ons has been adopted.
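The first two prerequisites above can be checked before flipping an IDP to active, which matters because a half-configured IDP locks administrators out of the SLD. The following is an added example, not SAP code: a hypothetical model of the SLD state (the real SLD exposes no such API), with constructed company databases and IDP users, and the assumption that every company user must be bound before activation.

```python
# Added example: hypothetical model of the SLD pre-activation checks (not SAP code).
# Sample companies, user codes and IDP users below are constructed for illustration.
from dataclasses import dataclass, field

@dataclass
class IdpUser:
    idp: str                       # IDP name as listed in the SLD 'Identity Providers' tab
    name: str                      # user identifier on the IDP side
    landscape_admin: bool = False  # assigned the Landscape Admin role in the 'Users' tab
    bindings: dict = field(default_factory=dict)  # company database -> bound B1 user code

@dataclass
class Landscape:
    companies: dict                # company database -> set of SAP Business One user codes
    idp_users: list
    active_idps: set = field(default_factory=set)  # all IDPs are inactive after upgrade

def activation_issues(ls, idp):
    """Return the prerequisites that still block activating `idp` (empty list = ready)."""
    issues = []
    users = [u for u in ls.idp_users if u.idp == idp]
    # 1. Without a Landscape Admin under this IDP, nobody could administer the SLD afterwards.
    if not any(u.landscape_admin for u in users):
        issues.append(f"no Landscape Admin user under IDP '{idp}'")
    # 2. Every company user must be bound to an IDP user (assumed strict reading of the text).
    bound = {(db, code) for u in users for db, code in u.bindings.items()}
    for db, codes in sorted(ls.companies.items()):
        for code in sorted(codes):
            if (db, code) not in bound:
                issues.append(f"company user {db}/{code} is not bound to an IDP user")
    return issues

def activate_idp(ls, idp):
    """Activate `idp` only when no prerequisite is missing; otherwise refuse with the reasons."""
    issues = activation_issues(ls, idp)
    if issues:
        raise ValueError("; ".join(issues))
    ls.active_idps.add(idp)
    return True

def sample_landscape():
    """Constructed two-company landscape: the AD admin user is bound in only one company."""
    admin = IdpUser("Active Directory Domain Services", "jdoe", True, {"SBODEMOUS": "manager"})
    return Landscape({"SBODEMOUS": {"manager"}, "SBODEMOGB": {"manager", "sales01"}}, [admin])

if __name__ == "__main__":
    ls = sample_landscape()
    print(activation_issues(ls, "Active Directory Domain Services"))
```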
User Management
The newly added ‘Users’ tab in SLD acts as a ‘one stop shop’ for:
Adding and removing IDP users.
Binding IDP users to SAP Business One users across company databases.
Central user management: changing passwords and activating or deactivating unified users (users created under the SAP Business One Authentication Server IDP), and assigning users the Landscape Admin role.
Note: The licenses assigned to SAP Business One company users remain unchanged after enabling the identity and authentication management.
Sign-in to SAP Business One with an IDP
Once an IDP is activated in SLD, SAP Business One users see a new Sign-in window. Depending on the landscape's IDP configuration (IDP type and number of activated IDPs), users are redirected to their IDP within the SAP Business One Sign-in window to authenticate.
Watch the quick demo below on how to set up Microsoft Azure as an identity provider in SAP Business One and sign in to the SAP Business One Web Client with an Azure account.
How-to-guide
As IAM has a noticeable footprint on the user's sign-in journey, in addition to behavioral changes in SAP Business One, it is highly recommended to review the ‘Identity and authentication management in SAP Business One’ How-to guide to learn more about the following topics:
IAM Setup and Configuration
Recovery / Reset of IAM
Behavior changes
Supported SAP Business One Components in 10 FP 2208
Extension adaptations
Roll out plan
The Identity and Authentication Management service is planned to be rolled out in a phased manner.
With 10.0 FP 2208, IAM is supported by the following SAP Business One Products:
SAP Business One
SAP Business One, version for SAP HANA
Please note that with the 10.0 FP release, the IAM service is not supported by existing SAP Business One Cloud versions. It is planned to be supported in SAP Business One Cloud in later versions.
I hope this blog was useful to you as an introduction to SAP Business One's Identity and Authentication Management service. I'm looking forward to hearing about your experience working with IAM in SAP Business One; be sure to leave your feedback in the comments section below.
Hi, Guy.
When I was referring to an "active" account, I was talking about its status in the Active Directory.
As of now, a user that doesn't exist anymore in the Active Directory still exists in the SLD configuration, which means that as time passes, we might have some serious issue of SLD records being polluted by accounts that do not exist anymore.
This behaviour is harder to treat for 2 main reasons:
we have no insight, when in the SLD, whether the user is valid in AD or not
we have no way of extracting the user mapping data from the SLD. Considering we have tens of licensing servers on our infrastructure, this will soon become unmanageable to deal with offboarding, as we have no way to process the data stored in SLD other than manually connecting to each SLD and manually checking each data entry in the "Users" tab...
Consequently, this makes our user auditing processes harder than they already were...
We upgraded our customer to 2208 HF1 and afterwards the Windows logon is no longer recognized. This means when starting SBO the logon window appears; then the user has to click Logon without entering anything; then the domain login window appears and they can log in by entering their credentials.
So any ideas why the Windows credentials are no longer retrieved?
Any help would be greatly appreciated. SAP Support has already been contacted, but no response so far.
Regarding point b) - if I read your question correctly - technical users are supposed to continue working normally (without any change required) after upgrading to FP 2208. Please refer to the following section in the IAM documentation:
Thanks for sharing this issue. Sorry to hear about this behavior drawback.
Please let me know the incident number so I can follow up with Support accordingly to find out more about this case. As you wrote, and as also experienced in versions earlier than FP 2208, when signing in with an AD IDP user, the user should not be required to type their user credentials; instead SSO should take place - users should be signed in automatically (via Kerberos authentication).
Let's further evaluate this over the incident.
We upgraded to FP2208 and try to log in to SBO, but get the following error:
We have enabled the Identity Provider "Active Directory Domain Services" and added a user in the System Landscape Directory with an active SBO account.
Sorry to hear about your experience.
I highly recommend contacting Support; they should be able to provide you with a manual fix to get the SSO working smoothly again under the latest Hotfix. I am working with Development to further evaluate this issue and provide a fix if needed in the next FP.
Thanks for sharing this issue. Seems that there's some failing point in your environment that stops you from being able to SSO using Active Directory.
It is hard to say what could be the cause without proper evaluation of the setting and your environment. It would be interesting to check whether you're able to sign in to SLD with an Active Directory user or you receive the same error as you do in the SAP Business One Client.
In any case, I recommend reporting this incident to Support for further investigation.
Hope this gets resolved soon.
We just set up Azure as an identity provider and users have to log in twice - once to get into B1 and once to load the Fiori cockpit. I just opened a ticket with SAP Support about this but am curious if this is normal. I also have the SAP identity provider enabled, and the same happens when I make a user there, bind it with the same B1 user and log in that way.
Thanks for sharing this. This does not sound to me like normal behavior; there shouldn't be a duplicated sign-in process. Were you able to find a possible root cause for this together with Support?
I remember experiencing such an issue in some 'internal' version, however this was not yet under an officially released version as far as I'm aware. If this occurs under one of our recently released FPs, we definitely need to look into this further together with Support and our Dev Teams.
No. They said it's a bug and will be fixed in FP2305, which is very unfortunate if true. They also are very vague on the scenario details. This happens for me for a customer without OIDC too once I change the SLD and authentication service URLs to the FQDN for web client external access. For that customer, we can't use the web client for their sales reps even though we want to because it will cause double sign-in requests for local users. https://me.sap.com/notes/3314556
Nice meeting you in the Vienna Summit 🙂
Let me summarize the main points we discussed in our face-to-face meeting for the benefit of anyone reading this in the community:
1. In case you work with the Active Directory IDP in FP 2208, in order to make a connection with Service Layer you need to use an SAP Business One Authentication Service user (bound to the relevant user code).
2. The good news: in the upcoming FP (2305) we plan to support Active Directory users for SL connections, so no modification will be required as suggested in the point above.
3. In a future release we will also provide a solution for technical users to consume IAM as well.
In FP2208 HF2 some users get the following error message on the login screen or when SBO locks:
"Cookie not found. Please make sure Cookies are enabled in your browser."
Cookies are enabled in the systems default browser. Why is the SAP Business One Client Login dependent on browser cookies in the first place?
This new IAM creates more and more problems the more we use it.
Thanks for sharing this issue. It seems we may need further details to analyze this behavior; I would therefore appreciate it if you reported this as an incident and shared the incident # in the post.
However, as a security measure, there is a default timeout defined for a session.
Once this time expires, the session is no longer active and any roundtrip call to the server should revoke access. In the screen capture you shared, it seems the message itself may not be optimal; we therefore need to further examine this over an incident. You also mentioned this message may occur during initial login, which clearly requires further analysis; I'd therefore appreciate your follow-up with an incident.
We are trying to enable SSO in our environment and it seems to have worked a bit, as we got to the login screen along with Microsoft Authenticator verification with a 2-digit number on the mobile app. But thereafter, it would pop up with the message:
"Unexpected error when authenticating with identity provider"
I have tried searching for an SAP Note but I could not find anything. Also on the Azure AD side, we checked the logs and the connection request seems to be successful. Furthermore, as I mistakenly logged out of the SLD, when trying to log back in it takes me to the same SSO process and gives the unexpected error, so I am not even able to disable the SSO from SLD.