
9/3/2020 Configure SAML SSO for SAP Cloud Platform Using an External Identity Provider | SAP Blogs


Alper AKBAL
April 13, 2017 5 minute read

Configure SAML SSO for SAP Cloud Platform Using an External Identity Provider

Overview

SAP Cloud Platform (formerly SAP HANA Cloud Platform) supports identity federation and single sign-on
with external identity providers (e.g. SAP SSO, SAP Cloud Platform Identity Authentication, Active Directory
Federation Services). By default, SCP is connected to SAP ID Service (accounts.sap.com).

In the example below, I demonstrate how to configure your SCP account to support SAML SSO with the
SSOCircle IdP.

Scenario Description

The illustration below shows how a user is authenticated when they want to access SAP Cloud Platform.
The authentication step is handled by the Identity Provider.


The flow is no different if you use any other IdP (e.g. ADFS). The scenario can be enriched by adding two-factor
authentication, which is supported by SAP SSO.

Prerequisites

To test SAML authentication, I developed a small "Hello World" application that extracts and displays
the UserID part of the SAML token. Details of how to develop a similar application can be found in the
"Create a basic Java app in SAP Cloud Platform" tutorial, Part 1, Part 2, and Part 3.

I then deployed this application to SCP via Eclipse. You can also export your project from Eclipse and deploy it
to SCP as a .war file.


Configuration

1- Configure SCP as a Service Provider

First of all, SAP Cloud Platform (SCP) must be enabled to act as a Service Provider.

Log in to the SCP Cockpit, go to Security –> Trust and click on Edit.


Configuration Type can be set to 3 different values:

Default: SAML authentication is active and SAP ID Service is used as the IdP

Custom: SAML authentication is active and a custom IdP will be used

None: There won't be any trust between the Service Provider and any Identity Provider.

Change Configuration Type to Custom


Local Provider Name is populated automatically; if not, use a URI as the local provider name.
Then click on Generate Key Pair.


Signing Key and Signing Certificate will be generated automatically. These certificates are self-signed and
valid for 10 years. If you want to generate your own certificates, please follow Guidelines for Using External
Key and Certificate.

Set Principal Propagation to Enabled and Force Authentication to Disabled. Detailed information on these
settings can be found on the SAP Help Portal.

Then click on Save and click on Get Metadata to export the Service Provider metadata.xml.


Save this file; it will be used to establish trust between SP and IdP.

2- Configure IdP and Establish Trust

For this scenario, we need an Identity Provider. SAP SSO can provide this functionality and supports many
more scenarios such as Kerberos, X.509 client certificates, two-factor and risk-based
authentication.

In this example I will use SSOCircle, a public IdP that provides free limited usage and integration with
your service providers. It's very easy to configure and use. Additional features like tracing and unlimited logins
are available with premium accounts. Details of the integration can be found in the SSOCircle How-To.

I skip the user creation part in this example. You can follow this link to create an account.

After logging in to SSOCircle, go to the Service Provider Import page.

Enter FQDN of the Service Provider, which is samlssoi068593trial.hanatrial.ondemand.com in my case.


Choose the attributes which you want to include in the SAML token. I've selected all of them. With SAP SSO or
ADFS, you can include much more specific attributes in the token, such as phone number, group
memberships, security settings etc.


Copy and paste the metadata file downloaded at the end of the service provider configuration.

Then click on Submit

You will get a success message after submitting the SP details; if not, please check your metadata file.


Then go to https://idp.ssocircle.com/ and save its content as an XML file. This is the SSOCircle IdP metadata
file.

Now go back to SCP Cockpit –> Security –> Trust, click on the Application Identity Provider tab and then
click on Add Trusted Identity Provider.


A new window will open; click on Browse and select the IdP metadata you saved a couple of steps before.


The input boxes are filled, but we need to make some changes:

Change Assertion Consumer Service from Application Root to Assertion Consumer Service. SSOCircle
and ADFS do not send the SAML assertion to URLs unknown to them, hence we have to set it to Assertion
Consumer Service.

Change Signature Algorithm from SHA-1 to SHA-256 to harden security.

Change User ID Source from subject to attribute and set Source Value to EmailAddress.
IdPs send different values as the NameID. You can configure whatever NameID or attributes you want
in the SAML token; this configuration is done in the IdP.
For SSOCircle the NameID value is an opaque string and is not legible. Therefore I set User ID Source to e-mail
address.

Save the changes


Select SSOCircle as Default Identity Provider

Restart Java Application

3- Test SAML SSO


Paste your application URL in the browser and click on Enter.

You will be redirected to SSOCircle webpage for authentication. Enter your username and password and
click on Log In

After successful authentication, you will receive a SAML assertion and be redirected back to your app.

As you can see in the screenshot below, my e-mail address is extracted from the SAML assertion and displayed on the
screen.


Further Information on SAML assertion

You can check the details of the SAML token in any browser using Developer Tools. I prefer to use Mozilla Firefox
and its SAML Tracer add-on, which is very easy to use.

Below is the part of the SAML assertion I received from the SSOCircle IdP. As I mentioned above, the NameID part
is not a meaningful value if you do not change the configuration in SSOCircle. The NameID part can be set to
different values in SAP SSO or ADFS.

Moreover, first name, last name and e-mail values are added to the respective attributes in the SAML message.

In the screenshot below, you can see these attributes.
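As an added example (not part of this blog post or of any SCP or SSOCircle code), the following Python script applies the trust settings from the configuration section and the assertion inspection described here to a constructed sample assertion: it resolves the user ID either from NameID ("subject") or from the EmailAddress attribute ("attribute"), and flags a SHA-1 signature method, an Audience that does not match the SP's Local Provider Name, or a Recipient that does not match the Assertion Consumer Service URL. The hostnames, NameID and attribute values are placeholders, and the script checks structure only; it does not verify the XML signature cryptographically.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample assertion; hostnames and values are placeholders, not real tenant data.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_example" Version="2.0">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  </ds:SignedInfo></ds:Signature>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">3mRg8Q0tZ</saml:NameID>
    <saml:SubjectConfirmation><saml:SubjectConfirmationData
      Recipient="https://example-sp.hanatrial.ondemand.com/saml2/sp/acs"/></saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://example-sp.hanatrial.ondemand.com</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="EmailAddress"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def resolve_user_id(xml_text, source="attribute", source_value="EmailAddress"):
    """Mirror the cockpit's User ID Source: 'subject' reads NameID, 'attribute' reads the named attribute."""
    root = ET.fromstring(xml_text)
    if source == "subject":
        return root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == source_value:
            return attr.findtext("saml:AttributeValue", namespaces=NS)
    return None

def check_assertion(xml_text, sp_entity_id, acs_url):
    """Structural checks before trusting a token (XML signature verification itself is out of scope here)."""
    root = ET.fromstring(xml_text)
    findings = []
    alg = root.find(".//ds:SignatureMethod", NS)
    if alg is None:
        findings.append("no signature element on the assertion")
    elif alg.get("Algorithm", "").endswith("rsa-sha1"):
        findings.append("signature method is SHA-1; set Signature Algorithm to SHA-256")
    if root.findtext(".//saml:Audience", namespaces=NS) != sp_entity_id:
        findings.append("Audience does not match the SP Local Provider Name")
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        findings.append("Recipient does not match the SP Assertion Consumer Service URL")
    return findings
```

With the sample, `resolve_user_id` returns the e-mail address under the post's "attribute" setting and the opaque NameID under "subject", and `check_assertion` returns an empty list only when both the entity ID and the ACS URL match what the SP exported in its metadata.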


10 Comments

Alexander Wan

April 18, 2017 at 7:40 pm

Useful information..

Within the SAML token that is passed, is it ok to pass a different attribute other than email (for example a
username) to SAP Cloud Platform and how does Cloud Platform know whether that username exists to
check the token against?

Our SSO scenario is for a HANA trial account.

Thanks


Alper Akbal | Post author

April 19, 2017 at 6:29 am

Hi Alex,
Yes, you can pass as many attributes as you want. These attributes should exist in your IdP. You can use
UserID to differentiate users as well.
On the SP part (SCP in this case), SAML token extraction is done on the SP. The SCP app itself should identify and
authorize users from the SAML token. In one of my projects, SCP is connected to an SAP backend system via
SAP Cloud Connector. Users and attributes are pulled from this SAP system.

You can also use Active Directory as a user store in SCP.

Regards


Alexander Wan

May 2, 2017 at 1:38 pm

Hi Alper

If we have issues with SAML SSO to SAP Cloud, which OSS message component area do we open an incident
under? Thanks


Former Member

August 31, 2017 at 1:21 am

Thanks for sharing very good information on SAML configuration.

Can this SAML configuration be used to call S/4HANA cloud OData services to another 3rd
If not can you please advise right blog or help document to setup this communication?

Thanks


S. Chawala Chemicals HEC

October 30, 2017 at 1:43 pm

Thanks for sharing very good information on SAML configuration.

Can this SAML configuration be used to call S/4HANA cloud OData services to another 3rd Party
application?
If not can you please advise right blog or help document to setup this communication?

Thanks


Gerald Iakobinyi-Pich

June 14, 2018 at 12:19 pm

Hello,

How do I determine the correct FQDN in my case, when importing the Metadata in SSOCircle?

I have tried samlsso<user_id>trial.hanatrial.ondemand.com but I get an error when saving the metadata in
SSOCircle: "An error occured. Reason: 0006"

Thanks


Valeriya Ponomarenko

January 22, 2019 at 9:01 am

Hello Gerald!

I have the same question right now. Did you manage to solve this problem? What is the correct form of
FQDN and how can we find it?

Thanks


Eric Yu

January 23, 2019 at 8:42 am

You should save the data that is generated from the service provider; it's not the metadata from the ID service
provider here.


adrian di ruggiero

July 9, 2020 at 2:57 pm

Hello,

I got the same error, and I could make it work, generating the metadata using this link:

https://www.ssocircle.com/en/idp-tips-tricks/build-your-own-metadata/

Also, I've changed the value of FQDN: Instead of samlsso<user-id>trial.hanatrial.ondemand.com, I entered
https://authn.hanatrial.ondemand.com/saml2/sp/acs/<user-id>trial/<user-id>trial

The rest of the steps are ok.

Regards


Umesh Sohaliya

February 12, 2019 at 5:43 am

Seems like the tutorial is removed; I am getting the error "404 Page Oops… Since we cannot find what you are
looking for, here's everything." Please, someone help me to get this done.
