ITCE

During the configuration of Task Connect, an integration between ServiceNow and SAP Task Center, we devoted significant effort to addressing security concerns, particularly user authentication and user provisioning. Given the widespread use of Azure as an identity and token provider, we developed a method to synchronize users and groups across ServiceNow, SAP Task Center, and Azure.

In this document, you will find the scenario overview, the related architectural diagrams presenting the different components and how they interact with each other, and the steps to follow to configure the connection between ServiceNow, SAP Task Center and Azure.

1. Scenario overview

The starting point in this scenario is the user's authentication and the access token issued by the SAP Cloud Identity tenant's authentication service (IAS), indicated as AT (IAS) APP and returned by step 2 in figure 1 below, following the notation <token type> (<issuer>) <audience>. The complete token exchange is orchestrated by the OAuth 2.0 and OpenID Connect (OIDC) authorization and authentication frameworks and their respective token types, which are access tokens (AT), refresh tokens (RT), and identity tokens (ID). Thus, AT (IAS) IAS is an access token, issued by the IAS tenant's OAuth 2.0 authorization server, with an audience set to the IAS tenant's client ID. All tokens except refresh tokens are formatted as JWTs. Compared to the token exchange in the previous parts of this blog series (see part I, Interoperability and standards, for more details), SAML 2.0 - or more precisely the SAML assertion as an OAuth 2.0 authorization grant defined in section 2.1 of RFC 7522 - is no longer used in this scenario. Instead of transforming between different token formats (JWT to SAML and back to JWT), this scenario uses only JWTs for the token exchange. It is important to note that this token exchange requires no direct trust relationship between the application on BTP and Azure AD. The application only has a trust relationship with the IAS tenant, and the IAS tenant maintains the trust relationship with the Azure AD tenant (and vice versa).

All authentication requests for the business application on BTP (SAP Task Center) are forwarded by the IAS tenant to the Azure AD tenant, which is configured as a corporate identity provider (IdP) in IAS. IAS acts as a proxy and delegates authentication to Azure AD, taking the role of the relying party towards the corporate identity provider. The IAS tenant therefore requires an application registration in Azure AD.

Note: For the TaskConnect integration configuration to work, the SAP Task Center should be configured according to the following documentation: https://help.sap.com/docs/task-center/sap-task-center/initial-setup

2. User authentication and token exchange

[Figure 1: user authentication and token exchange]

  1. The user accesses the BTP business application, SAP Task Center. The app delegates authentication to the IAS tenant using OIDC. It starts the authentication process by redirecting the user's browser to the IAS tenant's OAuth server authorization endpoint at https://<IAS tenant name>.accounts.ondemand.com/oauth2/authorize and sending an OAuth authorization request.
  2. Because the user is not yet authenticated at the IAS tenant, the user's browser is redirected to the IAS tenant's single sign-on (SSO) endpoint at https://<IAS tenant name>.accounts.ondemand.com/saml2/idp/sso.
  3. The business application is configured in IAS to pass all authentication requests to Azure AD as its corporate IdP. Therefore, IAS sends an OAuth authorization request to the Azure AD tenant's OAuth authorization endpoint.
  4. The user is prompted by Azure AD to enter their credentials. Upon successful authentication, Azure AD sends the authorization code to IAS by redirecting the user's web browser to the redirect URI specified in the previous request.
  5. IAS receives the authorization code and sends an access token request to Azure AD's token endpoint. Azure AD issues an access token and a refresh token (RT(AAD)IAS, which is cached for later use in step 8) for the authenticated user, with an audience set to the IAS tenant's OIDC name.
  6. The BTP business application requests a client assertion from the IAS tenant to use in the subsequent requests for the token exchange via the IAS tenant's OIDC proxy. The client application sends a token request to the IAS tenant's token endpoint. The POST request is authenticated with the client ID and secret of the business application in IAS. The client assertion from IAS takes the form of a signed JWT that proves the application's identity to AAD when requesting tokens via the IAS corporate IdP OIDC proxy.
  7. The business application exchanges the IAS-issued ID token for an Azure AD-issued access token via the IAS tenant's OIDC proxy token exchange endpoint. The POST request uses the assertion parameter to pass the base64-encoded IAS ID token of the user.
  8. The IAS token service sends a refresh token request using RT(AAD)IAS, cached in step 5, to obtain a new access token AT(AAD)APP for the business application.
  9. The business application uses the Azure AD On-behalf-Of (ObO) flow to request the access token.
  10. Finally, the business application calls ServiceNow to act on the signed-in user's tasks.
  11. ServiceNow validates the token using its "OIDC provider to verify ID tokens" configuration, which points to the same application registered in Azure that issued the access token and refresh token in step 5.

3. User provisioning - Azure to SAP

Use SAP Cloud Identity Services - Identity Provisioning to provision users from Microsoft Azure Active Directory to SAP Cloud Identity Services - Identity Authentication. 

4. User provisioning & SSO - Azure to ServiceNow

  1. Use the ServiceNow enterprise application in Azure to provision users from Microsoft Azure Active Directory to the ServiceNow instance.
  2. Use the same ServiceNow enterprise application created in step 13 in Azure to authenticate users from Microsoft Azure Active Directory to the ServiceNow instance.

5. Technical service flow

[Figure 2: technical service flow]

You need to create an integration user for the SAP technical connection and choose how SAP Task Center authenticates when the technical connection is used (the delta jobs in SAP use this technical connection).

For example, you can use Basic Auth or OAuth:

  1. For Basic Auth, provide the username and password to the team who is configuring the connection to ServiceNow.
  2. For OAuth, follow these steps in ServiceNow (an account with the admin role is required):
    1. Open System OAuth -> Application Registry. Click New and choose "Create an OAuth API endpoint for external clients". Configure the record and share the username, user password, client ID and client secret with the team configuring the connection to ServiceNow.

6. Register the application in Azure AD for the IAS tenant and the ServiceNow OIDC provider to verify ID tokens

The token exchange and OIDC proxy setup between ServiceNow, IAS and the Azure AD tenant requires a trust relationship, which is established by registering one application in the Azure AD tenant.

“SAPIASTenant” represents the SAP Cloud Identity Service tenant.

Step 1
Log in to the Azure Portal (e.g. with your Microsoft 365 E5 developer subscription's admin account) and select Azure Active Directory from the portal menu.

Select App registrations from the left-side menu.  

Step 2
Click + New registration 


Step 3
Enter "<SAP IAS Tenant>" for the Name of the new application registration. Replace <SAP IAS Tenant> with your friendly name.

Select "Web" from the dropdown list in the Redirect URI section.

Enter your IAS tenant's redirect URI in the Redirect URI section's text field: https://<IAStenant name>.accounts.ondemand.com/oauth2/callback. Replace <IAS tenant name> with your tenant's name.

Click Register.

Step 4
Copy the newly generated Application (client) ID to a temporary text file. You will need it in the next step for deploying the sample application.  


Step 5
Select Manifest from the navigation menu to edit the application registration's manifest file.  
Change the value for the field "accessTokenAcceptedVersion" from null to 2.    
Click Save.  



7. Configure trust to the IAS tenant in Azure AD

Trust to the IAS tenant is configured in Azure AD with a new federated identity credential. In addition, a client secret is required for the initial token exchange in step 5 of figure 1. Both credentials are configured for the application registration in the following steps.

Step 6
Select the SAPIASTenant app (created in step 3) from the list.
Select Certificates & secrets from the menu and switch to the Client secrets tab.
Click + New client secret.

Step 7
Enter "<SAPOIDCProxy>" for the Description.  
Click Add.  


Step 8
Click Copy to clipboard in the Value column and paste it to a temporary text file. You will need it later in the setup process.


Step 9
Create another secret for ServiceNow.
Enter "<ServiceNow>" for the Description.
Click Add.


8. Configure permissions and scopes in Azure AD

To request the Outlook calendar event on behalf of the user, the business application (SAPBTPGraphApp) requires the Graph API permission Calendars.Read. SAPBTPGraphApp also exposes the custom scope "token.exchange". This scope is referred to as a (downstream) API permission for the SAPIASTenant application registration and is required for steps 7 and 8 in figure 1. For the initial token request to Azure AD (see step 5 in figure 1 and figure 2), the SAPIASTenant application exposes the custom scope "ias.access".

Step 10
Go to Expose an API in the navigation menu.  
Click + Add a scope.  


Step 11
Accept the default value for the Application ID URI.  
Click Save and continue.  


Step 12
Enter "ias.access" for the new Scope name. Provide an Admin consent display name and description.  
Click Add scope.  

Scope name: ias.access
Admin consent display name: IAS Tenant Access
Admin consent description: Access to SAP Cloud Identity service Application

Step 13
Copy the fully qualified URI of the new scope (api://<client id>/ias.access) from the clipboard to a temporary text file. It will be used in a later setup step.

Step 14
Add an optional claim to the token: navigate to Token configuration, click + Add optional claim, choose Token type ID, select "email" and click Add.

Step 15
If a message appears that API permissions are required, select the checkbox "Turn on the Microsoft Graph email permission (required for claim to appear in token)" and click Add.

Step 16
Grant Admin Consent 


Step 17
Navigate to Authentication and scroll down to Implicit grant and hybrid flows. Under "Select the tokens you would like to be issued by the authorization endpoint", select the ID tokens checkbox and click Save.


9. Configure Azure as an OAuth OIDC provider on ServiceNow

Step 18
Open the ServiceNow instance.
Navigate to All > System OAuth > Application Registry.
Click New, then click Configure an OIDC provider to verify ID tokens.

Step 19
Fill in the form with the following fields:

Name: a unique name that identifies the OAuth OIDC entity.

Client ID: the client ID of the application registered in Azure in step 4. The instance uses the client ID when requesting an access token.

Client Secret: the client secret of the application registered in Azure in step 31.

OAuth OIDC Provider Configuration: the OIDC provider (ADFS, Auth0, Azure AD, Google, Okta) used to validate the JWT token. Click the record of your OIDC provider configuration to check that User Claim and User Field are set appropriately. If you check Enable JTI claim verification, the ServiceNow JWT token validation also validates the JTI sent by the provider. See the next step for more details.

Clock Skew: the number of seconds for which a time-based constraint is still considered valid. The default is 300.

Comments: additional information to associate with the application.

Application: the name of the application containing this entity.

Accessible from: select whether the entity is accessible from all application scopes or from this application scope only (all scopes by default).

Enforce Token Restrictions: select to only allow tokens to be used with APIs set to allow the authentication profile. You can grant access using an API access policy; for more information, see Create REST API access policy. Default: unselected.

Active: select the check box to make the OAuth application active.

Redirect URL: the URL of the OAuth application for receiving the authorization code (added automatically when the application is saved).

End Session Endpoint URL: the URL endpoint invoked after a session ends (not required).

Enable force authentication: option to enable force authentication for users (not required).

Step 20
OAuth OIDC Provider Configuration: click the search icon, then New, and fill in:

OIDC Provider: a unique name that identifies the OIDC provider
OIDC Metadata URL: the OIDC provider's OpenID Connect metadata document (details in the next step)

User Claim: email
User Field: the field in ServiceNow that contains the mail value

Enable JTI claim verification: disabled
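As an added example (not part of the original post, nor SAP or ServiceNow code), this is the claim validation behind the settings in steps 19 and 20: issuer and audience of the Azure registration, the Clock Skew tolerance, the User claim mapping and the optional JTI replay check, applied to an ID token. The HS256 test key, tenant ID and client ID are constructed placeholders; Azure AD signs with RS256 and a real verifier loads its keys from the metadata document of step 21, so only the signature step differs.

```python
"""Claim checks an OIDC relying party (ServiceNow, as configured in steps 19-20)
applies to an Azure AD-issued ID token. Added example, not from the post, SAP or
ServiceNow. Assumption: HS256 with a constructed test key stands in for Azure's
RS256 signature (keys from the jwks_uri in the metadata document, step 21)."""
import base64
import hashlib
import hmac
import json

TEST_KEY = b"constructed-test-key"           # stand-in signing key (constructed)
TENANT_ID = "<AAD tenant ID>"                 # placeholder
CLIENT_ID = "<client id>"                     # placeholder: app registered in step 3

# Mirrors the ServiceNow OIDC entity: issuer from the metadata document, audience =
# client ID, Clock Skew default 300 s, User claim "email", JTI verification toggle.
CONFIG = {
    "issuer": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "audience": CLIENT_ID,
    "clock_skew": 300,
    "user_claim": "email",
    "verify_jti": True,
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_test_token(claims: dict, key: bytes = TEST_KEY) -> str:
    """Build a constructed HS256 token so the validator can be exercised offline."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

class IdTokenValidator:
    def __init__(self, cfg: dict, key: bytes = TEST_KEY):
        self.cfg, self.key = cfg, key
        self.seen_jti = set()        # replay cache; a real instance persists this

    def validate(self, token: str, now: int) -> str:
        """Return the user identifier from the configured user claim, or raise."""
        skew = self.cfg["clock_skew"]
        if token.count(".") != 2:
            raise ValueError("malformed token")
        h, p, s = token.split(".")
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":
            raise ValueError("unexpected alg")     # pin the algorithm; never accept alg=none
        expected = hmac.new(self.key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            raise ValueError("bad signature")
        c = json.loads(_b64url_decode(p))
        if c.get("iss") != self.cfg["issuer"]:
            raise ValueError("issuer mismatch")
        if c.get("aud") != self.cfg["audience"]:
            raise ValueError("audience mismatch")   # token minted for another app
        if c.get("ver") != "2.0":
            raise ValueError("not a v2.0 token")    # pairs with accessTokenAcceptedVersion = 2
        if c.get("exp", 0) + skew < now:
            raise ValueError("token expired")       # exp tolerated up to Clock Skew seconds
        if c.get("nbf", c.get("iat", 0)) - skew > now:
            raise ValueError("token not yet valid")
        if self.cfg["verify_jti"]:
            if not c.get("jti") or c["jti"] in self.seen_jti:
                raise ValueError("missing or replayed jti")
            self.seen_jti.add(c["jti"])
        user = c.get(self.cfg["user_claim"])       # "email" optional claim from step 14
        if not user:
            raise ValueError(f"{self.cfg['user_claim']} claim missing")
        return user                                # mapped to the User Field in ServiceNow
```

With JTI verification disabled, as in step 20, the same token may be presented more than once within its lifetime, which is what the Clock Skew window then bounds.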

Step 21
Navigate to the Azure application created in step 3 > Overview > Endpoints and copy the OpenID Connect metadata document URL.

Step 22
Navigate to OAuth Entity Scopes and add:
offline_access
openid

Click Update.

Step 23
Navigate to the OAuth Entity Profiles record, which is created automatically when the OAuth OIDC entity is saved.

Verify that the Grant type is Resource Owner Password Credentials and then add the OAuth Entity Scopes created in the previous step.

Step 24
Add Auth Scope: 
useraccount


Step 25
Navigate to the OAuth OIDC Entity created in step 34 and copy the redirect URL.

Step 26
Navigate to the Azure app registered in step 3 > Authentication.
Add the URL from the previous step (do not remove or replace the URL added in step 3 when the application was created).
Click Save.

10. Setup user provisioning - Azure >> SAP

Step 27
Launch a browser window and access your Azure portal using the URL: https://portal.azure.com/

You will need to authenticate to your Azure AD using your admin credentials. 

Step 28
Click Microsoft Entra ID. 


Step 29
Click App Registration >> New registration


Step 30
Specify a name for your app and click Register 

Step 31
Click API permission >> Add a permission


Step 32
Select Microsoft Graph.


Step 33
Click Application permissions


Step 34
From the list of API permissions, expand User and select User.Read.All. 


Step 35
From the API list also select Group >> Read.All and Directory >> Read.All. Click Add permissions at the bottom of the screen once done.

Step 36
The permissions are not granted by default. To grant them, click Grant admin consent for Default Directory.

Step 37
Click Yes on the popup message and confirm that all permissions are granted.


Step 38
Click Overview in the left panel. Make a note of the Application (client) ID; you will need it later when creating the source system in IPS. Click Add a certificate or secret.

Step 39
Click New client secret


Step 40
Specify a description and expiry time for the client secret.


Step 41
The client secret is now added. Make a note of the Value field, as you will need it later when creating the source system in IPS.

Step 42
Navigate to the main overview page of Azure AD and make a note of your Primary domain. You will need this value when creating the source system in IPS.

Step 43
Follow the blog https://community.sap.com/t5/technology-blogs-by-sap/provision-users-from-microsoft-azure-ad-to-sap-... and note the specific hint on filtering users by group: in the Identity Provisioning source system Properties, add aad.group.filter=displayName eq '<group_name>':


11. Establish trust between the Task Center subaccount and IAS

Step 44
Go to BTP Cockpit->Security->Trust Configuration 

Step 45
Select "Establish trust" and choose the IAS

Step 46
Select "Establish trust" and choose the IAS 

Note: This creates an OIDC application in IAS for the subaccount 

NB: The Task Center/ServiceNow integration works only with OIDC trust between the Task Center subaccount and IAS.

Step 47
This creates an application in IAS.

For more information, you can check: https://help.sap.com/docs/btp/sap-business-technology-platform/establish-trust-and-federation-betwee...

12. Setup the corporate identity provider and OIDC proxy in SAP Cloud Identity tenant

Step 48
Log in as an administrator to your SAP Cloud Identity service administration console at
https://<IAStenant name>.accounts.ondemand.com/admin

Step 49
Go to Identity Providers > Corporate Identity Providers and click Create.  
Enter a Display name (e.g. "Azure Active Directory") and click Save.

Step 50
Click on Identity Provider Type from the Trust settings of the new corporate identity provider.


Step 51
Select OpenID Connect Compliant from the list.  
Click Save.


Step 52
Click on OpenID Connect Configuration from the Trust settings of the new corporate identity provider.


Step 53
Enter your Azure AD tenant's OIDC Discovery URL (https://login.microsoftonline.com/<AAD tenant ID>/v2.0) and click Load.

The Issuer field is populated from the loaded Azure AD tenant's OIDC metadata.

Step 54
Enter the SAPIASTenant's client ID in the Client ID field. In the Client Secret field, enter the value of the OIDC proxy secret copied in step 8.

Click Validate.

Step 55
Verify a successful validation of the OIDC configuration.  

Click OK

Step 56
Click + Add  


Step 57
Copy and paste the fully qualified URI of the SAPIASTenant application's custom scope (api://<client id>/ias.access), copied in step 13, for the new scope.

Click Save.  

Step 58
Click + Add again and add the scopes:
"email"
"openid"
"offline_access"

Click Save

Step 59
Click Save.  

Step 60
Go to Applications & Resources > Applications  
Select the application created in section 11 (Establish trust between the Task Center subaccount and IAS), step 47.

Click Attributes


Step 61
Navigate to Attributes and add  

Name: "xsuaa-persist-corporate-idp-token" 
Source: Expression 
Value: true 

Save


Step 62
Select "Conditional Authentication".
In the "Default Identity Provider" field, choose the Azure provider configured in steps 48-59, then click Save.


13. Configure destinations for SAP in the BTP sub-account

SAP Task Center uses destinations to connect to the ServiceNow task provider.

Client-specific configuration:

  • aadTokenEndpoint: Azure AD token endpoint at https://login.microsoftonline.com/<AAD tenant ID>/oauth2/v2.0/token
  • iasTokenEndpoint: SAP Cloud Identity service tenant's token endpoint at https://<IAStenant name>.accounts.ondemand.com/oauth2/token
  • iasTokenExchange: SAP Cloud Identity service's token exchange service endpoint at https://<IAStenant name>.accounts.ondemand.com/oauth2/exchange/corporateidp

Step 63
Go back to the SAP BTP Cockpit and navigate to your CF subaccount.  
Select Connectivity > Destinations from the navigation menu.  
Click New Destination.

Step 64
Enter the following values for the first destination:  
Refer to 6. Technical service flow.

Click Save.


Step 65
Repeat steps 63 and 64 with the following values for the second destination:

Refer to 10. Configure Azure as an OAuth OIDC provider on ServiceNow, step 21.

AuthnContextClassRef = urn:oasis:names:tc:SAML:2.0:ac:classes:X509
clientKey = Token Service Password = client secret
Token Service User = client ID

Task Center documentation for Third Party destination setup: https://help.sap.com/docs/task-center/sap-task-center/connect-third-party-task-provider-and-sap-task...  

Click Save.  


14. Test the scenario 

Step 66
Use the SAP Task Center Administration app to check the status of the configured connector destination, following https://help.sap.com/docs/task-center/sap-task-center/working-with-task-center-administration-app

Step 67
Use SAP Task Center Web app, to validate that tasks from the new destination are seen by business users (for more information, see: https://help.sap.com/docs/task-center/sap-task-center/sap-task-center-web-app)

1 Comment
vbalko-claimate
Contributor

Thank you, really long and detailed guide also containing a lot of additional stuff. Kudos

Vlado
