Tutorial - Tutorial - Azure Active Directory Single Sign-On (SSO) Integration With SAP NetWeaver - Microsoft Docs

1/7/22, 8:23 PM Tutorial: Tutorial: Azure Active Directory Single sign-on (SSO) integration with SAP NetWeaver | Microsoft
tWeaver | Microsoft Docs
torial: Azure Active Directory Single

gn-on (SSO) integration with SAP
etWeaver
e • 11/11/2021 • 11 minutes to read • +10 Is this page helpful?  
s article
equisites
ario description
ng SAP NetWeaver from the gallery
igure and test Azure AD SSO for SAP NetWeaver
igure Azure AD SSO
igure SAP NetWeaver using SAML
SSO
igure SAP NetWeaver for OAuth
Steps
s tutorial, you'll learn how to integrate SAP NetWeaver with Azure Active Directory
e AD). When you integrate SAP NetWeaver with Azure AD, you can:
Control in Azure AD who has access to SAP NetWeaver.

Enable your users to be automatically signed-in to SAP NetWeaver with their Azure
AD accounts.
Manage your accounts in one central location - the Azure portal.
erequisites
t started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free
account .
SAP NetWeaver single sign-on (SSO) enabled subscription.
SAP NetWeaver V7.20 required atleast
https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/sap-netweaver-tutorial 1/29
1/7/22, 8:23 PM Tutorial: Tutorial: Azure Active Directory Single sign-on (SSO) integration with SAP NetWeaver | Microsoft Docs
enario description
SAP NetWeaver supports both SAML (SP initiated SSO) and OAuth. In this tutorial,
you configure and test Azure AD SSO in a test environment.
Note
entifier of this application is a fixed string value so only one instance can be
nfigured in one tenant.
Note
nfigure the application either in SAML or in OAuth as per your organizational

quirement.
ding SAP NetWeaver from the gallery

nfigure the integration of SAP NetWeaver into Azure AD, you need to add SAP
Weaver from the gallery to your list of managed SaaS apps.
Sign in to the Azure portal using either a work or school account, or a personal
Microsoft account.
On the left navigation pane, select the Azure Active Directory service.
Navigate to Enterprise Applications and then select All Applications.
To add new application, select New application.
In the Add from the gallery section, type SAP NetWeaver in the search box.
Select SAP NetWeaver from results panel and then add the app. Wait a few seconds
while the app is added to your tenant.
nfigure and test Azure AD SSO for SAP

tWeaver
gure and test Azure AD SSO with SAP NetWeaver using a test user called B.Simon. For
to work, you need to establish a link relationship between an Azure AD user and the
ed user in SAP NetWeaver.
nfigure and test Azure AD SSO with SAP NetWeaver, perform the following steps:
Configure Azure AD SSO to enable your users to use this feature.

a. Create an Azure AD test user to test Azure AD single sign-on with B.Simon.
b. Assign the Azure AD test user to enable B.Simon to use Azure AD single sign-on.
Configure SAP NetWeaver using SAML to configure the SSO settings on application
side.
a. Create SAP NetWeaver test user to have a counterpart of B.Simon in SAP
NetWeaver that is linked to the Azure AD representation of user.
Test SSO to verify whether the configuration works.
Configure SAP NetWeaver for OAuthto configure the OAuth settings on application
side.
nfigure Azure AD SSO

s section, you enable Azure AD single sign-on in the Azure portal.
nfigure Azure AD single sign-on with SAP NetWeaver, perform the following steps:
Open a new web browser window and sign into your SAP NetWeaver company site as
an administrator
Make sure that http and https services are active and appropriate ports are assigned
in SMICM T-Code.
Sign on to business client of SAP System (T01), where SSO is required and activate
HTTP Security session Management.
a. Go to Transaction code SICF_SESSIONS. It displays all relevant profile parameters

with current values. They look like below:-
＝ Copy
login/create_sso2_ticket = 2
login/accept_sso2_ticket = 1
login/ticketcache_entries_max = 1000
login/ticketcache_off = 0 login/ticket_only_by_https = 0
icf/set_HTTPonly_flag_on_cookies = 3
icf/user_recheck = 0 http/security_session_timeout = 1800
http/security_context_cache_size = 2500
rdisp/plugin_auto_logout = 1800
rdisp/autothtime = 60
７ Note
Adjust above parameters as per your organization requirements, Above

parameters are given here as indication only.
b. If necessary adjust parameters, in the instance/default profile of SAP system and

restart SAP system.
c. Double-click on relevant client to enable HTTP security session.
d. Activate below SICF services:
＝ Copy
/sap/public/bc/sec/saml2
/sap/public/bc/sec/cdc_ext_service
/sap/bc/webdynpro/sap/saml2
/sap/bc/webdynpro/sap/sec_diag_tool (This is only to enable / disable

trace)
Go to Transaction code SAML2 in business client of SAP system [T01/122]. It will open
a user interface in a browser. In this example, we assumed 122 as SAP business client.
Provide your username and password to enter in user interface and click Edit.
Replace Provider Name from T01122 to http://T01122 and click on Save.
７ Note
By default provider name come as <sid><client> format but Azure AD expects

name in the format of <protocol>://<name> , recommending to maintain provider
name as https://<sid><client> to allow multiple SAP NetWeaver ABAP engines
to configure in Azure AD.
Generating Service Provider Metadata:- Once we are done with configuring the
Local Provider and Trusted Providers settings on SAML 2.0 User Interface, the next
step would be to generate the service provider’s metadata file (which would contain
all the settings, authentication contexts and other configurations in SAP). Once this
file is generated we need to upload this in Azure AD.
a. Go to Local Provider tab.
b. Click on Metadata.
c. Save the generated Metadata XML file on your computer and upload it in Basic
SAML Configuration section to autopopulate the Identifier and Reply URL values in
Azure portal.
w these steps to enable Azure AD SSO in the Azure portal.
In the Azure portal, on the SAP NetWeaver application integration page, find the
Manage section and select Single sign-on.
On the Select a Single sign-on method page, select SAML.
On the Set up Single Sign-On with SAML page, click the pencil icon for Basic SAML
Configuration to edit the settings.
On the Basic SAML Configuration section, if you wish to configure the application in
IDP initiated mode, perform the following step:
a. Click Upload metadata file to upload the Service Provider metadata file, which
you have obtained earlier.
b. Click on folder logo to select the metadata file and click Upload.
c. After the metadata file is successfully uploaded, the Identifier and Reply URL values
get auto populated in Basic SAML Configuration section textbox as shown below:
d. In the Sign-on URL text box, type a URL using the following pattern:
https://<your
company instance of SAP NetWeaver>
７ Note
We have seen few customers reporting an error of incorrect Reply URL

configured for their instance. If you receive any such error, you can use following
PowerShell script as a work around to set the correct Reply URL for your
instance.:
＝ Copy
Set-AzureADServicePrincipal -ObjectId $ServicePrincipalObjectId -

ReplyUrls "<Your Correct Reply URL(s)>"
ServicePrincipal Object ID is to be set by yourself first or you can pass that also
here.
SAP NetWeaver application expects the SAML assertions in a specific format, which
requires you to add custom attribute mappings to your SAML token attributes
configuration. The following screenshot shows the list of default attributes. Click Edit
icon to open User Attributes dialog.
In the User Claims section on the User Attributes dialog, configure SAML token
attribute as shown in the image above and perform the following steps:
a. Click Edit icon to open the Manage user claims dialog.
b. From the Transformation list, select ExtractMailPrefix().
c. From the Parameter 1 list, select user.userprincipalname.
d. Click Save.
On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate
section, find Federation Metadata XML and select Download to download the
certificate and save it on your computer.
On the Set up SAP NetWeaver section, copy the appropriate URL(s) based on your
requirement.
ate an Azure AD test user

s section, you'll create a test user in the Azure portal called B.Simon.
From the left pane in the Azure portal, select Azure Active Directory, select Users,
and then select All users.
Select New user at the top of the screen.
In the User properties, follow these steps:
a. In the Name field, enter B.Simon .
b. In the User name field, enter the username@companydomain.extension. For
example, B.Simon@contoso.com .
c. Select the Show password check box, and then write down the value that's
displayed in the Password box.
d. Click Create.
ign the Azure AD test user

s section, you'll enable B.Simon to use Azure single sign-on by granting access to SAP
Weaver.
In the Azure portal, select Enterprise Applications, and then select All applications.
In the applications list, select SAP NetWeaver.
In the app's overview page, find the Manage section and select Users and groups.
Select Add user, then select Users and groups in the Add Assignment dialog.
In the Users and groups dialog, select B.Simon from the Users list, then click the
Select button at the bottom of the screen.
If you are expecting a role to be assigned
to the users, you can select it from the Select a role dropdown. If no role has been set
up for this app, you see "Default Access" role selected.
In the Add Assignment dialog, click the Assign button.
nfigure SAP NetWeaver using SAML

Sign in to SAP system and go to transaction code SAML2. It opens new browser
window with SAML configuration screen.
For configuring End points for trusted Identity provider (Azure AD) go to Trusted
Providers tab.
Press Add and select Upload Metadata File from the context menu.
Upload metadata file, which you have downloaded from the Azure portal.
In the next screen type the Alias name. For example, aadsts and press Next to
continue.
Make sure that your Digest Algorithm should be SHA-256 and don’t require any
changes and press Next.
On Single Sign-On Endpoints, use HTTP POST and click Next to continue.
On Single Logout Endpoints select HTTPRedirect and click Next to continue.
On Artifact Endpoints, press Next to continue.
On Authentication Requirements, click Finish.
Go to tab Trusted Provider > Identity Federation (from bottom of the screen). Click
Edit.
Click Add under the Identity Federation tab (bottom window).
From the pop-up window, select Unspecified from the Supported NameID formats
and click OK.
Give the User ID Source value as Assertion Attribute, User ID mapping mode value
as Email and Assertion Attribute Name as
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name .
Note that User ID Source and User ID mapping mode values determine the link
between SAP user and Azure AD claim.
Scenario: SAP User to Azure AD user mapping.

a. NameID details screenshot from SAP.
b. Screenshot mentioning Required claims from Azure AD.
Scenario: Select SAP user ID based on configured email address

in SU01. In this case email ID should be configured in su01 for
each user who requires SSO.
a. NameID details screenshot from SAP.
b. screenshot mentioning Required claims from Azure AD.
Click Save and then click Enable to enable identity provider.
Click OK once prompted.
Create SAP NetWeaver test user

In this section, you create a user called B.simon in SAP NetWeaver. Please work your
in house SAP expert team or work with your organization SAP partner to add the
users in the SAP NetWeaver platform.
st SSO
Once the identity provider Azure AD was activated, try accessing below URL to check
SSO (there will no prompt for username & password)
https://<sapurl>/sap/bc/bsp/sap/it00/default.htm
(or) use the URL below
https://<sapurl>/sap/bc/bsp/sap/it00/default.htm
７ Note
Replace sapurl with actual SAP hostname.
The above URL should take you to below mentioned screen. If you are able to reach
up to the below page, Azure AD SSO setup is successfully done.
If username & password prompt occurs, please diagnose the issue by enable the
trace using below URL
https://<sapurl>/sap/bc/webdynpro/sap/sec_diag_tool?sap-client=122&sap-
language=EN#
nfigure SAP NetWeaver for OAuth

SAP Documented process is available at the location: NetWeaver Gateway Service
Enabling and OAuth 2.0 Scope Creation
Go to SPRO and find Activate and Maintain services.
In this example we want to connect the OData service: DAAG_MNGGRP with OAuth to
Azure AD SSO. Use the technical service name search for the service DAAG_MNGGRP and
activate if not yet active, already (look for green status under ICF nodes tab). Ensure if
system alias (the connected backend system, where the service actually running) is
correct.
Then click pushbutton OAuth on the top button bar and assign scope (keep
default name as offered).
For our example the scope is DAAG_MNGGRP_001 , it is generated from the service name
by automatically adding a number. Report /IWFND/R_OAUTH_SCOPES can be used to
change name of scope or create manually.
７ Note
Message soft state status is not supported – can be ignored, as no problem.

For more details, refer here .
ate a service user for the OAuth 2.0 Client

OAuth2 uses a service ID to get the access token for the end-user on its behalf.
Important restriction by OAuth design: the OAuth 2.0 Client ID must be identical
with the username the OAuth 2.0 client uses for login when requesting an Access
Token. Therefore, for our example, we are going to register an OAuth 2.0 client with
name CLIENT1, and as a prerequisite a user with the same name (CLIENT1) must exist
in the SAP system and that user we will configure to be used by the referred
application.
When registering an OAuth Client we use the SAML Bearer Grant type .
７ Note
For more details, refer OAuth 2.0 Client Registration for the SAML Bearer Grant
Type here .
tcod: SU01 / create user CLIENT1 as System type and assign password, save it as need
to provide the credential to the API programmer, who should burn it with the
username to the calling code. No profile or role should be assigned.
gister the new OAuth 2.0 Client ID with the creation

ard
To register a new OAuth 2.0 client start transaction SOAUTH2. The transaction will
display an overview about the OAuth 2.0 clients that were already registered. Choose
Create to start the wizard for the new OAuth client named as CLIENT1in this example.
Go to T-Code: SOAUTH2 and Provide the description then click next.
Select the already added SAML2 IdP – Azure AD from the dropdown list and save.
Click on Add under scope assignment to add the previously created scope:
DAAG_MNGGRP_001
Click finish.
xt Steps
you configure Azure AD SAP NetWeaver you can enforce Session Control, which
cts exfiltration and infiltration of your organization’s sensitive data in real time.
on Control extends from Conditional Access. Learn how to enforce session control
Microsoft Defender for Cloud Apps.
commended content
utorial: Azure Active Directory single sign-on (SSO) integration with SAP Fiori
earn how to configure single sign-on between Azure Active Directory and SAP Fiori.
utorial: Azure Active Directory integration with SAP HANA

earn how to configure single sign-on between Azure Active Directory and SAP HANA.
utorial: Azure Active Directory integration with SAP Cloud Platform Identity
uthentication
earn how to configure single sign-on between Azure Active Directory and SAP Cloud Platform
entity Authentication.
utorial: Azure Active Directory single sign-on (SSO) integration with SAP Cloud
or Customer
earn how to configure single sign-on between Azure Active Directory and SAP Cloud for
ustomer.
Show more Ｓ

Tutorial - Tutorial - Azure Active Directory Single Sign-On (SSO) Integration With SAP NetWeaver - Microsoft Docs

Uploaded by

Document Informationclick to expand document information

Copyright:

Available Formats

Tutorial - Tutorial - Azure Active Directory Single Sign-On (SSO) Integration With SAP NetWeaver - Microsoft Docs

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Tutorial - Tutorial - Azure Active Directory Single Sign-On (SSO) Integration With SAP NetWeaver - Microsoft Docs

Uploaded by

Copyright:

Available Formats

1/7/22, 8:23 PM Tutorial: Tutorial: Azure Active Directory Single sign-on (SSO) integration with SAP NetWeaver | Microsoft

tWeaver | Microsoft Docs

torial: Azure Active Directory Single

Control in Azure AD who has access to SAP NetWeaver.

nfigure the application either in SAML or in OAuth as per your organizational

ding SAP NetWeaver from the gallery

nfigure and test Azure AD SSO for SAP

Configure Azure AD SSO to enable your users to use this feature.

nfigure Azure AD SSO

a. Go to Transaction code SICF_SESSIONS. It displays all relevant profile parameters

icf/user_recheck = 0 http/security_session_timeout = 1800

Adjust above parameters as per your organization requirements, Above

b. If necessary adjust parameters, in the instance/default profile of SAP system and

c. Double-click on relevant client to enable HTTP security session.

d. Activate below SICF services:

/sap/bc/webdynpro/sap/sec_diag_tool (This is only to enable / disable

Replace Provider Name from T01122 to http://T01122 and click on Save.

By default provider name come as <sid><client> format but Azure AD expects

a. Go to Local Provider tab.

w these steps to enable Azure AD SSO in the Azure portal.

On the Select a Single sign-on method page, select SAML.

We have seen few customers reporting an error of incorrect Reply URL

Set-AzureADServicePrincipal -ObjectId $ServicePrincipalObjectId -

a. Click Edit icon to open the Manage user claims dialog.

b. From the Transformation list, select ExtractMailPrefix().

c. From the Parameter 1 list, select user.userprincipalname.

ate an Azure AD test user

ign the Azure AD test user

nfigure SAP NetWeaver using SAML

On Single Logout Endpoints select HTTPRedirect and click Next to continue.

On Artifact Endpoints, press Next to continue.

On Authentication Requirements, click Finish.

Click Add under the Identity Federation tab (bottom window).

Scenario: SAP User to Azure AD user mapping.

b. Screenshot mentioning Required claims from Azure AD.

Scenario: Select SAP user ID based on configured email address

b. screenshot mentioning Required claims from Azure AD.

Click Save and then click Enable to enable identity provider.

Click OK once prompted.

Create SAP NetWeaver test user

(or) use the URL below

Replace sapurl with actual SAP hostname.

nfigure SAP NetWeaver for OAuth

Go to SPRO and find Activate and Maintain services.

Message soft state status is not supported – can be ignored, as no problem.

ate a service user for the OAuth 2.0 Client

gister the new OAuth 2.0 Client ID with the creation

Go to T-Code: SOAUTH2 and Provide the description then click next.

utorial: Azure Active Directory integration with SAP HANA

You might also like