
SSO Configuration on Asset Management: Steps Involved

Source: https://blogs.sap.com/2023/05/17/sso-configuration-on-asset-management-steps-involved./


SSO based on Principal Propagation for SAP Asset Manager

Agenda:
Single Sign-on Authentication Types:

Single Sign-on based on Principal Propagation for SAP Asset Manager (BTP)

Principal Propagation: Process Flow

Principal-propagation.png

Principal Propagation: Architecture Overview

Architecture-Digram.png

Technical landscape

technical-landscape.png

Principal Propagation Compatibility

In the context of the SAP Mobile Add-On, the expectation is that the SAP Cloud Connector passes the cloud user identity to the back end through principal propagation: the identity is placed in a certificate subject pattern, and that subject is matched to a corresponding alias in the back-end system.

SAP uses rule-based certificate mapping in the back end for this match.

SAP_GUI_CONFIG.png

Backend user names

user_names.png

Set up principal propagation in the Cloud Connector.

Cloud-connector_PP.png
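To make the hand-off above concrete, here is a toy model of the three hops the text describes: identity attributes from the assertion, a short-lived certificate whose subject is rendered from a subject pattern, and a rule-based match of that subject against a back-end alias. This is an added example, not SAP Cloud Connector, IAS or ABAP code: the attribute name `mail`, the pattern `CN=${mail}`, the mapping rule, the certificate lifetime and the user list are all constructed, and the real products implement these steps differently. What it does show is the checks a defender wants at each hop: a missing attribute must not produce an empty CN, an expired certificate must be refused, and a subject that matches no rule or no user must fail closed.

```python
"""Toy model of principal-propagation identity mapping (added example, not SAP code)."""
import re
import time

# Subject pattern the connector renders into the short-lived certificate.
# ${mail} is a hypothetical assertion attribute name chosen for this example.
SUBJECT_PATTERN = "CN=${mail}"

# Hypothetical certificate lifetime in seconds; real values are product settings.
CERT_LIFETIME_SECONDS = 3600

# Rule-based mapping, modelled as (regex over the subject, alias template).
# The constructed rule accepts only the corp.example domain and uses the local
# part of the address as the back-end alias.
MAPPING_RULES = [
    (re.compile(r"^CN=(?P<local>[^@,=]+)@corp\.example$"), "{local}"),
]

# Constructed stand-in for the back-end user master: alias -> back-end user.
BACKEND_USERS = {"JDOE": "JDOE", "ASMITH": "ASMITH"}


def render_subject(attributes, pattern=SUBJECT_PATTERN):
    """Fill ${attr} placeholders from the assertion attributes.

    A missing or empty attribute is an error rather than an empty CN, so a
    loosely written mapping rule can never match a blank subject."""
    def substitute(match):
        name = match.group(1)
        value = attributes.get(name)
        if not value:
            raise ValueError(f"attribute {name!r} missing or empty in assertion")
        return value
    return re.sub(r"\$\{(\w+)\}", substitute, pattern)


def issue_short_lived_cert(attributes, now):
    """Stand-in for certificate issuance: subject plus a validity window."""
    return {
        "subject": render_subject(attributes),
        "not_before": now,
        "not_after": now + CERT_LIFETIME_SECONDS,
    }


def map_to_backend_user(cert, now, rules=MAPPING_RULES, users=BACKEND_USERS):
    """Stand-in for the back end: validity check, rule match, alias lookup."""
    if not (cert["not_before"] <= now < cert["not_after"]):
        raise PermissionError("certificate is outside its validity window")
    for pattern, template in rules:
        match = pattern.match(cert["subject"])
        if match:
            alias = template.format(**match.groupdict()).upper()
            if alias not in users:
                raise LookupError(f"no back-end user for alias {alias}")
            return users[alias]
    raise LookupError(f"no mapping rule matches subject {cert['subject']!r}")


def propagate(attributes, now=None):
    """End to end: assertion attributes -> certificate -> back-end user name."""
    now = time.time() if now is None else now
    cert = issue_short_lived_cert(attributes, now)
    return map_to_backend_user(cert, now)


if __name__ == "__main__":
    print(propagate({"mail": "jdoe@corp.example"}))  # JDOE
```

The rule deliberately anchors on the corporate domain: without the `@corp.example` suffix in the regex, an identity provider that lets users set their own mail attribute could mint a subject that maps onto someone else's alias, which is exactly the class of mistake the back-end mapping rules exist to prevent.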

Step 1.

SAP Cloud platform authentication setup using IAS with Azure AD

A connection to the corporate Active Directory needs to be established.

Prerequisite: the Cloud Connector is installed and connected to the SCP subaccount.

Cloud Connector configuration

Step 2.

Check the BTP cockpit.

BTP Cockpit

Click on Local Service Provider, click Edit, then click Get Metadata and upload the downloaded metadata in IAS.

Step 3.

Go to the IAS tenant.

IAS Home screen

Go to Applications and add a new application.

Add Application

Give the application a name.

Application Display Name:

Application Home URL: keep empty.

Application Type:

Step 4.

Go to the SAP BTP Cockpit.

Under Trust, open Trust Management.

BTP_Configuration.png

Add the Identity Authentication tenant (we have two tenants: one is used for development and quality, the other for production).

Select the tenant and a confirmation popup will appear.

BTP_CONFIG.png

Download the metadata.

Step 5.

Go to IAS –> Applications –> Bundled Applications –> the application you created for Asset Manager DEV.

IAS1.png

Choose Define from Metadata and upload the metadata you downloaded from BTP.

Check the SAML 2.0 Configuration and the signing certificates.

Check that SHA-256 is selected, Sign Assertions is on, Sign Single Logout Messages is on, and Require Signed Single Logout Messages is on.

IAS2.png
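Before uploading a metadata file in either direction (Step 2 and Step 5 above), it is worth checking it programmatically for the signing-related settings that the text says must be on. The following is an added example, not SAP or IAS code: it parses a service-provider metadata document with Python's standard library and reports whether assertions and authentication requests are required to be signed, whether a signing certificate is published, whether the metadata's own signature uses RSA with SHA-256, and whether every Assertion Consumer Service URL is HTTPS. The sample metadata, its entity ID, hostname and certificate body are constructed placeholders. Note that the IAS single-logout signing toggles are tenant settings, not standard metadata attributes, so they are not visible to this kind of check.

```python
"""Pre-upload sanity check for SAML 2.0 SP metadata (added example, not SAP code)."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Constructed SP metadata; hostnames, entity ID, signature and certificate
# values are dummies and not a real BTP export.
SAMPLE_SP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://subaccount.authentication.example/saml/metadata">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    </ds:SignedInfo>
    <ds:SignatureValue>ZHVtbXk=</ds:SignatureValue>
  </ds:Signature>
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIBdummyCertificateBody</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://subaccount.authentication.example/saml/SSO"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

REQUIRED = (
    "want_assertions_signed",
    "authn_requests_signed",
    "signing_cert_present",
    "metadata_signed_rsa_sha256",
    "acs_all_https",
)


def check_sp_metadata(xml_text):
    """Return a dict of findings plus an overall 'ok' verdict."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service-provider metadata")

    findings = {"entity_id": root.get("entityID")}
    findings["want_assertions_signed"] = sp.get("WantAssertionsSigned", "false").lower() == "true"
    findings["authn_requests_signed"] = sp.get("AuthnRequestsSigned", "false").lower() == "true"

    # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
    signing_keys = [k for k in sp.findall("md:KeyDescriptor", NS) if k.get("use", "signing") == "signing"]
    findings["signing_cert_present"] = any(
        k.find(".//ds:X509Certificate", NS) is not None for k in signing_keys
    )

    method = root.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    findings["metadata_signed_rsa_sha256"] = method is not None and method.get("Algorithm") == RSA_SHA256

    acs_urls = [a.get("Location", "") for a in sp.findall("md:AssertionConsumerService", NS)]
    findings["acs_all_https"] = bool(acs_urls) and all(u.startswith("https://") for u in acs_urls)

    findings["ok"] = all(findings[key] for key in REQUIRED)
    return findings


if __name__ == "__main__":
    for key, value in check_sp_metadata(SAMPLE_SP_METADATA).items():
        print(f"{key}: {value}")
```

Run it against the file you are about to upload rather than against the sample; any finding that comes back `False` is something to fix in the exporting system before the trust is established, because correcting it afterwards means re-exchanging metadata on both sides.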

Step 6.

Steps for IAS – Azure AD

SAML 2.0 Configuration –> go to Tenant Settings; under the Assertion Consumer Service Endpoint you see the metadata, which you can download.

IAS3.png

Step 7:

Upload the metadata into Azure AD.

To configure the integration of SAP Cloud Platform Identity Authentication into Azure AD, you need to add SAP Cloud Platform Identity Authentication from the gallery to your list of managed SaaS apps.

Sign in to the Azure portal using either a work or school account or a personal Microsoft account.

In the left navigation pane, select the Azure Active Directory service.

Navigate to Enterprise Applications and then select All Applications.

To add a new application, select New Application.

In the Add from the gallery section, type SAP Cloud Platform Identity Authentication in the search box. Select SAP Cloud Platform Identity Authentication from the results panel and then add the app.

Wait a few seconds while the app is added to your tenant.

Download the metadata.

AD.png
AD1.png
AD3.png

Log in to IAS and upload the Azure AD metadata there.

Go to Identity Authentication Service –> Corporate Identity Providers –> Create –> Add Identity Provider and define it from the metadata.

IAS4.png

Select Microsoft ADFS / Azure AD as the Identity Provider Type.

IAS5.png

Enable the Single Sign-On button, then go to Conditional Authentication and select the default identity provider.

IAS6.png

Enable Single Sign-On

IAS7.png

Set conditional authentication.

IAS8.png

Go to BTP.

Security –> Trust –> Add: Identity Authentication Tenant / Trusted Identity Provider.

BTP1.png
BTP3.png
BTP5.png
BTP6.png
BTP9.png

Click on Add Trusted Identity Provider and upload the IAS metadata you downloaded.

BTP99.png
BTP10.png

Identity Authentication Service Account Configuration

Create a group in the IAS tenant for “Administrators” of Cloud Platform Mobile Services.

Log in to IAS.

IAS71.png
IAS72.png

Go to Applications and Bundled Applications (Assertion Attributes).

99.png

Cloud Platform Account Configuration

Now, the Cloud Platform account needs to be configured to map the IAS_CPms_Admin group to a group that is granted the desired roles.

Navigate to the “Authorization Management” screen in the Cloud Platform cockpit. Go to the “Groups” tab and click on “New Group”. Create a new group called “MobileServiceAdmin”.

98.png

Similarly create Group “MobileServiceUser” and assign the roles mentioned. This is required for Mobile app users.

SCP/BTP – Navigate to the Trust Management screen, click on the “Application Identity Provider” tab and click on the trusted IdP setting that represents the IAS tenant account.

Log in to BTP.

Similarly add the group for mobile app users.

96.png
95.png
94.png

Now, navigate to “Configure development & Operations Cockpit” (refer to the screen in step 5) and click on “Roles”. Create a new role “MobileServicesCockpitAdministrator” and assign it to the group “MobileServiceAdmin”.

111.png
112.png

Click on “Destinations & Permissions”. Edit the application permissions and select the role “MobileServicesCockpitAdministrator” and save.

114.png

Flowchart for troubleshooting the issue.

Troubleshooting.png
