Tutorial: Azure Active Directory integration with SAP NetWeaver
In this tutorial, you learn how to integrate SAP NetWeaver with Azure Active Directory (Azure AD). Integrating SAP NetWeaver with Azure AD provides you with the following benefits:
- You can control in Azure AD who has access to SAP NetWeaver.
- You can enable your users to be automatically signed-in to SAP NetWeaver (Single Sign-On) with their Azure AD accounts.
- You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before you begin.
To configure Azure AD integration with SAP NetWeaver, you need the following items:
- An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial here
- SAP NetWeaver single sign-on enabled subscription
- SAP NetWeaver V7.20 required atleast
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
- SAP NetWeaver supports SP initiated SSO
Adding SAP NetWeaver from the gallery
To configure the integration of SAP NetWeaver into Azure AD, you need to add SAP NetWeaver from the gallery to your list of managed SaaS apps.
To add SAP NetWeaver from the gallery, perform the following steps:
In the Azure portal, on the left navigation panel, click Azure Active Directory icon.
Navigate to Enterprise Applications and then select the All Applications option.
To add new application, click New application button on the top of dialog.
In the search box, type SAP NetWeaver, select SAP NetWeaver from result panel then click Add button to add the application.
Configure and test Azure AD single sign-on
In this section, you configure and test Azure AD single sign-on with SAP NetWeaver based on a test user called Britta Simon. For single sign-on to work, a link relationship between an Azure AD user and the related user in SAP NetWeaver needs to be established.
To configure and test Azure AD single sign-on with SAP NetWeaver, you need to complete the following building blocks:
- Configure Azure AD Single Sign-On - to enable your users to use this feature.
- Configure SAP NetWeaver Single Sign-On - to configure the Single Sign-On settings on application side.
- Create an Azure AD test user - to test Azure AD single sign-on with Britta Simon.
- Assign the Azure AD test user - to enable Britta Simon to use Azure AD single sign-on.
- Create SAP NetWeaver test user - to have a counterpart of Britta Simon in SAP NetWeaver that is linked to the Azure AD representation of user.
- Test single sign-on - to verify whether the configuration works.
Configure Azure AD single sign-on
In this section, you enable Azure AD single sign-on in the Azure portal.
To configure Azure AD single sign-on with SAP NetWeaver, perform the following steps:
Open a new web browser window and log into your SAP NetWeaver company site as an administrator
Make sure that http and https services are active and appropriate ports are assigned in SMICM T-Code.
Log on to business client of SAP System (T01), where SSO is required and activate HTTP Security session Management.
a. Go to Transaction code SICF_SESSIONS. It displays all relevant profile parameters with current values. They look like below:-
login/create_sso2_ticket = 2 login/accept_sso2_ticket = 1 login/ticketcache_entries_max = 1000 login/ticketcache_off = 0 login/ticket_only_by_https = 0 icf/set_HTTPonly_flag_on_cookies = 3 icf/user_recheck = 0 http/security_session_timeout = 1800 http/security_context_cache_size = 2500 rdisp/plugin_auto_logout = 1800 rdisp/autothtime = 60
Adjust above parameters as per your organization requirements, Above parameters are given here as indication only.
b. If required adjust parameters, in the instance/default profile of SAP system and restart SAP system.
c. Double click on relevant client to enable HTTP security session.
d. Activate below SICF services:
/sap/public/bc/sec/saml2 /sap/public/bc/sec/cdc_ext_service /sap/bc/webdynpro/sap/saml2 /sap/bc/webdynpro/sap/sec_diag_tool (This is only to enable / disable trace)
Go to Transaction code SAML2 in business client of SAP system [T01/122]. It will open a user interface in a browser. In this example, we assumed 122 as SAP business client.
Provide your username and password to enter in user interface and click Edit.
Replace Provider Name from T01122 to
http://T01122and click on Save.
By default provider name come as
<sid><client>format but Azure AD expects name in the format of
<protocol>://<name>, recommending to maintain provider name as
https://<sid><client>to allow multiple SAP NetWeaver ABAP engines to configure in Azure AD.
Generating Service Provider Metadata:- Once we are done with configuring the Local Provider and Trusted Providers settings on SAML 2.0 User Interface, the next step would be to generate the service provider’s metadata file (which would contain all the settings, authentication contexts and other configurations in SAP). Once this file is generated we need to upload this in Azure AD.
a. Go to Local Provider tab.
b. Click on Metadata.
c. Save the generated Metadata XML file on your computer and upload it in Basic SAML Configuration section to auto-populate the Identifier and Reply URL values in Azure portal.
In the Azure portal, on the SAP NetWeaver application integration page, select Single sign-on.
On the Select a Single sign-on method dialog, select SAML/WS-Fed mode to enable single sign-on.
On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration dialog.
On the Basic SAML Configuration section, perform the following steps:
a. Click Upload metadata file to upload the Service Provider metadata file which you have obtained earlier.
b. Click on folder logo to select the metadata file and click Upload.
c. After the metadata file is successfully uploaded, the Identifier and Reply URL values get auto populated in Basic SAML Configuration section textbox as shown below:
d. In the Sign-on URL text box, type a URL using the following pattern:
https://<your company instance of SAP NetWeaver>
We have seen few customers reporting an error of incorrect Reply URL configured for their instance. If you receive any such error, you can use following PowerShell script as a work around to set the correct Reply URL for your instance.:
Set-AzureADServicePrincipal -ObjectId $ServicePrincipalObjectId -ReplyUrls "<Your Correct Reply URL(s)>"
ServicePrincipal Object ID is to be set by yourself first or you can pass that also here.
SAP NetWeaver application expects the SAML assertions in a specific format. Configure the following claims for this application. You can manage the values of these attributes from the User Attributes section on application integration page. On the Set up Single Sign-On with SAML page, click Edit button to open User Attributes dialog.
In the User Claims section on the User Attributes dialog, configure SAML token attribute as shown in the image above and perform the following steps:
a. Click Edit icon to open the Manage user claims dialog.
b. From the Transformation list, select ExtractMailPrefix().
c. From the Parameter 1 list, select user.userprinicipalname.
d. Click Save.
On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click Download to download the Federation Metadata XML from the given options as per your requirement and save it on your computer.
On the Set up SAP NetWeaver section, copy the appropriate URL(s) as per your requirement.
a. Login URL
b. Azure Ad Identifier
c. Logout URL
Configure SAP NetWeaver Single Sign-On
Logon to SAP system and go to transaction code SAML2. It opens new browser window with SAML configuration screen.
For configuring End points for trusted Identity provider (Azure AD) go to Trusted Providers tab.
Press Add and select Upload Metadata File from the context menu.
Upload metadata file, which you have downloaded from the Azure portal.
In the next screen type the Alias name. For example aadsts and press Next to continue.
Make sure that your Digest Algorithm should be SHA-256 and don’t require any changes and press Next.
On Single Sign-On Endpoints, use HTTP POST and click Next to continue.
On Single Logout Endpoints select HTTPRedirect and click Next to continue.
On Artifact Endpoints, press Next to continue.
On Authentication Requirements, click Finish.
Go to tab Trusted Provider > Identity Federation (from bottom of the screen). Click Edit.
Click Add under the Identity Federation tab (bottom window).
From the pop-up window select Unspecified from the Supported NameID formats and click OK.
Note that user ID Source and user id mapping mode values determine the link between SAP user and Azure AD claim.
Scenario: SAP User to Azure AD user mapping.
a. NameID details screenshot from SAP.
b. Screenshot mentioning Required claims from Azure AD.
Scenario: Select SAP user id based on configured email address in SU01. In this case email id should be configured in su01 for each user who requires SSO.
a. NameID details screenshot from SAP.
b. screenshot mentioning Required claims from Azure AD.
Click Save and then click Enable to enable identity provider.
Click OK once prompted.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
Select New user at the top of the screen.
In the User properties, perform the following steps.
a. In the Name field enter BrittaSimon.
b. In the User name field type email@example.com
For example, BrittaSimon@contoso.com
c. Select Show password check box, and then write down the value that's displayed in the Password box.
d. Click Create.
Assign the Azure AD test user
In this section, you enable Britta Simon to use Azure single sign-on by granting access to SAP NetWeaver.
In the Azure portal, select Enterprise Applications, select All applications, then select SAP NetWeaver.
In the applications list, select SAP NetWeaver.
In the menu on the left, select Users and groups.
Click the Add user button, then select Users and groups in the Add Assignment dialog.
In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the bottom of the screen.
If you are expecting any role value in the SAML assertion then in the Select Role dialog select the appropriate role for the user from the list, then click the Select button at the bottom of the screen.
In the Add Assignment dialog click the Assign button.
Create SAP NetWeaver test user
In this section, you create a user called Britta Simon in SAP NetWeaver. Please work your in house SAP expert team or work with your organization SAP partner to add the users in the SAP NetWeaver platform.
Test single sign-on
Once the identity provider Azure AD was activated, try accessing below URL to check SSO (there will no prompt for username & password)
(or) use the URL below
Replace sapurl with actual SAP hostname.
The above URL should take you to below mentioned screen. If you are able to reach up to the below page, Azure AD SSO setup is successfully done.
If username & password prompt occurs, please diagnose the issue by enable the trace using below URL
Send feedback about: