How to Configure MS ADFS 3.0 as Identity Provider for SAP HANA Cloud Platform

This post is a step-by-step configuration guide and it will help you to understand the steps and specifics to configure MS ADFS 3.0 (Microsoft Active Directory 3.0) as Identity Provider (IdP) for SAP HANA Cloud Platform (SAP HCP).
In this post, you see how to enable the MS ADFS 3.0 as IdP for your applications in SAP HCP.

1. How it Works

By default, SAP HCP uses SAP ID Service as identity provider based on SAML 2.0. In addition, SAP HCP supports identity federation and single sign-on with external identity providers. In this case, we will the focus on MS ADFS 3.0 as external IdP for SAP HCP. It means we will configure SAP HCP to authenticate users on MS ADFS 3.0, instead of SAP ID Service. The following steps can describe the authentication process in a simple way:

a. User requests access to an application on SAP HCP thru the browser.
b. SAP HCP request user authentication on MS ADFS.
c. User authenticates on MS ADFS.
d. The user receives a redirect to SAP HCP and holds a SAML 2.0 Assertion in order to access the application.
e. User get access to the application

2. Prerequisites

Below you find a list of the prerequisites:
a. An SAP HCP account (In my case, I’m using an SAP HCP trial account).
b. SAP MS ADFS 3.0 configured and working with SAML 2.0.
c. IoT service enabled on SAP HCP. (If you don’t know how to do it, please follow this link).
Note: As you can see, the installation of MS ADFS 3.0 is not a subject of this blog.

3. Gettting Metadata File From MS ADFS 3.0

Before starting the SAP HCP configuration, I really recommend you to get the metadata XML file from MS ADFS. The metadata file contains information about certificates, URLs, algorithms and so on, which are required to configure the Federation between SAP HCP and MS ADFS.
The MS ADFS 3.0 provides an URL where you can access and download the Metadata; It has the following structure: https:///FederationMetadata/2007-06/FederationMetadata.xml, of course you need to replace the with the full-qualified name of your ADFS server.

4. SAP HCP Configuration.

4.1 Creating a Trusted Identity Provider

Let’s work! Now you have all you need to configure your SAP HCP to work with MS ADFS as IdP, therefore follow the instructions below:
a) Go to SAP HCP Cockpit.
b) On the menu, click on “Trust”.
c) Click on folder “Trusted Identity Provider”.
d) Click on link “Add Trusted Identity Provider”.

It’s time to import the Metadata file from MS ADFS on SAP HCP. In the folder “General”, click on Button “Browse” and import the FederationMetadata.xml file. The fields will be automatically populated with the data from the metadata file, but you need to fix some fields, see the instructions below:
a) Setup Assertion Consumer Service from Application Root to Assertion Consumer Service
b) Change the SSO URL to https:///adfs/ls/idpinitiatedsignon.aspx?logintoRP=https://hanatrial.ondemand.com/

Example:

ADFS FQDN = idp.example.com
SAP HCP Account User: p1942090147
https://idp.example.com/adfs/ls/idpinitiatedsignon.aspx?logintoRP=https://hanatrial.ondemand.com/p1942090147

c) Change the Signature algorithm from SHA-1 to SHA-256
d) Leave the option “Only for IDP-Initiated SSO” unchecked.


4.2 Rebuilding the Local Provider Configuration

The local provider needs to be recreated in a custom way. In other words, you need to rebuild the local provider in order to get the metadata file from SAP HCP.
In this case, we will perform a simple rebuild of the local provider. Follow the instructions below:
a) In the Menu “Trust”, click on folder “Local Service Provider”
b) Click on button “Edit”

Follow the instructions below in order to setup a new local provider:
a) Change configuration type to “CUSTOM”
b) Fill the “Local Provider Name” with a URL based on the following rule:
https:///
Example: https://hanatrial.ondemand.com/p1942090147
c) Click on button “Generate Key Pair” in order to create new keys for signing and the certificate.
d) Enable Principal Propagation
e) Disable the option “Force Authentication”

4.3 Getting Metadata File from SAP HCP

Once you have created a custom configuration for a local provider then you can perform this step.
An option to get the Metadata file will be available after you save the custom configuration for “Local Service Provider”. Therefore, click on link “Get Metadata” and save the file.


4.3 Create a Relying Party Trust 

Creating a relaying party trust on MS ADFS 3.0 is easy, but you need to pay attention for each step presented here.

a) Open MS ADFS Management and expand three menu up to “Relying Party Trusts”.
b) Click on “Add Relying Party Trust”

Configure a new Relying Party Trust in thirty clicks on fourteen screenshots;

1) Click on next
adfs-hcp-10-a
2) Select “Import data about the relying party from a file”. Do you remember the Metadata file you save? You need it now.
3) Click on “Browse” and select the Metadata file you saved.
4) Click on Next.
adfs-hcp-10-b
5) Give a name, for example SAP HCP
6) Enter a description.
7) Click on Next.
adfs-hcp-10-c
8) Select “I don’t want to configure multi-factor authentication setting for this relying party trust at this time”.
9) Click on “Next”.
adfs-hcp-10-d
10) Select “Permit all users to access this relying party trust”.
11) Click on button “Next”
.adfs-hcp-10-e
12) Just perform a click on “Next”
.adfs-hcp-10-f
13) Check the box “Open the Edit Claim Rules dialog for this relying party trust when the wizard closes”
.adfs-hcp-10-g
14) Click on “Add Rule”.
adfs-hcp-10-h
15) Select “Send LDAP Attributes as Claims” for Claim Rule Template.
16) Click on Next.
adfs-hcp-10-i
17) Give a name for the rule, in this case I gave “R1”.
18) Choose Active Directory for Attribute store option.
19) Mapping Attribute: “SAM-ACCOUNT-NAME” to “Given Name”
20) Click on Next.
adfs-hcp-10-j
21) Click on “Add Rule”.
adfs-hcp-10-k
22) Select “Transform Incoming Claim” for for Claim Rule Template.
23) Give a name for the rule, in this case I gave “R2”.

24) Choose “Given Name” for Incoming Claim Type.
25) Choose “Name ID” for Outgoing Claim Type.
26) Choose “Unspecified” for Outgoing Name ID format
27) Select: Pass through all claim values
28) Click on “Next”.
adfs-hcp-10-l
29) Click on “Apply”
30) Click on “Ok”

Done! Just close ADFS Management.


4.5 Mapping Users 

At this point we will create a mapping for all users, the users exists only in MS ADFS. You don’t need to create users in SAP HCP, but you need to create groups to give access to your Applications. In this case, we will create a group and link it to IdP (MS ADFS).

4.5.1 Create a Group

Go back to SAP HANA Cloud Platform Cockpit and perform the following activities:

a) Click on “Authorizations” in the right side of the screen.
b) Click on folder “Groups”.
c) Click on “New Group”.

d) Give a name to the group. In my case I used “demo-sso”.
e) Give the following role to the group “demo-sso!.

Note: Do not forget to click on button “Save”.

4.5.2. Mapping Group to IdP

Perform the following tasks:

a) On the SAP HANA Cloud Cockpit, click on menu “Trust”.

b) Click on folder “Trusted Identiity Provider”.

c) Click on IdP name.

d) Click on folder “Groups”.

e) Select the group you’ve created.

f) Click on “Save”.

You can create access for specific group, for example, you can combine groups and permission and map these groups adding assertion-based group. But it is a subject for another blog.

At this time, the users can access the IoT Cockpit with SAML 2.0.

4.5.3 Test

a) Ensure that IoT Cockpit is activate in your instance.
b) Ensure that you got the URL for Iot Cockpit of your instance.
c) Open the browser in a private mode. It is just to confirm that a identity will be required.
d) Activate the developer tools; Press F12 in Google Chrome and click on Network and check the Preserve Log box.
e) Enter the link of the IoT Cockpit, see the example:

https://iotcockpitiotservices-p1941111trial.hanatrial.ondemand.com/com.sap.iotservices.cockpit/

Lets understand, see my screenshot below:

The user is “simpson” (SAM-Account name on Active Directory).

Following the Browser’s sequence:

  • User open his browser and put the IoT URL.
  • User’s browser receives an redirect the user to MS ADFS login URL.
  • The user is logged on Windows Network and has a Kerberos ticket, therefore the user gets a SAML 2.0 assertion from MS ADFS and User’s browser moves to SAP HCP Authentication endpoint.
  • User authenticates on SAP HCP with their SAML 2.0 Assertion and receives an redirect to the IoT Cockpit.

Remember: you do not need to create the users on HCP, you just need to create groups and give the access.

See you on next blog.

Configuring MS ADFS 3.0 as Identity Provider for SuccesFactors

Many companies are using MS ADFS 3.0 as Identity Provider (IdP) to authenticate users with SAML2 protocol and all of them are enabled to use ADFS with SuccessFactors (SFSF) too. Also many companies prefer to keep their users managed in the Corporate Network instead of managing users in the cloud services.

This post will show you how it’s easy to configure ADFS to work with SuccessFactors.

ADFS-SFSF-INTEGRATION

Due to the nature of the integration between two or more systems, it’s necessary some explanation about the tasks and responsibilities. The table below is a responsibility matrix, keep in your mind that’s a basic suggestion and the idea is to identify the tasks of each team or person.

Action

TASK

Responsible

1. Configure MS AD FS.

  • Check ADFS availability
  • Validate Infrastructure
  • Provide access from Corporate Network to SuccessFactors Cloud Services

Company

2. Deliver the forms.

  • SAP/SuccessFactors Consultant must request information, certificate and others, thru the form.

SAP/SuccessFactors

3 Fill out the forms

  • The forms must be filled and returned to SAP/SuccessFactors.

Company

4. Cloud Configuration

  • Configure SSO environment as requested in the form

SAP/SuccessFactors

5. Test SSO

  • Provide authentication tests for SSO with SMAL 2.0

Company

6.Validation

  • After the tests the customer team must confirm the architecture and the results.

Company

Keep in your mind that we are considering that MS ADFS is working and do not forget, the MS ADFS must be allowed to handle Web SSO tokens with SAML 2.0. The installation of MS ADFS will not be showed in this post.

Step 1 – MS ADFS 3.0 Version and Patches

I really recommend you to check on the Microsoft site if there are patches to be applied in your environment.

Step 2 – Metadata and certificates from SAP/SuccessFactors

In order to configure the MS ADFS you need to request some files from SuccessFactors. These files will provide a metadata and certificates to be used in ADFS.

Also you need to send the metatada from  ADFS to SuccessFactors. It’s quite simple, just open your browser and use the following URL https://<SERVER>/FederationMetadata/2007-06/FederationMetadata.xml. Do not forget to repalce  <SERVER> with your server address.

Export certificates used by ADFS to communicate, sign and encrpyt is not mandatory, but you can save some time doing it. To export them, open your ADFS Management from Server Manager and follow the sequence below:

adfs-management-access-001-300x205

 

2.1 In the left side of the ADFS Management has a tree view, click on Service node.

adfs-management-access-002

2.2 Go to Certificates, all certificates will appear in the right side of the ADFS Management.

adfs-management-access-003a.jpg

2.3 Perform and right click on the commnication certificate and choose “view certificate”.

adfs-management-access-004

 

2.3 In a new window select the folder “Details” and click on button labeled as “Copy to File…”

adfs-management-access-005

2.4 In the certificate export wizard window click on “Next” button.

adfs-management-access-006

2.5 Select the option “No, do not export the private key” in order to export only the Public key. Click on “Next” button.

adfs-management-access-007

2.6 Select BASE-64 encoded X.509 in order to export the certificate as BASE64. Click on “Next” button.

adfs-management-access-008

2.7 Select the path and the file name which will be created.

adfs-management-access-009

2.8 Communication Certificate was exported, click on “Finish” button.

adfs-management-access-010

2.9 Repeat the process for Encryption and Signature certificates, do not forget to give a unique file name for each certificate.

adfs-management-access-011

 

 

2.10 Open the file saved for communication certificate and go to Certification Path.

 

adfs-management-access-013

2.11 In order to avoid missing of information,CA Root in certification path can be exported too. Perform a double click on CA Root.

adfs-management-access-014

 

Execute the same procedure have you done to export others certificates.

adfs-management-access-015

 

 

These files will be sent to SAP/SFSF together with the metadata xml file.

Step 3 – Configure MS ADFS

3.1 Open ADFS Management (Start the ADFS Management in the server) and start the wizard to add a Relying Party Trust for SFSF Cloud Service

adfs-1a.gif

3.2 Select option “Import data about the relying party from a file”

adfs-1b

3.3 Add the configuration from Metadata.xml file

adfs-1c.gif

3.4 Specify the display name of the Claim

adfs-1d

3.5 Check the option “Permit all user to access this relying party”

adfs-1e

3.6  Confirm the certificate for Encryption

adfs-1f

 

adfs-1g

3.7 Flag this option in order to configure the Claim Rules

adfs-1h.gif

3.8 Click on “Add Rule” button to create new rules. Two new rules must be configured in Claim Rules

adfs-1i

3.9 The new rule is related to LDAP attributes; Therefore choose “Send LDAP Attributes as Claims” and click on “Next”

adfs-1j
3.10 Define the rule name as you want, choose Active Directory in the attribute store. In the mapping select SAM-Account-Name for LDAP Attribute and choose Given Name for Outgoing Claim. Click on the “Finish” button.

adfs-1k
3.11 Create another rule

adfs-1l

3.12 Choose the option “Transform an Incoming Claim” and click on “Next”

adfs-1m

3.13 Give some name for the rule. Incoming type is “Given Name” and outgoing type is “Name ID”. Outgoing name ID forma must be “Unspecified”. Finish this configuration

adfs-1n

3.14 Close this window clicking on OK button

adfs-1o

 3.15 Close MS ADFS window and enjoy your SAML2 provider.

It will work only after the SuccessFactors has finished the configuration of their environment.

In the same way MS ADFS can be configured to provide identity for SAP NW GATEWAY and SAP PORTAL.