AWS for SAP

Enable Single Sign On for SAP Cloud Platform Foundry and SAP Cloud Platform Neo with AWS SSO

In this blog, we will learn how to integrate SAP Cloud Platform Cloud Foundry and SAP Cloud Platform Neo with AWS Single Sign-On (SSO) so that SAP users sign in with their AWS SSO identity.

AWS Single Sign-On (SSO) is a cloud SSO service that makes it easy to centrally manage SSO access to multiple AWS accounts and browser based business applications. With just a few clicks, you can enable a highly available SSO service without the upfront investment and on-going maintenance costs of operating your own SSO infrastructure. With AWS SSO, you can easily manage SSO access and user permissions to all of your accounts in AWS Organizations centrally. AWS SSO also includes built-in SAML integrations to many business applications, such as Salesforce, Box, and Office 365. Further, by using the AWS SSO application configuration wizard, you can create Security Assertion Markup Language (SAML) 2.0 integrations and extend SSO access to any of your SAML-enabled applications. Your users simply sign in to a user portal with credentials they configure in AWS SSO or using their existing corporate credentials to access all their assigned accounts and applications from one place.

Prerequisites

You need the following for this walkthrough:

  • An organization created in AWS Organizations. (If you don’t already have an organization, one will be created automatically by AWS Single Sign-On.)
  • AWS Directory Service, provisioned either for Microsoft Active Directory or AD Connector. For more information about these services, please refer to the following resources:

Part 1: Enable SAML SSO for SAP Cloud Platform Cloud Foundry using AWS SSO

Solution Overview

The integration between AWS SSO and an SAP Cloud Platform subaccount based on Cloud Foundry uses industry-standard SAML 2.0, with AWS SSO as the identity provider and the subaccount as the service provider. The steps to configure it are as follows.

Step 1: Log on to the AWS Console, launch AWS SSO and add SAP Cloud Platform Cloud Foundry

  • Log on to the AWS Console and launch AWS SSO.
  • Select Manage SSO access to your cloud applications.
  • Select Add a new application.
  • Search for SAP Cloud Platform CF (the catalog entry for SAP Cloud Platform Cloud Foundry).
  • Click on Add application.
  • Provide a unique description.
  • Click on View instructions to get the detailed step-by-step procedure.

Step 2: Set up trust in SAP Cloud Platform with AWS SSO

  • Log in to the SAP Cloud Platform Cockpit as an Administrator.
  • Choose Cloud Foundry.
  • Click on Subaccounts, then choose your account.
  • Click on Security, then choose Trust Configuration.
  • Click on New Trust Configuration.
  • Download the AWS SSO metadata file and import it into SAP Cloud Platform by clicking on Upload, then choose Parse.
    • Metadata File: https://portal.sso.us-east-1.amazonaws.com/saml/metadata/MDM0NTQ0MDI0NTI4X2lucy01ODBhYjc3ZmRjMGExYmM5
  • Insert these values, then click on Save.
    • Name: AWS SSO
    • Description: AWS SSO
    • Status: Active
    • Show SAML Login Link on Login Page: Checked
    • Link Text: AWS SSO
    • Create Shadow Users During Login: Checked
  • Get the tenant name and region of your SAP Cloud Platform Cloud Foundry account.
  • Go back to the AWS SSO console page where you are configuring the application.
  • Under Application metadata, choose Browse and select the metadata downloaded in the previous step.
  • Choose Save Changes.
  • Assign a user to the application in AWS SSO.
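The trust created above rests entirely on the identity-provider metadata you import: its entityID, single sign-on endpoints and signing certificate are what the subaccount will accept assertions from, so the file is worth inspecting before it is uploaded (the same applies to the AWS SSO metadata download in Part 2). The Python example below is added here and is not code from the original post, AWS or SAP. It parses a constructed sample in the general shape of SAML 2.0 IdP metadata and runs the checks a practitioner would make: that the document is identity-provider metadata rather than service-provider metadata, that it carries a signing certificate, that an HTTP-POST endpoint exists, and that every endpoint is HTTPS on the expected host. The instance id, endpoint and certificate bytes are placeholders, not values from a real tenant.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed placeholder: a few DER-looking bytes, not a real certificate.
PLACEHOLDER_CERT_B64 = base64.b64encode(b"\x30\x82\x01\x00placeholder cert").decode()

# Constructed sample in the general shape of SAML 2.0 IdP metadata.  The host,
# instance id and certificate are placeholders, not values from a real tenant.
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://portal.sso.us-east-1.amazonaws.com/saml/assertion/EXAMPLE-INSTANCE-ID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{PLACEHOLDER_CERT_B64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="{BINDING_POST}"
        Location="https://portal.sso.us-east-1.amazonaws.com/saml/assertion/EXAMPLE-INSTANCE-ID"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://portal.sso.us-east-1.amazonaws.com/saml/assertion/EXAMPLE-INSTANCE-ID"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract the trust-relevant fields from SAML 2.0 IdP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        # Service-provider metadata (md:SPSSODescriptor) looks similar but
        # must not be imported as the identity provider.
        raise ValueError("no md:IDPSSODescriptor: this is not identity-provider metadata")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute serves signing and encryption.
        if kd.get("use") in (None, "signing"):
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append("".join((c.text or "").split()))
    endpoints = {}
    for sso in idp.findall("md:SingleSignOnService", NS):
        endpoints[sso.get("Binding")] = sso.get("Location")
    return {"entity_id": root.get("entityID"),
            "signing_certs": certs,
            "sso_endpoints": endpoints}


def check_idp_metadata(info: dict, expected_host_suffix: str = ".amazonaws.com") -> list:
    """Return a list of problems; an empty list means the metadata passed."""
    problems = []
    if not info["entity_id"]:
        problems.append("missing entityID")
    if not info["signing_certs"]:
        problems.append("no signing certificate: assertion signatures could not be verified")
    for cert in info["signing_certs"]:
        try:
            der = base64.b64decode(cert, validate=True)
        except ValueError:
            der = b""
        # A DER certificate is an ASN.1 SEQUENCE, whose first byte is 0x30.
        if not der or der[0] != 0x30:
            problems.append("signing certificate is not base64-encoded DER")
    if BINDING_POST not in info["sso_endpoints"]:
        problems.append("no HTTP-POST SingleSignOnService endpoint")
    for binding, location in info["sso_endpoints"].items():
        url = urlparse(location or "")
        if url.scheme != "https":
            problems.append(f"{binding} endpoint is not HTTPS: {location}")
        if not (url.hostname or "").endswith(expected_host_suffix):
            problems.append(f"{binding} endpoint host is outside {expected_host_suffix}: {location}")
    return problems


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_IDP_METADATA)
    print(info["entity_id"])
    print(check_idp_metadata(info) or "metadata checks passed")
```

To run it against a real download, read the file into a string and pass it to parse_idp_metadata; any non-empty list from check_idp_metadata is a reason to stop and look at the file before clicking Upload. The certificate check deliberately stops at "is this DER"; validity dates and the chain are better checked with your usual certificate tooling.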

Verification

Use the following sections to verify the SSO integration.

Note

Ensure that the user performing the verification is logged out of both AWS SSO and the application before performing the steps in each section.

Verifying Service Provider Initiated SSO from SAP Cloud Platform Cloud Foundry

  • Access the SAP Cloud Platform Cloud Foundry application URL.
  • On the AWS SSO user portal, enter the credentials of a user assigned to the application.
  • Choose Sign In.
  • On the SAP Cloud Platform Cloud Foundry application home page, verify that both the SAP Cloud Platform Cloud Foundry application and AWS SSO are logged in with the same user.

Part 2: Enable SSO for SAP Cloud Platform Neo with AWS SSO

Solution Overview

The integration between AWS SSO and an SAP Cloud Platform subaccount based on Neo uses industry-standard SAML 2.0, with AWS SSO as the identity provider and the subaccount as the service provider. The steps to configure it are as follows.

Step 1: Log on to the AWS Console, launch AWS SSO and add SAP Cloud Platform Neo

  • Log on to the AWS Console and launch AWS SSO.
  • Select Manage SSO access to your cloud applications.
  • Select Add a new application.
  • Search for SAP Cloud Platform Neo.
  • Select Add application.
  • Provide a unique description.
  • Click on View instructions to get the detailed step-by-step procedure.

Step 2: Set up trust in SAP Cloud Platform Neo with AWS SSO

  • Log in to SAP Cloud Platform Neo as an Administrator.
    • Select Security, then choose Trust.
    • Click on the Local Service Provider tab, then click on Edit.
    • Insert these values:
      • Configuration Type: Custom
      • Principal Propagation: Disabled
      • Force Authentication: Disabled
        • You can set Principal Propagation to Enabled if you want to configure principal propagation.
  • Click on Generate Key Pair, then choose Save.
  • Click on Get Metadata to download the SAP Cloud Platform metadata file.
  • Click on the Application Identity Provider tab, then choose Add Trusted Identity Provider.
  • Download the AWS SSO metadata file from the URL https://portal.sso.us-east-1.amazonaws.com/saml/metadata/MDM0NTQ0MDI0NTI4X2lucy00ZmU2NDEwZjcwMTUzODM3 and upload it to Metadata File by choosing Browse.
  • For Assertion Consumer Service, choose Default.
  • Click on Save.
  • Click on the Attributes tab and, under Assertion-Based Attributes, insert these values, then choose Save:
    • Assertion Attribute: mail, Principal Attribute: Email
    • Assertion Attribute: first_name, Principal Attribute: firstname
    • Assertion Attribute: last_name, Principal Attribute: lastname
  • In the SAP Cloud Platform Neo console, click on Security, then choose Authorizations.
  • To add users, enter the email address in the User field and then assign the subaccount, application and role for the selected user.
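The Attributes tab above configures a name-for-name mapping: the subaccount looks in each incoming assertion for attributes literally called mail, first_name and last_name and copies their values into the principal's Email, firstname and lastname. The Python example below is added here and is not code from the original post, AWS or SAP. It applies that same mapping to a constructed sample assertion and reports which required principal attributes end up missing, which is the first thing to check when a user can sign in at AWS SSO but the SAP side shows an empty or wrong name: an attribute the IdP sends under a different name (surname instead of last_name, say) is simply not mapped. The user, issuer and assertion id are placeholders; signature verification and condition checks are outside the scope of the example.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# The mapping from the Neo Attributes tab: SAML assertion attribute name
# -> SAP Cloud Platform principal attribute.
NEO_ATTRIBUTE_MAP = {"mail": "Email", "first_name": "firstname", "last_name": "lastname"}
REQUIRED_PRINCIPAL_ATTRIBUTES = ("Email", "firstname", "lastname")

# Constructed sample assertion (signature and conditions omitted); the user,
# issuer and id are placeholders, not values from a real tenant.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_example-assertion-id" Version="2.0">
  <saml:Issuer>https://portal.sso.us-east-1.amazonaws.com/saml/assertion/EXAMPLE-INSTANCE-ID</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="first_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="last_name"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="department"><saml:AttributeValue>Finance</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def map_assertion_attributes(assertion_xml: str, mapping=NEO_ATTRIBUTE_MAP):
    """Return (principal, unmapped).

    principal: attributes built from the assertion according to `mapping`,
               plus the subject NameID.
    unmapped:  assertion attribute names the mapping does not cover; a
               name-for-name mapping drops these without any error.
    """
    root = ET.fromstring(assertion_xml)
    # Accept either a bare Assertion or a Response that wraps one.
    assertion_tag = f"{{{NS['saml']}}}Assertion"
    assertion = root if root.tag == assertion_tag else root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion found")
    principal = {"NameID": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)}
    unmapped = []
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        if name in mapping:
            # Single-valued attributes become a string, multi-valued ones a list.
            principal[mapping[name]] = values[0] if len(values) == 1 else values
        else:
            unmapped.append(name)
    return principal, unmapped


def missing_required(principal: dict, required=REQUIRED_PRINCIPAL_ATTRIBUTES) -> list:
    """Names of required principal attributes that are absent or empty."""
    return [name for name in required if not principal.get(name)]


if __name__ == "__main__":
    principal, unmapped = map_assertion_attributes(SAMPLE_ASSERTION)
    print("principal:", principal)
    print("unmapped assertion attributes:", unmapped)
    print("missing required attributes:", missing_required(principal))
```

When troubleshooting, the unmapped list is as useful as the missing list: a required attribute showing up there under a slightly different name tells you which side of the mapping to correct.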

Step 3: Complete setup in AWS SSO

  • Go back to the AWS SSO console page where you are configuring the application.
  • Under Application metadata, choose Browse and select the metadata downloaded from SAP Cloud Platform Neo.
  • Choose Save Changes.
  • Assign a user to the application in AWS SSO.

Step 4: Verification

Verifying Service Provider Initiated SSO from SAP Cloud Platform Neo

  1. Access the SAP Cloud Platform Neo application URL.
  2. On the AWS SSO user portal, enter the credentials of a user assigned to the application.
  3. Choose Sign In.
  4. On the SAP Cloud Platform Neo application home page, verify that both the SAP Cloud Platform Neo application and AWS SSO are logged in with the same user.

Conclusion: It is very easy to configure Single Sign-On to simplify operations and make the SAP end-user experience easy. You can use AWS SSO for any enterprise application that supports SAML 2.0. AWS SSO is free to use. If you integrate it with Managed Microsoft AD or AD Connector, you pay for Managed Microsoft AD on AWS or AD Connector according to your use case, as per the pricing linked below.

AWS Directory Services Pricing

Other Directory Services Pricing.

You can use AWS SSO only for browser-based applications that support SAML 2.0. You can enable MFA by following the document linked below.

AWS SSO MFA