This application must be created to allow OAuth2-based SSO into the SAP system.

1. Search for Enterprise applications in the Resources tab.
2. Click the New application button.
3. Choose the SAP tab.
4. Select the SAP NetWeaver icon.
5. Under Single sign-on, add the SAML2 option and fill in the mandatory parameters:
   - Reply URL: https://<your SAP system host and port>/sap/bc/sec/oauth2/token. If a non-standard client is used in SAP, append ?sap-client=<client number> to the end, for example https://<your SAP system host and port>/sap/bc/sec/oauth2/token?sap-client=100
   - Identifier (Entity ID): the value must be identical to the Provider Name shown in the SAML2 transaction in the SAP system (SAML2, local provider). We suggest setting it to https://<your SAP system host and port>
   - Sign-on URL and Logout URL: set these according to your system configuration. These values are not critical; if you are not sure, use the values shown in the screenshot above.
6. Fill in the application name and click the Create button at the bottom of the page.
7. Open User Attributes & Claims and click Name ID. Make sure that it is set to the email format and that the source attribute is set to the user principal name.
8. Download the certificate and the configuration XML; both are required in later steps.
9. If you need to restrict access to this app, enable User Assignment Required under Properties and add the authorized users under Users and Groups. If you do not need this restriction, set it to "No".
10. In the Identity Providers application (Bot Management), create a new backend application of the Microsoft type.
11. Paste your Identifier (Entity ID) from Azure into the Backend Application ID URI field.
12. Go to App registrations and find the enterprise app created above.
13. Open Expose an API; the default scope should be listed there. Add the client ID of the application created in Chapter 7, Create Application for Bot Services SSO. This enables the on-behalf-of flow, so that a user from MS Teams can log in to SAP via SSO.