Create Azure AD Enterprise Application for SAP Backend
It is necessary to create this application in order to allow oAuth2 based SSO into SAP system.
Step 1. Search for the Enterprise applications in the Resources tab:
Click the button of New application.
Choose the SAP tab.
Look for SAP NetWeaver icon:
Step 2. Under Single Sign On, add the SAML2 option and fill in the mandatory parameters:
Then fill in the application name, and click the Create button at the bottom of the page.
For Reply URL, insert https://<your SAP system host and port>/sap/bc/sec/oauth2/token
Once non-standard client used in SAP, add ?sap-client=<client number> at the end.
Example: https://<your SAP system host and port>/sap/bc/sec/oauth2/token?sap-client=100
For Identifier (Entity ID), value should be same as Provider Name from SAML2 transaction in SAP system (SAML2 – local provider). We suggest set it to https://<your SAP system host and port>
For Sign on URL and Logout URL, provide the settings according to your system configuration (these values are not too critical, if you are not sure, use the settings from the above screenshot).
Then open User Attributes & Claims, and click on Name ID:
NOTE: Make sure that it is set to the email format, and the source attribute is set to the user principal name
Download the certificate and the configuration xml (this will be required for future steps):
If you need to restrict access to this app, under Properties section change the setting of User Assignment Required, and add authorized users to Users and Groups. If you do not need this restriction, set the setting to NO.
Step 3. Under Identity Providers application (Bot Management), create a new backend application of the Microsoft type:
Paste your Identifier (Entity ID) into the field of Backend Application ID URI (from Azure).
Step 4. Go to the App Registrations and find the enterprise app created above:
Open Expose an API, the default scope should be available here. Add the client ID of the application created earlier. This will enable on-behalf flow, and the user from MS Teams will be able to log in to SAP via SSO.