SAP has named Microsoft Entra ID as the recommended successor to SAP Identity Management (IdM). Integrating Microsoft Entra ID (formerly Azure AD) as a single sign-on (SSO) solution for an SAP Business Technology Platform (BTP) subaccount enables centralized user management and simplified authentication. Using the SAML 2.0 protocol, Entra ID can be used as an identity provider (IdP) for SAP BTP.

We not only support your company with the technical implementation, but also work with you to develop a future-proof overall concept for central user administration and authentication. Our team is ready to develop a customized solution – from strategic planning to successful implementation.

The following instructions describe the individual steps for setting up Entra ID as an IdP for a subaccount.

1. Downloading the SAML metadata from the SAP BTP subaccount

First, the SAML metadata of the BTP subaccount must be downloaded in order to store it later in Microsoft Entra ID.

  • Log in to the SAP BTP Cockpit.
  • Switch to the subaccount and call up the Security → Trust Configuration area.
  • Download the SAML metadata file required for the configuration in Entra ID.

2. Create an enterprise application in Entra ID

In order for Entra ID to act as an identity provider for SAP BTP, a new enterprise application must be created.

  • Log in to the Microsoft Entra Admin Center.
  • Open the Enterprise Applications area and click on New Application.
  • Select the SAP Cloud Platform option.
  • Create and save the application.

Note: In order to use the application, users or groups must be authorized accordingly.

3. Configuration of SSO in Entra ID

Once the enterprise application has been created, single sign-on is configured using the SAML protocol.

  • Call up the Single Sign-On (SSO) area in the newly created application.
  • Select SAML as the authentication method.
  • Upload the SAML metadata file previously exported from SAP BTP.

4. Customization of the SAML configuration

After uploading the metadata, some configuration values must be checked under Basic SAML configuration and adjusted if necessary.

  • Enter the entity ID and the login URL from the BTP metadata.
  • Save the changes.

Note: The URL for the subaccount is composed according to the following scheme – https://<subdomain>.authentication.<region>.hana.ondemand.com
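The check in step 4 can be scripted before the file is uploaded. The following is an added example, not part of the original instructions or of SAP or Microsoft tooling: it parses the service provider metadata and confirms that every assertion consumer endpoint (and the entity ID, when it is a URL) uses HTTPS and the exact subaccount host from the scheme above. The function name, the sample metadata and the `demo-sub` / `eu10` values are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample, not real BTP output; real metadata also carries certificates
# and its endpoint paths may differ.
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://demo-sub.authentication.eu10.hana.ondemand.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://demo-sub.authentication.eu10.hana.ondemand.com/saml/SSO"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def check_sp_metadata(xml_text, subdomain, region):
    """Return (entity_id, acs_urls, problems) for a SAML SP metadata document."""
    # Host built from the scheme <subdomain>.authentication.<region>.hana.ondemand.com
    expected_host = f"{subdomain}.authentication.{region}.hana.ondemand.com".lower()
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID", "")
    acs_urls = [e.get("Location", "") for e in
                root.iterfind(".//md:SPSSODescriptor/md:AssertionConsumerService", NS)]
    problems = []
    if not entity_id:
        problems.append("entityID attribute is missing")
    if not acs_urls:
        problems.append("no AssertionConsumerService endpoint found")
    candidates = [("ACS", u) for u in acs_urls]
    if urlsplit(entity_id).scheme:  # only URL-shaped entity IDs are host-checked
        candidates.append(("entityID", entity_id))
    for label, url in candidates:
        parts = urlsplit(url)
        if parts.scheme != "https":
            problems.append(f"{label} is not HTTPS: {url}")
        # Exact match, so look-alike hosts with an extra suffix are rejected.
        if (parts.hostname or "") != expected_host:
            problems.append(f"{label} host is not {expected_host}: {url}")
    return entity_id, acs_urls, problems


if __name__ == "__main__":
    entity_id, acs_urls, problems = check_sp_metadata(SAMPLE, "demo-sub", "eu10")
    print("Entity ID:", entity_id)
    print("Reply URLs:", acs_urls)
    print("Problems:", problems or "none")
```

The returned entity ID and endpoint URLs are the values to compare against what Entra ID shows under Basic SAML configuration after the upload.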

5. Export of federation metadata from Entra ID

Once the configuration in Entra ID has been completed, the federation metadata must be exported in order to store it later in SAP BTP.

  • Download the Federation Metadata XML in the SAML certificates area.

6. Uploading the Entra ID SAML metadata to SAP BTP

The Federation Metadata XML downloaded from Entra ID must now be imported into SAP BTP.

  • Switch to Trust Configuration again in the SAP BTP Cockpit.
  • Create a new SAML Trust Configuration.
  • Upload, name and save the XML file exported from Entra ID.

Result

After completing these steps, the SSO authentication for the SAP BTP subaccount with Entra ID has been successfully set up. Users can now log in securely and conveniently with their Microsoft accounts without having to manage separate access data for SAP BTP.

