AWS IAM Identity Center (successor to AWS SSO) Integration Guide for SAP Cloud Platform Cloud Foundry

Introduction

This document helps you configure IAM Identity Center to facilitate single sign-on (SSO) for SAP Cloud Platform Cloud Foundry using SAML.

Prerequisites

You’ll need the following to set up SSO access to SAP Cloud Platform Cloud Foundry:

Setup instructions

  1. On the Configure page, in the Details section, fill in the Display name and the Description (optional) of the application.

Note

We suggest that you choose a unique display name if you plan to have more than one of the same application.

  2. Log in to SAP Cloud Platform Cockpit as an Administrator.

  3. Choose Cloud Foundry.

  4. Click on Subaccounts, then choose your account.

  5. Click on Security, then choose Trust Configuration.

  6. Click on New Trust Configuration.

  7. Download the IAM Identity Center metadata file and import it into SAP Cloud Platform by clicking on Upload. Then choose Parse.

  8. Insert these values, then click on Save.

     Field                                 Value
     Name                                  AWS SSO
     Description                           AWS SSO
     Status                                Active
     Show SAML Login Link on Login Page    checked
     Link Text                             AWS SSO
     Create Shadow Users During Login      checked

  9. Get the tenant name and region of your SAP Cloud Platform Cloud Foundry account.

  10. Download the SAP Cloud Platform Cloud Foundry metadata file from the URL below. Replace tenantname and region with your account information.

https://tenantname.authentication.region.hana.ondemand.com/saml/metadata

  11. Go back to the IAM Identity Center console page where you are configuring the application.

  12. Under Application metadata, choose Browse and select the metadata file downloaded in step 10.

  13. Choose Save Changes.

  14. Assign a user to the application in IAM Identity Center.
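Before uploading the metadata file from step 10 in step 12, it is worth confirming that it really is service-provider metadata and that its assertion consumer endpoints and signing settings are what you expect. The script below is an added example, not code from the AWS guide or from SAP: it builds the metadata URL from the guide while rejecting tenant and region values that are not plain DNS labels, then summarizes a metadata document and lists anything that should be fixed before the trust is established. The metadata document embedded in it is constructed for the demonstration; the hostnames and the certificate are placeholders, not values from a real tenant.

```python
"""Pre-upload checks on SAP Cloud Platform Cloud Foundry SAML SP metadata.
Added example, not part of the AWS guide; SAMPLE_METADATA is constructed."""
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def metadata_url(tenant: str, region: str) -> str:
    """Build the metadata URL from the guide, refusing anything that is not a
    plain DNS label so a pasted value cannot change the host being fetched."""
    for name, value in (("tenantname", tenant), ("region", region)):
        if not re.fullmatch(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?", value):
            raise ValueError(f"{name} must be a DNS label, got {value!r}")
    return f"https://{tenant}.authentication.{region}.hana.ondemand.com/saml/metadata"


# Constructed SP metadata in the shape the URL returns. The entityID, the ACS
# location and the certificate are placeholders, not values from any real tenant.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://example-tenant.authentication.eu10.hana.ondemand.com">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-BASE64-CERTIFICATE</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-tenant.authentication.eu10.hana.ondemand.com/saml/SSO/alias/example-tenant"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def summarize(xml_text: str) -> dict:
    """Extract what the IdP side needs to know from SP metadata and list
    anything worth fixing before the file is uploaded to IAM Identity Center."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is IdP metadata, not the SP file")

    acs = [(e.get("Binding"), e.get("Location"))
           for e in sp.findall("md:AssertionConsumerService", NS)]
    name_id_formats = [e.text for e in sp.findall("md:NameIDFormat", NS)]
    # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
    signing_keys = [k for k in sp.findall("md:KeyDescriptor", NS)
                    if k.get("use") in (None, "signing")]

    findings = []
    if not acs:
        findings.append("no AssertionConsumerService: the IdP has nowhere to POST the response")
    for _, location in acs:
        if not (location or "").startswith("https://"):
            findings.append(f"ACS location is not https: {location}")
    if sp.get("WantAssertionsSigned") != "true":
        findings.append("WantAssertionsSigned is not true: the SP will accept unsigned assertions")
    if sp.get("AuthnRequestsSigned") == "true" and not signing_keys:
        findings.append("AuthnRequestsSigned is true but no signing certificate is published")

    return {
        "entity_id": root.get("entityID"),
        "acs": acs,
        "name_id_formats": name_id_formats,
        "signing_keys": len(signing_keys),
        "findings": findings,
    }


if __name__ == "__main__":
    print(metadata_url("example-tenant", "eu10"))
    for key, value in summarize(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

Run it against the file you actually downloaded (read it into `summarize`) rather than the embedded sample; an empty `findings` list means the endpoints are HTTPS, the SP demands signed assertions, and a signing certificate is present for the IdP to verify signed authentication requests.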

Verification

Use the following sections to verify the SSO integration.

Note

Ensure that the user performing the verification is logged out of both IAM Identity Center and the application before performing the steps in each section.

Verifying Service Provider Initiated SSO from SAP Cloud Platform Cloud Foundry

  1. Access the SAP Cloud Platform Cloud Foundry Application URL.

  2. On the IAM Identity Center user portal, enter the credentials of a user assigned to the application.

  3. Choose Sign In.

  4. On the SAP Cloud Platform Cloud Foundry Application home page, verify that both SAP Cloud Platform Cloud Foundry Application and IAM Identity Center are logged in with the same user.

Troubleshooting

If sign-in was not successful, see the troubleshooting steps below.

Troubleshooting

Error      Other
Issue      When IAM Identity Center creates a SAML assertion for a user, it uses the value of the 'email' field (if present) from the connected directory to populate the 'Email' attribute in the SAML assertion. Many service providers expect these attributes to contain the user's email address. By default your directory is configured to send 'windowsUPN' in both fields.
Solution   Your directory may be configured to contain the user's email in the 'Email' attribute instead. If so, you may need to change this in your connected directory settings.
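When the row above applies, the quickest way to see what went wrong is to look at the assertion IAM Identity Center actually sent for the user and compare the NameID and the Email attribute with the address the directory holds. The script below is an added diagnostic, not code from the AWS guide or from SAP: it decodes a base64 SAMLResponse (for example the `SAMLResponse` form field of the POST to the application's assertion consumer endpoint, captured in the browser's developer tools during a failed sign-in), lists issuer, NameID and attributes, and flags the case where neither field carries the expected email address. It reads the response only; it does not validate the signature, so it is a troubleshooting aid, not a verifier. The response it builds for the demonstration is constructed and unsigned, and the issuer and IDs in it are placeholders.

```python
"""Decode a SAMLResponse and show what the IdP sent for the user.
Added example, not part of the AWS guide; the sample response is constructed."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Attribute names commonly used to carry the address; compared case-insensitively.
EMAIL_ATTRIBUTE_NAMES = {"email", "mail", "emailaddress"}


def build_sample_response(name_id: str, email: str) -> str:
    """Constructed, unsigned response for the demo; issuer and IDs are placeholders."""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_placeholder-response" Version="2.0">
  <saml:Assertion ID="_placeholder-assertion" Version="2.0">
    <saml:Issuer>https://idp.example.invalid/saml</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">{name_id}</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="Email"><saml:AttributeValue>{email}</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


def inspect_response(saml_response_b64: str, expected_email: str = "") -> dict:
    """Summarize issuer, NameID and attributes of a captured SAMLResponse. When
    expected_email is given, flag the case where neither the NameID nor the
    Email attribute carries it (the windowsUPN-instead-of-email symptom)."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext Assertion (encrypted assertion or a failure response)")

    name_id_el = assertion.find("saml:Subject/saml:NameID", NS)
    name_id = (name_id_el.text or "") if name_id_el is not None else ""
    name_id_format = name_id_el.get("Format", "") if name_id_el is not None else ""
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name") or ""] = [
            v.text or "" for v in attr.findall("saml:AttributeValue", NS)]

    findings = []
    email_values = [v for name, values in attributes.items()
                    if name.lower() in EMAIL_ATTRIBUTE_NAMES for v in values]
    if not email_values:
        findings.append("assertion carries no Email attribute")
    if name_id_format.endswith("emailAddress") and "@" not in name_id:
        findings.append(f"NameID format is emailAddress but value is {name_id!r}")
    if expected_email:
        sent = {v.lower() for v in [name_id, *email_values] if v}
        if expected_email.lower() not in sent:
            findings.append(
                f"expected {expected_email} but the IdP sent {sorted(sent)}; "
                "check which directory attribute (windowsUPN vs email) maps to Email")

    return {
        "issuer": assertion.findtext("saml:Issuer", default="", namespaces=NS),
        "name_id": name_id,
        "name_id_format": name_id_format,
        "attributes": attributes,
        "findings": findings,
    }


if __name__ == "__main__":
    # The UPN-style value in both fields reproduces the symptom from the table above.
    captured = build_sample_response("jdoe@corp.example", "jdoe@corp.example")
    for key, value in inspect_response(captured, "jane.doe@example.com").items():
        print(f"{key}: {value}")
```

A UPN is often shaped like an email address, so the script cannot tell the two apart by format alone; that is why it takes the address you expect from the directory and reports a mismatch against what was actually sent, which is the comparison the table above asks you to make.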

For general troubleshooting problems, please refer to the Troubleshooting Guide.

User Provisioning Types

There are two user provisioning types you need to be aware of: