AWS IAM Identity Center (successor to AWS SSO) Integration Guide for SAP Cloud Platform Neo

Introduction

This document helps you configure IAM Identity Center to facilitate single sign-on (SSO) for SAP Cloud Platform Neo using SAML.

Topics

Prerequisites

You’ll need the following to set up SSO access to SAP Cloud Platform Neo:

Setup instructions

  1. On the Configure page, in the Details section, fill in the Display name and the Description(optional) of the application.

Note

We suggest that you choose a unique display name if you plan to have more than one of the same application.

  1. Login to SAP Cloud Platform Cockit as an Administrator.

  2. Choose Neo.

  3. Click on Security, then choose Trust.

  4. Click on the Local Service Provider tab, then click on Edit.

  5. Insert these values:

Field Value
Configuration Type Custom
Principal Propagation Disabled
Force Authentication Disabled

  1. Click on Generate Key Pair, then choose Save.

  2. Click on Get Metadata to download SAP Cloud Platform metadata file.

  3. Click on the Application Identity Provider tab, then choose Add Trusted Identity Provider.

  4. Download IAM Identity Center metadata file from the URL below and upload to Metadata File, by choosing Browse....

  1. For Assertion Consumer Service, choose Assertion Consumer Service.

  2. Click on Save.

  3. Click on Attributes tab, under Assertion-Based Attributes, insert these values: Then choose Save.

Assertion Attribute Principal Attribute
mail email
first_name firstname
last_name lastname

  1. In the SAP Cloud Platform Neo console, click on Security, then choose Authorizations.

  2. To add users, enter the email address in the User field and then assign the subaccount, application and role for the selected user.

  3. Go back to the IAM Identity Center console page where you are configuring the Application.

  4. Under Application metadata, choose Browse and select the Metadata downloaded in step 8.

  5. Choose Save Changes.

  6. Assign a user to the application in IAM Identity Center.

Verification

Use the following sections to verify the SSO integration.

Note

Ensure that the user performing the verification is logged out of both IAM Identity Center and the application before performing the steps in each section.

Verifying Service Provider Initiated SSO from SAP Cloud Platform Neo

  1. Access the SAP Cloud Platform Neo Application URL.

  2. On the IAM Identity Center user portal, type the credentials of a user assigned to the application in the IAM Identity Center user portal.

  3. Choose Sign In.

  4. On the SAP Cloud Platform Application Neo home page, verify that both SAP Cloud Platform Neo Application and IAM Identity Center are logged in with the same user.

Troubleshooting

If sign in was not successful, please see the troubleshooting steps.

Troubleshooting

Error Issue Solution
Other When IAM Identity Center creates a SAML Assertion for a user, it uses the value of the 'email' field (if they are present) from the connected directory to populate the 'Email' in the SAML assertion. Many service providers expect these attributes to contain the user’s email address. By default your directory is configured to send 'windowsUPN' in both fields. Your directory may be configured to contain the users email in the 'Email' attribute instead. If so, you may need to change this in your Connected directory settings.

For general troubleshooting problems, please refer to Troubleshooting Guide.

User Provisioning Types

There are two user provisioning you need to aware of: