
SSO Using Azure AD and SAP Netweaver

Mattias
Active Participant
0 Kudos

Hello,

We have a scenario where users want to authenticate using Azure AD and access OData services via SAP gateway in SAP CRM (Netweaver 7.5). Currently we have a setup working where the flow is:

1) The user authenticates to an app registration in Azure AD and gets a JWT token

2) Our web app (server side) uses an Azure Enterprise App to exchange this JWT for a SAML

3) CRM is setup to trust the Enterprise App from step 2, and the web app (server side) calls CRM to get an access token

4) The access token is sent as authentication bearer in the Odata Call to CRM

This works for us, but I'm curious about the other OAuth flow available, with authorization codes instead of SAML2, since this would align our SAP SSO more with our existing authentication flows. However, when I try from Postman I get different error messages, and I cannot really find which endpoints I should use.

This is what I'm currently trying to get my access token from Azure

Then I try to get my bearer from SAP, but fail.

POST /sap/bc/sec/oauth2/token?code=<acces_code_from_step_before>&grant_type=authorization_code&redirect_uri=<redirect_uri_to_our_web_app>

{ "error":"invalid_grant","error_description":"Authorization code has invalid length." }

Since the SAML2 flow works I'm pretty sure the trust is set up correctly, but I'm not sure which endpoints and parameters to use.

This is the OAuth setup

Grateful for all hints

Accepted Solutions (1)

Mattias
Active Participant
0 Kudos

In the end we ended up with a service that created our own SAML Assertion and signed it with a cert that is trusted by Netweaver.

Hi,

I am trying to achieve something similar maybe you can answer some questions for me 🙂

2) Our web app (server side) uses an Azure Enterprise App to exchange this JWT for a SAML

I did the same but used an OBO flow from my registered application to the SAP NetWeaver Enterprise Application, and passing my SAML Bearer to my Token Service via the Trusted IDP setup but got an incorrect Recipient error. How did you get past this issue? How did you generate your SAML assertion? The recipient is tied to the redirect URL and it can't point to the Token service I was sending it to, as it would break if you connected through the browser.

3) CRM is setup to trust the Enterprise App from step 2, and the web app (server side) calls CRM to get an access token

What calls did you make here?

Appreciate the help!

Hello Mattias,

I'm looking to implement the service to service scenario using Azure Enterprise App.

Could you please provide more details into how this was done?

Thanks

Saleel

Mattias
Active Participant
0 Kudos

We generate the SAML from Azure AD by posting to this URL

https://login.microsoftonline.com/<tenant id>/oauth2/token

with the following body as form data

grant_type:urn:ietf:params:oauth:grant-type:jwt-bearer
assertion:<JWT>
client_id:<client id of Azure AD App>
client_secret:<client secret>
resource: <local provider name>
requested_token_use:on_behalf_of
requested_token_type:urn:ietf:params:oauth:token-type:saml2

However, you could use the Node.js service below to generate a SAML, or take the route we finally did and use SAP API Management.
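As an added example in Python (not code from this thread or from Mattias's repository): once the on-behalf-of call above has returned the SAML assertion (assumed to arrive base64-encoded in the response's access_token field), this checks the fields that produce rejections like the "incorrect Recipient" error mentioned earlier, and builds the SAML 2.0 bearer request to /sap/bc/sec/oauth2/token for steps 3 and 4 of the flow in the question. The SAP parameter names, the expected Recipient value and all sample values are assumptions.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def check_assertion(assertion_b64, expected_recipient, expected_audience, now=None):
    """List the mismatches that would make SAP NW's token endpoint reject this
    base64 SAML 2.0 assertion (Recipient, expiry, Audience, signature)."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(base64.b64decode(assertion_b64))
    problems = []
    scd = root.find(".//saml:SubjectConfirmationData", SAML)
    if scd is None:
        return ["no SubjectConfirmationData element"]
    if scd.get("Recipient") != expected_recipient:
        problems.append(f"Recipient {scd.get('Recipient')!r} != {expected_recipient!r}")
    expiry = scd.get("NotOnOrAfter")
    if expiry and datetime.fromisoformat(expiry.replace("Z", "+00:00")) <= now:
        problems.append(f"assertion expired at {expiry}")
    audiences = [a.text for a in root.findall(".//saml:Audience", SAML)]
    if expected_audience not in audiences:
        problems.append(f"Audience {audiences} does not contain {expected_audience!r}")
    # An unsigned assertion is rejected by SAP regardless of the other fields.
    if root.find(".//{http://www.w3.org/2000/09/xmldsig#}Signature") is None:
        problems.append("assertion is not signed")
    return problems

def build_sap_token_request(sap_base_url, sap_client, assertion_b64, oauth_client_id, scope):
    """SAML 2.0 bearer grant (RFC 7522) at /sap/bc/sec/oauth2/token; parameter names
    assumed. Recipient must be this token URL, not /sap/saml2/sp/acs/<client>."""
    url = f"{sap_base_url}/sap/bc/sec/oauth2/token?sap-client={sap_client}"
    body = {
        "grant_type": "urn:ietf:params:oauth:grant-type:saml2-bearer",
        "assertion": assertion_b64,
        "client_id": oauth_client_id,
        "scope": scope,
    }
    return url, body

# Constructed sample: unsigned, with the browser-SSO ACS URL as Recipient.
SAMPLE_XML = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1" Version="2.0">'
    '<saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
    '<saml:SubjectConfirmationData Recipient="https://sap.example/sap/saml2/sp/acs/100" '
    'NotOnOrAfter="2099-01-01T00:00:00Z"/></saml:SubjectConfirmation></saml:Subject>'
    '<saml:Conditions><saml:AudienceRestriction><saml:Audience>SAPNW_100</saml:Audience>'
    '</saml:AudienceRestriction></saml:Conditions></saml:Assertion>'
)
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()
```

Running check_assertion on the sample with the token URL as expected Recipient reports both the Recipient mismatch and the missing signature, which is the kind of output to compare against the error SAP returns.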

Answers (1)

former_member510741
Discoverer
0 Kudos

Hello everyone,


I’ve been pulling my hair out the whole day with a similar scenario. We have a web app that uses Azure AD for authentication, which will consume OData from SAP Gateway. I’m trying to find a way to exchange the JWT for a SAML token but didn’t have any luck so far.

Can someone please shed a light on how to achieve this please?

Any help will be much appreciated!

Regards,

Christiano

Mattias
Active Participant
0 Kudos

I will try to do a write-up of what we did; it's too big for just a comment though.

But in short, what you need to do is:

  • Create an enterprise app in Azure, there's a preconfigured image for Netweaver
  • Set up Netweaver for SAML (tx SOAUTH2) and a trust to Azure; here the devil's in the details

I followed this guide to set it all up

https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/sap-netweaver-tutorial

The flow that we used is:

  1. The user logs on and receives a JWT from the app registration created in Azure
  2. We call Azure AD to exchange this for a SAML2 assertion.
  3. We call SAP NW to exchange this assertion for an access token
  4. Finally the access token can be used to access the OData service

We had issues with step 1, since we have multiple Azure applications that need to access the same SAP system, so we have since then moved on to using SAP API Management instead, so I don't have the details of our setup left, but reading and following the tutorial above should be enough to get you started. Also we use postman to be able to easily test all this.

I also created a small Node.js service that basically takes a JWT, verifies it and then creates a SAML token that can be used by SAP NW, without needing to juggle with Azure AD. I'll upload it to GitHub.

Mattias
Active Participant
0 Kudos

Please see this GitHub repo: https://github.com/trr-official/saml_sap_jwt

It's very basic right now and not a lot of documentation. We're not using it anymore so I did not spend a lot of time on cleaning it up.

Please create issues in the GitHub repo if you have issues, so everyone can follow them.

dominic_wong
Member
0 Kudos

Hello,

I have followed this guide to set everything up.

https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/sap-netweaver-tutorial

I have passed the tests and the SSO is working, but I don't understand the part of SAP Netweaver for OAuth. I have configured the OData Service in SAP Gateway and OAuth 2.0 Client. What would be the next step to test it? How to call the Azure AAD to get the SAML assertion that can be consumed by SAP NW and call SAP NW with that assertion to exchange for an access token? Is it possible that you can list out the endpoints with parameters that you have called?

In the above comments, a JWT token is received from Azure. What is the endpoint to call and get this token in Azure?

From the guide, the reply URL in the Enterprise Application should be "[SAP NW server name]/sap/saml2/sp/acs/[client no]", but for OAuth, the reply URL should be "[SAP NW server name]/sap/bc/sec/oauth2/token?sap-client=[client no]". How to resolve this?

I am sorry that I have so many questions.

Dominic