SAP Cloud Platform Identity Authentication application
You must be signed in as a super administrator for this task.
Using Security Assertion Markup Language (SAML), your users can use their Google Cloud credentials to sign in to enterprise-cloud applications.
Set up SSO via SAML for SAP Cloud Platform Identity Authentication
Here's how to set up Single Sign-On (SSO) via SAML for the SAP® Cloud Platform Identity Authentication application.
Step 1: Set up SAP Cloud Platform Identity Authentication as a SAML 2.0 service provider (SP)
From the Admin console Home page, go to Security > Set up single sign-on (SSO).
To see Security, you might have to click More controls at the bottom.
- Click the Download button to download the Google IdP metadata and the X.509 Certificate.
- Copy the SSO URL and the Entity ID (Issuer ID).
- In a new browser tab, sign in to your production SAP tenant account.
- Go to https://your-domain.accounts.ondemand.com/admin/.
- Go to Identity Providers > Corporate Identity Providers.
- Click the plus (+) icon to add the Google Identity Provider.
- Go to SAML 2.0 Configuration.
- Upload the Google IdP metadata and the X.509 Certificate that you downloaded in Step 3; both are required for the SSO setup.
- Save the changes.
- Go to Applications & Resources > Tenant Settings > SAML 2.0 Configuration.
- Copy the ACS URL and download the SP tenant metadata.
- Sign in to the SAP Cloud Platform using your account.
- Go to Security > Trust.
- Under the Local Service Provider tab, switch to edit mode.
- Change the Configuration Type to Custom.
- Click Save.
- Click Get Metadata to download the SAP Cloud Platform Identity Authentication account metadata.
- Go to the Application Identity Provider tab.
- Click Add Trusted Identity Provider.
- Upload the metadata of your Identity Authentication tenant you downloaded in Step 13.
- Go to tenant account https://your-domain.accounts.ondemand.com/admin/#/applications/.
- Click the Add button to register your application.
- Go to Authenticating Identity Provider and make sure you’ve selected Google as your IdP.
- Go to SAML 2.0 Configuration.
- Upload the SAP Cloud Platform Identity Authentication account metadata you downloaded in Step 19.
- Deploy your own application in the SAP Cloud.
- Proceed to the next section to set up Google as a SAML identity provider (IdP).
- In a new browser tab, sign in to your Admin console as a super administrator.
- Click Apps > SAML apps.
- Click the plus (+) icon in the bottom corner.
- Select the SAP Cloud Platform Identity Authentication item from the list. The values on the Google IDP Information page automatically populate.
- In the Basic application information window, the Application name and Description values automatically populate.
- Click Next.
- In the Service Provider Details section, enter the following URLs into the Entity ID, ACS URL, and Start URL fields:
ACS URL: https://your-domain.accounts.ondemand.com/saml2/idp/acs/your-domain.accounts.ondemand.com
Entity ID: https://your-domain.accounts.ondemand.com
Start URL: None
- Uncheck Signed Response.
When the Signed Response checkbox is unchecked, only the assertion is signed. When the Signed Response checkbox is checked, the entire response is signed.
- The default Name ID is the primary email. Multi-value input is not supported.
- Click Finish.
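As an added example (not part of this Google or SAP documentation), the following Python inspects a SAML response for the signing scope described above: whether the Response, the Assertion, or both carry a signature, and whether Destination and Audience match the ACS URL and Entity ID entered in the Service Provider Details step. It checks structure only and does not verify signatures; the sample response is constructed and the issuer value is a placeholder.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Values from the Service Provider Details step; "your-domain" is the same placeholder.
SP_ENTITY_ID = "https://your-domain.accounts.ondemand.com"
ACS_URL = SP_ENTITY_ID + "/saml2/idp/acs/your-domain.accounts.ondemand.com"

def inspect_response(xml_text):
    """Report signing scope and addressing of a samlp:Response. Structural only:
    signatures are NOT verified here (use an XML-DSig library for that)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    assertions = root.findall("saml:Assertion", NS)
    audience_path = "saml:Assertion/saml:Conditions/saml:AudienceRestriction/saml:Audience"
    return {
        # Signature directly under Response = whole response signed ("Signed Response" checked)
        "response_signed": root.find("ds:Signature", NS) is not None,
        # Signature under every Assertion = assertion-only signing (checkbox unchecked)
        "assertion_signed": bool(assertions) and all(
            a.find("ds:Signature", NS) is not None for a in assertions),
        "destination": root.get("Destination"),
        "audiences": [a.text for a in root.findall(audience_path, NS)],
    }

def check_for_sp(report, expect_response_signature=False):
    """Return the mismatches between a report and the SP configuration above."""
    problems = []
    if report["response_signed"] != expect_response_signature:
        problems.append("Signed Response setting does not match the IdP output")
    if not report["assertion_signed"]:
        problems.append("assertion is not signed")
    if report["destination"] != ACS_URL:
        problems.append("Destination is not the ACS URL")
    if SP_ENTITY_ID not in report["audiences"]:
        problems.append("Audience does not contain the SP Entity ID")
    return problems

# Constructed sample (not a real capture): assertion-only signing, which is what
# the SP expects when Signed Response is left unchecked. Signature bytes elided.
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0" Destination="{ACS_URL}">
  <saml:Issuer>GOOGLE_IDP_ENTITY_ID_PLACEHOLDER</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <ds:Signature><ds:SignatureValue>ELIDED</ds:SignatureValue></ds:Signature>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{SP_ENTITY_ID}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
```

Running `check_for_sp(inspect_response(SAMPLE))` on the sample returns an empty list; a response whose Destination is not the ACS URL, or whose Response element is signed when only the assertion was expected, is reported.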
- Sign in to your Admin console.
- Go to Apps > SAML apps.
- Select SAP Cloud Platform Identity Authentication.
At the top right of the gray box, click Edit Service.
To turn on or off a service for everyone in your organization, click On for everyone or Off for everyone, and then click Save.
To turn on or off a service only for users in an organizational unit:
- At the left, select the organizational unit.
- Select On or Off.
- To keep the service turned on or off even when the service is turned on or off for the parent organizational unit, click Override.
- If the organization's status is already Overridden, choose an option:
- Inherit—Reverts to the same setting as its parent.
- Save—Saves your new setting (even if the parent setting changes).
Learn more about organizational structure.
- Ensure that your SAP Cloud Platform Identity Authentication user account email IDs match those in your Google domain.
- Start your application using the URL which you got after deploying the application in the SAP Cloud.
- Enter your sign-in credentials.
- After your sign-in credentials are authenticated, you are automatically redirected back to your application.
As a super administrator, you can automatically provision users in the SAP Cloud Platform Identity Authentication application.