
Corporate User Store

Authenticating user credentials on SAP Cloud Platform against a Corporate User Store located in the customer's on-premise network.

This blueprint provides common information, guidance, and direction for implementing a Corporate User Store as the user repository, together with the SAP Cloud Platform Identity Authentication service, for applications on SAP Cloud Platform. It lets you use one common source of identities for all your cloud-based applications, and it relies on a standard, internationally adopted authentication method: SAML assertions.

Overview

SAP Cloud Platform is an essential part of SAP’s digital strategy. It is the platform for our customers’ and partners’ transformation journey toward digital business models. This open platform as a service (PaaS) provides unique in-memory database and application services. It is the proven cloud platform that enables you to rapidly develop new applications or extend existing ones, all in the cloud.

User authentication is the method of determining whether someone is who they say they are. There are several ways of authenticating users on SAP Cloud Platform. In this particular scenario we look at authentication using a Corporate User Store.

Customers have already spent time and resources implementing an LDAP (Lightweight Directory Access Protocol) server or another user store for other application systems within their corporations. This scenario lets them reuse those resources with SAP Cloud Platform.

Technical Scenario

Almost every application a business runs needs to verify (authenticate) who its users are. On SAP Cloud Platform, one way to do that is to have the application authenticate its users against a corporate user store that the customer has already established in their own network.

Solution Description

In this setup, SAP Cloud Platform uses an existing LDAP system within the customer's own network together with the SAP Cloud Platform Identity Authentication service for user authentication. For the integration, you must establish trust between the SAP Cloud Platform tenant (the service provider) and the SAP Cloud Platform Identity Authentication tenant (the identity provider). When a user requests a protected resource of an application deployed on SAP Cloud Platform that requires SAML authentication, the user is redirected to the logon page of the Identity Authentication service to provide credentials. The credential check is then proxied from the Identity Authentication service into the customer's network, through the Cloud Connector, to the user store.

Once the above configuration is done, the Corporate User Store acts as the repository of user identities and the SAP Cloud Platform Identity Authentication service acts as a trusted IdP for SAP Cloud Platform. All services on SAP Cloud Platform are then authenticated via the Identity Authentication service. For the integration you need to make configurations in the SAP Cloud Platform cockpit, and you also need access to the administration capabilities of the user store in the on-premise network. The configurations made in the SAP Cloud Platform administration console do not affect authentication for the cockpit itself, which is carried out via the SAP-defined tenant, SAP ID service; cockpit access can, however, be configured to use the Corporate User Store if desired.

When developing applications for SAP Cloud Platform, it is up to the application developers to enable authentication in their application by selecting the authentication method. For this solution the method is FORM (SAML 2.0); for Java applications this is the auth-method declared in the login-config of the application's web.xml.

Solution Benefits

Having a standardized method of authentication means that you only have to do the system authentication configuration once. All application programs can use the same already developed APIs for implementing authentication. SAML is a standardized format designed to interoperate with any system, independently of how that system is implemented.

Standardization also provides a common user experience. This covers the look and feel of the logon screens, but SAML also lets users securely access multiple applications with a single set of credentials entered only once.

Security is of utmost importance for enterprise applications, especially in the cloud. The IdP provides a single point of authentication, and SAML is used to assert the resulting identity to other systems. This means that applications do not have to store credentials themselves, which leaves fewer places where identities can be breached or stolen.

Since the Corporate User Store has already been implemented by the customer, there is a high probability that they have also established an SSO connection to their on-premise backend systems. This saves time when configuring the third part of the security process, single sign-on.

Background Information

SAP Cloud Platform offers many methods of authentication to verify and validate the identities of application users, so it is important to understand some of the types. The most common type of authentication between the user and a cloud-based application is FORM (SAML2).

Authentication Types

FORM or SAML2 - FORM authentication implemented over the Security Assertion Markup Language (SAML) 2.0 protocol. Authentication is delegated to SAP ID service or to a custom identity provider.

BASIC - HTTP BASIC authentication delegated to SAP ID service or to an on-premise SAP NetWeaver AS Java system. Web browsers prompt users to enter a user name and password. By default, SAP ID service is used.

CERT - Used for authentication only with a client certificate.

BASICCERT - Used for authentication either with a client certificate or with a user name and password.

OAUTH - Authentication according to the OAuth 2.0 protocol with an OAuth access token.

Solution Diagram

SAP Cloud Platform is the extension platform for SAP. It enables developers to develop loosely coupled extension applications securely, thus implementing additional workflows or modules on top of the existing solution they already have.

SAP Cloud Platform supports application scenarios for consumers (B2C), for partners (B2B), and for employees (B2E). The solution provided in this blueprint is available for all three scenarios. All types of users will be asked to authenticate. 

Reference Solution Diagram

The following diagram of the solution illustrates a basic architectural pattern for implementing authentication using a Corporate User Store that resides in the customer's on-premise network.

  1. Employee opens the app and requests service access
  2. Service request is redirected to the IdP for authentication
  3. User is challenged for credentials
  4. The user provides credentials
  5. The credentials are received by the SAP Cloud Platform Identity Authentication service, which proxies the credential check to the Corporate User Store through the Cloud Connector
  6. IdP issues a valid SAML assertion
  7. The request returns to the service on the cloud platform with the SAML assertion (authentication is completed at this point)

Note: The on-premise systems and the other cloud systems are depicted above for completeness of the overall landscape picture. In the case of authentication using a Corporate User Store, the user identity has now been established on the cloud platform. The next steps, authorization (determining what a user has access to) and single sign-on (accessing other system resources without authenticating again), are covered in other blueprints. For more information, see the SAP Cloud Platform authorization blueprint.


Solution Components 

The following list describes the main components needed to implement this scenario and the role they play in the overall solution: 

User Network

End user – The person who is running the SAP Cloud Platform application. This is the entity being authenticated.

SAP Cloud Platform

SAP Cloud Platform Identity Authentication service – A cloud solution for identity lifecycle management for SAP Cloud Platform applications and for on-premise applications. It provides services for authentication, single sign-on, and on-premise integration.

Connectivity Service - The connectivity service allows SAP Cloud Platform applications to securely access remote services that run on the Internet or on premise.

Generic SAP Cloud Platform service – To keep the blueprint simplified a generic icon is used since any SAP Cloud Platform Services requiring authentication will act the same way.

On-Premise

Corporate User Store – A repository of user identity information usually stored in an LDAP directory server.

Cloud Connector – Serves as the link between on-demand applications in SAP Cloud Platform and existing on-premise systems.

High Level Implementation Process

This is an overview of the steps needed to implement this blueprint:

  1. Map the corporate user store in the Cloud Connector to make it available to SAP Cloud Platform
  2. Create an OAuth client on SAP Cloud Platform with the right scope
  3. Configure the Corporate User Store in the SAP Cloud Platform Identity Authentication service using the OAuth client ID
  4. Get the SAP Cloud Platform Identity Authentication service metadata – this contains information about the IdP, such as its URL and certificate
  5. Bind the IdP to the SP (SAP Cloud Platform) – this configures SAP Cloud Platform to use the IdP for authentication
  6. Get the SP (SAP Cloud Platform) metadata – this contains information about the SP, such as its URL and certificate
  7. Bind the SP to the IdP – this configuration allows SAP Cloud Platform to use the SAP Cloud Platform Identity Authentication service with the corporate user store for authentication
  8. Configure SAML attributes – these are the attributes the IdP should pass in the SAML assertion to identify the user.
    1. "NameID" – This value identifies the user ID that SAP Cloud Platform uses.
    2. Group – This value is recommended to support identity federation during role assignment in SAP Cloud Platform.

NOTE: If your corporate user store uses a different field for the user identity than the one mapped to NameID, or if you need additional fields, you must map those fields in the Cloud Connector.
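The following is an added example and not code from this page or from SAP: a minimal, service-provider-side check of the SAML assertion that comes back in step 7 of the solution diagram and carries the NameID and Group attributes configured in step 8 of the implementation process. It assumes the assertion's XML signature has already been verified against the IdP certificate obtained from the Identity Authentication metadata (step 4), which it does not do itself; the entity IDs, the assertion consumer URL and the sample assertion are constructed for illustration.

```python
"""Added example, not SAP Cloud Platform code: the checks a SAML 2.0 service
provider makes on an assertion before trusting its NameID and Group values.
Assumes the XML signature was already verified against the IdP certificate
from the IdP metadata; entity IDs and ACS URL below are hypothetical."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

IDP_ENTITY_ID = "https://tenant.accounts.example.com"  # assumed Identity Authentication tenant
SP_ENTITY_ID = "https://app.example.com/sp"            # assumed SAP Cloud Platform SP entity ID
ACS_URL = SP_ENTITY_ID + "/saml2/acs"                  # assumed assertion consumer URL
CLOCK_SKEW = timedelta(minutes=2)                      # tolerated IdP/SP clock difference


class SamlValidationError(Exception):
    """The assertion must not be accepted."""


def _utc(stamp):
    # SAML timestamps are ISO 8601 in UTC, e.g. 2024-05-01T10:00:00Z
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).astimezone(timezone.utc)


def validate_assertion(xml_text, now, idp=IDP_ENTITY_ID, sp=SP_ENTITY_ID, acs=ACS_URL):
    """Return NameID, Group values and all attributes, or raise SamlValidationError."""
    # ElementTree is used for brevity; a real SP relies on its hardened SAML stack
    # (entity expansion disabled, signature verified), not a hand-rolled parser.
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML}}}Assertion":
        raise SamlValidationError("root element is not a saml:Assertion")

    # 1. Issuer must be the IdP we established trust with
    if root.findtext("saml:Issuer", namespaces=NS) != idp:
        raise SamlValidationError("assertion issued by an untrusted IdP")

    # 2. Validity window (with clock skew) and audience restriction
    cond = root.find("saml:Conditions", NS)
    if cond is None or cond.get("NotOnOrAfter") is None:
        raise SamlValidationError("missing Conditions/NotOnOrAfter")
    not_before = cond.get("NotBefore")
    if not_before and now < _utc(not_before) - CLOCK_SKEW:
        raise SamlValidationError("assertion not yet valid")
    if now >= _utc(cond.get("NotOnOrAfter")) + CLOCK_SKEW:
        raise SamlValidationError("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp not in audiences:
        raise SamlValidationError("assertion not intended for this SP")

    # 3. Subject: a NameID plus a bearer confirmation addressed to our ACS URL
    subject = root.find("saml:Subject", NS)
    name_id = subject.findtext("saml:NameID", namespaces=NS) if subject is not None else None
    if not name_id:
        raise SamlValidationError("missing NameID")
    confirmed = False
    for sc in subject.findall("saml:SubjectConfirmation", NS):
        data = sc.find("saml:SubjectConfirmationData", NS)
        if sc.get("Method") != BEARER or data is None:
            continue
        expires = data.get("NotOnOrAfter")
        if data.get("Recipient") == acs and expires and now < _utc(expires) + CLOCK_SKEW:
            confirmed = True
    if not confirmed:
        raise SamlValidationError("no valid bearer SubjectConfirmation for this ACS URL")

    # 4. Attributes: Group is what SAP Cloud Platform uses for role assignment
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return {"name_id": name_id, "groups": attrs.get("Group", []), "attributes": attrs}


def is_valid(xml_text, now, **kwargs):
    """Boolean wrapper around validate_assertion for quick checks."""
    try:
        validate_assertion(xml_text, now, **kwargs)
        return True
    except SamlValidationError:
        return False


# Constructed sample assertion (unsigned, illustration only): user jdoe in two groups
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_example1" Version="2.0"
    IssueInstant="2024-05-01T10:00:00Z">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <saml:Subject>
    <saml:NameID>jdoe</saml:NameID>
    <saml:SubjectConfirmation Method="{BEARER}">
      <saml:SubjectConfirmationData Recipient="{ACS_URL}" NotOnOrAfter="2024-05-01T10:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T10:00:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="Group">
      <saml:AttributeValue>Developers</saml:AttributeValue>
      <saml:AttributeValue>Auditors</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

EXAMPLE_NOW = datetime(2024, 5, 1, 10, 1, tzinfo=timezone.utc)  # inside the validity window
LATE_NOW = datetime(2024, 5, 1, 10, 30, tzinfo=timezone.utc)    # after NotOnOrAfter plus skew

if __name__ == "__main__":
    print(validate_assertion(SAMPLE_ASSERTION, EXAMPLE_NOW))
    print("replayed later:", is_valid(SAMPLE_ASSERTION, LATE_NOW))
```

Running the script prints the NameID and the Group values for the constructed assertion, then reports the same assertion as invalid when replayed after its NotOnOrAfter. The Audience and Recipient checks are what stop an assertion issued for one service provider from being accepted by another; the Group values are the raw material for the role assignment described in step 8. None of these checks is a substitute for signature verification, which is what ties the assertion to the IdP whose metadata you imported.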

Learn more

This blueprint highlights important considerations companies need to analyze when implementing authentication for cloud platform applications. It only provides a high-level overview of the process. It is recommended that you review further information to help you implement your authentication design and develop applications using a cloud-based IdP. The following resources are a starting point:

Corporate User Store - online documentation on how to implement and configure SAP Cloud Platform to use a corporate user store

Enabling Authentication for Java applications – Online documentation on how to do authentication in your Java applications.

Configuring SAML 2.0 Authentication for SAP HANA applications – Online documentation on how to do authentication in your SAP HANA applications.

Authentication for HTML5 applications – Online documentation on how to do authentication in your HTML5 applications.
