During the configuration of Task Connect, an integration between ServiceNow and SAP Task Center, we devoted significant effort to security concerns, particularly user authentication and user provisioning. Given the widespread use of Azure as an identity and token provider, we developed a method to synchronize users and groups across ServiceNow, SAP Task Center, and Azure.
In this document you will find the scenario overview, architectural diagrams presenting the different components and how they interact with each other, and the steps to follow to configure the connection between ServiceNow, SAP Task Center and Azure.
1. Scenario overview
The starting point in this scenario is the user’s authentication and the access token issued by the SAP Cloud Identity tenant’s authentication service (IAS), indicated as AT (IAS) APP and returned in step 2 of figure 1 below, following the notation <token type> (<issuer>) <audience>. The complete token exchange is orchestrated by the OAuth 2.0 and OpenID Connect (OIDC) authorization and authentication frameworks and their respective token types: access tokens (AT), refresh tokens (RT) and identity tokens (ID). Thus, AT (IAS) APP is an access token issued by the IAS tenant’s OAuth 2.0 authorization server with an audience set to the business application’s client ID in IAS. All tokens except refresh tokens are formatted as JWTs. Compared to the token exchange in the previous parts of this blog series (see part I, Interoperability and standards, for more details), SAML 2.0 – or more precisely the SAML assertion as an OAuth 2.0 authorization grant defined in section 2.1 of RFC 7522 – is no longer used in this scenario. Instead of transforming between token formats (JWT to SAML and back to JWT), this scenario uses only JWTs for the token exchange. It is important to note that this token exchange requires no direct trust relationship between the application on BTP and Azure AD. The application only trusts the IAS tenant, and the IAS tenant maintains the trust relationship to the Azure AD tenant (and vice versa).
All authentication requests for the business application on BTP (SAP Task Center) are forwarded by the IAS tenant to the Azure AD tenant, which is configured as a corporate identity provider (IdP) in IAS. IAS acts as a proxy: towards the application it is the identity provider, towards Azure AD it is the relying party that delegates authentication to the corporate IdP. The IAS tenant therefore requires an application registration in Azure AD.
Note: For the TaskConnect integration configuration to work, the SAP Task Center should be configured according to the following documentation: https://help.sap.com/docs/task-center/sap-task-center/initial-setup
2. Users authentication and token exchange
The user accesses SAP Task Center, the business application on BTP. The app delegates authentication to the IAS tenant using OIDC: it redirects the user’s browser to the IAS tenant’s OAuth authorization endpoint at https://<IAS tenant name>.accounts.ondemand.com/oauth2/authorize with an OAuth authorization request. Because the user is not yet authenticated at the IAS tenant, the browser is redirected to the IAS tenant’s single sign-on (SSO) endpoint at https://<IAS tenant name>.accounts.ondemand.com/saml2/idp/sso.
The business application is configured in IAS to pass all authentication requests to Azure AD as its corporate IdP, so IAS sends an OAuth authorization request to the Azure AD tenant’s authorization endpoint. Azure AD prompts the user for credentials. Upon successful authentication, Azure AD returns the authorization code to IAS by redirecting the user’s browser to the redirect URI given in the authorization request. IAS redeems the authorization code with an access token request to Azure AD’s token endpoint. Azure AD issues an access token and a refresh token for the authenticated user with an audience set to the IAS tenant’s application registration; the refresh token, RT (AAD) IAS, is cached by IAS for later use in the token exchange (step 5 in figure 1).
The BTP business application then requests a client assertion from the IAS tenant for use in the subsequent token exchange via the IAS tenant’s OIDC proxy. It sends a token request to the IAS tenant’s token endpoint; the POST request is authenticated with the client ID and secret of the business application in IAS. The client assertion returned by IAS is a signed JWT that proves the application’s identity to Azure AD when tokens are requested via the IAS corporate IdP OIDC proxy.
The business application exchanges the IAS-issued ID token for an Azure AD-issued access token via the IAS tenant’s OIDC proxy token exchange endpoint. The POST request passes the base64-encoded IAS ID token of the user in the assertion parameter. The IAS token service sends a refresh token request to Azure AD using RT (AAD) IAS cached in step 5 and obtains a new access token, AT (AAD) APP, for the business application; the business application uses the Azure AD On-Behalf-Of (OBO) flow for this request. Finally, the business application calls ServiceNow with AT (AAD) APP to act on the signed-in user’s tasks. ServiceNow validates the token through its “OIDC provider to verify ID tokens” configuration, which points at the same application registration in Azure AD that issued the access and refresh tokens in step 5.
3. User provisioning – Azure to SAP
Use SAP Cloud Identity Services – Identity Provisioning to provision users from Microsoft Azure Active Directory to SAP Cloud Identity Services – Identity Authentication.
4. User provisioning & SSO – Azure to ServiceNow
Use the ServiceNow enterprise application in Azure to provision users from Microsoft Azure Active Directory to the ServiceNow instance. Use the same ServiceNow enterprise application in Azure to authenticate users from Microsoft Azure Active Directory to the ServiceNow instance.
5. Technical service flow
You need to create an integration user for the SAP technical connection and choose how SAP Task Center authenticates when the technical connection is used (the delta jobs in SAP use this technical connection).
For example, you can use Basic Auth or OAuth:
For Basic Auth, provide the username and password to the team configuring the connection to ServiceNow. Use a dedicated integration user that carries only the roles the connector needs; its credentials are stored in a BTP destination (section 13).
For OAuth, follow these steps in ServiceNow (an account with the admin role is required): open System OAuth -> Application Registry, click New and choose “Create an OAuth API endpoint for external clients”. Configure the record and share the username, user password, client ID and client secret with the team configuring the connection to ServiceNow.
6. Register the application in Azure AD for the IAS tenant and the ServiceNow OIDC provider
The token exchange and OIDC proxy setup between ServiceNow (SN), IAS and the Azure AD tenant requires a trust relationship, which is established by registering a single application in the Azure AD tenant. This registration is used both by the IAS tenant (as OIDC client of Azure AD) and by ServiceNow (as the OIDC provider configuration that verifies ID tokens); each gets its own client secret (steps 7 and 9).
“SAPIASTenant” represents the SAP Cloud Identity Service tenant.
Step 1
Login to Azure Portal (e.g. with your Microsoft 365 E5 developer subscription’s admin account) and select Azure Active Directory from the portal menu.
Select App registrations from the left-side menu.
Step 2
Click + New registration
Step 3
Enter “<SAP IAS Tenant>” for the Name of the new application registration (replace <SAP IAS Tenant> with a friendly name, e.g. SAPIASTenant).
Select “Web” from the dropdown list in the Redirect URI section.
Enter your IAS tenant’s redirect URI in the Redirect URI section’s text field: https://<IAS tenant name>.accounts.ondemand.com/oauth2/callback. Replace <IAS tenant name> with your tenant’s name.
Click Register.
Step 4
Copy the newly generated Application (client) ID to a temporary text file. You will need it later for the ServiceNow OIDC entity (step 19) and for the IAS corporate identity provider (step 54).
Step 5
Select Manifest from the navigation menu to edit the application registration’s manifest file.
Change the value of the field “accessTokenAcceptedVersion” from null to 2, so that Azure AD issues v2.0 tokens whose issuer (https://login.microsoftonline.com/<AAD tenant ID>/v2.0) matches the OIDC discovery document that IAS loads in step 53 and that ServiceNow uses in step 21.
Click Save.
7. Configure trust to the IAS tenant in Azure AD
Trust to the IAS tenant is configured in Azure AD with a client secret of the SAPIASTenant registration; IAS presents it when it requests tokens from Azure AD (step 5 of figure 1). A second secret is created for ServiceNow’s OIDC provider configuration. Both are configured on the same application registration in the following steps. Client secrets expire on the date chosen at creation, so record the expiry and plan the rotation in IAS (step 54) and ServiceNow (step 19) before it lapses.
Step 6
Select the SAPIASTenant app from the list. (created in step 3)
Select Certificates & secrets from the menu and switch to the Client secrets tab.
Click + New client secret.
Step 7
Enter “<SAPOIDCProxy>” for the Description.
Click Add.
Step 8
Click Copy to clipboard in the Value column and paste the value into a temporary text file. You will need it in step 54; the value is shown only once.
Step 9
Create a second secret for ServiceNow:
Enter “<ServiceNow>” for the Description.
Click Add and copy its value as in step 8. You will need it in step 19.
8. Configure permissions and scopes in Azure AD
In this scenario the only custom scope is “ias.access”, exposed by the SAPIASTenant application registration. IAS requests it, together with openid, email and offline_access, from Azure AD in the initial token request (step 5 in figure 1) and again in the refresh token request during the token exchange of section 2. The scope is added to the corporate identity provider in IAS in step 57.
Step 10
Go to Expose an API in the navigation menu.
Click + Add a scope.
Step 11
Accept the default value for the Application ID URI (api://<client id>).
Click Save and continue.
Step 12
Enter “ias.access” for the new Scope name. Provide an Admin consent display name and description.
Click Add scope.
Scope name:
ias.access
Admin consent display name:
IAS Tenant Access
Admin consent description:
Access to SAP Cloud Identity service Application
Step 13
Copy the fully qualified URI of the new scope (api://<client id>/ias.access) to a temporary text file. It will be used in step 57.
Step 14
Add an optional claim to the ID token:
Navigate to Token configuration.
Click + Add optional claim.
Token type: ID
Select “email” and click Add.
Step 15
If a message about required API permissions appears, select the checkbox Turn on the Microsoft Graph email permission (required for the claim to appear in the token) and click Add.
Step 16
Grant admin consent for the permission.
Step 17
Navigate to Authentication.
Scroll down to Implicit grant and hybrid flows.
Under “Select the tokens you would like to be issued by the authorization endpoint”, select only the ID tokens checkbox (leave Access tokens unselected).
Click Save.
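As an added check (this code is not from the page, SAP, ServiceNow or Microsoft), the following Python script reads an exported app-registration manifest and verifies the settings made in steps 3, 5, 11, 12, 14 and 17 in one pass. It assumes the manifest is in the legacy Azure AD Graph manifest format, the one whose accessTokenAcceptedVersion field is edited in step 5; the tenant name, client ID and the sample manifest are constructed placeholders. The ServiceNow Redirect URL added in step 26 is passed as an extra expected redirect URI so that any other registered URI is reported.

```python
"""Added example: consistency check over an exported Azure AD app-registration
manifest (legacy Azure AD Graph manifest format, the one edited in step 5).
Not part of the original page nor of any SAP, ServiceNow or Microsoft tooling."""
import json

IAS_TENANT = "mytenant"                               # assumption: placeholder IAS tenant name
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"    # assumption: placeholder client ID

# Constructed sample manifest, reduced to the fields the check reads.
SAMPLE_MANIFEST = {
    "appId": CLIENT_ID,
    "accessTokenAcceptedVersion": 2,                          # step 5
    "identifierUris": [f"api://{CLIENT_ID}"],                 # step 11 (default Application ID URI)
    "replyUrlsWithType": [                                    # step 3
        {"url": f"https://{IAS_TENANT}.accounts.ondemand.com/oauth2/callback", "type": "Web"}
    ],
    "oauth2AllowIdTokenImplicitFlow": True,                   # step 17: ID tokens
    "oauth2AllowImplicitFlow": False,                         # step 17: access tokens stay off
    "optionalClaims": {"idToken": [{"name": "email", "essential": False}],   # step 14
                       "accessToken": [], "saml2Token": []},
    "api": {"oauth2PermissionScopes": [                       # step 12
        {"value": "ias.access", "isEnabled": True, "type": "Admin"}]},
}


def ias_callback(ias_tenant):
    """Redirect URI registered in step 3."""
    return f"https://{ias_tenant}.accounts.ondemand.com/oauth2/callback"


def check_manifest(manifest, ias_tenant, extra_redirect_uris=()):
    """Return a list of findings; an empty list means every checked setting matches the guide."""
    findings = []
    if manifest.get("accessTokenAcceptedVersion") != 2:
        findings.append("step 5: accessTokenAcceptedVersion must be 2 so tokens carry the v2.0 issuer")
    expected = {ias_callback(ias_tenant), *extra_redirect_uris}
    registered = {r.get("url") for r in manifest.get("replyUrlsWithType") or [] if r.get("type") == "Web"}
    for url in sorted(expected - registered):
        findings.append(f"step 3/26: Web redirect URI missing: {url}")
    for url in sorted(registered - expected):
        # An unexpected redirect URI is a place the authorization code could be sent to.
        findings.append(f"unexpected redirect URI registered: {url}")
    if not manifest.get("oauth2AllowIdTokenImplicitFlow"):
        findings.append("step 17: ID tokens not enabled under Implicit grant and hybrid flows")
    if manifest.get("oauth2AllowImplicitFlow"):
        findings.append("step 17: access tokens via implicit flow are enabled; the guide enables only ID tokens")
    id_claims = {c.get("name") for c in (manifest.get("optionalClaims") or {}).get("idToken") or []}
    if "email" not in id_claims:
        findings.append("step 14: optional claim 'email' missing from the ID token")
    scopes = {s.get("value") for s in (manifest.get("api") or {}).get("oauth2PermissionScopes") or []
              if s.get("isEnabled")}
    if "ias.access" not in scopes:
        findings.append("step 12: scope ias.access is not exposed")
    if f"api://{manifest.get('appId')}" not in (manifest.get("identifierUris") or []):
        findings.append("step 11: Application ID URI is not api://<client id>")
    return findings


def scope_uri(manifest):
    """Fully qualified scope URI copied in step 13 and entered in IAS in step 57."""
    return f"api://{manifest['appId']}/ias.access"


def load_manifest(path):
    """Read a manifest downloaded from the portal (App registrations > Manifest > Download)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    for line in check_manifest(SAMPLE_MANIFEST, IAS_TENANT) or ["manifest matches the guide"]:
        print(line)
    print("scope to paste into IAS:", scope_uri(SAMPLE_MANIFEST))
```

Run it against the real download with check_manifest(load_manifest("manifest.json"), "<IAS tenant name>", ["<ServiceNow Redirect URL>"]) after step 26; an empty list is the expected result, and every stray redirect URI or an accessTokenAcceptedVersion that was silently reset is reported with the step that set it.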
9. Configure Azure as an OAuth OIDC provider on ServiceNow
Step 18
Open the ServiceNow instance
Navigate to All > System OAuth > Application Registry.
Click New, then click Configure an OIDC provider to verify ID tokens.
Step 19
Fill in the form:
Name – A unique name that identifies the OAuth OIDC entity.
Client ID – The Application (client) ID of the application registered in Azure in step 3 (copied in step 4). The instance uses the client ID when requesting an access token.
Client Secret – The ServiceNow client secret of the same application, created in step 9.
OAuth OIDC Provider Configuration – The OIDC provider (ADFS, Auth0, Azure AD, Google, Okta) used to validate the JWT. Click the record of your OIDC provider configuration to check that User Claim and User Field are set appropriately. If you check Enable JTI claim verification, ServiceNow also validates the JTI sent by the provider. See the next step for details.
Clock Skew – The number of seconds of clock difference tolerated when checking the token’s time constraints. The default is 300.
Comments – Additional information to associate with the application.
Application – The name of the application containing this entity.
Accessible from – Select whether the entity is accessible from all application scopes or from this application scope only (all scopes by default).
Enforce Token Restrictions – Select to allow tokens to be used only with APIs that allow this authentication profile. You can grant access using an API access policy; see Create REST API access policy. Default: unselected.
Active – Select the check box to make the OAuth application active.
Redirect URL – The URL of the OAuth application for receiving the authorization code (filled in automatically when the application is saved).
End Session Endpoint URL – The endpoint called after a session ends (not required).
Enable force authentication – Option to enable forced authentication for users (not required).
Step 20
OAuth OIDC Provider Configuration: click the search icon, then New, and fill in:
OIDC Provider – A unique name that identifies the OIDC provider.
OIDC Metadata URL – The OIDC provider’s OpenID Connect metadata document (details in the next step).
User claim: email
User Field: the field in ServiceNow that contains the mail value (the value of the email claim is matched against it to find the user).
Enable JTI claim verification: disabled.
Step 21
In the Azure portal, open the application registered in step 3, click Endpoints on its Overview page and copy the OpenID Connect metadata document URL (https://login.microsoftonline.com/<AAD tenant ID>/v2.0/.well-known/openid-configuration). Use it as the OIDC Metadata URL in step 20.
Step 22
Navigate to OAuth Entity Scopes and add:
offline_access
openid
Click Update.
Step 23
Navigate to the OAuth Entity Profile that was created automatically when the OAuth OIDC entity was saved.
Verify that the Grant type is Resource Owner Password Credentials, then add the OAuth Entity Scopes created in the previous step.
Step 24
Add the Auth Scope: useraccount
Step 25
Open the OAuth OIDC entity created in step 19 and copy its Redirect URL.
Step 26
Open the Azure app registered in step 3 and go to Authentication.
Add the URL from the previous step as a second Web redirect URI (do not remove or replace the URI added in step 3 when the application was created).
Click Save.
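To see what the entity configured in steps 19 and 20 actually enforces, here is an added Python model of the claim checks: issuer taken from the metadata document of step 21, audience equal to the client ID, Clock Skew, User claim and the optional JTI verification. It is not ServiceNow’s code and not from the page; signature verification against the keys behind the metadata document’s jwks_uri is assumed to have succeeded before validate() runs, and the tenant ID, client ID, metadata excerpt and claim sets are constructed placeholders. It also shows why step 20 leaves JTI verification disabled: Azure AD v2.0 tokens carry their token identifier in the uti claim rather than jti.

```python
"""Added example (not ServiceNow code, not from the page): the claim checks behind a
ServiceNow "OIDC provider to verify ID tokens" entity. Signature verification with
the keys at jwks_uri is assumed to have been done before validate() is called."""
import json
import time

TENANT_ID = "11111111-2222-3333-4444-555555555555"   # assumption: placeholder Azure AD tenant ID
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"   # assumption: placeholder SAPIASTenant client ID

# Constructed excerpt of the OpenID Connect metadata document (step 21 / step 53).
SAMPLE_METADATA = json.dumps({
    "issuer": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT_ID}/discovery/v2.0/keys",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token",
})


class ClaimError(ValueError):
    """Any failed check; the caller must reject the token and not map a user."""


class IdTokenPolicy:
    """One instance per OAuth OIDC entity; the constructor arguments mirror its fields."""

    def __init__(self, metadata_json, client_id, user_claim="email",
                 clock_skew=300, verify_jti=False, jti_claim="jti"):
        meta = json.loads(metadata_json)
        self.issuer = meta["issuer"]            # exactly as loaded from the metadata URL
        self.jwks_uri = meta["jwks_uri"]        # where the signing keys come from (not fetched here)
        self.client_id = client_id
        self.user_claim = user_claim
        self.clock_skew = int(clock_skew)
        self.verify_jti = verify_jti
        self.jti_claim = jti_claim
        self._seen = set()                      # replay cache; persist it in a real deployment

    def validate(self, claims, now=None):
        """Return the user claim value to look up in the User Field, or raise ClaimError."""
        now = int(time.time()) if now is None else int(now)
        if claims.get("iss") != self.issuer:
            raise ClaimError(f"issuer {claims.get('iss')!r} != {self.issuer!r} (v1.0 token or wrong tenant)")
        aud = claims.get("aud")
        if self.client_id not in (aud if isinstance(aud, list) else [aud]):
            raise ClaimError("audience does not include this client ID")
        exp = claims.get("exp")
        if not isinstance(exp, int) or now > exp + self.clock_skew:
            raise ClaimError("token expired beyond the configured clock skew")
        nbf = claims.get("nbf")
        if isinstance(nbf, int) and now < nbf - self.clock_skew:
            raise ClaimError("token not yet valid beyond the configured clock skew")
        if self.verify_jti:
            token_id = claims.get(self.jti_claim)
            if not token_id:
                raise ClaimError(f"{self.jti_claim} claim missing (Azure AD v2.0 tokens carry uti, not jti)")
            if token_id in self._seen:
                raise ClaimError("token replayed")
            self._seen.add(token_id)
        user = claims.get(self.user_claim)
        if not user:
            raise ClaimError(f"user claim {self.user_claim!r} missing; add it as an optional claim (step 14)")
        return user


def sample_claims(now):
    """Constructed claim set shaped like an Azure AD v2.0 ID token for this registration."""
    return {
        "iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
        "aud": CLIENT_ID,
        "tid": TENANT_ID,
        "iat": now, "nbf": now, "exp": now + 3600,
        "uti": "constructed-token-id-0001",
        "email": "jane.doe@example.com",
        "preferred_username": "jane.doe@example.com",
    }


def outcome(policy, claims, now):
    """(user, None) when accepted, (None, reason) when rejected."""
    try:
        return policy.validate(claims, now), None
    except ClaimError as err:
        return None, str(err)


if __name__ == "__main__":
    now = int(time.time())
    policy = IdTokenPolicy(SAMPLE_METADATA, CLIENT_ID)            # settings of steps 19-20
    print(outcome(policy, sample_claims(now), now))
    strict = IdTokenPolicy(SAMPLE_METADATA, CLIENT_ID, verify_jti=True)
    print(outcome(strict, sample_claims(now), now))              # rejected: no jti claim
```

With the default settings a token that expired up to 300 seconds ago is still accepted, a v1.0 issuer (https://sts.windows.net/<AAD tenant ID>/) is rejected because it does not match the loaded metadata, and a token without the email claim is rejected even though it is otherwise valid, which is why step 14 is needed. Replay protection keyed on uti (verify_jti=True, jti_claim="uti") works with what Azure AD sends; the ServiceNow option reads jti, so step 20 leaves it disabled.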
10. Setup user provisioning – Azure >> SAP
Step 27
Launch a browser window and access your Azure portal using the URL: https://portal.azure.com/.
You will need to authenticate to your Azure AD using your admin credentials.
Step 28
Click Microsoft Entra ID.
Step 29
Click App Registration >> New registration.
Step 30
Specify a name for your app and click Register.
Step 31
Click API permissions >> Add a permission.
Step 32
Select Microsoft Graph.
Step 33
Click Application permissions.
Step 34
From the list of API permissions, expand User and select User.Read.All.
Step 35
From the API list also select Group >> Group.Read.All and Directory >> Directory.Read.All. Click Add permissions at the bottom of the screen once done. These are tenant-wide, read-only application permissions; provisioning from Azure to IAS needs nothing beyond read, so do not add any write permission.
Step 36
The permissions are not granted by default. To grant them, click Grant admin consent for <your directory> (shown as Default Directory in a default tenant).
Step 37
Click Yes on the popup message and confirm that all permissions are granted.
Step 38
Click Overview from the left panel. Make a note of the Application (client) ID. You will need this later when creating the source system in IPS. Click Add a certificate or secret.
Step 39
Click New client secret.
Step 40
Specify a description and an expiry time for the client secret; choose the shortest expiry your rotation process supports.
Step 41
You should have client secret added successfully. Make a note of the value field as you will need it later when creating the source system in IPS.
Step 42
Navigate to the main overview page of Azure AD and make a note of your Primary domain. You will need this value when creating the source system in IPS.
Step 43
Follow the blog https://community.sap.com/t5/technology-blogs-by-sap/provision-users-from-microsoft-azure-ad-to-sap-cloud-identity-services/ba-p/13546054 and note its hint on filtering users by a group: in the Identity Provisioning source system Properties, add aad.group.filter=displayName eq ‘<group_name>’.
11. Establish trust between the Task Center subaccount and IAS
Step 44
Go to BTP Cockpit -> Security -> Trust Configuration.
Step 45
Click “Establish Trust”.
Step 46
Choose your IAS tenant and confirm.
Note: This creates an OIDC application in IAS for the subaccount.
NB: The Task Center/ServiceNow integration works only with OIDC trust between the Task Center subaccount and IAS.
Step 47
The application created in IAS is the one you configure in section 12 (step 60).
For more information, see: https://help.sap.com/docs/btp/sap-business-technology-platform/establish-trust-and-federation-between-uaa-and-identity-authentication
12. Setup the corporate identity provider and OIDC proxy in SAP Cloud Identity tenant
Step 48
Login as an administrator to your SAP Cloud Identity service administration console at
https://<IAStenant name>.accounts.ondemand.com/admin
Step 49
Go to Identity Providers > Corporate Identity Providers and click Create.
Enter a Display name(e.g. “Azure Active Directory”) and click Save.
Step 50
Click on Identity Provider Type from the Trust settings of the new corporate identity provider.
Step 51
Select OpenID Connect Compliant from the list.
Click Save.
Step 52
Click on OpenID Connect Configuration from the Trust settings of the new corporate identity provider.
Step 53
Enter your Azure AD tenant’s OIDC Discovery URL (https://login.microsoftonline.com/<AAD tenant ID>/v2.0) and click Load.
The Issuer field is populated from the loaded Azure AD tenant’s OIDC metadata.
Step 54
Enter the SAPIASTenant application’s client ID (copied in step 4) in the Client ID field. In the Client Secret field, enter the value of the SAPOIDCProxy secret copied in step 8.
Click Validate.
Step 55
Verify a successful validation of the OIDC configuration.
Click OK.
Step 56
Under Scopes, click + Add.
Step 57
Paste the fully qualified URI of the SAPIASTenant application’s custom scope (api://<client id>/ias.access) copied in step 13 as the new scope.
Click Save.
Step 58
Click + Add again and add the scopes:
“email”
“openid”
“offline_access” (this is what makes Azure AD issue the refresh token RT (AAD) IAS that the token exchange in section 2 relies on)
Click Save.
Step 59
Click Save.
Step 60
Go to Applications & Resources > Applications.
Select the application created by the trust configuration in section 11 (step 47).
Open Attributes.
Step 61
Add an attribute with:
Name: “xsuaa-persist-corporate-idp-token”
Source: Expression
Value: true
Click Save. As its name says, this attribute makes IAS persist the token received from the corporate IdP (Azure AD) for the user, which the OIDC proxy token exchange described in section 2 depends on.
Step 62
Select “Conditional Authentication”.
As the “Default Identity Provider”, choose the Azure provider configured in steps 48-59 and click Save.
13. Configure destinations for SAP in the BTP subaccount
SAP Task Center uses destinations to connect to the ServiceNow task provider.
Client-specific configuration (the endpoints used by the token exchange of section 2):
aadTokenEndpoint: Azure AD token endpoint at https://login.microsoftonline.com/<AAD tenant ID>/oauth2/v2.0/token
iasTokenEndpoint: SAP Cloud Identity service tenant’s token endpoint at https://<IAS tenant name>.accounts.ondemand.com/oauth2/token
iasTokenExchange: SAP Cloud Identity service’s token exchange endpoint for the corporate IdP at https://<IAS tenant name>.accounts.ondemand.com/oauth2/exchange/corporateidp
Step 63
Go back to the SAP BTP Cockpit and navigate to your CF subaccount.
Select Connectivity > Destinations from the navigation menu.
Click New Destination.
Step 64
Enter the following values for the first destination:
Refer to section 5, Technical service flow, for the credentials (Basic Auth user or OAuth client) to enter.
Click Save.
Step 65
Repeat steps 63 and 64 with the following values for the second destination:
Refer to section 9, Configure Azure as an OAuth OIDC provider on ServiceNow, step 21 (the OpenID Connect metadata document).
AuthnContextClassRef = urn:oasis:names:tc:SAML:2.0:ac:classes:X509
clientKey = the client secret
Token Service User = the client ID
Token Service Password = the client secret
Task Center documentation for Third Party destination setup: https://help.sap.com/docs/task-center/sap-task-center/connect-third-party-task-provider-and-sap-task-center
Click Save.
14. Test the scenario
Step 66
Use SAP Task Center Administration app to check the status of the configured connector destination, following: https://help.sap.com/docs/task-center/sap-task-center/working-with-task-center-administration-app
Step 67
Use SAP Task Center Web app, to validate that tasks from the new destination are seen by business users (for more information, see: https://help.sap.com/docs/task-center/sap-task-center/sap-task-center-web-app)
Click OK. Step 56Click + Add Step 57Copy and paste the full-qualified URI of the SAPIASTenant application’s custom scope (api://<client id>/ias.access) copied in step 13 for the new scope. Click Save. Step 58Click+ Add again and add the scope: “email” “openid” “offline_access” Click Save. Step 59Click Save. Step 60Go to Applications & Resources > Applications Select the application from “Establish trust between Task subaccount and IAS” step – step 47Click AttributesStep 61Navigate to Attributes and add Name: “xsuaa-persist-corporate-idp-token” Source: Expression Value: true SaveStep 62Select “Conditional Authentication” In the “Default Identity Provider”, choose the Azure provider configured in steps 48-59, Click Save13. Configure destinations for SAP in the BTP sub-accountSAP Task Center uses destinations to connect to Service Now task provider Client Specific configuration: aadTokenEndpoint: Azure AD token endpoint athttps://login.microsoftonline.com/<AAD tenant ID>/oauth2/v2.0/token iasTokenEndpoint: SAP Cloud Identity service tenant’s token endpoint athttps://<IAStenant name>.accounts.ondemand.com/oauth2/token iasTokenExchange: SAP Cloud Identity service’s token exchange service endpoint athttps://<IAStenant name>.accounts.ondemand.com/oauth2/exchange/corporateidp Step 63Go back to the SAP BTP Cockpit and navigate to your CF subaccount. Select Connectivity > Destinations from the navigation menu. Click New Destination.Step 64Enter the following values for the first destination: Refer to 6. TECHNICAL SERVICE FLOWClick Save.Step 65Repeat steps 63 and 64 with following values for the second destination: Refer to 10. 
CONFIGURE AZURE AS AN OAUTH OIDC PROVIDER ON THE SERVICENOW , step 21.AuthnContextClassRef = urn:oasis:names:tc:SAML:2.0:ac:classes:X509 clientKey = token service password=client secret Token service user = client id Task Center documentation for Third Party destination setup: https://help.sap.com/docs/task-center/sap-task-center/connect-third-party-task-provider-and-sap-task-center Click Save. 14. Test the scenario Step 66Use SAP Task Center Administration app to check the status of the configured connector destination, following: https://help.sap.com/docs/task-center/sap-task-center/working-with-task-center-administration-appStep 67Use SAP Task Center Web app, to validate that tasks from the new destination are seen by business users (for more information, see: https://help.sap.com/docs/task-center/sap-task-center/sap-task-center-web-app) Read More Technology Blogs by Members articles
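To make the ID token checks behind the ServiceNow OIDC provider settings in steps 19-20 concrete (issuer from the metadata document, audience equal to the client ID, the email user claim, the 300-second clock skew and the optional JTI replay check), here is an added example that is not part of the original blog or of ServiceNow. The client ID, issuer and sample token are constructed placeholders, and signature verification against the provider's JWKS is assumed to happen before these checks and is not shown.

```python
import base64
import json

# Provider settings mirroring the ServiceNow OIDC entity (steps 19-20); all values are constructed placeholders.
CLIENT_ID = "11111111-2222-3333-4444-555555555555"                 # Azure application (client) ID
ISSUER = "https://login.microsoftonline.com/<AAD tenant ID>/v2.0"  # "issuer" from the OpenID Connect metadata document
CLOCK_SKEW = 300                                                   # seconds, the ServiceNow default
USER_CLAIM = "email"                                               # claim mapped onto the ServiceNow user field


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def validate_id_token_claims(token: str, now: int, seen_jti: set, verify_jti: bool = False) -> str:
    """Return the user claim value if the ID token's claims satisfy the provider settings, else raise ValueError.
    Signature verification against the provider's JWKS is assumed to have happened before this and is not shown."""
    header_b64, payload_b64, _signature = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(payload_b64))
    if header.get("alg") != "RS256":
        raise ValueError("unexpected alg in header")
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer does not match the OIDC metadata document")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("audience is not this client ID")
    # Time checks tolerate CLOCK_SKEW seconds of drift in either direction.
    if now > claims["exp"] + CLOCK_SKEW:
        raise ValueError("token expired")
    if now < claims.get("nbf", claims["iat"]) - CLOCK_SKEW:
        raise ValueError("token not yet valid")
    if USER_CLAIM not in claims:
        raise ValueError(f"missing {USER_CLAIM} claim; see the optional claim added in step 14")
    if verify_jti:  # "Enable JTI claim verification": reject a missing or already-seen token ID
        jti = claims.get("jti")
        if not jti or jti in seen_jti:
            raise ValueError("jti missing or replayed")
        seen_jti.add(jti)
    return claims[USER_CLAIM]


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned sample token for offline testing; the signature segment is a placeholder."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder"
```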