Integration of SAP Task Center, Azure and ServiceNow – SSO, User Provisioning and Token exchange


During the configuration of Task Connect, an integration between ServiceNow and SAP Task center, we devoted significant effort to addressing security concerns, particularly focusing on user authentication and user provisioning. Given the widespread use of Azure as an identity and token provider, we developed a method to synchronize users and groups across ServiceNow, SAP Task Center, and Azure. 

In this document, you will find the scenario overview, related architectural diagrams presenting the different components and how they interact with each other and what are the steps to follow to configure the connection between ServiceNow, SAP Task Center and Azure. 

1. Scenario overview

The starting point in this scenario is the user’s authentication and the access token issued by the SAP Cloud Identity tenant’s authentication service (IAS), indicated as AT (IAS) APP and returned in step 2 of figure 1 below, following the notation <token type> (<issuer>) <audience>. The complete token exchange is orchestrated by the OAuth 2.0 and OpenID Connect (OIDC) authorization and authentication frameworks and their respective token types: access tokens (AT), refresh tokens (RT) and identity tokens (ID). Thus, AT (IAS) IAS is an access token issued by the IAS tenant’s OAuth 2.0 authorization server with an audience set to the IAS tenant’s client ID. All tokens except refresh tokens are formatted as JWTs. Compared to the token exchange in the previous parts of this blog series (see part I, Interoperability and standards, for more details), SAML 2.0 – or more precisely the SAML assertion as an OAuth 2.0 authorization grant defined in section 2.1 of RFC 7522 – is no longer used in this scenario. Instead of transforming between token formats (JWT to SAML and back to JWT), this scenario uses only JWTs for the token exchange. It is important to note that this token exchange requires no direct trust relationship between the application on BTP and Azure AD. The application only has a trust relationship to the IAS tenant, and the IAS tenant maintains the trust relationship to the Azure AD tenant (and vice versa).

All authentication requests for the business application on BTP (SAP Task Center) are forwarded by the IAS tenant to the Azure AD tenant, which is configured as a corporate identity provider (IdP) in IAS. IAS acts as a proxy and delegates authentication to Azure AD, taking the role of the relying party towards the corporate identity provider. The IAS tenant therefore requires an application registration in Azure AD.

Note: For the TaskConnect integration configuration to work, the SAP Task Center should be configured according to the following documentation: https://help.sap.com/docs/task-center/sap-task-center/initial-setup

2. User authentication and token exchange

The user accesses the BTP business application, SAP Task Center. The app delegates authentication to the IAS tenant using OIDC. It starts the authentication process by redirecting the user’s browser to the IAS tenant’s OAuth server authorization endpoint at https://<IAS tenant name>.accounts.ondemand.com/oauth2/authorize and sending an OAuth authorization request. Because the user is not yet authenticated at the IAS tenant, the user’s browser is redirected to the IAS tenant’s single sign-on (SSO) endpoint at https://<IAS tenant name>.accounts.ondemand.com/saml2/idp/sso. The business application is configured in IAS to pass all authentication requests to Azure AD as its corporate IdP. Therefore, IAS sends an OAuth authorization request to the Azure AD tenant’s OAuth authorization endpoint. Azure AD prompts the user to enter their credentials. Upon successful authentication, Azure AD sends the authorization code to IAS by redirecting the user’s web browser to the redirect URI specified in the previous request. IAS receives the authorization code and sends an access token request to Azure AD’s token endpoint. Azure AD issues an access token and a refresh token (RT(AAD)IAS, which is cached for later use) for the authenticated user, with an audience set to the IAS tenant’s OIDC name. The BTP business application requests a client assertion from the IAS tenant to use in the subsequent requests for the token exchange via the IAS tenant’s OIDC proxy. The client application sends a token request to the IAS tenant’s token endpoint; the POST request is authenticated with the client ID and secret of the business application in IAS. The client assertion from IAS takes the form of a signed JWT that proves the application’s identity to AAD when requesting tokens via the IAS corporate IdP OIDC proxy. The business application exchanges the IAS-issued ID token for an Azure AD-issued access token via the IAS tenant’s OIDC proxy token exchange endpoint.
The POST request uses the assertion parameter to pass the base64-encoded IAS ID token of the user. The IAS token service sends a refresh token request using the RT(AAD)IAS cached in step 5 to obtain a new access token AT(AAD)APP for the business application. The business application uses the Azure AD On-Behalf-Of (OBO) flow to request the access token. Finally, the business application calls ServiceNow to take actions on the signed-in user’s tasks. ServiceNow validates the token using the “OIDC provider to verify ID tokens” configuration with the same application registered in Azure that issues the access token and refresh token in step 5.

3. User provisioning – Azure SAP

Use SAP Cloud Identity Services – Identity Provisioning to provision users from Microsoft Azure Active Directory to SAP Cloud Identity Services – Identity Authentication. 

4. User provisioning & SSO – Azure-ServiceNow

Use the ServiceNow enterprise application in Azure to provision users from Microsoft Azure Active Directory to the ServiceNow instance. Use the same ServiceNow enterprise application created in step 13 in Azure to authenticate users from Microsoft Azure Active Directory to the ServiceNow instance.

5. Technical service flow

You need to create an integration user for the SAP technical connection and choose how SAP Task Center will authenticate when the technical connection is used (the delta jobs in SAP use this technical connection).

For example, you can use Basic Auth or OAuth:

For Basic Auth, provide the username and password to the team who is configuring the connection to ServiceNow.

For OAuth, follow these steps in ServiceNow (an account with the admin role is required):
Open System OAuth -> Application Registry.
Click New and choose “Create an OAuth API endpoint for external clients”.
Configure the record and share the username, user password, client ID and client secret with the team configuring the connection to ServiceNow.

6. Register the applications in Azure AD for IAS tenant and SN OIDC provider to verify ID tokens. 

The token exchange and OIDC proxy setup between SN, IAS and the Azure AD tenant requires a trust relationship, which is established by registering one application in the Azure AD tenant.

“SAPIASTenant” represents the SAP Cloud Identity Service tenant.

Step 1
Login to Azure Portal (e.g. with your Microsoft 365 E5 developer subscription’s admin account) and select Azure Active Directory from the portal menu.  

Select App registrations from the left-side menu.  

Step 2
Click + New registration 

Step 3 
Enter “<SAP IAS Tenant>” for the Name of the new application registration.

Replace <SAP IAS Tenant> with your friendly name.

Select “Web” from the dropdown list in the Redirect URI section.

Enter your IAS tenant’s redirect URI in the Redirect URI section’s text field: https://<IAStenant name>.accounts.ondemand.com/oauth2/callback. Replace <IAS tenant name> with your tenant’s name.

Click Register.  

Step 4
Copy the newly generated Application (client) ID to a temporary text file. You will need it in the next step for deploying the sample application.  

Step 5
Select Manifest from the navigation menu to edit the application registration’s manifest file.  
Change the value for the field “accessTokenAcceptedVersion” from null to 2.    
Click Save.  


7. Configure trust to the IAS tenant in Azure AD

Trust to the IAS tenant is configured in Azure AD with a new federated identity credential. In addition, a client secret is required for the initial token exchange in step 5 of figure 1. Both credentials will be configured for the application registrations in the following step.  

Step 6
Select the SAPIASTenant app (created in step 3) from the list.
Select Certificates & secrets from the menu and switch to the Client secrets tab.  
Click + New client secret.  

Step 7
Enter “<SAPOIDCProxy>” for the Description.  
Click Add.  

Step 8
Click Copy to clipboard in the Value column and paste it to a temporary text file. You will need it later in the setup process.

Step 9
Create another secret for ServiceNow:
Enter “<ServiceNow>” for the Description.  
Click Add.  


8. Configure permissions and scopes in Azure AD

To request the Outlook calendar event on behalf of the user, the business application (SAPBTPGraphApp) requires the Graph API permission Calendars.Read. SAPBTPGraphApp also exposes the custom scope “token.exchange”. This scope is referred to as a (downstream) API permission for the SAPIASTenant application registration and is required for steps 7 and 8 in figure 1. For the initial token request to Azure AD (see step 5 in figure 1 and figure 2), the SAPIASTenant application exposes the custom scope “ias.access”.

Step 10
Go to Expose an API in the navigation menu.  
Click + Add a scope.  

Step 11
Accept the default value for the Application ID URI.  
Click Save and continue.  

Step 12
Enter “ias.access” for the new Scope name. Provide an Admin consent display name and description.  
Click Add scope.  

Scope name: 
ias.access 

Admin consent display name: 
IAS Tenant Access 

Admin consent description: 
Access to SAP Cloud Identity service Application

Step 13
Copy the fully qualified URI of the new scope (api://<client id>/ias.access) from the clipboard to a temporary text file. It will be used in a later setup step.

Step 14
Add an optional claim to the token.
Navigate to Token configuration.
Click + Add optional claim.
Token type: ID.
Select “email” and click Add.

Step 15
If a message appears that API permissions are required, select the checkbox Turn on the Microsoft Graph email permission (required for the claim to appear in the token).
Click Add.

Step 16
Grant Admin Consent 

Step 17
Navigate to Authentication.
Scroll down to Implicit grant and hybrid flows.
Under “Select the tokens you would like to be issued by the authorization endpoint”, select the checkbox ID tokens.
Click Save.


9. Configure Azure as an OAUTH OIDC provider on ServiceNow

Step 18
Open the ServiceNow instance  
Navigate to All > System OAuth > Application Registry.  
Click New, then click Configure an OIDC provider to verify ID tokens.

Step 19
Fill in the form. The fields are:

Name – A unique name that identifies the OAuth OIDC entity.

Client ID – The client ID of the application registered in Azure in step 4. The instance uses the client ID when requesting an access token.

Client Secret – The client secret of the application registered in Azure in step 31.

OAuth OIDC Provider Configuration – The OIDC provider (ADFS, Auth0, Azure AD, Google, Okta) that is used to validate the JWT token. Click the record of your OIDC provider configuration to validate that the User Claim and User Field are set appropriately. If you check Enable JTI claim verification, the ServiceNow JWT token validation also validates the JTI sent by the provider. See the next step for more details.

Clock Skew – The number of seconds of clock skew allowed for the time constraints to be considered valid. The default is 300.

Comments – Additional information to associate with the application.

Application – The name of the application containing this entity.

Accessible from – Select an option to make it accessible from all application scopes or from this application scope only (all scopes by default).

Enforce Token Restrictions – Select to only allow tokens to be used with APIs set to allow the authentication profile. You can grant access using an API access policy. For more information, see Create REST API access policy. Default: unselected.

Active – Select the check box to make the OAuth application active.

Redirect URL – The URL of the OAuth application for receiving the authorization code (automatically added when the application is saved).

End Session Endpoint URL – The URL of the endpoint called after a session ends (not required).

Enable force authentication – Option to enable forced authentication for users (not required).

Step 20
OAuth OIDC Provider Configuration  
Click on the search icon and then New

OIDC Provider – A unique name that identifies the OIDC provider  

OIDC Metadata URL – the OIDC provider OpenID Connect metadata document  (details in next step)  

User claim: email  
User Field: the field in SN which contain mail value  

Enable JTI claim verification: Disable
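The checks that the “OIDC provider to verify ID tokens” entry applies to an incoming Azure AD ID token (issuer from the metadata document, audience equal to the Client ID, expiry within the Clock Skew, the optional JTI replay check, and mapping the email user claim to the user field), as an added Python example that is not part of this page or of ServiceNow’s own code. To run offline it signs a constructed token with HS256 and a shared secret; a real Azure AD ID token is RS256-signed and is verified against the JWKS referenced by the provider’s OpenID Connect metadata document instead. The issuer, client ID and user record are placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

CLOCK_SKEW_SECONDS = 300  # the form's default Clock Skew


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256(secret: bytes, signing_input: bytes) -> bytes:
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


def mint_token(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Constructed sample token standing in for an Azure AD ID token.
    alg="none" yields an unsigned token, used only to show that it is rejected."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    signature = b"" if alg == "none" else hs256(secret, signing_input.encode())
    return signing_input + "." + b64url(signature)


class TokenRejected(Exception):
    pass


class OidcIdTokenVerifier:
    """Mirrors the OAuth OIDC entity settings: the provider's issuer (from its metadata
    document), Client ID as audience, User claim -> User field, Clock Skew, JTI check."""

    def __init__(self, issuer, client_id, secret, user_claim="email",
                 clock_skew=CLOCK_SKEW_SECONDS, verify_jti=False):
        self.issuer = issuer
        self.client_id = client_id
        self.secret = secret  # stands in for the provider's JWKS public key
        self.user_claim = user_claim
        self.clock_skew = clock_skew
        self.verify_jti = verify_jti
        self.seen_jti = set()  # replay cache, consulted only when verify_jti is on

    def verify(self, token, users, now=None):
        """Return the user record matched by the user claim, or raise TokenRejected."""
        now = time.time() if now is None else now
        parts = token.split(".")
        if len(parts) != 3:
            raise TokenRejected("not a compact JWT")
        header_b64, payload_b64, signature_b64 = parts
        header = json.loads(b64url_decode(header_b64))
        # Only the configured algorithm is accepted; "none" and substituted algs fail here.
        if header.get("alg") != "HS256":
            raise TokenRejected(f"algorithm {header.get('alg')!r} not allowed")
        expected = hs256(self.secret, f"{header_b64}.{payload_b64}".encode())
        if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
            raise TokenRejected("signature mismatch")
        claims = json.loads(b64url_decode(payload_b64))
        if claims.get("iss") != self.issuer:
            raise TokenRejected("issuer mismatch")
        aud = claims.get("aud")
        if self.client_id not in (aud if isinstance(aud, list) else [aud]):
            raise TokenRejected("audience is not this Client ID")
        # Time checks tolerate Clock Skew seconds of drift in either direction.
        if claims.get("exp", 0) + self.clock_skew < now:
            raise TokenRejected("token expired")
        if claims.get("nbf", 0) - self.clock_skew > now:
            raise TokenRejected("token not yet valid")
        if claims.get("iat", 0) - self.clock_skew > now:
            raise TokenRejected("token issued in the future")
        if self.verify_jti:
            jti = claims.get("jti")
            if not jti or jti in self.seen_jti:
                raise TokenRejected("missing or replayed jti")
            self.seen_jti.add(jti)
        # User claim -> User field: the claim value must match a known user's field value.
        value = claims.get(self.user_claim)
        if not value or value.lower() not in users:
            raise TokenRejected(f"no user with {self.user_claim} {value!r}")
        return users[value.lower()]


def rejection_reason(verifier, token, users, now):
    """The TokenRejected message, or None when the token is accepted."""
    try:
        verifier.verify(token, users, now=now)
    except TokenRejected as exc:
        return str(exc)
    return None


# Constructed sample data: placeholder issuer and client ID, one user keyed by the
# user field that holds the mail value, and a fixed "now" so runs are repeatable.
ISSUER = "https://login.microsoftonline.com/<AAD tenant ID>/v2.0"
CLIENT_ID = "<client id of the app registered in step 3>"
SECRET = b"constructed-shared-secret"
USERS = {"jane.doe@example.com": {"user_name": "jane.doe", "email": "jane.doe@example.com"}}
NOW = 1_700_000_000
SAMPLE_CLAIMS = {"iss": ISSUER, "aud": CLIENT_ID, "iat": NOW - 10, "nbf": NOW - 10,
                 "exp": NOW + 600, "email": "Jane.Doe@example.com", "jti": "constructed-jti-1"}
```

With JTI verification switched on, presenting the same token twice is rejected on the second use; with it off (the setting chosen in step 20) a replay within the token's lifetime passes the checks above.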

Step 21
Navigate to the Azure application created in step 3 – Overview – Endpoints – OpenID Connect metadata document.

Step 22
Navigate to OAuth Entity Scopes and add:
offline_access
openid

Click Update.

Step 23
Navigate to the OAuth Entity Profile, which is created automatically when the OAuth OIDC entity is saved.

Verify that the Grant type is Resource Owner Password Credentials and then add the OAuth Entity Scopes created in the previous step.

Step 24
Add Auth Scope: 
useraccount

Step 25
Navigate to the OAuth OIDC entity created in step 34 and copy the redirect URL.

Step 26
Navigate to the Azure app registered in step 3.
Open Authentication.
Add the URL from the previous step (do not remove or replace the URL added in step 3 when the application was created).
Click Save.

10. Setup user provisioning – Azure >> SAP

Step 27
Launch a browser window and access your Azure portal using the URL: https://portal.azure.com/

You will need to authenticate to your Azure AD using your admin credentials. 

Step 28
Click Microsoft Entra ID. 

Step 29
Click App Registration >> New registration

Step 30
Specify a name for your app and click Register 

Step 31
Click API permission >> Add a permission

Step 32
Select Microsoft Graph.

Step 33
Click Application permissions

Step 34
From the list of API permissions, expand User and select User.Read.All. 

Step 35
From the API list also select Group >> Read.All and Directory >> Read.All.  Click Add permissions at the bottom of the screen once done. 

Step 36
The permissions are not granted by default.  To grant the permissions, click Grant admin consent for Default Directory

Step 37
Click Yes on the popup message and confirm that all permissions are granted.

Step 38
Click Overview from the left panel.  Make a note of the Application (client) ID.  You will need this later when creating the source system in IPS.   Click Add a certificate or secret

Step 39
Click New client secret

Step 40
Specify a description and expiry time for the client secret.

Step 41
You should have client secret added successfully.  Make a note of the value field as you will need it later when creating the source system in IPS. 

Step 42
Navigate to the main overview page of Azure AD and make a note of your Primary domain.  You will need this value when creating the source system in IPS. 

Step 43
Follow the blog https://community.sap.com/t5/technology-blogs-by-sap/provision-users-from-microsoft-azure-ad-to-sap-cloud-identity-services/ba-p/13546054 and, in particular, its hint on filtering users by a group in the Identity Provisioning source system properties: add aad.group.filter=displayName eq '<group_name>'.


11. Establish trust between task sub account and IAS

Step 44
Go to BTP Cockpit->Security->Trust Configuration 

Step 45
Select “Establish trust” and choose the IAS

Step 46
Select “Establish trust” and choose the IAS 

Note: This creates an OIDC application in IAS for the subaccount 

NB: The Task Center/ServiceNow integration works only with OIDC trust between the Task Center subaccount and IAS.

Step 47
This creates an application in IAS.

For more information, you can check: https://help.sap.com/docs/btp/sap-business-technology-platform/establish-trust-and-federation-between-uaa-and-identity-authentication

12. Setup the corporate identity provider and OIDC proxy in SAP Cloud Identity tenant

Step 48
Login as an administrator to your SAP Cloud Identity service administration console at 
https://<IAStenant name>.accounts.ondemand.com/admin 

Step 49
Go to Identity Providers > Corporate Identity Providers and click Create.  
Enter a Display name (e.g. “Azure Active Directory”) and click Save.

Step 50
Click on Identity Provider Type from the Trust settings of the new corporate identity provider.

Step 51
Select OpenID Connect Compliant from the list.  
Click Save.

Step 52
Click on OpenID Connect Configuration from the Trust settings of the new corporate identity provider.

Step 53
Enter your Azure AD tenant’s OIDC Discovery URL (https://login.microsoftonline.com/<AAD tenant ID>/v2.0) and click Load.

The Issuer field gets populated from the loaded Azure AD tenant’s OIDC metadata.

Step 54
Enter the SAPIASTenant’s client ID in the Client ID field. In the Client Secret field, enter the value of the OIDCProxy secret copied in step 8.

Click Validate

Step 55
Verify a successful validation of the OIDC configuration.  

Click OK

Step 56
Click + Add  

Step 57
Copy and paste the fully qualified URI of the SAPIASTenant application’s custom scope (api://<client id>/ias.access), copied in step 13, as the new scope.

Click Save.  

Step 58
Click + Add again and add the scopes:
“email”
“openid”
“offline_access”

Click Save

Step 59
Click Save.  

Step 60
Go to Applications & Resources > Applications  
Select the application created in the “Establish trust between Task subaccount and IAS” section (step 47).

Click Attributes

Step 61
Navigate to Attributes and add  

Name: “xsuaa-persist-corporate-idp-token” 
Source: Expression 
Value: true 

Save

Step 62
Select “Conditional Authentication”  
In the “Default Identity Provider”, choose the Azure provider configured in steps 48-59, then click Save.

13. Configure destinations for SAP in the BTP sub-account

SAP Task Center uses destinations to connect to the ServiceNow task provider.

Client Specific configuration: 

aadTokenEndpoint: Azure AD token endpoint at https://login.microsoftonline.com/<AAD tenant ID>/oauth2/v2.0/token
iasTokenEndpoint: SAP Cloud Identity service tenant’s token endpoint at https://<IAStenant name>.accounts.ondemand.com/oauth2/token
iasTokenExchange: SAP Cloud Identity service’s token exchange service endpoint at https://<IAStenant name>.accounts.ondemand.com/oauth2/exchange/corporateidp

Step 63
Go back to the SAP BTP Cockpit and navigate to your CF subaccount.  
Select Connectivity > Destinations from the navigation menu.  
Click New Destination.

Step 64
Enter the following values for the first destination (refer to 6. TECHNICAL SERVICE FLOW).

Click Save.

Step 65
Repeat steps 63 and 64 with the following values for the second destination (refer to 10. CONFIGURE AZURE AS AN OAUTH OIDC PROVIDER ON THE SERVICENOW, step 21):

AuthnContextClassRef = urn:oasis:names:tc:SAML:2.0:ac:classes:X509 
clientKey = token service password=client secret 
Token service user = client id 

Task Center documentation for Third Party destination setup: https://help.sap.com/docs/task-center/sap-task-center/connect-third-party-task-provider-and-sap-task-center  

Click Save.  

14. Test the scenario 

Step 66
Use SAP Task Center Administration app to check the status of the configured connector destination, following: https://help.sap.com/docs/task-center/sap-task-center/working-with-task-center-administration-app

Step 67
Use SAP Task Center Web app, to validate that tasks from the new destination are seen by business users (for more information, see: https://help.sap.com/docs/task-center/sap-task-center/sap-task-center-web-app)

 

​ During the configuration of Task Connect, an integration between ServiceNow and SAP Task center, we devoted significant effort to addressing security concerns, particularly focusing on user authentication and user provisioning. Given the widespread use of Azure as an identity and token provider, we developed a method to synchronize users and groups across ServiceNow, SAP Task Center, and Azure. In this document, you will find the scenario overview, related architectural diagrams presenting the different components and how they interact with each other and what are the steps to follow to configure the connection between ServiceNow, SAP Task Center and Azure. 1. Scenario overviewThe starting point in this scenario is the user’s authentication and access token issued by the SAP Cloud Identity tenant’s authentication service (IAS), indicated as AT (IAS) APP in returned by step 2 in figure 1 below and following the notation <token type> (<issuer>) <audience>. The complete token exchange is orchestrated by the OAuth 2.0 and OpenID Connect (OIDC) authorization and authentication frameworks and their respective token types, which are access tokens (AT), refresh tokens (RT), and identity tokens (ID). Thus, AT (IAS) IAS is an access token, issued by the IAS tenant’s OAuth 2.0 authorization server, with an audience set to the IAS tenant’s client ID. All tokens except for refresh tokens are formatted as JWTs. Compared to the token exchange in the previous parts of this blog series (see part I, Interoperability and standards, for more details), SAML 2.0 – or more precisely the SAML assertion as an OAuth 2.0 authorization grant defined in section 2.1 of RFC 7522 – is no longer used in this scenario. Instead of transforming between different token formats (JWT to SAML and back to JWT), this scenario only uses JWTs for the token exchange. It is important to note that for this token exchange no direct trust relationship between the application on BTP and Azure AD is required. 
The application only has a trust relationship to the IAS tenant, and the IAS tenant maintains the trust relationship to the Azure AD tenant (and vice versa).   All authentication requests for the business application on BTP (SAP TASK CENTER) are forwarded by the IAS tenant to the Azure AD tenant which is configured as a corporate identity provider (IdP) in IAS. IAS acts as a proxy and delegates authentication to Azure AD in the role of the relying party to the corporate identity provider. The IAS tenant therefore requires an application registration in Azure AD.  Note: For the TaskConnect integration configuration to work, the SAP Task Center should be configured according to the following documentation: https://help.sap.com/docs/task-center/sap-task-center/initial-setup2. Users authentication and token exchangeThe user accesses the BTP business application’s SAP Task Center. The app delegates authentication to the IAS tenant using OIDC. It starts the authentication process by redirecting the user’ browser to the IAS tenant’s OAuth server authorization endpoint at https://<IAS tenant name>.accounts.ondemand.com/oauth2/authorize and sending an OAuth authorization request. Because the user is not yet authenticated at the IAS tenant, the user’s browser is redirected to the IAS tenant’s single sign-on (SSO) endpoint at https://<IAS tenant name>.accounts.ondemand.com/saml2/idp/sso. The business application is configured in IAS to pass all authentication requests to Azure AD as its corporate IdP. Therefore, IAS sends an OAuth authorization request to the Azure AD tenant’s OAuth authorization endpoint. The user gets prompted by Azure AD to enter the credentials. Upon successful authentication, Azure AD sends the authorization code to IAS by redirecting the user’s web browser to the URI specified in the previous request. IAS receives the authorization code and sends an access token request to Azure AD’s token. 
Azure AD issues an access token and refresh token (RT(AAD)IAS which is cached for later use in step for the authenticated user with an audience set to the IAS tenant’s OIDC name. The BTP business application requests a client assertion from the IAS tenant to use it in the subsequent requests for the token exchange via the IAS tenant’s OIDC proxy. The client application sends a token request to the IAS tenant’s token endpoint. The POST request is authenticated with the client ID and secret of the business application in IAS. The client assertion from IAS takes the form of a signed JWT that proofs the application’s identity to AAD when requesting tokens via the IAS corporate IdP OIDC proxy. The business application exchanges the IAS-issued ID token into an Azure AD-issued access token via the IAS tenant’s OIDC proxy token exchange endpoint. The POST request uses the assertion parameter to pass the base64-encoded IAS ID token of the user. IAS token service sends a refresh token request using RT(AAD)IAS cached in step 5 to obtain a new access token AT(AAD)APP for the business application, The business application uses the Azure AD On-behalf-Of (ObO) flow for requesting the access token  Finally, the business application calls the ServiceNow to take actions to the signed-in user’s tasks. ServiceNow validate the token using OIDC provider to verify ID tokens configuration with the same application registered in Azure which issues an access token and refresh token in step 5. 3. User provisioning – Azure SAPUse SAP Cloud Identity Services – Identity Provisioning to provision users from Microsoft Azure Active Directory to SAP Cloud Identity Services – Identity Authentication. 4. 
User provisioning & SSO – Azure-ServiceNowUse ServiceNow enterprise application in Azure to provision users from Microsoft Azure Active Directory to ServiceNow instance Use the same ServiceNow enterprise application created in step 13 in Azure to authenticate users from Microsoft Azure Active Directory to ServiceNow instance 5. Technical service flowYou need to create integration user for SAP Technical connection and choose how SAP Task Center will authenticate when technical connection is used (delta jobs in SAP are using this technical connection)For example, you can use Basic Auth or OAuth: For basic auth provide username and password to the team who is configuring the connection to ServiceNow. The BTP business application requests a client assertion from the IAS tenant to use it in the subsequent requests for the token exchange via the IAS tenant’s OIDC proxy.For OAuth follow these steps in ServiceNow (account with admin role is required) Open System OAuth -> Application Registry. Click New and choose “Create an OAuth API endpoint for external clients”. Configure the record and share username, user password, client id and client secret with the team configuring the connection to ServiceNow 6. Register the applications in Azure AD for IAS tenant and SN OIDC provider to verify ID tokens. The token exchange and OIDC proxy setup between the SN, IAS, and the Azure AD tenant, requires a trust relationship which is established by registering one application in the Azure AD tenant    “SAPIASTenant” represents the SAP Cloud Identity Service tenant.Step 1Login to Azure Portal (e.g. with your Microsoft 365 E5 developer subscription’s admin account) and select Azure Active Directory from the portal menu.  Select App registrations from the left-side menu.  Step 2Click + New registration Step 3 Enter “<SAP IAS Tenant>” for the Name of the new application registration.  
Replace <SAP IAS Tenant> with your friendly name  Select “Web” from the dropdown list in the Redirect UR I section.  Enter your IAS tenant’s redirect UR Iin the Redirect URI section’s text field:https://<IAStenant name>.accounts.ondemand.com/oauth2/callback.Replace <IAS tenant name> with your tenant’s name.Click Register.  Step 4Copy the newly generated Application (client) ID to a temporary text file. You will need it in the next step for deploying the sample application.  Step 5Select Manifest from the navigation menu to edit the application registration’s manifest file.  Change the value for the field “accessTokenAcceptedVersion” from null to 2.    Click Save.  7. Configure trust to the IAS tenant in Azure ADTrust to the IAS tenant is configured in Azure AD with a new federated identity credential. In addition, a client secret is required for the initial token exchange in step 5 of figure 1. Both credentials will be configured for the application registrations in the following step.  Step 6Select the SAPIASTenant app from the list. (created in step 3)  Select Certificates & secrets from the menu and switch to the Client secrets tab.  Click + New client secret.  Step 7Enter “<SAPOIDCProxy>” for the Description.  Click Add.  Step 8Click Copy to clipboard in the Value column and paste it to a temporary text file. You will need it later in the setup process.Step 9Create another one secret for ServiceNow   Enter “<ServiceNow>” for the Description.  Click Add.  8. Configure permissions and scopes in Azure ADTo request the Outlook calendar event on behalf of the user, the business application (SAPBTPGraphApp) requires the Graph API permission Calendars.Read. SAPBTPGraphApp also exposes the custom scope “token.exchange”.This scope is referred to as a (downstream) API permission for the SAPIASTenant application registration and required for steps 7 and 8 in figure 1. 
For the initial token request to Azure AD (see step 5 in figure 1 and figure 2), the SAPIASTenant application exposes the custom scope “ias.access”.

Step 10: Go to Expose an API in the navigation menu. Click + Add a scope.

Step 11: Accept the default value for the Application ID URI. Click Save and continue.

Step 12: Enter “ias.access” as the new Scope name. Provide an Admin consent display name and description. Click Add scope.
  Scope name: ias.access
  Admin consent display name: IAS Tenant Access
  Admin consent description: Access to SAP Cloud Identity service Application

Step 13: Copy the fully-qualified URI of the new scope (api://<client id>/ias.access) from the clipboard to a temporary text file. It will be used in a later setup step.

Step 14: Add an optional claim to the token. Navigate to Token configuration > + Add optional claim. Token type: ID. Select “email” and add it.

Step 15: If a message appears that API permissions are required, select the checkbox “Turn on the Microsoft Graph email permission (required for the claim to appear in the token)” and click Add.

Step 16: Grant admin consent.

Step 17: Navigate to Authentication and scroll down to Implicit grant and hybrid flows. Under “Select the tokens you would like to be issued by the authorization endpoint”, select the ID tokens checkbox. Click Save.

9. Configure Azure as an OAuth OIDC provider on ServiceNow

Step 18: Open the ServiceNow instance. Navigate to All > System OAuth > Application Registry. Click New, then click Configure an OIDC provider to verify ID tokens.

Step 19: Fill in the form:
  Name: A unique name that identifies the OAuth OIDC entity.
  Client ID: The client ID of the application registered in Azure in step 4. The instance uses the client ID when requesting an access token.
  Client Secret: The client secret of the application registered in Azure in step 31.
  OAuth OIDC Provider Configuration: The OIDC provider (ADFS, Auth0, Azure AD, Google, Okta) used to validate the JWT token. Click the record of your OIDC provider configuration to verify that User Claim and User Field are set appropriately. If you check Enable JTI claim verification, the ServiceNow JWT token validation also validates the JTI sent by the provider. See the next step for more details.
  Clock Skew: The number of seconds for which the constraint is considered valid. The default is 300.
  Comments: Additional information to associate with the application.
  Application: The name of the application containing this entity.
  Accessible from: Select whether the entity is accessible from all application scopes or only this application scope (all scopes by default).
  Enforce Token Restrictions: Select to only allow tokens to be used with APIs set to allow the authentication profile. You can grant access using an API access policy; for more information, see Create REST API access policy. Default: unselected.
  Active: Select the checkbox to make the OAuth application active.
  Redirect URL: The URL of the OAuth application for receiving the authorization code (added automatically when the application is saved).
  End Session Endpoint URL: The URL endpoint that is called after a session ends (not required).
  Enable force authentication: Option to enable forced authentication for users (not required).

Step 20: OAuth OIDC Provider Configuration: click the search icon and then New.
  OIDC Provider: a unique name that identifies the OIDC provider.
  OIDC Metadata URL: the OIDC provider’s OpenID Connect metadata document (details in the next step).
  User claim: email
  User Field: the field in ServiceNow that contains the mail value.
  Enable JTI claim verification: disabled.

Step 21: Navigate to the Azure application created in step 3 > Overview > Endpoints > OpenID Connect metadata document.

Step 22: Navigate to OAuth Entity Scopes and add offline_access and openid. Click Update.

Step 23: Navigate to the OAuth Entity Profile that was created automatically when the OAuth OIDC entity was saved. Verify that the Grant type is Resource Owner Password Credentials, then add the OAuth Entity Scopes created in the step above.

Step 24: Add Auth Scope: useraccount.

Step 25: Navigate to the OAuth OIDC Entity created in step 34 and copy the redirect URL.

Step 26: Navigate to the Azure app registered in step 3 > Authentication and add the URL from the previous step (do not remove or replace the URL added in step 3 when the application was created). Click Save.

10. Setup user provisioning – Azure >> SAP

Step 27: Launch a browser window and access your Azure portal using the URL https://portal.azure.com/. You will need to authenticate to your Azure AD using your admin credentials.

Step 28: Click Microsoft Entra ID.

Step 29: Click App Registration >> New registration.

Step 30: Specify a name for your app and click Register.

Step 31: Click API permission >> Add a permission.

Step 32: Select Microsoft Graph.

Step 33: Click Application permissions.

Step 34: From the list of API permissions, expand User and select User.Read.All.

Step 35: From the API list also select Group >> Read.All and Directory >> Read.All. Click Add permissions at the bottom of the screen once done.

Step 36: The permissions are not granted by default. To grant them, click Grant admin consent for Default Directory.

Step 37: Click Yes on the popup message and confirm that all permissions are granted.

Step 38: Click Overview from the left panel. Make a note of the Application (client) ID; you will need it later when creating the source system in IPS. Click Add a certificate or secret.

Step 39: Click New client secret.

Step 40: Specify a description and expiry time for the client secret.

Step 41: The client secret should now be added successfully. Make a note of the Value field, as you will need it later when creating the source system in IPS.

Step 42: Navigate to the main overview page of Azure AD and make a note of your Primary domain. You will need this value when creating the source system in IPS.
Step 43: Follow the blog https://community.sap.com/t5/technology-blogs-by-sap/provision-users-from-microsoft-azure-ad-to-sap-cloud-identity-services/ba-p/13546054, in particular the hint on filtering users by a group: in the Identity Provisioning source system properties, add aad.group.filter=displayName eq ‘<group_name>’.

11. Establish trust between Task subaccount and IAS

Step 44: Go to BTP Cockpit > Security > Trust Configuration.

Step 45: Select “Establish trust” and choose the IAS.

Step 46: Select “Establish trust” and choose the IAS. Note: this creates an OIDC application in IAS for the subaccount. NB: the Task Center/ServiceNow integration works only with OIDC trust between the Task Center subaccount and IAS.

Step 47: This creates an application in IAS. For more information, see https://help.sap.com/docs/btp/sap-business-technology-platform/establish-trust-and-federation-between-uaa-and-identity-authentication

12. Setup the corporate identity provider and OIDC proxy in the SAP Cloud Identity tenant

Step 48: Log in as an administrator to your SAP Cloud Identity service administration console at https://<IAStenant name>.accounts.ondemand.com/admin

Step 49: Go to Identity Providers > Corporate Identity Providers and click Create. Enter a Display name (e.g. “Azure Active Directory”) and click Save.

Step 50: Click Identity Provider Type in the Trust settings of the new corporate identity provider.

Step 51: Select OpenID Connect Compliant from the list. Click Save.

Step 52: Click OpenID Connect Configuration in the Trust settings of the new corporate identity provider.

Step 53: Enter your Azure AD tenant’s OIDC Discovery URL (https://login.microsoftonline.com/<AAD tenant ID>/v2.0) and click Load. The Issuer field is populated from the loaded Azure AD tenant’s OIDC metadata.

Step 54: Enter the SAPIASTenant’s client ID in the Client ID field. In the Client Secret field, enter the value of the OIDCProxy secret copied in step 8. Click Validate.
Step 55: Verify that the OIDC configuration was validated successfully. Click OK.

Step 56: Click + Add.

Step 57: Copy and paste the fully-qualified URI of the SAPIASTenant application’s custom scope (api://<client id>/ias.access) copied in step 13 as the new scope. Click Save.

Step 58: Click + Add again and add the scopes “email”, “openid” and “offline_access”. Click Save.

Step 59: Click Save.

Step 60: Go to Applications & Resources > Applications and select the application from step 47 (“Establish trust between Task subaccount and IAS”). Click Attributes.

Step 61: Under Attributes, add Name: “xsuaa-persist-corporate-idp-token”, Source: Expression, Value: true. Save.

Step 62: Select “Conditional Authentication”. As “Default Identity Provider”, choose the Azure provider configured in steps 48-59. Click Save.

13. Configure destinations for SAP in the BTP subaccount

SAP Task Center uses destinations to connect to the ServiceNow task provider.

Client-specific configuration:
  aadTokenEndpoint: Azure AD token endpoint at https://login.microsoftonline.com/<AAD tenant ID>/oauth2/v2.0/token
  iasTokenEndpoint: SAP Cloud Identity service tenant’s token endpoint at https://<IAStenant name>.accounts.ondemand.com/oauth2/token
  iasTokenExchange: SAP Cloud Identity service’s token exchange service endpoint at https://<IAStenant name>.accounts.ondemand.com/oauth2/exchange/corporateidp

Step 63: Go back to the SAP BTP Cockpit and navigate to your CF subaccount. Select Connectivity > Destinations from the navigation menu. Click New Destination.

Step 64: Enter the values for the first destination; refer to 6. TECHNICAL SERVICE FLOW. Click Save.

Step 65: Repeat steps 63 and 64 with the following values for the second destination; refer to 10. CONFIGURE AZURE AS AN OAUTH OIDC PROVIDER ON THE SERVICENOW, step 21.
  AuthnContextClassRef = urn:oasis:names:tc:SAML:2.0:ac:classes:X509
  clientKey = token service password = client secret
  Token service user = client id
  Task Center documentation for third-party destination setup: https://help.sap.com/docs/task-center/sap-task-center/connect-third-party-task-provider-and-sap-task-center
  Click Save.

14. Test the scenario

Step 66: Use the SAP Task Center Administration app to check the status of the configured connector destination, following https://help.sap.com/docs/task-center/sap-task-center/working-with-task-center-administration-app

Step 67: Use the SAP Task Center Web app to validate that tasks from the new destination are visible to business users (for more information, see https://help.sap.com/docs/task-center/sap-task-center/sap-task-center-web-app).
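As an added example (not code from this blog, from ServiceNow or from SAP), the following Python applies the same checks that the ServiceNow OIDC provider record configured in section 9 performs on an Azure AD ID token: issuer taken from the metadata document, audience equal to the application’s client ID, expiry with the default 300-second Clock Skew, the optional email user claim, and JTI replay detection when that option is enabled. It assumes the RS256 signature was already verified against the JWKS from the metadata document; the issuer, client ID and token contents are constructed placeholders.

```python
import base64
import json

# Values mirroring the ServiceNow OIDC provider record (section 9); all of them
# are constructed placeholders, not real tenant identifiers.
EXPECTED_ISSUER = "https://login.microsoftonline.com/<AAD tenant ID>/v2.0"
EXPECTED_AUDIENCE = "<client id>"  # Application (client) ID of SAPIASTenant
CLOCK_SKEW = 300                   # ServiceNow default Clock Skew, in seconds
USER_CLAIM = "email"               # optional claim added in step 14
_seen_jti = {}                     # jti -> expiry, for "Enable JTI claim verification"


def _b64url(data):
    """Decode a base64url JSON segment (str) or encode a dict into one."""
    if isinstance(data, str):
        return json.loads(base64.urlsafe_b64decode(data + "=" * (-len(data) % 4)))
    return base64.urlsafe_b64encode(json.dumps(data).encode()).decode().rstrip("=")


def validate_id_token(token, now, verify_jti=False):
    """Claim checks for an ID token whose RS256 signature was already verified with the
    JWKS from the metadata document; returns the user-claim value matched to User Field."""
    header, claims, _sig = token.split(".")
    header, claims = _b64url(header), _b64url(claims)
    if header.get("alg") != "RS256":
        raise ValueError("unexpected alg")        # never accept 'none'
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if now > claims.get("exp", 0) + CLOCK_SKEW:
        raise ValueError("token expired")
    if now + CLOCK_SKEW < claims.get("nbf", claims.get("iat", 0)):
        raise ValueError("token not yet valid")
    if verify_jti:
        jti = claims.get("jti")
        for old in [k for k, exp in _seen_jti.items() if exp < now]:
            del _seen_jti[old]                    # evict expired entries
        if not jti or jti in _seen_jti:
            raise ValueError("jti missing or replayed")
        _seen_jti[jti] = claims["exp"] + CLOCK_SKEW
    user = claims.get(USER_CLAIM)
    if not user:
        raise ValueError("email claim missing: optional claim not configured?")
    return user


def make_test_token(claims):
    """Constructed token with a dummy signature, to exercise the checks offline."""
    return f"{_b64url({'alg': 'RS256', 'typ': 'JWT'})}.{_b64url(claims)}.c2ln"
```

If validation fails with the email claim missing, the optional claim and the Microsoft Graph email permission from steps 14 and 15 are the first things to check.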