Why SAP Cloud Identity Matters for SAP Task Center: It’s About Trust and Global User ID

Click, read, type, send and repeat. Approvals look quick and easy, says the promotional video of SAP Task Center.

No doubt about it. The unified inbox for approvals across multiple applications offers a straightforward and intuitive interface. The real challenge, however, lies in the initial setup of all related services and applications. Let’s see!

For employee A in your company to approve tasks from business applications X, Y, Z in the SAP Task Center, you, as an integration expert, need to configure the following components to work together:

- SAP BTP subaccount for the SAP Task Center application
- SAP Cloud Identity Services: Identity Authentication, Identity Provisioning and Identity Directory
- Business applications, known as task providers
- SAP Cloud Connector, if task providers are on-premise systems
- Corporate identity provider (IdP), if present in the customer landscape

This blog post focuses on the key role of SAP Cloud Identity Services in ensuring that the right users get access to the right tasks in the SAP Task Center. It aims to clear up some misunderstandings customers run into when setting up Identity Authentication as a proxy that delegates authentication to the corporate IdP, Microsoft Entra ID, and when using Identity Provisioning to replicate users and groups to SAP S/4HANA acting as a task provider.

 

1.  Establish Trust with Identity Authentication

The identity and access management of SAP Task Center fully relies on SAP Cloud Identity Services (SCI). Therefore, you must configure Identity Authentication as the trusted identity provider for the SAP BTP subaccount for SAP Task Center. See Establish Trust and Federation Between SAP Authorization and Trust Management Service and Identity Authentication.

Proposed approach:

- Use Identity Authentication as the single identity provider for SAP BTP.

  SAP BTP comes preconfigured with a default, SAP-managed identity provider (SAP ID service), which is different from Identity Authentication, a service that you, as a customer, fully manage yourself. It is important to move to Identity Authentication and use it as your custom IdP. See Onboard to SAP Cloud Identity Services.

- If more than one SCI tenant is available for establishing the trust, select the tenant that is used by your task provider (that is, SAP S/4HANA). Although customers may have several tenants for various reasons, the rule is: your SAP BTP subaccount and all task providers must trust the same SCI tenant. Having one central tenant is key for SSO across applications.

- Opt for the automatic, one-click Establish Trust option using the OpenID Connect protocol instead of manually exchanging SAML metadata. As a result, an OIDC application representing the SAP BTP subaccount for SAP Task Center is created automatically in the SCI admin console.

 

2.  Things to Consider when Configuring Global User ID

The correlation between users and their tasks in the SAP Task Center fully relies on the Global User ID attribute. Therefore, you must ensure that the logged-in user in the SAP Task Center application has the same Global User ID in SAP Cloud Identity Services and all task providers.

Proposed approach:

- Although you can provide your own unique identifier, we recommend that you generate and distribute it using SAP Cloud Identity Services. See Global User ID in Integration Scenarios.

- The Global User ID must be included in the token issued by the IdP. SAP Task Center uses the Global User ID from the user_uuid claim in the token to correlate the logged-in users with their tasks. It does not rely on the subject name identifier (SNI) for this purpose.

Claims in the token (or assertion attributes in SAML) are defined in the application representing the SAP BTP subaccount for SAP Task Center under: Trust -> Single Sign-On -> Attributes -> Self-defined Attributes. See User Attributes.

In principal propagation scenarios, when the logged-in user approves tasks on the task provider side, SAP Task Center must communicate the identity of the principal (user) to the task provider, which then determines whether to permit or reject the operation.

For identifying the user, the task provider relies on the Name ID in the SAML assertion, which by default is populated with the value of the subject name identifier. If the subject name identifier (for example, the e-mail address) is not unique within the task provider, configure the userIdSource property of the SAP Task Center destination to point to the user_uuid claim in the token (userIdSource=user_uuid). Once configured, the Name ID is determined by the claim named in userIdSource, so two principals that share an e-mail address are still told apart by their Global User ID.
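A worked illustration of the two identifiers in play, added here as an example; it is not code from the blog post or from SAP Task Center. It assumes the ID token has already been validated by the platform (issuer, audience, signature) and works on its claims only. The claim names user_uuid, sub and groups are the ones discussed above; the token values, the task list and its recipient_global_user_id field are constructed for the example:

```python
"""Added example (not from the SAP blog post or SAP Task Center): task
correlation keys on the user_uuid claim (Global User ID), while the
userIdSource destination property selects the Name ID sent to a task
provider during principal propagation. Tokens and tasks are constructed."""
from collections import Counter
from typing import Optional

# Constructed claims of already-verified ID tokens issued by Identity
# Authentication. Two contractors share one mailbox, so 'sub' (the e-mail
# address here) is not unique in the task provider, while user_uuid is.
TOKENS = {
    "anna": {"sub": "anna.schmidt@example.com", "email": "anna.schmidt@example.com",
             "user_uuid": "4d1c0b1e-2a3f-4e5b-8c6d-1a2b3c4d5e6f", "groups": ["S4HANA"]},
    "ext1": {"sub": "contractors@example.com", "email": "contractors@example.com",
             "user_uuid": "9f8e7d6c-5b4a-4c3d-a2b1-0f9e8d7c6b5a", "groups": ["S4HANA"]},
    "ext2": {"sub": "contractors@example.com", "email": "contractors@example.com",
             "user_uuid": "0a1b2c3d-4e5f-4a6b-9c8d-7e6f5a4b3c2d", "groups": ["S4HANA"]},
}

# Constructed token from a corporate IdP trusted directly by the subaccount:
# no Identity Authentication in between, so no Identity Directory attributes.
DIRECT_TRUST_TOKEN = {"sub": "anna.schmidt@example.com",
                      "email": "anna.schmidt@example.com"}

# Constructed task list, keyed by the recipient's Global User ID (the field
# name recipient_global_user_id is an assumption made for this example).
TASKS = [
    {"id": "PO-4711", "recipient_global_user_id": TOKENS["anna"]["user_uuid"]},
    {"id": "PO-4712", "recipient_global_user_id": TOKENS["ext1"]["user_uuid"]},
    {"id": "PO-4713", "recipient_global_user_id": TOKENS["ext2"]["user_uuid"]},
]


def can_open_tasks(claims: dict) -> bool:
    """Login needs only a subject; opening the task list needs user_uuid."""
    return bool(claims.get("user_uuid"))


def tasks_for_principal(claims: dict, tasks: list) -> list:
    """Correlate the way Task Center does: by user_uuid, never by sub/e-mail."""
    if not can_open_tasks(claims):
        raise ValueError("token carries no user_uuid; Identity Authentication "
                         "with its user store enabled must issue it (step 5)")
    gid = claims["user_uuid"]
    return [t["id"] for t in tasks if t["recipient_global_user_id"] == gid]


def name_id_for_task_provider(claims: dict, user_id_source: Optional[str] = None) -> str:
    """Value that ends up in the SAML NameID for principal propagation:
    the subject name identifier by default, or the claim named in the
    destination property userIdSource (e.g. userIdSource=user_uuid)."""
    return claims[user_id_source or "sub"]


def name_id_collisions(tokens: dict, user_id_source: Optional[str] = None) -> set:
    """Name IDs that would identify more than one principal at the provider."""
    counts = Counter(name_id_for_task_provider(c, user_id_source)
                     for c in tokens.values())
    return {nid for nid, n in counts.items() if n > 1}


if __name__ == "__main__":
    for who, claims in TOKENS.items():
        print(who, "->", tasks_for_principal(claims, TASKS))
    print("direct trust can open tasks:", can_open_tasks(DIRECT_TRUST_TOKEN))
    print("collisions with default Name ID:", name_id_collisions(TOKENS))
    print("collisions with userIdSource=user_uuid:",
          name_id_collisions(TOKENS, "user_uuid"))
```

With the default Name ID (the subject), the two contractors collapse into one principal at the task provider; with userIdSource=user_uuid they stay distinct. The token from a directly trusted corporate IdP can still log in, but there is no Global User ID to correlate tasks against, which is the symptom described in step 4.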

 

3.  Sync the Trusted IdP with the Cloud Connector

After configuring Identity Authentication as the trusted IdP for the SAP BTP subaccount, you must synchronize it as a trusted IdP in the SAP cloud connector, which serves as the link between the BTP applications and the SAP S/4HANA on-premise system. See Configure Trusted Entities in the Cloud Connector.

By default, the cloud connector does not trust any entity that issues tokens for principal propagation. If you forget to synchronize your IdP with the cloud connector, your users will get the ‘SSO Token Validation Error’ when opening their tasks in the SAP Task Center.

 

4.  Establish Trust with MS Entra ID

Configure Microsoft Entra ID as the trusted corporate IdP in SAP Cloud Identity Services. For more information, see Configure Trust with OpenID Connect Corporate Identity Provider.

Do not configure the SAP BTP subaccount for SAP Task Center to directly trust the corporate IdP. Instead, establish trust between the subaccount and SAP Cloud Identity Services, which should then trust the corporate IdP.

If the subaccount for SAP Task Center trusts MS Entra ID directly, that is, bypassing the Identity Authentication proxy, users will be able to log into the SAP Task Center but will not be able to open their tasks: the token no longer carries the Global User ID (user_uuid) from the Identity Directory that task correlation depends on (see steps 2 and 5).

Define the corporate identity provider to be the default IdP for the application representing the BTP subaccount. For more information, see Choose a Corporate Identity Provider as Default.

 

5.  Enable Identity Federation

In this scenario, Identity Authentication is not just a proxy passing user attributes from the corporate IdP to the application during authentication. It plays a more active role by providing attributes from its own user store – the Identity Directory, to the token.

- Configure Identity Authentication as the leading IdP for attributes sent to the application, while allowing the corporate IdP to provide additional attributes, if needed. Enable the Use Identity Authentication user store option under Corporate Identity Provider -> Identity Federation. See Configure Identity Federation.

- Review the attributes expected by the SAP Task Center application in the SCI admin console and decide on their source and value. See Map User Attributes from a Corporate Identity Provider for Business Users.

- Ensure the Identity Directory remains the source for user_uuid and groups, as illustrated in step 2. This is necessary if the IdP needs to provide information about the user's group membership to the Task Center application. For example, you might have created a user group in the Identity Directory for SAP Task Center admin users and mapped this group to the role collection that includes the TaskCenterAdmin and TaskCenterTenantOperator roles in the SAP BTP subaccount.

Note: SAP Task Center does not provide specific roles to end users for granting permissions to the application. All logged-in users have access to their task lists. If there are no tasks assigned to a user, their task list will simply be empty. By correlating users to tasks based on the Global User ID, users can only view their own list of tasks.

SAP Task Center provides roles for admin users: TaskCenterAdmin and TaskCenterTenantOperator. See Authorization Configuration.

6.  Sync Users from MS Entra ID to Identity Directory

Users authenticating to SAP Task Center must be present in the user store of SAP Cloud Identity. Therefore, you need to import/provision your MS Entra ID users to the Identity Directory. Choose one of the following options:

- Set up Microsoft Entra ID to automatically provision and deprovision users to SAP Cloud Identity. See Configure SAP Cloud Identity Services for automatic user provisioning.

- Use Identity Provisioning for provisioning users from MS Entra ID to SAP Cloud Identity. See Microsoft Entra ID (Source) and Local Identity Directory (Target).

 

7.  Sync Users from SAP S/4HANA to Identity Directory

In a standard scenario, customers have one system of origin for their identities and provision them to as many target SAP applications as needed using Identity Provisioning. In this particular scenario, SAP S/4HANA is the second system of origin along with MS Entra ID.

The goal of this setup – provisioning from SAP S/4HANA to Identity Directory and back to SAP S/4HANA – is to generate a Global User ID for every SAP S/4HANA user in the directory and then sync it back.

Proposed approach:

Start the user provisioning from SAP AS ABAP source system to the Identity Directory target system. This is needed because SAP AS ABAP serves as the user base for SAP S/4HANA. See SAP Application Server ABAP (Source) and Local Identity Directory (Target).

When using multiple sources to provision identities to one target (Identity Directory), refer to Merging Data from Multiple Sources to control which user attributes come from each source system and avoid overwriting them in the target system.

The default read transformation of AS ABAP does not support the display name user attribute. Since SAP Task Center requires every user to have the Display Name, E-Mail, and Global User ID, you need to modify an attribute mapping of your choice to populate it with the display name value. For example, map ADDRESS.FIRSTNAME to displayName: the first name of the user is then provisioned to the Identity Directory as its display name. Whether a first name alone is a useful display name for approvers is a choice to make per landscape; any other field exposed by the read transformation can be mapped the same way.

Always test your configuration with the Validate and Simulate jobs before running an actual provisioning job. For more information, see Validate Provisioning Job (verifies the content of the user) and Simulate Provisioning Job (estimates the number of provisioned users).
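An added example, not from the blog post and not the Identity Provisioning engine: a small evaluator for the sourcePath/targetPath mapping style of Identity Provisioning transformations, applied to constructed AS ABAP user records, followed by the pre-flight check for the attributes SAP Task Center needs from the source (Display Name and E-Mail; the Global User ID is generated by the Identity Directory on creation). The ABAP field names (USERNAME, ADDRESS.FIRSTNAME, ADDRESS.LASTNAME, ADDRESS.E_MAIL) and the SCIM target paths are assumptions to verify against the default read transformation in your tenant, and the handling of missing and optional attributes is a simplification:

```python
"""Added example (not from the SAP blog post and not Identity Provisioning
itself): evaluate sourcePath/targetPath mappings against constructed AS ABAP
user records and report users that would not satisfy SAP Task Center's
attribute requirements before a real provisioning job is run."""
import re

# Constructed sample records in the shape of an AS ABAP user as read by
# Identity Provisioning. Assumption: the field names mirror the default
# read transformation of the AS ABAP source connector; verify in your tenant.
ABAP_USERS = [
    {"USERNAME": "JSMITH",
     "ADDRESS": {"FIRSTNAME": "John", "LASTNAME": "Smith",
                 "E_MAIL": "john.smith@example.com"}},
    {"USERNAME": "BATCH01",  # technical user: no name, no e-mail
     "ADDRESS": {"FIRSTNAME": "", "LASTNAME": "", "E_MAIL": ""}},
]

# Mappings in the transformation style (sourcePath -> targetPath, optional).
# The last entry is the addition discussed above: displayName from FIRSTNAME.
READ_MAPPINGS = [
    {"sourcePath": "$.USERNAME", "targetPath": "$.userName"},
    {"sourcePath": "$.ADDRESS.FIRSTNAME", "targetPath": "$.name.givenName", "optional": True},
    {"sourcePath": "$.ADDRESS.LASTNAME", "targetPath": "$.name.familyName", "optional": True},
    {"sourcePath": "$.ADDRESS.E_MAIL", "targetPath": "$.emails[0].value", "optional": True},
    {"sourcePath": "$.ADDRESS.FIRSTNAME", "targetPath": "$.displayName", "optional": True},
]

# Source-side attributes SAP Task Center expects on every user.
TASK_CENTER_REQUIRED = ["$.displayName", "$.emails[0].value"]


def _tokens(path: str) -> list:
    """'$.emails[0].value' -> ['emails', 0, 'value'] (dot path, optional index)."""
    if not path.startswith("$."):
        raise ValueError(f"path must start with '$.': {path}")
    out = []
    for part in path[2:].split("."):
        m = re.fullmatch(r"(\w+)(?:\[(\d+)\])?", part)
        if m is None:
            raise ValueError(f"unsupported path segment {part!r} in {path}")
        out.append(m.group(1))
        if m.group(2) is not None:
            out.append(int(m.group(2)))
    return out


def _get(obj, tokens):
    """Walk dicts and lists; None when any segment is absent."""
    for t in tokens:
        if isinstance(t, int):
            if not isinstance(obj, list) or t >= len(obj):
                return None
        elif not isinstance(obj, dict) or t not in obj:
            return None
        obj = obj[t]
    return obj


def _set(obj, tokens, value) -> None:
    """Create intermediate dicts/lists as needed and set the leaf."""
    for t, nxt in zip(tokens, tokens[1:]):
        default = [] if isinstance(nxt, int) else {}
        if isinstance(t, int):
            obj.extend([None] * (t + 1 - len(obj)))
            if obj[t] is None:
                obj[t] = default
            obj = obj[t]
        else:
            obj = obj.setdefault(t, default)
    last = tokens[-1]
    if isinstance(last, int):
        obj.extend([None] * (last + 1 - len(obj)))
    obj[last] = value


def apply_mappings(record: dict, mappings: list) -> dict:
    """Build the target user. Empty or absent source values are skipped for
    optional mappings and rejected otherwise (a simplification of how
    Identity Provisioning treats missing attributes)."""
    target = {}
    for m in mappings:
        value = _get(record, _tokens(m["sourcePath"]))
        if value in (None, ""):
            if m.get("optional"):
                continue
            raise ValueError(f"{m['sourcePath']} is required but missing")
        _set(target, _tokens(m["targetPath"]), value)
    return target


def missing_task_center_attributes(user: dict) -> list:
    return [p for p in TASK_CENTER_REQUIRED if _get(user, _tokens(p)) in (None, "")]


def preflight(records: list, mappings: list) -> dict:
    """Map every record and list the users that would fail Task Center's
    attribute requirements; run next to the Validate and Simulate jobs."""
    problems = {}
    for rec in records:
        user = apply_mappings(rec, mappings)
        missing = missing_task_center_attributes(user)
        if missing:
            problems[user["userName"]] = missing
    return problems


if __name__ == "__main__":
    for rec in ABAP_USERS:
        print(apply_mappings(rec, READ_MAPPINGS))
    print("would fail Task Center requirements:", preflight(ABAP_USERS, READ_MAPPINGS))
```

The technical user BATCH01 is exactly the kind of record that turns a provisioning run into a list of failed entities: with neither a first name nor an e-mail address it gets no displayName and no e-mail, so either exclude such users at the source (for example via a group filter as in step 8) or give them a different mapping.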

 

8.  Update SAP S/4HANA Users with Global User ID

Sync back the users with their newly generated Global User IDs from the Identity Directory to SAP S/4HANA. Your target Local Identity Directory from the previous steps must now be configured as a source system for provisioning to both SAP AS ABAP and SAP S/4HANA On-Premise targets.

You might have created a user group, such as ‘S4HANA’, in the Identity Directory to group together your SAP S/4HANA users, allowing you to filter and provision only those specific users. To ensure proper filtering, refer to the supported filtering parameters in the Identity Directory API available on the SAP Business Accelerator Hub. Incorrect filtering may result in failed provisioning jobs.

 

Every integration scenario is unique and requires careful planning, customization and testing. Hopefully, this blog post offers you some guidance through the myriad of configuration options, choices, and alternatives.

 

 