SAML SAP CRM ABAP - Centrify Product Documentation


Uploaded by lynguyet, posted on 11-May-2018.


Page 1: SAML SAP CRM ABAP - Centrify Product Documentation SAP CRM for ABAP With Centrify as your identity service, you can choose single-sign-on (SSO) access to the SAP CRM for ABAP web application

SAP CRM for ABAP

With Centrify as your identity service, you can choose single-sign-on (SSO) access to the SAP CRM for ABAP web application with IdP-initiated SAML SSO (for SSO access through the Centrify user portal) or SP-initiated SAML SSO (for SSO access directly through the SAP CRM for ABAP web application) or both. Providing both methods gives you and your users maximum flexibility.

If SAP CRM for ABAP is the first application you are configuring for SSO through Centrify Identity Services, read these topics before you get started: Introduction to application management

Configuring Single Sign-On (SSO)

Note This document is written with SAP CRM 7 EHP 3 for ABAP 7.4. If you are not using version 7.4, your interface may differ from the illustrations.

Continue with SAP CRM for ABAP SSO requirements.

SAP CRM for ABAP SSO requirements

Before you configure the SAP CRM for ABAP web application for SSO, you need the following:

SAP CRM for ABAP.

An active SAP CRM for ABAP account with administrator rights for your organization.

SAML2 and other services are activated as described in SAP Note 517484.

Note To access SAP Note 517484, you must have an SAP Service Marketplace login account.

SAP Cryptographic library installed as described in: https://help.sap.com/viewer/a017d0089ae44f879c89d67dbdafd121/2.0/en-US/6baad7178e414716a8fe56d91e6556d5.html

Continue with Adding and configuring SAP CRM for ABAP in Admin Portal.


Adding and configuring SAP CRM for ABAP in Admin Portal

To add and configure the SAP CRM for ABAP application in Admin Portal:

1 In Admin Portal, click Apps, then click Add Web Apps.

The Add Web Apps screen appears.

2 On the Search tab, enter the partial or full application name in the Search field and click the search icon.

3 Next to the application, click Add.

4 In the Add Web App screen, click Yes to confirm.

Admin Portal adds the application.

5 Click Close to exit the Application Catalog.

The application that you just added opens to the Settings page.

6 Click the Trust page to begin configuring the application.

The UI is evolving in order to simplify application configuration. For example, many of the settings previously found on the Application Settings page are now on the Trust page.


You might have to select Manual Configuration to expose those settings, as shown in the following example.

Any previously configured applications retain their configuration and do not require reconfiguration. If you are configuring an application for the first time, refer to the Trust page for any settings previously found on the Application Settings page.

In addition, the description of how to choose and download a signing certificate in this document might differ slightly from your experience. See Choose a certificate file for the latest information.

7 Click Save.

8 Leave the browser tab open to the Admin Portal. You will use it again in Configuring SSO for SAP CRM for ABAP.

9 Continue with Configuring SSO for SAP CRM for ABAP.

Configuring SSO for SAP CRM for ABAP

The following steps are specific to the SAP CRM for ABAP application and are required in order to enable SSO for SAP CRM for ABAP. For information on optional Centrify Admin Portal configuration settings that you may wish to customize for your app, see Optional configuration settings.

To enable and configure SAML 2.0:

1 Open a new browser tab and log in to WebGUI as a SAML2 administrator.

Note If you have pop-ups blocked in your browser, you need to unblock them before the next step, or add an exception for this URL.

2 Call transaction SAML2.

A browser window opens to load the SAML 2.0 Configuration UI. If you have not enabled SAML 2.0 before, you will see the message, “Client is not configured to support SAML 2.0” and the button Enable SAML 2.0 Support. If you do not see this message and button, SAML 2.0 is already enabled and you can skip to Step 5.

3 If visible, click Enable SAML 2.0 Support.

4 Select Create SAML 2.0 Local Provider.

5 At Step 1, in Provider Name, enter CentrifySAML and click Next.

Note If you enter a different provider name here, you must also enter it in the Local Provider Name field in Application Settings of your SAML application. See Step 30 for details.

6 At Step 2, click Next.

7 At Step 3, click Finish to create a Local Provider.

The SAML 2.0 Configuration of ABAP System page appears showing the Local Provider you just created.

8 Click Trusted Providers.

9 Select Add > Uploading Metadata File.

10 In the SAML 2.0 Configuration pop-up window, click Browse and select the metadata file you downloaded in Adding and configuring SAP CRM for ABAP in Admin Portal.

11 Click Next.

12 (Optional) Enter Centrify as the Alias.

If entered, SAP CRM for ABAP will show the name of the alias on the IdP selection screen; if not entered, the selection screen will show the IdP’s Entity ID that was provided in the IdP Metadata.

13 Click Next.

14 On the screen that appears, leave all the default values unchanged and click Next again.

15 Select HTTP Post and click Next.


16 On the screen that appears, leave all the default values unchanged and click Next again.

17 Continue to click Next until you see the Finish button.

18 Click Finish.

19 Select the trusted provider you just created under the List of Trusted Providers.

20 Click Edit.

21 Click Identity Federation under Details of trusted provider.

22 Click Add.

23 Select Unspecified as the Supported NameID Format and click OK.

Note With this option, SAP ABAP will map the SAML Response NameID to the SAP Logon ID. For more NameID options, see https://help.sap.com/viewer/f118a8960caf41808bd374e28a834f58/7.40.16/en-US/f4a4aa9a3f9e47e09f5cc2eeb017c1ec.html

24 Select User ID source as Assertion Subject NameID.

25 Select User ID Mapping Mode as Email.

26 Select YES for Allow Identity Provider to create NameID.

27 Click Save.

28 Click Enable.

29 Click OK to confirm.

The Active icon changes from a gray diamond to a green square.

30 Click the Local Provider tab, then click Select Service Provider Settings.

31 Under RelayState Mapping, click on Add.

32 Enter crm for the RelayState.

33 Enter your application path as the Path, for example: /sap/bc/gui/sap/its/webgui

34 Click OK.

35 Copy the Endpoint Path under Assertion Consumer Service to your clipboard.

36 Click Metadata to download SP metadata and save the file to your computer.

37 Configure the following.

The Copy/Paste Direction column in the table below indicates the direction of the copy and paste operation between the two windows: which window you copy the content from and which corresponding field you paste it into. For instance, a direction of "SAP CRM for ABAP -> Admin Portal" means that you copy the content from the indicated field on the SAP CRM for ABAP Admin Dashboard and paste it into the corresponding field in the Centrify Identity Services Admin Portal.

Admin Portal > Application Settings | Copy/Paste Direction | SAP CRM for ABAP Admin Dashboard | What you do
Service Provider Assertion Consumer Service URL | SAP CRM for ABAP -> Admin Portal | Assertion Consumer Service | Copy the Assertion Consumer Service > Endpoint from Service Provider Settings on the Local Provider tab of SAML 2.0 Configuration of ABAP System and paste it in the Application Settings page in Admin Portal, appending it to https://<FQDN>:<PORT>. For example: https://acme:5200/sap/saml2/sp/acs/001
Local Provider Name | SAP CRM for ABAP -> Admin Portal | Provider Name | Copy the Provider Name from the SAP CRM for ABAP Admin Dashboard and paste it in the Application Settings page in Admin Portal.
N/A | N/A | Alias | Enter the value, for example Centrify Identity Services.
N/A | N/A | Bindings | Select Http POST as the default binding.
N/A | N/A | Supported NameID Formats | Unspecified
N/A | N/A | User ID Source | Assertion Subject NameID
N/A | N/A | User ID Mapping Mode | Email
N/A | N/A | Allow Identity Provider to create NameID | Yes

38 Choose one of the two following methods for synchronizing the Metadata file between the Centrify Admin Portal and the SAP CRM for ABAP Admin Dashboard:

Admin Portal > Application Settings | Copy/Paste Direction | SAP CRM for ABAP Admin Dashboard | What you do
Download Identity Provider Metadata File | Admin Portal -> SAP CRM for ABAP | Upload Metadata File | 1. Click on Download Identity Provider Metadata File on the Application Settings page in Admin Portal, and save it to your computer. 2. Click on Upload Metadata File on the SAP CRM for ABAP Admin Dashboard. 3. Select the metadata file you downloaded from the Admin Portal.

Or:

Admin Portal > Application Settings | Copy/Paste Direction | SAP CRM for ABAP Admin Dashboard | What you do
Upload SP Metadata | SAP CRM for ABAP -> Admin Portal | Metadata | 1. Click on Upload SP Metadata in the Application Settings page in Admin Portal. 2. Select the option Upload SP Metadata from a file. 3. Choose the metadata file you downloaded from the SAP CRM for ABAP Admin Dashboard above. 4. Add the following line to the script on the Advanced page in Admin Portal (the value must match the RelayState you entered in Step 32):

setRelayState('crm');

39 Click Save in both browser windows.

40 (Optional) To configure the SAP CRM for ABAP application for automatic provisioning, see SAP CRM for ABAP provisioning.

SAP CRM for ABAP provisioning

SCIM (System for Cross-domain Identity Management) is an open standard for automating the exchange of user identity information between identity domains, or IT systems. It can be used to automatically provision and deprovision accounts for users in external systems such as your custom SAML app. For more information about SCIM, see www.simplecloud.info.

If your application supports SCIM, you can set it up to enable provisioning by entering the Access Token and SCIM URL.

For more information about provisioning your app, see Setting up generic SCIM provisioning.

For more information about SAP CRM for ABAP

Contact SAP CRM for ABAP for more information about configuring SAP CRM for ABAP for SSO.

Articles that may be helpful:

SAP Single Sign On using SAML2 documentation
https://help.sap.com/viewer/621bb4e3951b4a8ca633ca7ed1c0aba2/7.4.16/en-US/176d45fc91e84ef1bf0152f2b947dc35.html

User Authentication and Single Sign On
https://help.sap.com/viewer/621bb4e3951b4a8ca633ca7ed1c0aba2/7.4.16/en-US/e54344b6d24a05408ca4faa94554e851.html
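Steps 35 through 37 have you read the Assertion Consumer Service endpoint and the Provider Name off the SAP screens and retype them into the Admin Portal. The script below is an added example (not Centrify's or SAP's code) that pulls those same values out of the SP metadata file downloaded in Step 36, so the ACS URL and Local Provider Name can be checked against what was entered by hand; the metadata document and the host/port values in it are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample of an SAP local-provider metadata file (Step 36).
# Host "acme" and port 5200 are placeholders taken from the guide's example.
SAMPLE_SP_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="CentrifySAML">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://acme:5200/sap/saml2/sp/acs/001"/>
    <md:AssertionConsumerService index="1" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://acme:5200/sap/saml2/sp/acs/001"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def sp_settings(metadata_xml: str, base_url: str) -> dict:
    """Return the values the Admin Portal needs from SAP's SP metadata."""
    root = ET.fromstring(metadata_xml)
    sp = root.find("md:SPSSODescriptor", MD_NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")
    # Step 15 / the Bindings row select HTTP POST, so only POST endpoints count.
    post_acs = [a for a in sp.findall("md:AssertionConsumerService", MD_NS)
                if a.get("Binding") == POST_BINDING]
    if not post_acs:
        raise ValueError("no HTTP-POST AssertionConsumerService in metadata")
    acs = next((a for a in post_acs if a.get("isDefault") == "true"), post_acs[0])
    acs_path = urlsplit(acs.get("Location")).path   # the "Endpoint Path" of Step 35
    formats = [f.text.strip() for f in sp.findall("md:NameIDFormat", MD_NS)]
    return {
        "local_provider_name": root.get("entityID"),  # Provider Name of Step 5
        "acs_path": acs_path,
        "acs_url": base_url.rstrip("/") + acs_path,   # https://<FQDN>:<PORT> + path
        "unspecified_nameid": UNSPECIFIED in formats,  # matches Step 23
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
    }


if __name__ == "__main__":
    for key, value in sp_settings(SAMPLE_SP_METADATA, "https://acme:5200").items():
        print(f"{key}: {value}")
```

If unspecified_nameid is False the SAP side is not advertising the NameID format chosen in Step 23, and the Centrify-issued NameID may not map to an SAP Logon ID.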

SAP CRM for ABAP specifications

Each SAML application is different. The following table lists features and functionality specific to SAP CRM for ABAP.

Capability | Supported? | Support details
Web browser client | Yes |
Desktop client | Yes | SAPGui
Mobile client | No |
SAML 2.0 | Yes |
SP-initiated SSO | Yes |
IdP-initiated SSO | Yes |
Force user login via SSO only | No | User may also log in with their own credential using the SSO Bypass URL: <LoginURL>?saml2=disabled. For example: https://crm.censap.com:8080/sap/bc/gui/sap/its/webgui?saml2=disabled
Separate administrator login after SSO is enabled | No |
User or Administrator lockout risk | No | User may also log in with their own credential using the SSO Bypass URL: <LoginURL>?saml2=disabled. For example: https://crm.censap.com:8080/sap/bc/gui/sap/its/webgui?saml2=disabled
Automatic user provisioning | No |
Multiple User Types | No |
Self-service password | Yes |
Access restriction using a corporate IP range | Yes | You can specify an IP Range in the Admin Portal Policy page to restrict access to the application.