In this blog post I am going to explain how you can bypass Azure AD when Azure AD is setup as the identity provider for SSO and identity federation is disabled. As I could not find the information I needed within appropriate time I want to share my limited knowledge on the topic with you.
Lets start with the basics – how does the integration between Azure AD, IAS and S/4HANA Cloud work?
Azure AD provides a user, usually identified by the email address. Once this user successfully logs on to Windows he/she is authorized. When this user now tries to access S/4HANA Cloud the request is passed on to IAS as the central identity and access management for S/4HANA Cloud. IAS receives the information of the successful login and in our case forwards the login name and the successful authentication to S/4HANA Cloud. This usually happens so fast that we won´t even recognize it. User is good to go to use the application. The concept of only logging on to e.g. Azure AD as identity provider is known as Single Sign On (SSO).
If you use an InPrivate window to access the link to S/4HANA, SSO won´t work. However you still need to authenticate with Azure AD:
Also note the link when seeing the screen in the previous picture referencing Microsoft:
In SAP help it says regarding the integration of Microsoft Azure AD:
“Identity Authentication supports the Identity Federation option. This option allows the application to check if the users authenticated by the corporate identity provider exist in the user store of Identity Authentication. In the default setting, the Identity Federation option is disabled. If Identity Federation is enabled, only the users that are imported in Identity Authentication are able to access the application.”
In our case this means in default you have an Azure AD account and an S/4HANA user but no IAS user as this is not required. If you want to bypass however, an IAS user is required.
User Management Process
In the respective case the business users are created using the “Import Employees” functionality (Import Employees App) in the S/4HANA Public Cloud instance. This then creates the system users in the target application.
Once the users are correctly maintained and authorized, they also need to be uploaded in the IAS directly. This can be done using the Import Users functionality requiring a CSV file with very limited information. After they are created, the information can be enhanced under User Management and an initial password needs to be set.
After that the user is good to go via the previously provided link. Once the first login with initial password is successful, the user is prompted to set his/her own password.
Bypass
Users can bypass SSO using a special link, actively addressing IAS directly and referencing the target application explicitly.
https://<IAS_Tenant_ID>.accounts.ondemand.com/saml2/idp/sso?sp=https://<S4_Tenant_ID>.s4hana.ondemand.com&idp=<IAS_Tenant_ID>.accounts.ondemand.com
Using this link results in accessing IAS, which is easily to be seen from the logon page:
And from the logon the user is redirected to the application.
Summary
In order to bypass Azure AD you need to:
- create the target application user
- create (and map) an IAS user
- use a link to force the authentication on the target application via IAS
Let me know if this post was of help and please share any feedback or additional insights in the comments.
Further Reading
SAP Cloud Identity Services | SAP Community
Integrating the Service with Microsoft Azure AD | SAP Help Portal