Set up Microsoft Entra ID, Azure API Management, and SAP for SSO from SAP OData connector
You can set up the Power Platform SAP OData connector to use Microsoft Entra ID credentials for single sign-on (SSO) to SAP. Your users can access SAP data and run SAP Remote Function Calls (RFCs) in Power Platform solutions without having to sign in multiple times to multiple services. This article walks you through the process, including setting up a trust between SAP and Microsoft Entra ID and configuring Azure API Management to convert the Microsoft Entra ID OAuth token to a SAML token that's used to make OData calls to SAP.
Prerequisites
- SAP instance
- Azure API Management resource
Set up SAP as a local SAML provider
To set up a trust relationship between SAP and Microsoft Entra ID using SAML 2.0, first set up SAP as a SAML provider.
Take these steps as an SAP Basis admin in SAP GUI.
To start the SAML 2.0 wizard, enter SAML2 in the Command field.
Select Enable SAML 2.0 Support if it isn't already selected.
Enter a URI-compliant Provider Name.
Microsoft Entra ID requires this value to be URI-compliant. If Provider Name is already set and isn't URI-compliant, don't change it without first consulting your SAP Basis team: changing the Provider Name can break existing SAML configurations, and the steps for changing it are beyond the scope of this article.
Select Metadata, and then select Download Metadata.
You'll upload the SAP SAML metadata to Microsoft Entra ID in a later step.
Create a Microsoft Entra ID enterprise application
With the SAP side of the trust relationship in place, create the other side, a Microsoft Entra ID enterprise application for the SAP system.
Perform these steps as a Microsoft Entra ID admin in the Azure portal.
Select Microsoft Entra ID > Enterprise applications.
Select New application.
Search for SAP NetWeaver.
Give the enterprise application a name, and then select Create.
Go to Single sign-on and select SAML.
Select Upload metadata file and select the metadata file that you downloaded from SAP.
Select Add.
Change the Reply URL (Assertion Consumer Service URL) to the SAP OAuth token endpoint.
The SAP OAuth token endpoint is the URL that Azure API Management uses to obtain tokens on behalf of users. The URL is in the format https://<SAP server>:<port>/sap/bc/sec/oauth2/token.
Change the Sign-on URL to a URI-compliant value.
This parameter isn't used and can be set to any value that's URI-compliant.
Select Save.
Under Attributes & Claims, select Edit.
Confirm that Claim name Unique User Identifier (Name ID) is set to user.userprincipalname [nameid=format:emailAddress].
Under SAML Certificates, select Download for Certificate (Base64) and Federation Metadata XML.
Set up SAP to trust Microsoft Entra ID
With both sides of the trust relationship in place, set up SAP to trust the Microsoft Entra ID enterprise application.
Perform these steps as an SAP Basis admin in SAP GUI.
Run the transaction SAML2.
Select the Trusted Providers tab.
From the Show: dropdown list, select OAuth 2.0 Identity Providers.
Select Add, and then select Upload Metadata File.
Select the metadata XML file that was downloaded from Microsoft Entra ID, and then select Next.
Select the base64 certificate that was downloaded from Microsoft Entra ID, and then select Next.
Select Finish.
In the List of Trusted Providers, select the Microsoft Entra ID entry.
Under Supported NameID Formats, select Add.
Select Email, select OK, and then select Save.
Select Enable, and then select OK.
Create a Microsoft Entra ID application to act as a client
Set up a Microsoft Entra ID application that grants access to the Microsoft Power Platform SAP OData app registration. This application allows an Azure API Management resource to convert OAuth tokens to SAML ones.
Perform these steps as a Microsoft Entra ID admin in the Azure portal.
Select Microsoft Entra ID > App registrations > New Registration.
Enter a Name, and then select Register.
Select Certificates & secrets > New client secret.
Enter a Description, and then select Add.
Copy and save this secret somewhere secure.
Select API Permissions > Add a permission.
Select Microsoft Graph > Delegated permissions.
Search for and select openid.
Select Add permissions.
Select Authentication > Add a platform > Web.
Set Redirect URIs to https://localhost:44326/signin-oidc.
Select Access tokens and ID tokens, and then select Configure.
Select Expose an API.
Next to Application ID URI, select Add.
Accept the default value and select Save.
Select Add a scope.
Set Scope name to user_impersonation.
Set Who can consent? to Admins and users.
Select Add a scope.
Copy the Application (client) ID.
When a Microsoft Entra ID enterprise application is created, it creates a matching app registration. Find the App registration that matches the Microsoft Entra ID enterprise application that you created.
Select Expose an API > Add a client application.
Paste the Application (client) ID into Client ID.
Select the user_impersonation scope, and then select Add application.
Configure SAP OAuth
Create an OAuth 2.0 client in SAP that allows Azure API Management to obtain tokens on behalf of users.
Perform these steps as an SAP Basis admin in SAP GUI.
Run the transaction /nsoauth2.
Select Create.
On the Client ID page:
- For OAuth 2.0 Client ID, select an SAP system user.
- Enter a Description, and then select Next.
On the Client Authentication page, select Next.
On the Grant Type Settings page:
- For Trusted OAuth 2.0 IdP, select the Microsoft Entra ID entry.
- Select Refresh Allowed, and then select Next.
On the Scope Assignment page, select Add, select the OData services that Azure API Management uses, and then select Next.
Select Finish.
Configure Azure API Management
Convert the SAP OData XML metadata to an OpenAPI JSON specification and upload it to Azure API Management. Then, apply an Azure API Management policy to convert the tokens.
In your browser, go to the SAP OData metadata XML and save this file to your desktop.
Use OData Transformer to convert your OData metadata XML file to an OpenAPI JSON specification. Save this file to your desktop.
Open the Azure portal and go to your Azure API Management resource.
Select APIs > Add API.
In the Create from definition dropdown list, select OpenAPI.
Select Select a file, and then select the OpenAPI JSON specification file that you saved to your desktop.
Under APIs, select Named values.
Add the following key/value pairs:
Key | Value |
---|---|
AADSAPResource | SAP local provider URI |
AADTenantId | Your tenant GUID |
APIMAADRegisteredAppClientId | Microsoft Entra ID Application GUID |
APIMAADRegisteredAppClientSecret | Client secret from earlier step |
SAPOAuthClientID | SAP system user |
SAPOAuthClientSecret | SAP system user password |
SAPOAuthRefreshExpiry | Token refresh expiration |
SAPOAuthScope | OData scopes chosen during SAP OAuth configuration |
SAPOAuthServerAddressForTokenEndpoint | SAP endpoint for Azure API Management to call to perform the token acquisition |
SapOdataFirstParty | Microsoft Power Platform SAP OData connector first-party application GUID. This value should always be 6bee4d13-fd19-43de-b82c-4b6401d174c3 |
Apply the Azure API Management token policy
Use Azure API Management policies to convert Microsoft Entra ID tokens into SAML tokens that SAP accepts.
Copy the example Azure API Management policy from Microsoft's GitHub page.
Open the Azure portal.
Go to your Azure API Management resource.
Select APIs, and then select the API that you created by uploading the OpenAPI JSON specification file.
Select All operations.
Under Inbound processing, select Policies </>.
Delete the existing policy and paste the policy that you copied.
Select Save.
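The policy performs two token exchanges: an on-behalf-of request to Microsoft Entra ID that returns a SAML 2.0 assertion for the signed-in user, followed by a SAML 2.0 bearer grant at the SAP token endpoint that returns the SAP access token placed on the OData call. The following Python script is an added example, not the page's or Microsoft's sample policy, that reproduces both exchanges with the same named values so you can check the trust chain outside Azure API Management. All values in NAMED are constructed placeholders; it assumes SAPOAuthServerAddressForTokenEndpoint is the full token endpoint URL and that SAP accepts the assertion in the encoding Entra ID returns it.

```python
import base64
import json
import urllib.parse
import urllib.request

# Named values mirrored from the Azure API Management table above.
# Every value here is a constructed placeholder; replace it with your own.
NAMED = {
    "AADTenantId": "00000000-0000-0000-0000-000000000000",
    "AADSAPResource": "https://sap.example.invalid/local-provider",
    "APIMAADRegisteredAppClientId": "11111111-1111-1111-1111-111111111111",
    "APIMAADRegisteredAppClientSecret": "<client secret>",
    "SAPOAuthClientID": "APIM_SVC_USER",
    "SAPOAuthClientSecret": "<SAP system user password>",
    "SAPOAuthScope": "ZGWSAMPLE_BASIC_0001",
    "SAPOAuthServerAddressForTokenEndpoint":
        "https://sap.example.invalid:44300/sap/bc/sec/oauth2/token",  # assumed full URL
}

def entra_obo_saml_request(user_jwt, nv):
    """Step 1: Entra ID on-behalf-of request asking for a SAML 2.0 assertion, not a JWT."""
    url = f"https://login.microsoftonline.com/{nv['AADTenantId']}/oauth2/token"
    body = {
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "client_id": nv["APIMAADRegisteredAppClientId"],
        "client_secret": nv["APIMAADRegisteredAppClientSecret"],
        "assertion": user_jwt,                 # the caller's Entra ID access token
        "resource": nv["AADSAPResource"],      # the SAP enterprise app (SAP local provider)
        "requested_token_use": "on_behalf_of",
        "requested_token_type": "urn:ietf:params:oauth:token-type:saml2",
    }
    return url, {"Content-Type": "application/x-www-form-urlencoded"}, body

def sap_saml_bearer_request(saml_assertion, nv):
    """Step 2: SAML 2.0 bearer grant (RFC 7522) at SAP, authenticated as the SAP OAuth client."""
    creds = f"{nv['SAPOAuthClientID']}:{nv['SAPOAuthClientSecret']}".encode()
    headers = {"Authorization": "Basic " + base64.b64encode(creds).decode(),
               "Content-Type": "application/x-www-form-urlencoded"}
    body = {"grant_type": "urn:ietf:params:oauth:grant-type:saml2-bearer",
            "assertion": saml_assertion,       # forwarded as returned by Entra ID (assumption)
            "scope": nv["SAPOAuthScope"]}
    return nv["SAPOAuthServerAddressForTokenEndpoint"], headers, body

def http_post(url, headers, form):
    """Real transport: POSTs a form body and returns the parsed JSON response."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=20) as resp:
        return json.load(resp)

def _token(resp):
    """Fails loudly on an OAuth error response instead of forwarding an empty bearer."""
    if "access_token" not in resp:
        raise RuntimeError(resp.get("error_description") or resp)
    return resp["access_token"]

def sap_bearer_header(user_jwt, nv=NAMED, post=http_post):
    """Runs both exchanges; returns the Authorization header the policy puts on the OData call."""
    saml = _token(post(*entra_obo_saml_request(user_jwt, nv)))
    return {"Authorization": "Bearer " + _token(post(*sap_saml_bearer_request(saml, nv)))}
```

Pass a fake `post` callable to exercise the flow offline; with the default transport the script talks to the real endpoints in NAMED.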
Related content
- SAP OData connector
- SAP OData connector now supports OAuth2 and SAP Principal Propagation | Power Automate community blog