Set up Microsoft Entra ID, Azure API Management, and SAP for SSO from SAP OData connector

You can set up the SAP OData connector for Power Platform to use Microsoft Entra ID credentials for single sign-on (SSO) to SAP. By using this method, your users can access SAP data in Power Platform solutions without signing in multiple times to multiple services. The solution respects their authorizations and assigned roles in SAP.

This article walks you through the process, including setting up a trust between SAP and Microsoft Entra ID and configuring Azure API Management to convert the Microsoft Entra ID OAuth token to a SAML token that's used to make OData calls to SAP.

For additional insights and context into the setup process, see the blog post Hurray! SAP OData connector now supports OAuth2 and SAP Principal Propagation.

Prerequisites

Before you begin the setup process, make sure you have the following resources in place:

• SAP instance
• Microsoft Entra ID
• Azure API Management (APIM) resource
• Admin privileges:
  • SAP Basis admin
  • Microsoft Entra ID – cloud or app admin

Named values

This section lists named values to make the examples easier to follow. These values are reused throughout the article and referenced in later sections. When following the examples in this article, be sure to replace the named values with your own values.

Step 1: Download local provider SAML metadata from SAP

Set up a trust relationship between SAP and Microsoft Entra ID using SAML 2.0. To get started, download the SAP SAML 2.0 metadata XML file. As an SAP Basis admin, take these steps in SAP GUI:

1. Run the transaction code SAML2 to open the SAP client-dependent SAML 2.0 configuration wizard. If you need to enable SAML 2.0, go to the SAP Help Portal.
2. Select the Local Provider tab, and save the SAP local provider name, AADSAPResource, by following the sample value guidance in the named values table. It must be URI-compliant.
3. Select Metadata and then select Download Metadata. You'll upload the SAP SAML metadata XML file to Microsoft Entra ID in a later step.

For more information, see SAP's official documentation.

Step 2: Import SAP SAML metadata XML into Microsoft Entra ID enterprise application

Create a Microsoft Entra ID enterprise application and import the SAP SAML 2.0 metadata XML file. As a Microsoft Entra ID administrator, take these steps in the Azure portal:

1. Create Microsoft Entra ID enterprise application:

   1. Search for and select Microsoft Entra ID.
   2. In the left navigation pane, expand Manage > Enterprise applications.
   3. Select New application.
   4. Search for SAP Netweaver.
   5. Enter a name for the enterprise application, select Create, and save the Application (client) ID as SAP NetWeaver Enterprise Application Client ID as seen in the named values table.

2. Import the SAP SAML 2.0 metadata XML file:

   1. Go to Single sign-on and select SAML.
   2. Select Upload metadata file and upload the SAP SAML metadata XML file.
   3. Select Add.
   4. Verify that the Identifier (Entity ID) matches the value of AADSAPResource. This value is case-sensitive.
   5. Update the Reply URL (Assertion Consumer Service URL) to the SAP OAuth token endpoint in the following format: https://<SAP server>:<port>/sap/bc/sec/oauth2/token?sap-client=<client ID>.
   6. Update the Sign-on URL to any URI-compliant value. SAP doesn't use this value.
   7. Select Save.

3. Confirm the correct attribute is set:

   1. Go to the Attributes & Claims section.
   2. Select Edit.
   3. Confirm that Claim name Unique User Identifier (Name ID) is set to user.userprincipalname [nameid="{email address}"].

4. Download the certificates:

   1. Go to the SAML Certificates section.

   2. Select the download links for:

      • Certificate (Base64).
      • Federation Metadata XML.

5. Add users and groups:

   1. Go to the Users and groups section.
   2. Select Add users/group.
   3. Select Users and groups.
   4. Search and select ALL Company and then select assign.

Step 3: Configure Microsoft Entra ID as a trusted identity provider for OAuth 2.0 in SAP

Configure SAP to allow Microsoft Entra ID to issue tokens for SAP OAuth 2.0 authentication. As an SAP Basis admin, take these steps in SAP GUI:

1. Run transaction SAML2.
2. Select the Trusted Provider tab, and then choose Oauth2.0 Identify provider.
3. Select Add, choose Upload Metadata File, and upload the Federation Metadata XML file and the Certificate (Base64) file that you downloaded from Microsoft Entra ID.
4. Save the configuration, select Edit, and then select Add.
5. Select Email as the supported NameID format, then save and enable the provider.

Step 4: Create and map an SAP user to the Microsoft Entra ID user

Create and map an SAP user that maps to the Microsoft Entra ID user (james@contoso.com) who uses SSO from Power Platform. As an SAP Basis admin, take these steps in SAP GUI:

1. Run transaction SU01 to create a new user.
2. Enter a Last Name (for example, OAUTH-JAMES). Save this value as "SAPOAuthClientID" in the named values table.
3. Enter james@contoso.com as the Email address.
4. Select the Logon Data tab, set User Type to System.
5. Create a password for the user. Save this password as SAPOAuthClientSecret as seen in the named values table.

Step 5: Create an OAuth 2.0 client in SAP

Create an OAuth 2.0 client in SAP so Azure API Management can get tokens on behalf of users. As an SAP Basis admin, follow these steps in SAP GUI:

1. Run transaction SOAUTH2.

2. Select Create.

3. On the Client ID page:

   1. Go to OAuth 2.0 Client ID and select the SAP system user: OAUTH-JAMES.
   2. Enter a description, and then select Next.

4. On the Client Authentication page, select Next.

5. On the Grant Type Settings page:

   • Go to Trusted OAuth 2.0 IdP and select the Microsoft Entra ID entry.
   • Select Refresh Allowed, and then select Next.

6. On the Scope Assignment page, select Add and choose the OData services that Azure API Management uses (for example, ZAPI_BUSINESS_PARTNER_0001), and then select Next. Save ZAPI_BUSINESS_PARTNER_0001 as SAPOAuthScope as seen in the named values table.

7. Select Finish.

For more information, see the SAP documentation and SAP's official documentation about SAP NETWEAVER for additional details.

Step 6: Register the Microsoft Entra ID application

Register the Microsoft Entra ID application that represents the Azure API Management resource and grants access to the Microsoft Power Platform SAP OData connector. By using this application, Azure API Management can exchange OAuth tokens for SAML tokens.

As a Microsoft Entra ID administrator, take these steps in the Azure portal:

1. Name and register the application:

   1. Select Microsoft Entra ID > App registrations > New Registration.
   2. Enter a Name, and then select Register. Save the client ID as APIMAADRegisteredAppClientId as seen in the named values table.
   3. Go to Certificates & secrets, select New client secret, enter a description, and select Add. Save the secret value as APIMAADRegisteredAppClientSecret as seen in the named values table.

2. Configure API permissions:

   1. Select API Permissions > Add a permission.
   2. Select Microsoft APIS > Microsoft Graph > Delegated permissions, search for and select openid, and then select Add permissions.
   3. Select Add a permission again.
   4. Select APIs my organization uses > search for the SAP NetWeaver application you created earlier, and select user_impersonation.
   5. Return to the API permissions page and select Grant admin consent for both permissions.

3. Expose the API for Azure API Management:

   1. Select Expose an API.

   2. Next to Application ID URI, select Add, accept the default value, and select Save. Save this value as "Microsoft Entra ID Resource URI (Application ID URI)" in the named values table.

   3. Select Add a scope and take these steps:

      1. Set Scope name to user_impersonation.
      2. Set Who can consent? to Admins and users, and then selectAdd scope.

4. Authorize Azure API Management and the Microsoft Power Platform SAP OData connector:

   1. On the Expose an API page, select Add a client application.
   2. Enter the "SAP NetWeaver Enterprise Application Client ID" from named values table, check Authorized sopes, and then select Add application.
   3. Select Add a client application again.
   4. Enter 6bee4d13-fd19-43de-b82c-4b6401d174c3 as the Client ID, check Authorized scopes, and then select Add application. This is the client ID of the Power Platform SAP OData connector.

Step 7: Create a user-assigned managed identity for Azure API Management

Create a user-assigned managed identity and assign it to your Azure API Management instance. By using a user-assigned managed identity with Azure API Management, the platform handles authentication automatically, eliminating the need to manage or rotate APIMAADRegisteredAppClientSecret.

As a Microsoft Entra ID administrator, take the following steps in the Azure portal:

1. Create a user-assigned managed identity:

   1. Select Create a resource > search for and select User Assigned Managed Identity by Microsoft
   2. Enter the name and resource group, and then select Review + create. Save the Client ID as APIMUserAssignedManagedIdentityId as seen in the named values table.

2. Assign the managed identity to Azure API Management:

   1. Open your Azure API Management instance.
   2. Go to Security > Managed identities.
   3. Select the User assigned tab, select Add, choose the managed identity you created, and then select Add.

Step 8: Configure Azure API Management

Import the SAP OData metadata into Azure API Management, and then apply an API Management policy to handle token conversion. As a Microsoft Entra ID administrator, take the following steps in the Azure portal:

1. Retrieve the SAP OData metadata:

   1. Call the SAP service metadata endpoint. For example: https://<SAPendpoint>:<port>/sap/opu/odata/sap/API_BUSINESS_PARTNER/$metadata. The exact URL depends on your SAP service configuration.
   2. Save the response as an SAP OData metadata XML file.

2. Import the OData API into Azure API Management:

   1. Open your Azure API Management instance.
   2. Select APIs > Add API > OData.
   3. Upload the SAP OData metadata XML file.
   4. Enter a name and the API URL suffix. For example, jms/sap/opu/odata/sap.
   5. Save the Base URL as "Odata Base URI" in the named values table.
   6. Under All APIs, verify that your API (for example, API_BUSINESS_PARTNER_Entities) appears and that the entity sets and functions are listed.

3. Configure named values:

   1. In APIs, select Named values.
   2. Add the following key/value pairs that are in the named values table: AADSAPResource, AADTenantId, APIMAADRegisteredAppClientId, APIMAADRegisteredAppClientSecret, APIMUserAssignedManagedIdentityId, SAPOAuthClientID, SAPOAuthClientSecret, SAPOAuthRefreshExpiry, SAPOAuthScope, SAPOAuthServerAddressForTokenEndpoint.

Step 9: Apply the Azure API Management token policy

Use Azure API Management policies to convert a Microsoft Entra ID–issued token into a token accepted by SAP NetWeaver. For more information, see official SAP documentation.

As a Microsoft Entra ID administrator, take the following steps:

1. Copy the Azure API Management policy from the Microsoft GitHub repository: Azure API Management policy.

2. Sign in to the Azure portal.

3. Open your Azure API Management resource.

4. Select APIs, and then select the OData API you created earlier.

5. Select All operations.

6. In the Inbound processing section, select Policies </>.

7. Replace the existing policy with the policy that you copied.

8. Select Save.

Related content

• SAP OData connector
• SAP OData connector now supports OAuth2 and SAP Principal Propagation | Power Automate community blog
• Azure API Management policy for SAP SuccessFactors | GitHub
• SAP OData connector for SAP SuccessFactors | SAP community blog
• The SAP Business Accelerator Hub also offers content related to the SAP integration suite policy for SuccessFactors and NetWeaver. You must have an SAP account to access this content.