Configure authentication for SAP Procurement solutions
The SAP ERP connector is designed so multiple people can access and use an application at once; therefore, the connections aren't shared. The user credentials are provided in the connection, while other details required to connect to the SAP system (like server details and security configuration) are provided as part of the action.
Enabling single sign-on (SSO) makes it easy to refresh data from SAP while adhering to user-level permissions configured in SAP. There are several ways you can set up SSO for streamlined identity and access management.
The SAP ERP connector supports the following authentication types:
Authentication type | How a user connects | Configuration steps
---|---|---
SAP authentication | Use an SAP user name and password to access the SAP server. | Step 4
Windows authentication | Use a Windows user name and password to access the SAP server. | Steps 1, 2, 3, 4
Microsoft Entra ID authentication | Use Microsoft Entra ID to access the SAP server. | Steps 1, 2, 3, 4
Note
Specific administrative privileges are required to set up SSO in Microsoft Entra ID and SAP. Be sure to obtain the necessary admin privileges for each system before setting up SSO.
More information:
Step 1: Configure Kerberos constrained delegation
Kerberos constrained delegation (KCD) provides secure user or service access to resources permitted by administrators without multiple requests for credentials. Configure Kerberos constrained delegation for Windows and Microsoft Entra ID authentication.
Run the gateway Windows service as a domain account that has Service Principal Names (SPNs) registered for it (with SetSPN).
Configuration tasks:
1. Configure an SPN for the gateway service account. As a domain administrator, use the Setspn tool that comes with Windows to enable delegation.
2. Adjust communication settings for the gateway. Enable outbound Microsoft Entra ID connections and review your firewall and port setups to ensure communication.
3. Configure for standard Kerberos constrained delegation. As a domain administrator, configure a domain account for a service so it restricts the account to run on a single domain.
4. Grant the gateway service account local policy rights on the gateway machine.
5. Add the gateway service account to the Windows Authorization Access Group.
6. Set user-mapping configuration parameters on the gateway machine.
7. Change the gateway service account to a domain account. In a standard installation, the gateway runs as the default machine-local service account, `NT Service\PBIEgwService`. It must run as a domain account in order to obtain Kerberos tickets on behalf of users for SSO.
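The Active Directory side of tasks 1, 3 and 5 above (SPN registration, constrained delegation to the SAP server, group membership), as an added PowerShell example that is not part of this page or of the gateway product. It assumes the RSAT `ActiveDirectory` module on a domain-joined admin workstation; the account name `gwsvc`, the gateway SPN `gateway/gw01.corp.contoso.com` and the SAP target SPN `SAP/sapapp01.corp.contoso.com` are placeholders to replace with your own values. Enabling protocol transition (`TrustedToAuthForDelegation`) is an assumption made here because the end user reaches the gateway with Windows or Entra ID credentials rather than a Kerberos ticket of their own.

```powershell
# Added example (not from the page). Run as a domain administrator.
Import-Module ActiveDirectory

$gatewayAccount = 'CONTOSO\gwsvc'                  # placeholder: domain account the gateway service runs as
$gatewaySam     = 'gwsvc'
$gatewaySpn     = 'gateway/gw01.corp.contoso.com'  # placeholder SPN; host part is the gateway machine's FQDN
$sapSpn         = 'SAP/sapapp01.corp.contoso.com'  # placeholder: SPN held by the SAP server's SNC identity

# Task 1: register the SPN. 'setspn -S' checks the forest for duplicates before adding,
# so a mis-typed or already-claimed SPN fails loudly instead of silently breaking Kerberos.
setspn -S $gatewaySpn $gatewayAccount
if ($LASTEXITCODE -ne 0) { throw "setspn failed with exit code $LASTEXITCODE" }

# Task 3: constrained delegation. The gateway account may delegate ONLY to the SAP SPN
# listed in msDS-AllowedToDelegateTo; no other service can be reached with the
# delegated identity, which is the least-privilege property of constrained delegation.
Set-ADUser -Identity $gatewaySam -Add @{ 'msDS-AllowedToDelegateTo' = $sapSpn }
# Protocol transition (assumption, see lead-in): lets the gateway obtain a ticket for a
# user who did not authenticate to it with Kerberos.
Set-ADAccountControl -Identity $gatewaySam -TrustedToAuthForDelegation $true

# Task 5: group membership (the group's actual sAMAccountName in AD).
Add-ADGroupMember -Identity 'Windows Authorization Access Group' -Members $gatewaySam

# Verification that can be re-run after a change: reads back the three settings.
function Test-GatewayDelegation {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$ExpectedSpn,
        [Parameter(Mandatory)][string]$ExpectedTarget
    )
    $u = Get-ADUser -Identity $SamAccountName -Properties ServicePrincipalName,
        'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation, MemberOf
    [pscustomobject]@{
        HasGatewaySpn      = $u.ServicePrincipalName -contains $ExpectedSpn
        DelegatesOnlyToSap = (@($u.'msDS-AllowedToDelegateTo') -join ',') -eq $ExpectedTarget
        ProtocolTransition = [bool]$u.TrustedToAuthForDelegation
        InWaaGroup         = [bool]($u.MemberOf | Where-Object { $_ -like 'CN=Windows Authorization Access Group,*' })
    }
}

Test-GatewayDelegation -SamAccountName $gatewaySam -ExpectedSpn $gatewaySpn -ExpectedTarget $sapSpn
```

`DelegatesOnlyToSap` is deliberately strict: if the account has accumulated extra delegation targets over time, the check reports `False` so you can prune them, since every extra SPN widens what an attacker who compromises the gateway account could reach.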
More information:
Step 2: Configure SAP ERP to enable using CommonCryptoLib (sapcrypto.dll)
To use SSO to access your SAP server, make sure:
- You configure your SAP server for Kerberos SSO using CommonCryptoLib as its Secure Network Communication (SNC) library.
- Your SNC name starts with CN.
Important
Ensure that SAP Secure Login Client (SLC) isn't running on the computer the gateway is installed on. SLC caches Kerberos tickets in a way that can interfere with the gateway's ability to use Kerberos for SSO. For more information, review SAP Note 2780475 (s-user required).
1. Download 64-bit CommonCryptoLib (`sapcrypto.dll`) version 8.5.25 or later from the SAP Launchpad, and copy it to a folder on your gateway machine.
2. In the same directory where you copied `sapcrypto.dll`, create a file named `sapcrypto.ini` with the following content:
   ```ini
   ccl/snc/enable_kerberos_in_client_role = 1
   ```
   The `.ini` file contains the configuration information CommonCryptoLib needs to enable SSO in the gateway scenario. Ensure that the path (such as `c:\sapcryptolib\`) contains both `sapcrypto.ini` and `sapcrypto.dll`; the `.dll` and `.ini` files must exist in the same location.
3. Grant permissions on both the `.ini` and `.dll` files to the Authenticated Users group. Both the gateway service user and the Active Directory user that the service user impersonates need read and execute permissions for both files.
4. Create a `CCL_PROFILE` system environment variable and set its value to the full path of `sapcrypto.ini`.
5. Restart the gateway service.
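The five steps above as one script, added here as an example and not taken from the page or from Microsoft or SAP. It assumes the library folder `C:\sapcryptolib` with `sapcrypto.dll` already copied into it, the service name `PBIEgwService` named earlier on this page, and that the Secure Login Client can be recognised by the file description of its process (a heuristic, not an SAP-documented check). Run it from an elevated PowerShell session on the gateway machine.

```powershell
# Added example (not from the page). Run elevated on the gateway machine.
$libDir  = 'C:\sapcryptolib'          # assumption: folder chosen for CommonCryptoLib
$dll     = Join-Path $libDir 'sapcrypto.dll'
$ini     = Join-Path $libDir 'sapcrypto.ini'
$service = 'PBIEgwService'            # default gateway service name from the page

# Pre-checks: DLL present, version 8.5.25 or later, and Secure Login Client not running
# (SLC's Kerberos ticket cache interferes with the gateway's SSO).
if (-not (Test-Path $dll)) { throw "Copy the 64-bit sapcrypto.dll to $libDir first." }
$vi = (Get-Item $dll).VersionInfo
$fileVersion = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
if ($fileVersion -lt [version]'8.5.25') { throw "sapcrypto.dll is $fileVersion; 8.5.25 or later is required." }
$slc = Get-Process | Where-Object { try { $_.Description -like '*Secure Login Client*' } catch { $false } }
if ($slc) { throw "SAP Secure Login Client appears to be running ($($slc.Name -join ', ')); stop it first." }

# Step 2: sapcrypto.ini beside the DLL, written as plain ASCII.
Set-Content -Path $ini -Value 'ccl/snc/enable_kerberos_in_client_role = 1' -Encoding Ascii

# Step 3: Read & Execute for Authenticated Users on both files. That single ACE covers the
# gateway service account and every Active Directory user it impersonates, with no write
# access, so neither the DLL nor the policy file can be altered through this grant.
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList 'Authenticated Users', 'ReadAndExecute', 'Allow'
foreach ($file in @($dll, $ini)) {
    $acl = Get-Acl -Path $file
    $acl.SetAccessRule($rule)
    Set-Acl -Path $file -AclObject $acl
}

# Step 4: CCL_PROFILE at Machine scope; a User-scoped variable is invisible to the service.
[Environment]::SetEnvironmentVariable('CCL_PROFILE', $ini, 'Machine')

# Step 5: restart so the service process picks up the new environment variable.
Restart-Service -Name $service

# Verification that can be re-run at any time.
function Test-CommonCryptoLibSetup {
    param([Parameter(Mandatory)][string]$Dll, [Parameter(Mandatory)][string]$Ini)
    $profilePath = [Environment]::GetEnvironmentVariable('CCL_PROFILE', 'Machine')
    [pscustomobject]@{
        BothFilesPresent = (Test-Path $Dll) -and (Test-Path $Ini)
        SameFolder       = (Split-Path $Dll) -eq (Split-Path $Ini)
        IniEnablesKrb    = [bool]((Get-Content $Ini) -match '^ccl/snc/enable_kerberos_in_client_role\s*=\s*1\s*$')
        ProfilePointsIni = $profilePath -eq $Ini
        ServiceRunning   = (Get-Service -Name $service).Status -eq 'Running'
    }
}

Test-CommonCryptoLibSetup -Dll $dll -Ini $ini
```

If `ProfilePointsIni` is `False` after a restart, the usual cause is that `CCL_PROFILE` was set in the user scope of the admin session rather than the machine scope the service reads.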
More information: Use Kerberos single sign-on for SSO to SAP BW using CommonCryptoLib
Step 3: Enable SAP SNC for Azure AD and Windows authentication
The SAP ERP connector supports Microsoft Entra ID and Windows Server AD authentication by enabling SAP's Secure Network Communication (SNC). SNC is a software layer in the SAP system architecture that provides an interface to external security products so that secure single sign-on to SAP environments can be established. The following property guidance helps with setup.

Property | Description
---|---
Use SNC | Set to Yes if you want to enable SNC.
SNC library | The SNC library name or path, either relative to the NCo installation location or absolute. Examples: `sapcrypto.dll` or `c:\sapcryptolib\sapcryptolib.dll`.
SNC SSO | Specifies whether the connector uses the identity of the service or the end user's credentials. Set to On to use the identity of the end user.
SNC Partner Name | The name of the back-end SNC server. Example: `p:CN=SAPserver`.
SNC Quality of Protection | The quality of service used for SNC communication with this particular destination or server. The default value is defined by the back-end system. The maximum value is defined by the security product used for SNC.
The SAP SNC name for the user must equal the user's Active Directory fully qualified domain name. For example, `p:CN=JANEDOE@REDMOND.CORP.CONTOSO.COM` must equal `JANEDOE@REDMOND.CORP.CONTOSO.COM`.
Note
Microsoft Entra ID authentication only: the Active Directory account that serves as the SAP service principal must have AES 128 or AES 256 set on its `msDS-SupportedEncryptionTypes` attribute.
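A check for the two requirements just stated (the user's SNC name and the AES encryption types on the SAP service principal account), added here as an example that is not part of the page or of any Microsoft or SAP tooling. It assumes the RSAT `ActiveDirectory` module, that the user's "fully qualified domain name" is the Active Directory `userPrincipalName` upper-cased as in the page's `JANEDOE@REDMOND.CORP.CONTOSO.COM` example, and that the SAP service principal is a user account; `janedoe` and `sapsvc` are placeholder account names.

```powershell
# Added example (not from the page). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Bit flags of msDS-SupportedEncryptionTypes as defined by Microsoft.
$AES128 = 0x08   # AES128-CTS-HMAC-SHA1-96
$AES256 = 0x10   # AES256-CTS-HMAC-SHA1-96

function Get-ExpectedSncName {
    # Builds the SNC name the gateway presents for an AD user, e.g.
    # p:CN=JANEDOE@REDMOND.CORP.CONTOSO.COM (assumption: derived from the UPN, upper-cased).
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties UserPrincipalName
    if (-not $u.UserPrincipalName) { throw "$SamAccountName has no userPrincipalName; SNC mapping cannot work." }
    'p:CN=' + $u.UserPrincipalName.ToUpperInvariant()
}

function Test-SncNameMapping {
    # Compares the SNC name maintained for the user on the SAP side with the expected one.
    # Case-sensitive on purpose: SNC names are matched literally.
    param([Parameter(Mandatory)][string]$SamAccountName, [Parameter(Mandatory)][string]$SapSncName)
    $expected = Get-ExpectedSncName -SamAccountName $SamAccountName
    [pscustomobject]@{ Expected = $expected; Configured = $SapSncName; Match = ($expected -ceq $SapSncName) }
}

function Enable-SapPrincipalAes {
    # Ensures AES128 and AES256 are present in msDS-SupportedEncryptionTypes on the
    # account holding the SAP server's SPN. Existing bits are kept (OR-ed), so nothing
    # the account already negotiates is removed; returns the resulting value.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $attr = 'msDS-SupportedEncryptionTypes'
    $acct = Get-ADUser -Identity $SamAccountName -Properties $attr
    $current = [int]($acct.$attr)              # unset attribute -> $null -> 0
    $wanted  = $AES128 -bor $AES256
    if (($current -band $wanted) -ne $wanted) {
        Set-ADUser -Identity $SamAccountName -Replace @{ $attr = ($current -bor $wanted) }
    }
    (Get-ADUser -Identity $SamAccountName -Properties $attr).$attr
}

# Placeholder accounts; replace with the real user and SAP service principal account.
Test-SncNameMapping -SamAccountName 'janedoe' -SapSncName 'p:CN=JANEDOE@REDMOND.CORP.CONTOSO.COM'
Enable-SapPrincipalAes -SamAccountName 'sapsvc'
```

A result of 24 (0x18) from `Enable-SapPrincipalAes` means exactly AES128 and AES256 are enabled; a larger value means older types such as RC4 are still present alongside them and can be reviewed separately.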
Step 4: Set up SAP server and user accounts to allow actions
Review SAP Note 460089 - Minimum authorization profiles for external RFC programs to learn more about the supported user-account types and the minimum required authorization for each action type, like remote function call (RFC), business application programming interface (BAPI), and intermediate document (IDOC).
SAP user accounts need access to the `RFC_Metadata` function group and the respective function modules for the following operations:

Operations | Access to function modules
---|---
RFC actions | `RFC_GROUP_SEARCH` and `DD_LANGU_TO_ISOLA`
Read Table action | Either `BBP_RFC_READ_TABLE` or `RFC_READ_TABLE`
Strict minimum access to the SAP server for your SAP connection | `RFC_METADATA_GET` and `RFC_METADATA_GET_TIMESTAMP`
Related content
- [SAP Single Sign-On](https://help.sap.com/docs/SAP_SINGLE_SIGN-ON)
- Secure Login for SAP Single Sign-On Implementation Guide
- SAP Identity and Access Management (IAM) Help Portal
- SAP ERP connector
- Azure Logic Apps SAP connector
- Data loss prevention (DLP) policies
- Hybrid architecture design
Next step
Install the SAP Procurement template