Configure authentication for SAP Procurement solutions

The SAP ERP connector is designed so multiple people can access and use an application at once; therefore, the connections aren't shared. The user credentials are provided in the connection, while other details required to connect to the SAP system (like server details and security configuration) are provided as part of the action.

Enabling single sign-on (SSO) makes it easy to refresh data from SAP while adhering to user-level permissions configured in SAP. There are several ways you can set up SSO for streamlined identity and access management.

The SAP ERP connector supports the following authentication types:

| Authentication type | How a user connects | Configuration steps |
|---|---|---|
| SAP authentication | Use an SAP user name and password to access the SAP server. | Step 4 |
| Windows authentication | Use a Windows user name and password to access the SAP server. | Steps 1, 2, 3, 4 |
| Microsoft Entra ID authentication | Use Microsoft Entra ID to access the SAP server. | Steps 1, 2, 3, 4 |

Note

Specific administrative privileges are required to set up SSO in Microsoft Entra ID and SAP. Be sure to obtain the necessary admin privileges for each system before setting up SSO.

Step 1: Configure Kerberos constrained delegation

Kerberos constrained delegation (KCD) provides secure user or service access to resources permitted by administrators without multiple requests for credentials. Configure Kerberos constrained delegation for Windows and Microsoft Entra ID authentication.

Traffic flow diagram of the on-premises data gateway.

Run the gateway Windows service as a domain account with Service Principal Names (SPNs) (SetSPN).

Configuration tasks:

  1. Configure an SPN for the gateway service account. As a domain administrator, use the Setspn tool that ships with Windows to register the SPN; Kerberos delegation can only be configured for an account that has an SPN.

  2. Adjust communication settings for the gateway. Enable outbound Microsoft Entra ID connections and review your firewall and port setups to ensure communication.

  3. Configure for standard Kerberos constrained delegation. As a domain administrator, configure a domain account for a service so it restricts the account to run on a single domain.

  4. Grant the gateway service account local policy rights on the gateway machine.

  5. Add gateway service account to Windows Authorization and Access Group.

  6. Set user-mapping configuration parameters on the gateway machine.

  7. Change the gateway service account to a domain account. In a standard installation, the gateway runs as the default machine-local service account, NT Service\PBIEgwService. It must run as a domain account so that it can obtain Kerberos tickets on behalf of users for SSO.
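The following PowerShell script is an added example, not part of the Microsoft page, showing how tasks 1, 3 and 5 above can be carried out from a domain-joined machine with the ActiveDirectory module, running as a domain administrator. The account name svc-gateway, the host name GW01.contoso.com and the SAP SNC service principal SAP/svc-sapsnc are placeholders assumed for illustration; substitute the values from your own environment (the SAP-side SPN is whatever your SAP Basis team registered for Kerberos SNC).

```powershell
# Added example (not from the Microsoft page) for Step 1 tasks 1, 3 and 5.
# Run on a domain-joined machine with the ActiveDirectory module, as a domain admin.
# Placeholders (assumed, not values from the page):
#   - the gateway service runs as the domain account svc-gateway
#   - the gateway host is GW01.contoso.com
#   - the SAP SNC Kerberos service principal is SAP/svc-sapsnc
Import-Module ActiveDirectory

$GatewayAccount = 'svc-gateway'
$GatewayHost    = 'GW01.contoso.com'
$SapSncSpn      = 'SAP/svc-sapsnc'

# Task 1: register an SPN on the gateway service account.
# -S checks for an existing duplicate SPN in the forest before adding it.
setspn -S "gateway/$GatewayHost" $GatewayAccount

# Task 3: standard (Kerberos-only) constrained delegation. The gateway account may
# present delegated user tickets only to the services listed in this attribute,
# which keeps a compromised gateway from delegating to anything else.
Set-ADUser -Identity $GatewayAccount -Add @{ 'msDS-AllowedToDelegateTo' = $SapSncSpn }

# Task 5: add the account to the built-in group that allows reading a user's
# token groups (the group is named "Windows Authorization Access Group" in AD).
Add-ADGroupMember -Identity 'Windows Authorization Access Group' -Members $GatewayAccount

# Verify what was set: SPNs, delegation targets and group membership.
setspn -L $GatewayAccount
Get-ADUser -Identity $GatewayAccount -Properties 'msDS-AllowedToDelegateTo', MemberOf |
    Select-Object Name, 'msDS-AllowedToDelegateTo', MemberOf
```

The delegation target is deliberately limited to the one SAP SPN: with constrained delegation the gateway account can only impersonate users toward services named in msDS-AllowedToDelegateTo, so keep that list as short as the integration requires.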

Step 2: Configure SAP ERP to enable using CommonCryptoLib (sapcrypto.dll)

To use SSO to access your SAP server, make sure:

  • You configure your SAP server for Kerberos SSO using CommonCryptoLib as its Secure Network Communication (SNC) library.
  • Your SNC name starts with CN.

Important

Ensure that SAP Secure Login Client (SLC) isn't running on the computer the gateway is installed on. SLC caches Kerberos tickets in a way that can interfere with the gateway's ability to use Kerberos for SSO. For more information, review SAP Note 2780475 (s-user required).

  1. Download 64-bit CommonCryptoLib (sapcrypto.dll) version 8.5.25 or later from the SAP Launchpad, and copy it to a folder on your gateway machine.

  2. In the same directory where you copied sapcrypto.dll, create a file named sapcrypto.ini, with the following content:

    ccl/snc/enable_kerberos_in_client_role = 1

    The .ini file contains the configuration that CommonCryptoLib needs to enable SSO in the gateway scenario. Ensure that the path (for example, c:\sapcryptolib\) contains both sapcrypto.ini and sapcrypto.dll; the .dll and .ini files must be in the same location.

  3. Grant permissions to both the .ini and .dll files to the Authenticated Users group. Both the gateway service user and the Active Directory user that the service user impersonates need read and execute permissions for both files.

  4. Create a CCL_PROFILE system environment variable and set its value to the full path of sapcrypto.ini (for example, c:\sapcryptolib\sapcrypto.ini).

  5. Restart the gateway service.
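Steps 2 through 5 can be scripted on the gateway machine. The script below is an added example (not from the Microsoft page or the gateway product); it assumes sapcrypto.dll has already been downloaded to C:\sapcryptolib\ and that the gateway Windows service is named PBIEgwService, the default service name given above.

```powershell
# Added example (not from the Microsoft page): sets up CommonCryptoLib for the
# on-premises data gateway as described in Step 2. Run in an elevated prompt.
# Assumptions: sapcrypto.dll is already in C:\sapcryptolib\, and the gateway
# service name is PBIEgwService (the default named on the page).
#Requires -RunAsAdministrator
$CclDir  = 'C:\sapcryptolib'
$IniPath = Join-Path $CclDir 'sapcrypto.ini'
$DllPath = Join-Path $CclDir 'sapcrypto.dll'

if (-not (Test-Path $DllPath)) {
    throw "sapcrypto.dll not found in $CclDir; download it from the SAP Launchpad first."
}

# Step 2: write sapcrypto.ini next to the .dll with the single required setting.
# ASCII without BOM, so CommonCryptoLib parses the first line cleanly.
Set-Content -Path $IniPath -Value 'ccl/snc/enable_kerberos_in_client_role = 1' -Encoding Ascii

# Step 3: grant Authenticated Users read and execute (RX) on both files.
# S-1-5-11 is the well-known SID for Authenticated Users; using the SID avoids
# the localized group name. Both the gateway service user and the impersonated
# AD user fall into this group.
foreach ($f in $IniPath, $DllPath) {
    icacls $f /grant '*S-1-5-11:(RX)' | Out-Null
}

# Step 4: CCL_PROFILE must point at the .ini file at machine scope, because the
# gateway runs as a service and does not see user-scope variables.
[Environment]::SetEnvironmentVariable('CCL_PROFILE', $IniPath, 'Machine')

# Step 5: restart the gateway service so it picks up the new environment variable.
Restart-Service -Name 'PBIEgwService'

# Verification: the variable is set at machine scope and both files carry RX for S-1-5-11.
[Environment]::GetEnvironmentVariable('CCL_PROFILE', 'Machine')
icacls $IniPath
icacls $DllPath
```

A service only reads machine-scope environment variables at start, which is why the restart is not optional; if CCL_PROFILE was set by a different method, check it from a fresh elevated session before restarting.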

More information: Use Kerberos single sign-on for SSO to SAP BW using CommonCryptoLib

Step 3: Enable SAP SNC for Azure AD and Windows authentication

The SAP ERP connector supports Microsoft Entra ID and Windows Server Active Directory authentication by enabling SAP's Secure Network Communication (SNC). SNC is a software layer in the SAP system architecture that provides an interface to external security products so that secure single sign-on to SAP environments can be established. The following property guidance helps with setup.

| Property | Description |
|---|---|
| Use SNC | Set to Yes if you want to enable SNC. |
| SNC library | The SNC library name or path, either relative to the NCo installation location or absolute. Examples are sapcrypto.dll or c:\sapcryptolib\sapcryptolib.dll. |
| SNC SSO | Specifies whether the connector uses the identity of the service or the end user's credentials. Set to On to use the identity of the end user. |
| SNC Partner Name | The name of the back-end SNC server. Example: p:CN=SAPserver. |
| SNC Quality of Protection | The quality of service used for SNC communication with this particular destination or server. The default value is defined by the back-end system. The maximum value is defined by the security product used for SNC. |

The SAP SNC name for the user must equal the user's Active Directory fully qualified domain name. For example, the SNC name p:CN=JANEDOE@REDMOND.CORP.CONTOSO.COM must correspond to the Active Directory user JANEDOE@REDMOND.CORP.CONTOSO.COM.

Note

Microsoft Entra ID authentication only: the Active Directory SAP Service Principal account must have AES 128 or AES 256 defined on the msDS-SupportedEncryptionTypes attribute.
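Two things in this step are easy to get wrong and cheap to verify: the SNC name derived from the Active Directory UPN, and the encryption types on the SAP service principal account. The following PowerShell is an added example (not from the Microsoft page); it uses the JANEDOE UPN from the example above and assumes a placeholder SAP service principal account named svc-sapsnc.

```powershell
# Added example (not from the Microsoft page): Step 3 checks with the
# ActiveDirectory module. Assumptions: the SAP user's AD sAMAccountName is
# JANEDOE (UPN from the page) and the SAP service principal account is the
# placeholder svc-sapsnc.
Import-Module ActiveDirectory

function Get-ExpectedSncName {
    # Returns the SNC name the SAP user master record must carry:
    # the AD UPN (upper-cased) with the p:CN= prefix.
    param([string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties UserPrincipalName
    "p:CN=$($u.UserPrincipalName.ToUpper())"
}

function Test-AesSupported {
    # True when the account advertises AES128 (0x08) or AES256 (0x10) in
    # msDS-SupportedEncryptionTypes. A missing attribute counts as 0 (no AES).
    param([string]$SamAccountName)
    $acct = Get-ADUser -Identity $SamAccountName -Properties 'msDS-SupportedEncryptionTypes'
    $val = [int]$acct.'msDS-SupportedEncryptionTypes'
    ($val -band (0x08 -bor 0x10)) -ne 0
}

# Compare this value with the SNC name configured on the SAP user.
Get-ExpectedSncName -SamAccountName 'JANEDOE'

# Add the AES bits to the SAP service principal account if they are absent,
# keeping any bits already set so existing clients are not cut off.
$SapSpAccount = 'svc-sapsnc'
if (-not (Test-AesSupported -SamAccountName $SapSpAccount)) {
    $current = [int](Get-ADUser -Identity $SapSpAccount -Properties 'msDS-SupportedEncryptionTypes').'msDS-SupportedEncryptionTypes'
    Set-ADUser -Identity $SapSpAccount -Replace @{ 'msDS-SupportedEncryptionTypes' = ($current -bor 0x18) }
}
Test-AesSupported -SamAccountName $SapSpAccount
```

The bit values are the documented msDS-SupportedEncryptionTypes flags (0x08 AES128-CTS-HMAC-SHA1-96, 0x10 AES256-CTS-HMAC-SHA1-96). If the attribute is empty on the service account, the KDC falls back to its defaults, which is the situation the note above is guarding against.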

Step 4: Set up SAP server and user accounts to allow actions

Review SAP Note 460089 - Minimum authorization profiles for external RFC programs to learn more about the supported user-account types and the minimum required authorization for each action type, like remote function call (RFC), business application programming interface (BAPI), and intermediate document (IDOC).

SAP user accounts need to access the RFC_Metadata function group and the respective function modules for the following operations:

| Operation | Access to function modules |
|---|---|
| RFC actions | RFC_GROUP_SEARCH and DD_LANGU_TO_ISOLA |
| Read Table action | Either RFC BBP_RFC_READ_TABLE or RFC_READ_TABLE |
| Grant strict minimum access to the SAP server for your SAP connection | RFC_METADATA_GET and RFC_METADATA_GET_TIMESTAMP |

Next step

Install the SAP Procurement template

See also

Get started with the SAP Procurement template