Integrate SAP Cloud Portal and Launchpad Service into Microsoft Teams including SSO

Dear community,

Integrating SAP PaaS services from Business Technology Platform (BTP) into other portal environments is still en vogue nowadays. So, here goes a short guide how to make it happen with SAP Cloud Portal (same for Launchpad service) and Microsoft Teams as an example for the approach.

Off we go through the gate to find that new species of life that lives in both worlds – SAP and Microsoft – at the same time! (Stargate still a thing? Just curious)

Fig.1 Illustration of embedded BTP service in Teams; source for stargate illustration: Wikipedia, by Stefan Xp, CC BY-SA 3.0, image used as overlay as is

Embedding an external page into a web app (including the Teams desktop or web client) is straightforward. iFrames are an popular option to get it done.

Fig.2 Click path to embed external website

The beefy part starts with the ever present Single-Sign-On (SSO) requirement. By default, BTP comes with the SAP ID service. To pursue SSO you need to establish trust between the Identity Provider (IdP) that is attached to your hosting app and the SAP ID service. In my example case that is Azure Active Directory (AAD). In addition to that we need to configure XSUAA for CloudFoundry (excluding NEO environment here. See this post for more details).

Let’s look at the moving parts

First, we establish trust with our IdP (Azure AD). The configuration is quite “established”, so it still reads “SAP Cloud Platform” on the Azure portal screen 😀 Find the official docs for the process here.

Fig.3 Setup trust between AAD and BTP

See below example for reference to “flesh out” the official guidance a little more.

Fig.4 SSO config example on AAD for BTP CF domain ms-demo

Once you have established trust you end up with two IdPs being available on your BTP Subaccount. Note that both are available for logon. We will come back to that a little further down.

Fig.5 Additional registered IdP on BTP Subaccount

Trust: Check! What about embedding?

Nowadays, web applications and particularly PaaS or SaaS apps prohibit embedding by default to protect user experience, limit attack vectors, or for branding reasons for instance. Fortunately, BTP allows selective relaxation of that policy. We are looking at the content-security-policy header.

Both the Launchpad and the Portal Service have the same setting and view to maintain it:

frame-ancestors iframe frame object embed 'self' https://teams.microsoft.com;

Fig.6 CSP setting in BTP Portal Service for Teams embedding

Ok great, but the initial login goes to the XSUAA before it hits either of the two available IdPs.

So, next we need to configure our “SAP Authorization and Trust Management Service in CF” (XSUAA) instance to allow embedding by our web application (Microsoft Teams in this example). There are differences by BTP Feature Set. Below example is described for Feature Set B. See the official SAP docs for the other parts.

Fig.7 Subaccount settings for embedding

During my testing I needed to use the Security REST API and PATCH the iframeDomains attribute from Postman instead of the cockpit, because it was not fully functional yet.

Awesome, let’s test!

Fig.8 SAP XSUAA login before redirect to IdP

Not quite there yet. On the upside, we have working trust and embedding! But on the downside, we don’t have immediate SSO, because our portal service doesn’t know which IdP it shall select. How do fix this?

On the NEO environment you were lucky because you could just add the smart URL parameter “saml2idp” to pick the IdP. Unfortunately for CF, SAP decided not to implement something like this yet. Check the customer voice to upvote.

Alternatively, design your CF subaccount in such a way that you can get away with switching off the SAP ID service for your subaccount for login completely.

Fig.9 Switch off default IdP for logon

With that, every single service and app running on that subaccount can only be logged-on using your custom IdP. That might be problematic though: Imagine you have a user split for end-users and developers. Often developers access Business Application Studio (BAS) running on that subaccount with their S-Users. After the switch, this is not possible anymore.

Possible mitigations could be onboarding all users only through the custom IdP or moving all services/apps that require default IdP to another subaccount. Speaking of BAS for instance, you can easily deploy to other subaccounts and CF spaces.

Choose wisely 😉 and once you did, you will find that breath-taking life form on the other end of our “Portal-Gate” illustrated in figure 1, that thrives both in the SAP and the Microsoft world…

Fig.10 Successful SSO from Microsoft Teams and SAP Cloud Portal Service

Beautiful, isn’t it?

Note: CF approuters offer custom config to “pre-pick” the IdP. However, it is currently not possible to front the Cloud Portal Service with a custom CF approuter, because the managed approuter of the PaaS service conflicts with that setting. Have a look at this blog post by Radu for more details.

For now we need to stick to the subaccount design, if you want to avoid the “IdP picker-screen” (see fig.8).

What about self-hosted Fiori Launchpad?

The same challenges (trust domain, maintain CSP and allow embedding) as for the BTP PaaS applications need to be overcome. For the SAP Gateway there are some nice KBAs/SAP notes I would like to mention to point you in the right direction:

Not too bad, huh? Today, we investigated BTP application and service embedding challenges and shed some light on how to configure SSO with a custom Identity Provider. We used the SAP Cloud Portal Service, Azure AD and Microsoft Teams as examples to support the approach.

What do you think @community? Anything to add?

As always feel free to ask lots of follow-up questions.

Best Regards

Martin