Identity and Authentication Management in SAP Business One

With 10.0 FP 2208, SAP Business One introduces the Identity and Authentication Management (IAM) service, which allows users to authenticate with their Identity Provider (IDP) user account when signing in to SAP Business One.

Connecting SAP Business One with an identity provider can help you manage user access securely without compromising the user experience during sign-in to SAP Business One.

What are the main benefits of using the IAM solution in SAP Business One?

  • Single sign-on (SSO) experience.
  • Reduced password fatigue – users do not need to remember an excessive number of passwords.
  • Enhanced security during sign-in by using the IDP’s multi-factor authentication and reducing the potential attack surface.
  • A central user management solution, allowing Landscape administrators to set up IDP users (under one or more IDPs), bind them to SAP Business One company users and manage users from across all company databases in one place.

Identity Providers Management

IAM can be activated by configuring IDPs and users under the newly added ‘Identity Providers’ and ‘Users’ tabs in the SAP Business One System Landscape Directory (SLD) control center.
After upgrading to 10.0 FP 2208, the following identity providers appear by default under the ‘Identity Providers’ tab in SLD:

  • SAP Business One Authentication Server – Built-in Authentication Service
  • Active Directory Domain Services – Built-in Authentication Service

It is also possible to add an OIDC (OpenID Connect) IDP by clicking ‘Add’:

  • OIDC (OpenID Connect)

Note: With 10.0 FP 2208, it is possible to register ‘AD FS’ or ‘Azure Active Directory’ as external identity providers in OIDC.

Identity Providers tab in SLD

By default, to preserve backward compatibility, IDPs are set to ‘inactive‘ after upgrade. There is no change to the Sign-in experience for SAP Business One users unless an IDP is activated.

Before an IDP is activated, there are a few important prerequisites that need to be fulfilled:

  • At least one corresponding Landscape Admin user is configured under the ‘Users’ tab in SLD.
  • IDP users are created and bound to SAP Business One company users across all companies.
  • The IDP property for add-ons has been adopted.

User Management

The newly added ‘Users’ tab in SLD acts as a ‘one stop shop’ for:

  • Adding / removing IDP users.
  • Binding IDP users to SAP Business One users across company databases.
  • Central user management: change passwords and activate / deactivate unified users (users created under the SAP Business One Authentication Server IDP), and assign users the Landscape Admin role.

Note: The licenses assigned to SAP Business One company users remain unchanged after enabling the identity and authentication management.

Sign-in to SAP Business One with an IDP

Once an IDP is activated in SLD, SAP Business One users will experience a new Sign-in window. Depending on the IDP configuration (IDP type, number of IDPs activated…), users may be redirected to their IDP within SAP Business One Sign-in window to authenticate prior to company selection.

Click here to watch a quick demo on setting up Azure as identity provider in SAP Business One.

How-to-guide

As IAM has a noticeable footprint on the user’s sign-in journey, in addition to behavioral changes in SAP Business One, it is highly recommended to review the ‘Identity and authentication management in SAP Business One’ how-to guide on the SAP Help Portal to learn more about the following topics:

  • IAM Setup and Configuration [Chapters 1-2]
  • Recovery / Reset of IAM [Chapter 3]
  • Behavior changes, Supported SAP Business One Components in 10 FP 2208 [Chapter 4]
  • Extension adaptations [Chapter 5]


Roll out plan

The Identity and Authentication Management service is planned to be rolled out in a phased manner.
With 10.0 FP 2208, IAM is supported by the following SAP Business One Products:

  • SAP Business One
  • SAP Business One, version for SAP HANA

Please note that with the 10.0 FP release, the IAM service is not supported by existing SAP Business One Cloud versions. It is planned to be supported in SAP Business One Cloud in later versions.

Hope this blog was useful to you as an introduction to SAP Business One’s Identity and Authentication Management service. I’m looking forward to hearing about your experience working with IAM in SAP Business One; be sure to leave your feedback in the comments section below.