Announcing public preview of expanded Single Sign-On authentication options for SAP Connectors 

We are pleased to announce the availability of expanded Single Sign-On authentication support for the SAP ERP Connector and SAP OData Connectors in public preview.  

SAP OData Connector: Single Sign-On through Microsoft Azure API Management 

In addition to Basic, Anonymous, and API Key Authentication, the SAP OData Connector, currently in public preview, now also supports Single Sign-On available through Microsoft Azure API Management. It enables SAP Principal propagation with SAP services such as SAP Gateway, S/4HANA Cloud, RISE, and many more using Microsoft Entra ID (formerly Azure AD) as the Identity Provider. At the core of the solution is the proven OAuth2SAMLBearer flow. Organizations can harness the benefits of low-code development while maintaining the protection and compliance of their SAP environments. This way, users of your low-code solutions spanning the Microsoft and SAP ecosystem are mapped from their Microsoft Entra ID identities to their named SAP backend users. SAP authorizations are fully retained.

In addition, solving this challenge at the Azure API Management level lets the approach scale to many different consumer solutions. No more re-inventing the wheel for every developer.

The policy is published in the Azure API Management repository.

To learn more about OAuth2 through Azure API Management, please visit "Enable SAP Principal Propagation and SSO for Microsoft Power Platform".

During public preview, we encourage you to explore the ability to create Microsoft Power Automate cloud flows that access SAP data through the SAP OData connector using Entra ID and provide feedback.  

This capability is available in all regions of Microsoft Power Apps and Power Automate. 

SAP ERP connector: Microsoft Entra ID using certificates 

We are excited to announce the release of a new authorization type for the SAP ERP connector: certificate-based Single Sign-On (SSO). Building on existing support for Basic Authentication, Microsoft Entra ID via Kerberos, and Windows Authentication, this latest enhancement introduces Microsoft Entra ID using certificates, further strengthening security and aligning with industry standards and SAP recommendations. 

With this new authentication method, users can leverage their Microsoft Entra ID credentials to access sensitive data within their SAP systems, eliminating the need to remember multiple usernames and passwords. By employing X.509 certificates, we establish a trusted environment that securely verifies user identity, streamlining the login process while safeguarding sensitive information. 

A crucial feature of Microsoft Entra ID with certificate authentication is principal propagation, which ensures that business users engage with SAP systems using their unique SAP user credentials. This approach eliminates the need for a service principal to act on behalf of users, satisfying critical audit policy requirements. 

Certificate-based SSO enhances security and user convenience by utilizing digital certificates for authentication. Certificates offer a more robust form of verification compared to traditional username and password combinations, leveraging cryptographic techniques that are challenging to compromise. Each certificate is uniquely tied to the user and issued by a trusted authority, ensuring that only authorized individuals can access the system. Furthermore, certificates can be configured to expire automatically, adding an additional layer of security by guaranteeing that only current and valid credentials are utilized. 

Requirements for setup 

To implement certificate-based SSO, the following components are necessary: 

• On-premises data gateway: Microsoft Power Platform’s connection bridge software. 

• S-user account: Needed for SAP NCo and other supporting content/downloads. 

• SAP Connector for Microsoft .NET (NCo): Essential for establishing SAP connections. 

• SAP cryptography library: Install and verify in SAP and on the Windows VM for the on-premises data gateway (OPDG).

• Public-key infrastructure solution: Required for managing certificates. 

• SAP GUI installed: Necessary for SAP configuration. 

• SAP administrator account: Required for administrative tasks. 

For more detail on configuring Microsoft Entra ID using certificates, please refer to the Microsoft Learn documentation.

Microsoft Entra ID using Certificates—Data flow diagram

Starting August 14, 2024, this capability is available in all regions of Power Apps and Power Automate. 

Coming Soon (Q3/Q4 2024) 

SAP ERP Connector 

  • RFC v3 Action: The RFC v2 action is being deprecated in favor of the newer v3 version, which is currently in preview. It includes a localization fix to handle numerals.
  • SAP Setup Assistant: The SAP Setup Assistant is designed to simplify the setup of connectivity between SAP and Microsoft Power Platform by guiding customers and partners through a step-by-step process. It provides instructions, automations, and testing for each necessary component along the way.  

RFC v3 and the SAP Setup Assistant will be generally available in late third quarter of 2024.

SAP OData Connector 

We have listened to your feedback during the public preview period and driven several enhancements to the connector. The SAP OData Connector will be generally available in the fourth quarter of 2024. At general availability, in addition to Single Sign-On support through Azure API Management, we plan to support the following:

  • Microsoft Azure Virtual Network: Enable support for interacting with private virtual networks, eliminating the need for usage of gateway machines and software on Microsoft Azure. 
  • Microsoft Power Fx: Native support for Power Fx queries providing the ability to generate OData queries using natural language. 
  • Single Sign-On with the API Management capability of SAP Integration Suite: Allows SSO authentication to SAP OData services via OAuth flow. With SAP API Management being in the mix, customers can configure their APIM policies to match what they need for integrations and OAuth flows using SAP Business Technology Platform and can utilize the SAP Cloud Connector to connect to their SAP system. 

The future of SAP and Microsoft Power Platform

SAP and Microsoft Power Platform are areas of continued investment for Microsoft. To learn more, see these other useful resources: