Set up SSO with SAP BTP and Neptune DXP - Open Edition

In this guide, you will learn how to set up Single Sign-On (SSO) between SAP BTP and Neptune DXP – Open Edition using SAP Cloud Identity Services and OpenID Connect.

The OpenID Connect authentication is a free to use authentication method implemented into Neptune DXP - Open Edition. It is the factory standard for handling authentication which covers everything from web applications to native applications.

In this guide, an SAP BTP trial account is used, but the same setup is also possible with a Productive or Free tier SAP BTP account.

Prerequisites

  • You have installed Neptune DXP - Open Edition on SAP BTP.

  • You have an SAP BTP free trial account.

Procedure

Subscribe to SAP Cloud Identity Services

  1. SAP Cloud Identity Services – Identity Authentication is the standard product from SAP to control and manage authentication to SAP Cloud applications and is available as subscription in SAP BTP.

  2. In the SAP BTP subaccount create a new subscription to the service Cloud Identity Services with plan default and select Create.

    sap btp sso new subscription
  3. You will receive an email to activate your account for Identity Authentication Service. Select the link to Activate and set a password for the Administration user to access the Administration console.

Configure Trust

  1. In the subaccount under Security - Trust Configuration, select the Establish Trust button.

    sap btp sso configure trust
  2. The tenant which has been created, will be shown in the list. Select it and select Next.

    sap btp sso select tenant
  3. In the next screen, select the domain which ends with ondemand.com and select Next.

    sap btp sso select domain
  4. You can configure the name, description and link text or leave it as suggested. Select Next and Finish.

    sap btp sso configure parameters

Cloud Identity Services configuration

  1. In the Cloud Identity Services administration console, a new application is automatically configured with the trust that has been established.

    sap btp sso CIS admin console
  2. In this application, you need to add a new client ID and client secret which will be used later in the Neptune DXP – Open Edition. Go to Client Authentication under Application APIs.

    sap btp sso application api
  3. Select the Add button under Secrets.

    sap btp sso client id
  4. Add a description for this secret and select Save.

    sap btp sso add secret
  5. Copy the client ID and client secret and save them, you will need them in the upcoming steps.

Redirect URIs

  1. Under Trust, select OpenID Connect Configuration.

    sap btp sso openID connect configuration
  2. Here you add a new Redirect URI that matches the hostname of the neptune-dxp application on SAP BTP.

    sap btp sso redirect uris

Neptune DXP – Open Edition configuration

  1. Within Neptune DXP – Open Edition Cockpit, in the System Settings select the Authentication tab. Select Edit and Add a new OpenID Connect authentication.

    sap btp sso system settings
  2. Enter the following values in the mandatory fields:

    • Name: SAP BTP

    • Active: Enabled

    • Show on login page: Enabled

    • Description: SAP BTP

    • Path: myopenID

    • Client ID: <client id>

    • Client Secret: <client secret>

    • Discovery URI: https:// <cloud identity tenant-id>.trial-accounts.ondemand.com/.well-known/openid-configuration

    • Redirect Url: https:// <neptune dxp host>

    • Login Scopes: openid

      sap btp sso openID configuration

      Claims Assignment:

    • Email: Email

    • Email: Username

    • Given_name: Name

      sap btp sso openID claims assignment
  3. Save and restart the Neptune DXP - Open Edition by selecting Restart.

  4. After the restart, launch the Neptune DXP - Open Edition in a new private window or another browser, and ensure the SAP BTP login option is available.

    sap btp sso login option
  5. Select Sign in, and you should be directed to the Cloud Identity Service login page.

    sap btp sso CIS login page
    After login, you will get a "403 forbidden" error. This is correct because the user does not have any roles assigned in Neptune DXP - Open Edition.

Login to Neptune DXP - Open Edition with local provider as admin.

  1. From the Neptune DXP - Open Edition Cockpit, open Role and select Add, to add a new role.

    sap btp sso role
  2. On the ACL tab, select All Edit and Save.

    sap btp sso acl
  3. From the cockpit, open Security Group and create a new security group with the name "Administrator".

    sap btp sso security group
  4. Assign the role you have created above and select Save.

  5. Login to SAP Cloud Identity Services Administration Console, go to Users & Authorizations and select Groups.

  6. Create a new group with the same name as in the Security Group in Neptune DXP - Open Edition. In this case: "Administrator".

    sap btp sso CIS create group
  7. Add the user to this group for which you want to login to Neptune DXP - Open Edition.

    sap btp sso add user
  8. Login to Neptune DXP - Open Edition using SAP BTP option, and now, you will be able to access the Cockpit.

    sap btp sso cockpit
  9. From the Cockpit, open the User tool and select your user. The user is correctly mapped to the Administrator Group, therefore there is no need to assign users are roles within this tool. The user and roles assignment can be managed in SAP Cloud Identity Services.

    sap btp sso user overview

Result

  • You have set up the SSO with SAP BTP and Neptune DXP - Open Edition.