Identity and Authentication Management (IAM), MFA, for SAP Business One V10
Announcing SAP Business One Version 10.0 FP 2208
SAP Business One introduces the Identity and Authentication Management (IAM) service, which lets users authenticate with their Identity Provider (IDP) account when signing in to SAP Business One.
Connecting SAP Business One to an identity provider helps you manage user access securely without compromising the sign-in experience.
What are the main benefits of using the IAM solution in SAP Business One?
- Single sign-on (SSO) experience.
- Reduced password fatigue: users no longer need to remember an excessive number of passwords.
- Stronger sign-in security by relying on the IDP's multi-factor authentication (MFA), which reduces the attack surface of password-only logins.
- A central user management solution, allowing landscape administrators to set up IDP users (under one or more IDPs), bind them to SAP Business One company users, and manage users across all company databases in one place.
Identity Provider Management
What is an Identity Provider?
An identity provider (IdP) is a service that stores and verifies user identity. IdPs are typically cloud-hosted services, and they often work with single sign-on (SSO) providers to authenticate users.
An identity provider (IdP) stores and manages users' digital identities. Think of an IdP as being like a guest list, but for digital and cloud-hosted applications instead of an event. An IdP may check user identities via username-password combinations and other factors, or it may simply provide a list of user identities that another service provider (such as an SSO service) checks.
IdPs are not limited to verifying human users. Technically, an IdP can authenticate any entity connected to a network or a system, including computers and other devices. Any entity stored by an IdP is known as a "principal" (instead of a "user"). However, IdPs are most often used to manage user identities.
Why are IdPs necessary?
Digital identity must be tracked somewhere, especially for cloud computing, where user identity determines whether or not someone can access sensitive data. Cloud services need to know exactly where and how to retrieve and verify user identity.
Records of user identities also need to be stored securely so that attackers cannot use them to impersonate users. A cloud identity provider will typically take extra precautions to protect user data, whereas a service not dedicated solely to storing identity may store it in an unsecured location, such as a server open to the Internet.
How to activate and what pre-requisites to keep in mind?
IAM is activated by configuring IDPs and users under the newly added 'Identity Providers' and 'Users' tabs in the SAP Business One System Landscape Directory (SLD) control center.
After upgrading to 10.0 FP 2208, the following identity providers appear by default under the 'Identity Providers' tab in SLD:
- SAP Business One Authentication Server – Built-in Authentication Service
- Active Directory Domain Services – Built-in Authentication Service
It is also possible to add an OIDC (OpenID Connect) IDP by clicking 'Add':
- OIDC (OpenID Connect)
Note: with 10.0 FP 2208, 'AD FS' or 'Azure Active Directory' can be registered as external identity providers via OIDC.
Identity Providers tab in SLD
By default, to preserve backward compatibility, IDPs are set to 'inactive' after the upgrade. The sign-in experience for SAP Business One users does not change unless an IDP is activated.
Before an IDP is activated, there are a few important prerequisites that need to be fulfilled:
- At least one corresponding Landscape Admin user must be configured under the 'Users' tab in SLD.
- IDP users must be created and bound to SAP Business One company users across all companies.
- The IDP property for add-ons must be adopted (see 'Extension adaptations' in the how-to guide).
The newly added 'Users' tab in SLD acts as a one-stop shop for:
- Adding / removing IDP users.
- Binding IDP users to SAP Business One users across company databases.
- Central user management: changing passwords and activating/deactivating unified users (users created under the SAP Business One Authentication Server IDP), and assigning users the Landscape Admin role.
Note: The licenses assigned to SAP Business One company users remain unchanged after enabling the identity and authentication management.
Sign in to SAP Business One with an IDP
Once an IDP is activated in SLD, SAP Business One users see a new sign-in window. Depending on the landscape's IDP configuration (IDP type, number of IDPs activated), users are redirected to their IDP from within the SAP Business One sign-in window to authenticate.
Watch the quick demo below on how to set up Microsoft Azure as an identity provider in SAP Business One and sign in to the SAP Business One Web Client with an Azure account.
Because IAM noticeably changes the user's sign-in journey and alters some SAP Business One behavior, it is highly recommended to review the 'Identity and authentication management in SAP Business One' how-to guide for the following topics:
- IAM Setup and Configuration
- Recovery / Reset of IAM
- Behavior changes
- Supported SAP Business One Components in 10 FP 2208
- Extension adaptations
Roll out plan
The Identity and Authentication Management service is planned to be rolled out in phases.
With 10.0 FP 2208, IAM is supported by the following SAP Business One products:
- SAP Business One
- SAP Business One, version for SAP HANA
Please note that with the 10.0 FP 2208 release, the IAM service is not supported by the existing SAP Business One Cloud versions provided in Europe or North America. Support in SAP Business One Cloud is planned for later versions.
We hope this blog was useful as an introduction to SAP Business One's Identity and Authentication Management service. I'm looking forward to hearing about your experience working with IAM in SAP Business One.