SAP Business Planning and Consolidation BPC - Centrify


Upload: ngodan

Post on 30-Jan-2018


Chapter 85

SAP Business Planning and Consolidation BPC

Note These instructions are written with SAP Business Planning and Consolidation BPC 10.1. If you are not using NetWeaver version 7.4 your interface may differ from these instructions.

Note SAP Business Planning and Consolidation BPC has only a web-based interface. Because BPC is an ABAP component, its installation and upgrade can be performed in either of ABAP’s two interfaces, the SAP interface or the Web interface.

An overview of configuring SAP Business Planning and Consolidation BPC for SSO

The following is an overview of the steps required to configure the SAP Business Planning and Consolidation BPC Web application for single sign-on (SSO) via SAML. SAP Business Planning and Consolidation BPC offers both IdP-initiated SAML SSO (for SSO access through the Admin Portal) and SP-initiated SAML SSO (for SSO access directly through the SAP Business Planning and Consolidation BPC web application). You can configure SAP Business Planning and Consolidation BPC for either or both types of SSO. Enabling both methods ensures that users can log in to SAP Business Planning and Consolidation BPC in different situations such as clicking through a notification email.

1 Prepare SAP Business Planning and Consolidation BPC for single sign-on (see Preparing for Configuration).

2 Complete the prerequisites for AS ABAP to be a service provider.

For an overview, see the Prerequisites section in: http://help.sap.com/saphelp_nw74/helpdata/en/4a/b6df333fec6d83e10000000a42189c/frameset.htm

For details, see:

Verifying and installing the SAP cryptographic library

Assigning roles to users to configure SAML

Activating SAML2 configuration UI services

3 Add and begin to configure the SAP Business Planning and Consolidation BPC application in Admin Portal.

For details, see Configuring SAP Business Planning and Consolidation BPC in Admin Portal (Part 1).

4 Enable SAML and create a local provider.


For more information, see Enabling SAML and creating a local provider in SAP NetWeaver Administrator.

5 Create and Enable a Trusted Provider for Centrify.

For more information, see Creating and enabling a trusted provider for Centrify.

6 Finish configuring SAP Business Planning and Consolidation BPC application for single sign-on.

For details, see Configuring SAP Business Planning and Consolidation BPC in Admin Portal (Part 2).

After you have finished configuring the application settings in the Admin Portal and the SAP Business Planning and Consolidation BPC application, users are ready to launch the application from the Centrify user portal.

7 (Optional) Configure SAP Business Planning and Consolidation BPC to issue an SAP logon ticket.

For more information, see (Optional) Configuring SAP ABAP SAML to issue a SAP Logon Ticket.

Preparing for Configuration

SAP Business Planning and Consolidation BPC requirements for SSO

Before you configure the SAP Business Planning and Consolidation BPC web application for SSO, you need the following:

• SAP Business Planning and Consolidation BPC.

• An active SAP Business Planning and Consolidation BPC account with administrator rights for your organization.

For more set-up information: Identity Federation in AS ABAP:

http://help.sap.com/saphelp_nw74/helpdata/en/f4/a4aa9a3f9e47e09f5cc2eeb017c1ec/content.htm?

Setting up the certificates for SSO

To establish a trusted connection between the web application and the Centrify Directory Service, you need to have the same signing certificate in both the application and the application settings in Admin Portal.


If you use your own certificate, you upload the signing certificate and its private key in a .pfx or .p12 file to the application settings in Admin Portal. You also upload the public key certificate in a .cer or .pem file to the web application.

What you need to know about SAP Business Planning and Consolidation BPC

Each SAML application is different. The following table lists features and functionality specific to SAP Business Planning and Consolidation BPC.

Capability | Supported? | Support details

Web browser client | Yes |

Mobile client | No |

SAML 2.0 | Yes |

SP-initiated SSO | Yes |

IdP-initiated SSO | Yes |

Force user login via SSO only | Yes | Only if Identity Provider Selection Mode in SAML configuration is set to Automatic.

Separate administrator login after SSO is enabled | No |

User or Administrator lockout risk | Yes | Users can be locked out if they cannot access IdP. You can specify a back door URL by using the query parameter “saml2=disabled”

Automatic user provisioning | No |

Multiple User Types | Yes | Refer to SAP NetWeaver ABAP documentation for details.

Self-service password | Yes | Users can reset their own passwords. Note that administrators cannot reset a user’s password.

Access restriction using a corporate IP range | Yes | You can specify an IP Range in the Admin Portal Policy page to restrict access to the application.

Admin Portal user’s guide 3

Completing prerequisites for AS ABAP service providers

In order for ABAP to be fully configured as a service provider, it must have a supported cryptographic library installed, users with administrative privileges, and activated SAML2 configuration UI services.

Basic SAP operations

Transactions are entered in the command field at the top of the SAP screen. Each function in SAP has an SAP transaction code associated with it. After you call a transaction and the function screen opens, calling another transaction will have no effect. You must either use the Back button to go all the way back to the home screen and then call a new transaction, or put /N in front of the transaction call. For example, the SICF transaction can be entered either as SICF on the home screen, or as /NSICF on the function screen.
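The capability table above lists a back door URL that uses the query parameter saml2=disabled to get around SSO. The following is an added example, not part of the Centrify guide, showing how a defender could review web access logs for use of that parameter and separate sources inside and outside the corporate IP range. The log layout (Common Log Format style), the sample lines, and the 10.20.0.0/16 range are constructed assumptions; case-insensitive matching is a conservative choice, not documented SAP behavior.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: placeholder for the corporate IP range set in Admin Portal.
CORPORATE_RANGES = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed sample lines in Common Log Format style. Real SAP HTTP logs
# may use a different layout, so adapt LINE_RE to your own log format.
SAMPLE_LOG = """\
10.20.4.17 - - [30/Jan/2018:09:12:01 +0000] "GET /sap/epm/bpc/web/ HTTP/1.1" 302 0
10.20.4.17 - - [30/Jan/2018:09:12:03 +0000] "GET /sap/epm/bpc/web/?saml2=disabled HTTP/1.1" 200 5120
203.0.113.50 - - [30/Jan/2018:23:40:11 +0000] "GET /sap/bc/gui/sap/its/webgui?sap-client=001&SAML2=Disabled HTTP/1.1" 200 4801
203.0.113.50 - - [30/Jan/2018:23:40:19 +0000] "GET /sap/bc/gui/sap/its/webgui?saml2=disabled HTTP/1.1" 401 220
198.51.100.9 - - [30/Jan/2018:23:41:02 +0000] "GET /sap/public/bc/icons/x.gif?note=saml2%3Ddisabled HTTP/1.1" 200 312
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})\b'
)


def find_sso_bypass_requests(log_text):
    """Return one record per request that carries saml2=disabled."""
    hits = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        target = urlsplit(match["target"])
        # Parse the query string instead of substring matching, so a value
        # that merely contains the text "saml2=disabled" is not flagged.
        params = parse_qs(target.query, keep_blank_values=True)
        values = [
            value.lower()
            for key, vals in params.items()
            if key.lower() == "saml2"
            for value in vals
        ]
        if "disabled" not in values:
            continue
        try:
            source = ipaddress.ip_address(match["ip"])
            internal = any(source in net for net in CORPORATE_RANGES)
        except ValueError:
            internal = False  # hostname or malformed address: treat as external
        hits.append({
            "ip": match["ip"],
            "time": match["ts"],
            "path": target.path,
            "status": int(match["status"]),
            "internal": internal,
        })
    return hits


def external_bypass_sources(hits):
    """Count bypass requests per source address outside the corporate range."""
    counts = {}
    for hit in hits:
        if not hit["internal"]:
            counts[hit["ip"]] = counts.get(hit["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = find_sso_bypass_requests(SAMPLE_LOG)
    for hit in found:
        where = "internal" if hit["internal"] else "EXTERNAL"
        print(f'{hit["time"]} {hit["ip"]} {where} {hit["path"]} -> {hit["status"]}')
    print("external sources:", external_bypass_sources(found))
```

Requests that use the parameter from outside the corporate range, or at times when no IdP outage was reported, are the ones to follow up with the account owner.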

Verifying and installing the SAP cryptographic library

SAP ABAP comes with the SAP cryptographic library, but the version of cryptographic library that you have may vary. The SAP Business Planning and Consolidation BPC app has been tested with v5.5.5C and v8.4.25(+MT). If the version you have is different, the illustrations may not match what you see on your screen.

To check the version of your SAP cryptographic library:

1 Log in to the SAP GUI.

Note Checking the SAP cryptographic library can only be done in the SAP GUI. The Web GUI does not have this capability.

2 Call the STRUST transaction.

3 Go to Environment > Display SSF Version.

If the SAP cryptographic library is already installed, it displays its version number.

4 If you do not have the SAP cryptographic library installed, you must install it as described in http://help.sap.com/saphelp_nw73/helpdata/en/49/236897bf5a1902e10000000a42189c/content.htm.

Assigning roles to users to configure SAML

If you have users without administrative privileges who you want to give the ability to configure SAML, assign them the role SAP_SAML2_CFG_ADM. There is also a read-only role, SAP_SAML2_CFG_DISPLAY.

Activating SAML2 configuration UI services

To access SAP ABAP's SAML 2.0 Configuration page, you must first activate SAML2 Configuration UI Services and other related services. A series of services must be activated. Follow the steps in To activate a service (below) for each of the service paths in this list:

/sap/bc/saml2/CDC_EXT_SERVICE

/sap/bc/webdynpro/sap/SAML2

/sap/public/bc/icf/logoff

/sap/public/bc/icons/

/sap/public/bc/icons_rtl/

/sap/public/bc/pictograms/


/sap/public/bc/sec/SAML2

/sap/public/bc/webdynpro/adobeChallenge/

/sap/public/bc/webdynpro/mimes/

/sap/public/bc/webdynpro/ssr/

/sap/public/bc/webdynpro/ViewDesigner/

/sap/public/bc/webicons/

/sap/public/myssocntl/

To activate a service:

1 Call transaction SICF.

2 On the Maintain Services page, enter one of the service paths from the list above in the Service Path field.

3 Click Execute.

4 Repeat Step 2 and Step 3 for each of the services listed above.

5 Right-click the service in the tree view and if the option is offered, select Activate Service.

If the Activate Service option is not available, that means the service is already activated.

6 When prompted to activate the service, click Yes with tree.

7 Call transaction SAML2.

Note The Enable SAML 2.0 Support button should be visible. However, if the SAML 2.0 configuration UI shows an error, you will not be able to move ahead until you find the source of the error. The most common error is due to not activating all of the services listed above. Double-check to make sure that all the services listed above are activated.

Configuring SAP Business Planning and Consolidation BPC in Admin Portal (Part 1)

To add and configure the SAP Business Planning and Consolidation BPC application in Admin Portal:

1 In Admin Portal, click Apps, then click Add Web Apps.


The Add Web Apps screen appears.

2 On the Search tab, enter the partial or full application name in the Search field and click the search icon.

3 Next to the application, click Add.

4 In the Add Web App screen, click Yes to confirm.

Admin Portal adds the application.

5 Click Close to exit the Application Catalog.

The application that you just added opens to the Settings page.

6 Click the Trust page to begin configuring the application.

The UI is evolving in order to simplify application configuration. For example, many of the settings previously found on the Application Settings page are now on the Trust page.


You might have to select Manual Configuration to expose those settings, as shown in the following example.

Any previously configured applications retain their configuration and do not require reconfiguration. If you are configuring an application for the first time, refer to the Trust page for any settings previously found on the Application Settings page.

In addition, the description of how to choose and download a signing certificate in this document might differ slightly from your experience. See Choose a certificate file for the latest information.

7 Click Download Identity Provider Metadata Document.

This downloads an XML file onto your computer that you will need in the next section, Creating and enabling a trusted provider for Centrify.

8 (Optional) On the Settings page, click Enable Derived Credentials for this app on enrolled devices (opens in built-in browser) to use derived credentials on enrolled mobile devices to authenticate with this application.

For more information, see Derived Credentials.


9 On the Settings page, specify the following settings:

Option | Description

Category | Specifies the default grouping for the application in the user portal. Users have the option to create a tag that overrides the default grouping in the user portal.

Application ID | Configure the Application ID field if you are deploying a mobile application that uses the Centrify mobile SDK, for example mobile applications that are deployed into a Samsung KNOX version 1 container. The Centrify Directory Service uses the Application ID to provide single sign-on to mobile applications. Note the following:

• The Application ID has to be the same as the text string that is specified as the target in the code of the mobile application written using the mobile SDK. If you change the name of the web application that corresponds to the mobile application, you need to enter the original application name in the Application ID field.

• There can only be one SAML application deployed with the name used by the mobile application.

The Application ID is case-sensitive and can be any combination of letters, numbers, spaces, and special characters up to 256 characters.

Show in User app list | Specifies whether this web application displays in the user portal. By default, this option is selected.


10 (Optional) On the Settings page, you can change the name, description, and logo for the application. For some applications, the name cannot be modified.

The Category field specifies the default grouping for the application in the user portal. Users have the option to create a tag that overrides the default grouping in the user portal.

11 On the User Access page, select the role(s) that represent the users and groups that have access to the application.

When assigning an application to a role, select either Automatic Install or Optional Install:

Select Automatic Install for applications that you want to appear automatically for users.

If you select Optional Install, the application doesn’t automatically appear in the user portal and users have the option to add the application.


12 (Optional) On the Policy page, specify additional authentication controls for this application.

a Click Add Rule.

The Authentication Rule window displays.


b Click Add Filter on the Authentication Rule window.

c Define the filter and condition using the drop-down boxes.

For example, you can create a rule that requires a specific authentication method when users access the Centrify Directory Service from an IP address that is outside of your corporate IP range. Supported filters are:

Filter | Description

IP Address | The authentication factor is the computer’s IP address when the user logs in. This option requires that you have configured the IP address range in Settings, Network, Corporate IP Range.

Identity Cookie | The authentication factor is the cookie that is embedded in the current browser by the directory service after the user has successfully logged in.

Day of Week | The authentication factor is the specific days of the week (Sunday through Saturday) when the user logs in.

Date | The authentication factor is a date before or after which the user logs in that triggers the specified authentication requirement.

Date Range | The authentication factor is a specific date range.

Time Range | The authentication factor is a specific time range in hours and minutes.

Device OS | The authentication factor is the device operating system.

Browser | The authentication factor is the browser used for opening the Centrify Identity Services user portal.

Country | The authentication factor is the country based on the IP address of the user computer.

Risk Level | The authentication factor is the risk level of the user logging on to user portal. For example, a user attempting to log in to Centrify Identity Services from an unfamiliar location can be prompted to enter a password and text message (SMS) confirmation code because the external firewall condition correlates with a medium risk level. This Risk Level filter requires additional licenses. If you do not see this filter, contact Centrify Identity Services support. The supported risk levels are:

• Non Detected -- No abnormal activities are detected.

• Low -- Some aspects of the requested identity activity are abnormal. Remediation action or simple warning notification can be raised depending on the policy setup.

• Medium -- Many aspects of the requested identity activity are abnormal. Remediation action or simple warning notification can be raised depending on the policy setup.

• High -- Strong indicators that the requested identity activity is anomalous and the user's identity has been compromised. Immediate remediation action, such as MFA, should be enforced.

• Unknown -- Not enough user behavior activities (frequency of system use by the user and length of time user has been in the system) have been collected.

Managed Devices | The authentication factor is the designation of the device as “managed” or not. A device is considered “managed” if it is managed by Centrify Identity Services, or if it has a trusted certificate authority (CA has been uploaded to tenant).

For the Day/Date/Time related conditions, you can choose between the user’s local time and Universal Time Coordinated (UTC) time.

d Click the Add button associated with the filter and condition.

e Select the profile you want applied if all filters/conditions are met in the Authentication Profile drop-down.

The authentication profile is where you define the authentication methods. If you have not created the necessary authentication profile, select the Add New Profile option. See Creating authentication profiles.

f Click OK.

g (Optional) In the Default Profile (used if no conditions matched) drop-down, you can select a default profile to be applied if a user does not match any of the configured conditions.

If you have no authentication rules configured and you select Not Allowed in the Default Profile dropdown, users will not be able to log in to the service.

h Click Save.

If you have more than one authentication rule, you can prioritize them on the Policy page. You can also include JavaScript code to identify specific circumstances when you want to block an application or you want to require additional authentication methods. For details, see Application access policies with JavaScript.

Note If you left the Apps section of Admin Portal to specify additional authentication control, you will need to return to the Apps section before continuing by clicking Apps at the top of the page in Admin Portal.

13 On the Account Mapping page, configure how the login information is mapped to the application’s user accounts.

The options are as follows:

Use the following Directory Service field to supply the user name: Use this option if the user accounts are based on user attributes. For example, specify an Active Directory field such as mail or userPrincipalName or a similar field from the Centrify Directory.

Everybody shares a single user name: Use this option if you want to share access to an account but not share the user name and password. For example, some people share an application developer account.

Use Account Mapping Script: You can customize the user account mapping here by supplying a custom JavaScript script. For example, you could use the following line as a script:

LoginUser.Username = LoginUser.Get('mail')+'.ad';

The above script instructs the Centrify Directory Service to set the login user name to the user’s mail attribute value in Active Directory and add ‘.ad’ to the end. So, if the user’s mail attribute value is [email protected] then the Centrify Directory Service uses [email protected]. For more information about writing a script to map user accounts, see the SAML application scripting.

14 (Optional) On the SAML Response page, you can edit the script that generates the SAML assertion, if needed. In most cases, you don’t need to edit this script. For more information, see the SAML application scripting.

15 (Optional) On the Changelog page, you can see recent changes that have been made to the application settings, by date, user, and the type of change that was made.

16 (Optional) Click Workflow to set up a request and approval work flow for this application.

The Workflow feature is a premium feature and is available only in the Centrify Identity Services App+ Edition. See Configuring Workflow for more information.

17 Click Save.

18 Leave the browser tab open to the Admin Portal. You will use it again in Configuring SAP Business Planning and Consolidation BPC in Admin Portal (Part 2).

Enabling SAML and creating a local provider in SAP NetWeaver Administrator

To enable and configure SAML 2.0:

1 Open a new browser tab and log in to SAP NetWeaver AS ABAP (either WebGUI or SAPGUI) as a SAML2 administrator.

Note If you choose the Web interface, the URL resembles: http(s)://<sap-abap-hostname-and-port-number>/sap/bc/gui/sap/its/webgui

Note If you have pop-ups blocked in your browser, you need to unblock them before the next step, or add an exception for this URL.

2 Call transaction SAML2.

A browser window opens to load the SAML 2.0 Configuration UI. If you have not enabled SAML 2.0 before, you will see the message, “Client is not configured to support SAML 2.0” and the button Enable SAML 2.0 Support. If you do not see this message and button, SAML 2.0 is already enabled and you can skip to Step 4.

3 If visible, click Enable SAML 2.0 Support.


Two options appear. Select Create SAML 2.0 Local Provider.

4 At Step 1, in Provider Name, enter CentrifySAML and click Next.

Note If you enter a different provider name here, you must also enter it in the Local Provider Name field in Application Settings of your SAML application. See Configuring SAP Business Planning and Consolidation BPC in Admin Portal (Part 2) for details.

5 At Step 2, click Next.

6 At Step 3, click Finish to create a Local Provider.

The SAML 2.0 Configuration of ABAP System page appears showing the Local Provider you just created.

7 In Default Application Path, enter the relative path to the page where you want SSO users to land. For example, /sap/bc/gui/sap/its/webgui/ will land SAML users on the home page of WebGUI.

Note The application configured here is the landing application. If the SAML engine is unable to determine the application to show to the user during IdP-initiated SAML, it will land on this path.

8 Click Service Provider Settings > Default Application Path > RelayState Mapping > Add > RelayState.

9 A relay state must be provided to display the desired application that users will access from Centrify User Portal. To set a relay state:

a Click RelayState Mapping > Add

b For Relay State, enter the relative path to the page where you want SSO users to land, for example:

c For Path, enter: /sap/epm/bpc/web/

Note You will finish configuring the relay state later when you modify the script as described in Configuring SAP Business Planning and Consolidation BPC in Admin Portal (Part 2).

10 Click Save at the top of the page.

11 Under Assertion Consumer Service, copy your EndPoint Path and save it to use in Configuring SAP Business Planning and Consolidation BPC in Admin Portal (Part 2).

12 Continue to Creating and enabling a trusted provider for Centrify.

Creating and enabling a trusted provider for Centrify

Note This procedure continues from Enabling SAML and creating a local provider in SAP NetWeaver Administrator.


1 Click Trusted Providers.

2 Select Add > Uploading Metadata File.

3 In the SAML 2.0 Configuration pop-up window, click Browse and select the metadata file you downloaded in Configuring SAP Business Planning and Consolidation BPC in Admin Portal (Part 1).

4 Click Next.

5 (Optional) Enter Centrify as the Alias.

If entered, SAP NetWeaver AS ABAP will show the name of the alias on the IdP selection screen; if not entered the selection screen will show the IdP’s Entity ID that was provided in the IdP Metadata.

6 Click Next.

7 On the screen that appears, leave all the default values unchanged and click Next again.

8 Select HTTP Post and click Next.

9 On the screen that appears, leave all the default values unchanged and click Next again.

10 Continue to click Next until you see the Finish button.

11 Click Finish.

12 Select the trusted provider you just created under the List of Trusted Providers.

13 Click Edit.

14 Click Identity Federation under Details of trusted provider.

15 Click Add.

16 Select Unspecified as the Supported NameID Format and click OK.

Note With this option, SAP ABAP will map SAML Response NameID to SAP Logon ID. For more NameID options, see http://help.sap.com/saphelp_nw74/helpdata/en/f4/a4aa9a3f9e47e09f5cc2eeb017c1ec/content.htm?

17 Select Assertion Subject NameID as the User ID Source.

18 If the user profile used to log in to Centrify Identity Services has a username in email address format, select Email as the User ID Mapping Mode.

19 Click Save.

20 Click Enable.

21 Click OK to confirm.

The Active icon changes from a gray diamond to a green square.


Configuring SAP Business Planning and Consolidation BPC in Admin Portal (Part 2)

To finish configuring the SAP Business Planning and Consolidation BPC application in Admin Portal:

1 Return to the browser tab you were using to work in the Admin Portal in Configuring SAP Business Planning and Consolidation BPC in Admin Portal (Part 1) and navigate to the Application Settings screen of your SAP Business Planning and Consolidation BPC app.

2 Configure the following:

Field | Set it to | What you do

ACS Endpoint URL | Your custom endpoint URL | Replace YOUR-SAP-ABAP-FQDN-AND-PORT with your actual SAP ABAP FQDN and port number. For example, if your WebGUI is hosted at: http://acme:8000/sap/bc/gui/sap/its/webgui, use acme:8000. Replace ENDPOINT-PATH with the SAML Endpoint path that you saved from the Enabling SAML and creating a local provider in SAP NetWeaver Administrator. The result should look something like this: http://acme:8000/saml2/sp/acs/001

Local Provider Name | The name of your local provider; either CentrifySAML or the name saved from Enabling SAML and creating a local provider in SAP NetWeaver Administrator | Enter the local provider name you provided in Step 4 of Enabling SAML and creating a local provider in SAP NetWeaver Administrator

3 Click Save.


4 On the Account Mapping page, configure how the login information is mapped to the application’s user accounts.

The options are as follows:

Use the following Directory Service field to supply the user name: Use this option if the user accounts are based on user attributes. For example, specify an Active Directory field such as mail or userPrincipalName or a similar field from the Centrify Directory.

Everybody shares a single user name: Use this option if you want to share access to an account but not share the user name and password. For example, some people share an application developer account.

Use Account Mapping Script: You can customize the user account mapping here by supplying a custom JavaScript script. For example, you could use the following line as a script:

LoginUser.Username = LoginUser.Get('mail')+'.ad';

The above script instructs the Centrify Directory Service to set the login user name to the user’s mail attribute value in Active Directory and add ‘.ad’ to the end. So, if the user’s mail attribute value is [email protected] then the Centrify Directory Service uses [email protected]. For more information about writing a script to map user accounts, see the SAML application scripting.

Click Save.

5 On the Advanced page, scroll to the bottom of the script window and replace YOUR_BPC-RelayState with the same relay state string that you used in Step 9 of Enabling SAML and creating a local provider in SAP NetWeaver Administrator.


6 Click Save.

7 (Optional) To configure the SAP Business Planning and Consolidation BPC application for automatic provisioning, see SAP Business Planning and Consolidation BPC provisioning.

SAP Business Planning and Consolidation BPC provisioning

SCIM (System for Cross-domain Identity Management) is an open standard for automating the exchange of user identity information between identity domains, or IT systems. It can be used to automatically provision and deprovision accounts for users in external systems such as your custom SAML app. For more information about SCIM, see www.simplecloud.info.

If your application supports SCIM, you can set it up to enable provisioning by entering the Access Token and SCIM URL.

For more information about provisioning your app, see Setting up generic SCIM provisioning.

(Optional) Configuring SAP ABAP SAML to issue a SAP Logon Ticket

If configured, SAP Logon Ticket enables a logged-in SAP user to access other SAP systems through SSO.

To configure SAP to create a Logon Ticket after SAML SSO:

1 Follow the procedure in SAP’s documentation: http://help.sap.com/saphelp_nw73ehp1/helpdata/en/4e/0a0e6dbce42287e10000000a15822b/content.htm

2 Call transaction SAML2.

3 Go to Local Provider > Service Provider Settings.

4 Click Edit.

5 In Legacy Systems Support (Issue Logon Ticket), select On.

6 Click Save.

Note If you did not successfully configure SAP ABAP to create a Logon Ticket in Step 1, setting this option will have no effect.

7 Configure your other SAP systems to accept Logon Ticket from ABAP. Refer to the documentation for each other app for instructions. For example, see http://help.sap.com/saphelp_nw73ehp1/helpdata/en/4a/411563343f2ab1e10000000a42189c/content.htm for details about configuring SAP Java to accept Logon Tickets.

Other Identity Federation Options in SAP ABAP

SAP ABAP supports other Identity Federation options. Only the following options have been tested with SAP Business Planning and Consolidation BPC. For all other options, see http://help.sap.com/saphelp_nw73ehp1/helpdata/en/f4/a4aa9a3f9e47e09f5cc2eeb017c1ec/content.htm

• Unspecified and SAP Logon Alias

Note SAP Logon Alias cannot be used together with Logon ID because they are both under the same NameID source (Unspecified) and SAP ABAP only allows one NameID source per NameID format. For details of how to manage this, see To configure Unspecified and SAP Logon Alias.

• Unspecified and E-mail

To configure Unspecified and SAP Logon Alias:

1 Call transaction SAML2.

2 Under Trusted Provider, select the Identity Provider you are configuring.

3 Click Edit.

4 If you do not already have Unspecified added to the supported NameID formats:

a Under Identity Federation, click Add.

b Select Unspecified and click OK.

c In Source, select Logon Alias.

d Click Save.

5 If you already have Unspecified configured:

a Under Identity Federation, select the existing Unspecified entry.

b In Source, select Logon Alias.

c Click Save.

For more information about SAP Business Planning and Consolidation BPC

Contact SAP Business Planning and Consolidation BPC for more information about configuring SAP Business Planning and Consolidation BPC for SSO.
