Single Sign-On (SSO)
Learn how to configure single sign-on (SSO) with SAP LeanIX.
Tip
To request setting up SSO for your organization, please submit a ticket to SAP LeanIX Support. If you're an SAP customer, submit a request from the SAP for Me portal.
Overview
Single sign-on (SSO) is a centralized authentication process that allows users to access multiple applications with a single set of login credentials.
SAP LeanIX supports SSO through the Security Assertion Markup Language (SAML) 2.0 protocol. SAML is a standard protocol used in SSO implementations to securely exchange authentication and authorization data between an identity provider (IdP) and a service provider (SP).
We offer the following options for the SSO setup:
- Authentication only: Authentication (system access) is managed through SSO, while authorization (role management) is handled within SAP LeanIX. This setup adheres to the standard authorization model.
- Authentication and authorization: Both authentication (system access) and authorization (role management) are handled through SSO. This setup allows you to use extended authorization features, such as Virtual Workspaces and custom roles.
SAP LeanIX supports just-in-time (JIT) provisioning, a process in which user accounts are dynamically created when users sign in to SAP LeanIX through SSO for the first time.
Authentication Flow
SAP LeanIX supports SP-initiated SSO. The following image illustrates the SAML 2.0 authentication flow.
When a user attempts to access the SAP LeanIX application through a browser, the SP first checks if the user is already authenticated. If not, the user is redirected to the identity provider system, which initiates the authentication process, typically through a username and password.
Once the user has been successfully authenticated within the IdP, the IdP sends a SAML response to the SP. The response includes relevant attributes, such as the user's email address, that serve to identify the user within SAP LeanIX. Once the SP has verified the response, the user is granted access to the SAP LeanIX application.
Before You Start
Before you submit a request to set up SSO, do the following:
-
Choose an identity provider. For more information, see Requirements for Identity Providers.
-
Obtain a metadata file in XML format from your IdP. You can download the file or save the link URL.
-
Decide how you want to manage user roles with SSO: internally within SAP LeanIX or externally within your IdP. For more information, see Managing User Roles with SSO.
Note
We integrate SSO on a domain level, which means that any user provisioning implemented during the SSO authentication flow is applied to all workspaces on the domain. Each customer only receives one domain. To get advice on your use case, please contact SAP LeanIX Support.
-
Decide if you’d like to:
- Assign a default SAP LeanIX role to new users coming from your IdP.
- Enable the "Invite only" flow for specific workspaces. This will block users from accessing a workspace unless they have been explicitly invited to it, even if they are granted access through the IdP. A common scenario is limiting access to Sandbox workspaces.
- Enable Transient users to potentially grant them access to Self-service Portals. To learn more, see Transient Users with SSO.
SSO Configuration Process
The configuration process consists of the following steps:
- You provide a metadata file in XML format exported from your IdP. To avoid possible problems with spam filters, please send either a link to the metadata file or an archive containing an XML file. Send the entire metadata, not only the certificate.
- We set up a dedicated subdomain for your organization and configure it to work with your IdP. You can choose any custom subdomain, such as your company's name (
https://your-company.leanix.net
). Once the subdomain is set up, the SAP LeanIX metadata becomes available athttps://{SUBDOMAIN}.leanix.net/Shibboleth.sso/Metadata
. - You import the SAP LeanIX metadata to your IdP and configure SAML attributes according to the SAP LeanIX SP requirements. For details, see Attribute Mapping. Ensure that the SAML 2.0 attribute names exactly match the requirements.
- The user ID (
uid
) must be unique within SAP LeanIX and must be in the email format, for example,[email protected]
. If your IdP doesn’t transmit the domain information (@customer.com
), please inform us during the SSO setup. In this case, we can enable the appropriate transformation on the SAP LeanIX side.
- The user ID (
- You test access to your workspace through the following link:
https://{SUBDOMAIN}.leanix.net/{WORKSPACE}
. Note the following:- Test access to your workspace only through the provided link. Do not use other links such as
https://app.leanix.net/{WORKSPACE}
orhttps://us.leanix.net/{WORKSPACE}
. - During the implementation phase, we support sign-in both through SSO and through a username and password. We will deactivate sign-in with a username and password in step 5.
- We provide you with a link to the page that contains information on the current SAML session:
https://{SUBDOMAIN}.leanix.net/Shibboleth.sso/Session
. If the SSO setup doesn't work, please send us the details from this page.
- Test access to your workspace only through the provided link. Do not use other links such as
- Once you've successfully tested the sign-in flow through your IdP, we deactivate the sign-in flow through SAP LeanIX, which was previously the default IdP.
Inform your organization's users that the sign-in flow has changed and the old sign-in link no longer works. Share the new sign-in link with users.
Requirements for Identity Providers
When choosing an IdP for your SSO setup, ensure that:
- The IdP supports the SAML 2.0 protocol.
- The client browser has network access to the IdP.
Example Identity Providers
The following table lists example IdPs for which we've successfully tested SSO implementation.
Identity Provider | Instructions |
---|---|
Okta | Configuring SSO with Okta |
Microsoft Entra ID | Configuring SSO with Entra ID |
PingOne | Configuring SSO with PingOne |
OneLogin | Configuring SSO with OneLogin |
Microsoft Active Directory Federation Services (AD FS) | Configuring SSO with Active Directory Federation Services |
Shibboleth IdP | Refer to the Shibboleth IdP documentation |
CA Single Sign-On | Refer to the Broadcom documentation |
Google IdP | Refer to the Google documentation |
LemonLDAP::NG | Refer to the LemonLDAP::NG documentation |
Managing User Roles with SSO
With SSO, you can manage user roles internally within SAP LeanIX or externally within your IdP. Choose your preferred option when requesting to set up SSO.
Additionally, you can set up Transient users to grant them access to Self-service Portals. For more information, see Transient Users with SSO.
Managing User Roles Within SAP LeanIX
If you choose to manage user roles within SAP LeanIX, the IdP manages authentication, while SAP LeanIX handles authorization.
You can assign roles to users when inviting them to SAP LeanIX. If needed, you can change user roles later in the Users section of the administration area.
You should decide whether you want to assign a default role in SAP LeanIX to all new users:
- If you set a default role, this role will be automatically assigned to all new users when they first sign in to a workspace. In this case, you don't need to invite users to your workspace by clicking the Invite button.
- If you don’t set a default role, you need to invite users to your workspace by clicking the Invite button.
Managing User Roles Within the Identity Provider
If you choose to manage user roles externally within your IdP, then both authentication and authorization will be handled by the IdP.
When managing user roles within your IdP, you can define custom user roles in addition to standard roles. For more information, see Custom User Roles.
The IdP determines the user role and maps it to the SAP LeanIX role during the sign-in process. To learn more about mapping user roles between your IdP and SAP LeanIX, see Attribute Mapping. If you don't provide any role information, a default role is assigned to the user. If the default role is not set, the user loses access to SAP LeanIX.
Depending on the user roles provided in the IdP and SAP LeanIX, the following typical scenarios are possible:
- Scenario 1: You provide a user role in your IdP. If the user already has a role assigned in SAP LeanIX, it is overwritten by the role from the IdP.
- Scenario 2: You don't provide a user role in your IdP, and a default role exists in SAP LeanIX. In this case, the default role is assigned to the user. Their current role (if already assigned) is overwritten by the default role.
- Scenario 3: You don't provide a user role in your IdP, and a default role is not set in SAP LeanIX. In this case, the user loses access to a workspace. Their existing role is not overwritten but is not used.
Attribute Mapping
Use the following attributes to configure SAML 2.0 attribute mapping in your IdP. If you're using Active Directory Federation Services (AD FS) as an IdP, see Configuring SSO with Active Directory Federation Services.
Attribute Name | Required | Format and Example | Description |
---|---|---|---|
firstname | Required | Format: urn:oasis:names:tc:SAML:2.0:attrname-format:uri Example: Peter | The first name of the user. |
lastname | Required | Format: urn:oasis:names:tc:SAML:2.0:attrname-format:uri Example: Schmidt | The last name of the user. |
uid | Required | Format: urn:oasis:names:tc:SAML:2.0:attrname-format:uri Example: [email protected] | The unique ID of the user in the email format. We recommend using an ID that is different from the user's email address. |
mail | Required | Format: urn:oasis:names:tc:SAML:2.0:attrname-format:uri Example: [email protected] | The email address of the user. |
role | Required if you manage user roles within your IdP | Format: urn:oasis:names:tc:SAML:2.0:attrname-format:uri Example: MEMBER | The role to be assigned to the user. Possible values: ADMIN , MEMBER , or VIEWER .If you submit multiple values separated with commas, the role with the highest level of privileges is assigned. If you're managing roles within SAP LeanIX, you can omit this attribute. To learn more, see Managing User Roles with SSO. |
customerRoles | Optional | Format: urn:oasis:names:tc:SAML:2.0:attrname-format:uri Example: MANAGER | The custom role to be assigned to the user. Use this attribute only for custom roles, otherwise omit it. To learn more, see Custom User Roles. |
entryACI | Optional | Format: urn:oasis:names:tc:SAML:2.0:attrname-format:uri Example: member-orgunit1 | The ID of the Access Control Entity (ACE) of a Virtual Workspace. Use this attribute only when configuring access to a Virtual Workspace, otherwise omit it. To learn more, see SSO Configuration. |
To verify that mapping attributes are successfully configured, access your workspace at https://{SUBDOMAIN}.leanix.net/
, then navigate to the SAML session page at https://{SUBDOMAIN}.leanix.net/Shibboleth.sso/Session
. The following screenshot shows a session page with a list of required user attributes that appear under Attributes.
Example SAML Message with User Attributes
The following example SAML message contains required user attributes.
<saml2:AttributeStatement>
<saml2:Attribute FriendlyName="firstname" Name="firstname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
Peter
</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="lastname" Name="lastname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
Schmidt
</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="uid" Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
[email protected]
</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="mail" Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
[email protected]
</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="role" Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
MEMBER
</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
Custom User Roles
Note
You can create custom user roles only if you manage user roles externally within your IdP.
If you're managing user roles externally within your IdP, you can create custom user roles, which lets you assign permissions that are more granular than those provided by the standard roles. For more information, see Custom User Roles.
Transient Users with SSO
SSO with an external IdP allows you to create Transient user roles. A Transient user is authenticated by SAP LeanIX based on their existence in your IdP, but is not assigned any role and therefore has no access to the workspace itself.
Transient users can access a simplified version of SAP LeanIX through Self-service Portals. You can embed these portals in your existing intranet, wiki, or any other system integrated with SSO. This setup allows you to directly share SAP LeanIX data without having to invite users to SAP LeanIX. For more information, see Portal.
To create Transient users, follow these steps:
-
Notify your support agent during the SSO setup or raise a dedicated ticket.
-
To grant access to the Self-service Portal for Transient users, in the Portal configuration, enter TRANSIENT in the Accessible for field.
-
In your IdP, create a group of users who have access to the SAP LeanIX application (if it doesn't already exist), but do not assign any permission role to it.
Upon signing in to SAP LeanIX, users are assigned the temporary Transient role and are granted access to view the Self-service Portal data.
Troubleshooting
If the "A valid session was not found" message appears on the SAML session page, which is available at https://{SUBDOMAIN}.leanix.net/Shibboleth.sso/Session
, try to do the following:
- Sign in to the workspace and open the SAML session page in a new tab or try to use the incognito mode in your browser.
- Check the attribute mapping in your IdP configuration. Ensure that you provided the required attributes as specified in the Attribute Mapping section.
- When using Entra ID as an IdP, ensure that the Namespace field is blank. For more information, see Configuring SSO with Microsoft Entra ID.
Updated 1 day ago