Single Sign-On (SSO)

👍

Tip

To request setting up SSO for your organization, please submit a ticket to SAP LeanIX Support. If you're an SAP customer, submit a request from the SAP for Me portal.

Overview

Single sign-on (SSO) is a centralized authentication process that allows users to access multiple applications with a single set of login credentials.

SAP LeanIX supports SSO through the Security Assertion Markup Language (SAML) 2.0 protocol. SAML is a standard protocol used in SSO implementations to securely exchange authentication and authorization data between an identity provider (IdP) and a service provider (SP).

We offer the following options for the SSO setup:

• Authentication only: Authentication (system access) is managed through SSO, while authorization (role management) is handled within SAP LeanIX. This setup adheres to the standard authorization model.
• Authentication and authorization: Both authentication (system access) and authorization (role management) are handled through SSO. This setup allows you to use extended authorization features, such as Virtual Workspaces and custom roles.

SAP LeanIX supports just-in-time (JIT) provisioning, a process in which user accounts are dynamically created when users sign in to SAP LeanIX through SSO for the first time.

Authentication Flow

SAP LeanIX supports SP-initiated SSO. The following image illustrates the SAML 2.0 authentication flow.

When a user attempts to access the SAP LeanIX application through a browser, the SP first checks if the user is already authenticated. If not, the user is redirected to the identity provider system, which initiates the authentication process, typically through a username and password.

Once the user has been successfully authenticated within the IdP, the IdP sends a SAML response to the SP. The response includes relevant attributes, such as the user's email address, that serve to identify the user within SAP LeanIX. Once the SP has verified the response, the user is granted access to the SAP LeanIX application.

Before You Start

Before you submit a request to set up SSO, do the following:

• Choose an identity provider. For more information, see Requirements for Identity Providers.

• Obtain a metadata file in XML format from your IdP. You can download the file or save the link URL.

• Decide how you want to manage user roles with SSO: internally within SAP LeanIX or externally within your IdP. For more information, see Managing User Roles with SSO.

  📘

  Note

  We integrate SSO on a domain level, which means that any user provisioning implemented during the SSO authentication flow is applied to all workspaces on the domain. Each customer only receives one domain. To get advice on your use case, please contact SAP LeanIX Support.

• Decide if you’d like to:

  • Assign a default SAP LeanIX role to new users coming from your IdP.
  • Enable the "Invite only" flow for specific workspaces. This will block users from accessing a workspace unless they have been explicitly invited to it, even if they are granted access through the IdP. A common scenario is limiting access to Sandbox workspaces.
  • Enable Transient users to potentially grant them access to Self-service Portals. To learn more, see Transient Users with SSO.

SSO Configuration Process

The configuration process consists of the following steps:

1. The customer provides a metadata file in XML format exported from their IdP.
   To avoid possible problems with spam filters, please send either a link to the metadata file or an archive containing an XML file. Send the entire metadata, not only the certificate.
2. SAP LeanIX sets up a dedicated subdomain for the customer and configures it to work with the customer's IdP. You can choose any custom subdomain. For example, you can use your company name as the subdomain, so the base URL will appear as follows: https://your-company.leanix.net. Once the subdomain is set up, the SAP LeanIX metadata becomes available at https://{SUBDOMAIN}.leanix.net/Shibboleth.sso/Metadata.
3. The customer imports the SAP LeanIX metadata to their IdP and configures SAML attributes according to the SAP LeanIX SP requirements. For details, see Attribute Mapping. Ensure that the SAML 2.0 attribute names exactly match the requirements.
   • The user ID (uid) must be unique within SAP LeanIX and must be in the email format, for example, [email protected]. If your IdP doesn’t transmit the domain information (@customer.com), please inform us during the SSO setup. In this case, we can enable the appropriate transformation on the SAP LeanIX side.
4. The customer tests access to their workspace through the following link: https://{SUBDOMAIN}.leanix.net/{WORKSPACE}. Note the following:
   • Test access to your workspace only through the provided link. Do not use other links such as https://app.leanix.net/{WORKSPACE} or https://us.leanix.net/{WORKSPACE}.
   • During the implementation phase, we support sign-in both through SSO and through a username and password. We will deactivate sign-in with a username and password in step 5.
   • We provide you with a link to the page that contains information on the current SAML session: https://{SUBDOMAIN}.leanix.net/Shibboleth.sso/Session. If the SSO setup doesn't work, please send us the details from this page.
5. Once the customer has successfully tested the sign-in flow through their IdP, we deactivate the sign-in flow through SAP LeanIX, which was previously the default IdP.

Inform your organization's users that the sign-in flow has changed and the old sign-in link no longer works. Share the new sign-in link with users.

Requirements for Identity Providers

When choosing an IdP for your SSO setup, ensure that:

• The IdP supports the SAML 2.0 protocol.
• The client browser has network access to the IdP.

Example Identity Providers

The following table lists example IdPs for which we've successfully tested SSO implementation.

Managing User Roles with SSO

With SSO, you can manage user roles internally within SAP LeanIX or externally within your IdP. Choose your preferred option when requesting to set up SSO.

Additionally, you can create custom roles with more granular permissions or set up Transient users to grant them access to Self-service Portals. For more information, see:

• Custom User Roles
• Transient Users with SSO

Managing User Roles Within SAP LeanIX

If you choose to manage user roles within SAP LeanIX, the IdP manages authentication, while SAP LeanIX handles authorization.

You can assign roles to users when inviting them to SAP LeanIX. If needed, you can change user roles later.

You should decide whether you want to assign a default role in SAP LeanIX to all new users:

• If you set a default role, this role will be automatically assigned to all new users when they first sign in to a workspace. In this case, you don't need to invite users to your workspace by clicking the Invite button.
• If you don’t set a default role, you need to invite users to your workspace by clicking the Invite button.

Managing User Roles Within the Identity Provider

If you choose to manage user roles externally within your IdP, then both authentication and authorization will be handled by the IdP.

The IdP determines the user role and maps it to the SAP LeanIX role during the sign-in process. To learn more about mapping user roles between your IdP and SAP LeanIX, see Attribute Mapping.

If you don't provide any role information, a default role is assigned to the user. If the default role is not set, the user loses access to SAP LeanIX.

Depending on the user roles provided in the IdP and SAP LeanIX, the following typical scenarios are possible:

• Scenario 1: You provide a user role in your IdP. If the user already has a role assigned in SAP LeanIX, it is overwritten by the role from the IdP.
• Scenario 2: You don't provide a user role in your IdP, and a default role exists in SAP LeanIX. In this case, the default role is assigned to the user. Their current role (if already assigned) is overwritten by the default role.
• Scenario 3: You don't provide a user role in your IdP, and a default role is not set in SAP LeanIX. In this case, the user loses access to a workspace. Their existing role is not overwritten but is not used.

Attribute Mapping

Use the following attributes to configure SAML 2.0 attribute mapping in your IdP. If you're using Active Directory Federation Services (AD FS) as an IdP, see SSO with Active Directory Federation Services.

To verify that mapping attributes are successfully configured, access your workspace at https://{SUBDOMAIN}.leanix.net/, then navigate to the SAML session page at https://{SUBDOMAIN}.leanix.net/Shibboleth.sso/Session. The following screenshot shows a session page with a list of required user attributes that appear under Attributes.

Example SAML Message with User Attributes

The following example SAML message contains required user attributes.

<saml2:AttributeStatement>
   <saml2:Attribute FriendlyName="firstname" Name="firstname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
      Peter
      </saml2:AttributeValue>
   </saml2:Attribute>
   <saml2:Attribute FriendlyName="lastname" Name="lastname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
      Schmidt
      </saml2:AttributeValue>
   </saml2:Attribute>
   <saml2:Attribute FriendlyName="uid" Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
      [email protected]
      </saml2:AttributeValue>
   </saml2:Attribute>
   <saml2:Attribute FriendlyName="mail" Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
      [email protected]
      </saml2:AttributeValue>
   </saml2:Attribute>
   <saml2:Attribute FriendlyName="role" Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
      MEMBER
      </saml2:AttributeValue>
   </saml2:Attribute>
</saml2:AttributeStatement>

Custom User Roles

📘

Note

You can create custom user roles only if you manage user roles externally within your IdP.

If you're managing user roles externally within your IdP, you can create custom user roles, which lets you assign permissions that are more granular than those provided by the standard roles. For more information, see Custom User Roles.

Transient Users with SSO

SSO with an external IdP allows you to create Transient user roles. A Transient user is authenticated by SAP LeanIX based on their existence in your IdP, but is not assigned any role and therefore has no access to the workspace itself.

Transient users can access a simplified version of SAP LeanIX through Self-service Portals. You can embed these portals in your existing intranet, wiki, or any other system integrated with SSO. This setup allows you to directly share SAP LeanIX data without having to invite users to SAP LeanIX. For more information, see Portal.

To create Transient users, follow these steps:

1. Notify your support agent during the SSO setup or raise a dedicated ticket.

2. To grant access to the Self-service Portal for Transient users, in the Portal configuration, enter TRANSIENT in the Accessible for field.

   

3. In your IdP, create a group of users who have access to the SAP LeanIX application (if it doesn't already exist), but do not assign any permission role to it.

Upon signing in to SAP LeanIX, users are assigned the temporary Transient role and are granted access to view the Self-service Portal data.

Troubleshooting

If the "A valid session was not found" message appears on the SAML session page, which is available at https://{SUBDOMAIN}.leanix.net/Shibboleth.sso/Session, try to do the following:

• Sign in to the workspace and open the SAML session page in a new tab or try to use the incognito mode in your browser.
• Check the attribute mapping in your IdP configuration. Ensure that you provided the required attributes as specified in the Attribute Mapping section.
  • When using Entra ID as an IdP, ensure that the Namespace field is blank. For more information, see SSO with Microsoft Entra ID.