SSO with Microsoft Entra ID

Prerequisites

Before you start, do the following:

• Submit a ticket to SAP LeanIX Support to request setting up SSO for your organization. If you're an SAP customer, submit a request from the SAP for Me portal.
• Learn about the SSO configuration process in SSO Configuration Process.

For additional information, refer to the Microsoft Entra ID documentation.

📘

Note

The single sign-out protocol is not supported for Microsoft Entra ID.

Configuring SSO

Step 1: Create an SSO Application and Configure SAML Settings

Follow these steps:

1. In Microsoft Entra ID, create a non-gallery application for SSO. For instructions, please refer to the Microsoft Entra ID documentation.
2. On the SSO application page, navigate to the Single sign-on section and select SAML as the single sign-on method.
3. Under Basic SAML Configuration, enter the following details:
   • Identifier (Entity ID): https://{SUBDOMAIN}.leanix.net/Shibboleth.sso
   • Reply URL (Assertion Consumer Service URL): https://{SUBDOMAIN}.leanix.net/Shibboleth.sso/SAML2/POST

     📘

     Note

     Replace {SUBDOMAIN} in the URLs with your value. When implementing SSO for your organization with the SAP LeanIX team, you can choose a custom subdomain, for example, your company name.

Step 2: Configure SAML Token Attributes

Configure SAML 2.0 attribute mapping in Microsoft Entra ID. For more information, see Attribute Mapping. Mapping attributes are defined as SAML Token Attributes in the Relying Party Trust.

Follow these steps:

1. Under Attributes & Claims, configure additional claims using the following values:

   Claim Name	Type	Value
   firstname	SAML	user.givenname
   lastname	SAML	user.surname
   mail	SAML	user.mail
   role	SAML	user.assignedroles
   uid	SAML	user.userprincipalname

   The following image shows the target values that you should configure. When you open the configuration page, it may show different values. For example, the first claim in the Additional claims table is initially set to givenname, but you should change it to firstname.

   

2. For each claim, delete the Namespace value in the configuration.

   

Basic SSO configuration is set up.

Configuring Role Attributes

If your organization manages user roles within Microsoft Entra ID and not within SAP LeanIX, create the corresponding roles in Entra ID. To learn more about managing roles, see Managing User Roles with SSO.

To configure role attributes, follow these steps:

1. In Microsoft Entra ID, create app roles for your app registrations.

   

2. In the configuration of the enterprise application, assign app roles to users or groups.

   

3. Optional: If needed, configure claim conditions. Claim conditions is an option for assigning roles to Active Directory groups. Conditions will be processed in order of appearance.

   An example of configured claim conditions is shown in the following image. If a user belongs to the scoped groups VIEWER and MEMBER, they will be assigned the MEMBER permission according to the specified order because the latest matching condition is always applied.

   To learn how to configure the user.assignedroles values, please refer to the Microsoft Entra ID documentation.