This blog post guides you through the setup of an end-to-end scenario for implementing multi-factor authentication (MFA) for SAP GUI with Microsoft Entra ID (formerly known as Microsoft Azure Active Directory, AAD).

The integration with Microsoft Entra ID is accomplished by SAP Cloud Identity Service and the SAP Secure Login Service for SAP GUI.

Kudos for supporting the setup of the test environment and thoroughly reviewing this blog post.

This requires setting up a mutual trust relationship between the IAS and Entra ID tenants by exchanging each other’s SAML 2.0 metadata, which includes public cryptographic information in the form of X.509 certificates to verify the authenticity and integrity of the SAML messages sent in this step. In the Entra ID tenant, an Enterprise Application registration represents the IAS tenant with its SAML 2.0 metadata, and the corresponding Corporate Identity Provider in IAS gets created by importing the Entra ID tenant’s metadata.

The SAML request sent by IAS to Entra ID requires Jack to authenticate with his credentials. To offer a seamless single sign-on (SSO) experience, Jack’s user account in Active Directory is securely synchronized with the Entra ID tenant by the Microsoft Entra Provisioning Agent running on the domain controller. With the seamless SSO feature enabled, Jack can sign in to his Entra ID tenant from a domain-joined device connected to the corporate network without typing in his username and password. Instead, Entra ID verifies the Kerberos ticket issued to Jack on his domain-joined workstation to sign him in silently.

An Entra Conditional Access (ECA) policy enforces the second authentication factor. The policy is applied to the Enterprise Application registration for IAS in the Entra ID tenant and kicks in for every new login request received for the app after first-factor authentication is completed. ECA continues the login process by asking Jack to enter a secure, time-based one-time passcode (TOTP). To enter the code, Jack must install an authenticator app that supports TOTP verification, such as the Microsoft Authenticator app, on a device he owns. For the initial setup of Jack’s account in Entra ID for MFA, Jack scans a QR code generated by Entra ID with the authenticator app. On subsequent sign-ins, the authenticator app generates a new TOTP every 30 seconds that Jack can type in to complete the MFA process.

Entra ID returns a SAML response to the (SAML) request from IAS in step 4. Likewise, IAS generates a SAML response to the SAML request from SLS in step 3, which finally results in a short-lived X.509 client certificate for Jack generated by SLS in response to step 2.

SLC provides the X.509 certificate for SSO and Secure Network Communications (SNC) between SAP GUI and the SAP Application Server (AS) ABAP. It is signed by the SAP Cloud Root Certificate Authority (CA), and has a default lifetime of 12 hours. The client certificate has the Common Name (CN) set to Jack’s user principal name (UPN) in Entra ID (e.g.

For SSO to work, the administrator of the SAP system must maintain the mapping from Jack’s user account in SAP to Jack’s CN (UPN). Furthermore, the backend must have a trust relationship established to the issuer of the client certificate, the SAP Cloud Root CA.
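The three conditions the post places on the SLS-issued client certificate (signed by a trusted root, short lifetime, CN mapped to an SAP user) can be checked in a few lines of Go. This is an added example, not code from the post, from SAP or from Microsoft: a throwaway CA stands in for the SAP Cloud Root CA, and the UPN, SAP user ID and CN-to-user mapping are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

const MaxLifetime = 12 * time.Hour // default lifetime the post states for SLS-issued client certificates
// CNMapping stands in for the CN (UPN) -> SAP user mapping the administrator maintains; the values are constructed.
var CNMapping = map[string]string{"jack@contoso.example": "JACK"}

// issue signs tpl with parentKey; a nil parent produces a self-signed certificate.
func issue(tpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil { parent, parentKey = tpl, key } // self-signed root
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) } // fixed inputs in this example; a real issuer returns the error
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// NewRoot builds a throwaway CA that stands in for the SAP Cloud Root CA.
func NewRoot(now time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	return issue(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Stand-in Root CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(48 * time.Hour)}, nil, nil)
}
// IssueClientCert mimics SLS: a short-lived client certificate whose CN is the user's UPN, signed by the root.
func IssueClientCert(root *x509.Certificate, key *ecdsa.PrivateKey, upn string, life time.Duration, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	return issue(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: upn}, NotBefore: now, NotAfter: now.Add(life),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, root, key)
}
// MapSNCUser makes the checks the AS ABAP depends on: trusted issuer chain, lifetime within policy, CN mapped to a user.
func MapSNCUser(cert, root *x509.Certificate, now time.Time) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", err // wrong issuer, expired, or not yet valid
	}
	if cert.NotAfter.Sub(cert.NotBefore) > MaxLifetime {
		return "", errors.New("certificate lifetime exceeds the 12h policy")
	}
	if user, ok := CNMapping[cert.Subject.CommonName]; ok {
		return user, nil
	}
	return "", errors.New("no SAP user mapped to CN " + cert.Subject.CommonName)
}
```

A certificate from any other issuer, one valid longer than 12 hours, an expired one, or one whose CN the administrator never mapped is rejected before any SAP user is resolved.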