Single sign on to Neptune by integrating Microsoft Entra ID setup in SAP


Integrate SAP NetWeaver with Microsoft Entra ID to achieve Single sign-on for Neptune Applications.


  • An Microsoft Entra ID subscription.

  • SAP NetWeaver 7.20 and above with single sign-on (SSO) enabled.

  • Neptune DXP - SAP Edition v.6.0.0 and above.

Note: Before starting to setup in Neptune DXP, please make sure Microsoft Entra ID SSO is working with your SAP system. If you can log in to Neptune cockpit using your Microsoft Entra ID user, you are ready to proceed.

Azure - Enterprise App

To enable Microsoft Entra ID with SAP, you need to define an Enterprise App in Azure.

1. Navigate to Azure Portal  and select the Microsoft Entra ID service.

2. Select the Enterprise Applications and then All Applications.

3. Create a new app and wait until it will added to your tenant.

4. Go to the Single Sign-On menu item into the Enterprise App

5. Select SAML and edit the settings of the Basic SAML configs.

6. Upload the metadata file from SAP.

 Your SAML setup should look as shown in the image.

sap edition scp sso

Azure – App Registration

1. Navigate to the App Registrations in Azure and set up the App Registration blade/pane for your Enterprise App.

sap edition scp sso 1

sap edition scp sso 2

App registration * Application (client) Id* & the Directory (tenant) ID will be used later in our configuration.

2. Now select the Authentication from the main menu and add the Web Redirect URI.

Make sure the redirect URL should be in this format:


sap edition scp sso 3

3. Create a new client secret, and remember to save this secret for later configuration.

sap edition scp sso 4

Neptune DXP Setup

Open the  Neptune DXP Cockpit . Navigate to Run → Mobile client →Authentication.

1. Add server Url and Client.

sap edition scp sso 5

The server URL is used to your redirect URL, if not specifically set.

Go to the Azure tab option and add Enable the Azure settings.

Add Tenant Id ( copy from Azure Portal →  App registrations → tenant Id), Client Id (copy from Azure Portal →  App registrations → client Id) and Client Secret saved above.

sap edition scp sso 6

Set scope and principal name, as shown in the screenshot.

Note: Principal Name can be different in your Azure set up.

You can test the set up in two different ways -

  1. With the browser in –disabled-web security mode running the live URL

  2. On the mobile client

Note: There is no other option for debugging/testing it.


If you have issues to setup SAML2 in SAP, please use the following screenshots as a reference.

sap edition scp sso 7

sap edition scp sso 8

sap edition scp sso 9

You can select for mapping the username to SAP by using Alias/eMail or User ID.

sap edition scp sso 10