Managing User Authentication Using IAS

Objective

After completing this lesson, you will be able to configure authentication between IAS and APM.

Identity Authentication Services and SAP Agent Performance Management Integration

So far, we have seen how to manage security in a standalone environment; in other words, when APM is not integrated with any SAP cloud systems. If APM is integrated with other systems, authentication and user management are handled by the SAP Identity Authentication Service (IAS). IAS can be accessed through Cloud Identity Services.

IAS acts as a federated identity provider (IdP) for SAP cloud solutions. It can integrate with existing corporate single sign-on (SSO) infrastructures using open standards, allowing it to be used by both SAP and non-SAP applications. Additionally, it provides user self-service features such as registration and user profile management, thereby streamlining access for consumers, partners, and employees to multiple cloud applications. For example, an organization may want to use SAP Analytics Cloud to create data analytic stories based on APM data. This would require an integrated authentication for both systems using IAS.

To use Identity Authentication to manage user authentication, access, and authorization for APM, at least one user in the organization should be an administrator for identity authentication. That administrator can then ensure that other users and groups have the correct permissions to access the application.

Once users and groups are configured, the Identity Provisioning Service (IPS) automates identity lifecycle processes, enabling the provisioning of identities and their authorizations across various cloud and on-premise business applications.

The diagram below shows how IAS and IPS work together to integrate user authentication between APM and other systems; in this case, SAP Analytics Cloud.

A diagram showing the relationship between APM and SAP Identity Provisioning Service (IPS).

Identity Authentication Mapping between IAS and APM

Once identity authentication is synchronized between IAS and APM, any time a new user is created in IAS, they are automatically added to APM and assigned to an appropriate security group. The steps below outline the process of configuring the integration with IAS. The user making this configuration must have administrative access to both SAP Agent Performance Management and the associated Cloud Identity Services system.

When a new user is added, it is important that they have the correct permissions. A new administrator should be able to see a different set of menus than a broker, for example. To do this, a user group in IAS should be created for each equivalent security group in APM. The format of the user group should be as follows: ICM-{Portal ID}-{Security Group ID}. For example, consider a scenario in which new brokers should belong to a security group called MgrDefault, which grants access to the broker's own producer, credentials, customers, and policies, but not those of other brokers. The Portal ID for the security group is Manager and the Security Group ID is MgrDefault; therefore, the name of the group should be ICM-Manager-MgrDefault. When a new broker is added to IAS and assigned to the ICM-Manager-MgrDefault user group, a new user is automatically added to APM and assigned to the MgrDefault security group.

A diagram illustrating the relationship between IAS user groups and APM Security Groups. The IAS User Group called ICM-3-Administrator is mapped to the APM Security Group called Administrator, and the IAS User Group called ICM-2-MgrDefault is mapped to the APM Security Group called MgrDefault.

Once the integration is configured, when a new user is added to IAS and added to a group, a user with the same Login ID is created in APM and assigned to the appropriate Security Group. The Authentication Type for the user will be set to LDAP.
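The naming convention ICM-{Portal ID}-{Security Group ID} is what ties an IAS group to an APM security group, so a group name that deviates from it (a typo, a missing segment, a group that belongs to another application) silently leaves the user without the intended authorizations. The following Python is an added example, not code from the page or from SAP: it parses IAS group names against the convention and resolves a user's memberships to APM security groups, reporting names that follow the convention but point at a security group that does not exist. The set of known security groups and the sample memberships are constructed for the example; the parser is general and not tied to the Manager/MgrDefault case in the text.

```python
import re
from typing import List, NamedTuple, Optional, Set, Tuple

# IAS user-group naming convention given in the text: ICM-{Portal ID}-{Security Group ID}.
# The Portal ID cannot contain a hyphen (it is the middle segment); the Security Group ID
# takes the remainder, so IDs containing hyphens still parse.
GROUP_PATTERN = re.compile(r"^ICM-(?P<portal_id>[^-]+)-(?P<security_group_id>.+)$")


class GroupMapping(NamedTuple):
    portal_id: str
    security_group_id: str


def parse_ias_group(name: str) -> Optional[GroupMapping]:
    """Return the (Portal ID, Security Group ID) an IAS group name encodes,
    or None if the name does not follow the ICM-{Portal ID}-{Security Group ID} convention."""
    m = GROUP_PATTERN.match(name.strip())
    if not m:
        return None
    return GroupMapping(m.group("portal_id"), m.group("security_group_id"))


def resolve_apm_security_groups(
    ias_groups: List[str], known_security_groups: Set[str]
) -> Tuple[List[GroupMapping], List[str]]:
    """Map a user's IAS group memberships to APM security groups.

    Groups that do not follow the convention are ignored (they may belong to other
    applications sharing the IAS tenant). Groups that follow the convention but name
    a security group APM does not know are returned separately so an administrator
    can correct them instead of the user ending up with no authorizations.
    """
    assigned: List[GroupMapping] = []
    unknown: List[str] = []
    for group in ias_groups:
        parsed = parse_ias_group(group)
        if parsed is None:
            continue
        if parsed.security_group_id in known_security_groups:
            assigned.append(parsed)
        else:
            unknown.append(group)
    return assigned, unknown


# Constructed sample data: the two security groups named on the page, and a user who is
# in a correctly named group, an unrelated group, and a misspelled group.
KNOWN_SECURITY_GROUPS = {"MgrDefault", "Administrator"}
SAMPLE_MEMBERSHIPS = ["ICM-Manager-MgrDefault", "SAC-Viewers", "ICM-3-Administrtor"]

if __name__ == "__main__":
    assigned, unknown = resolve_apm_security_groups(SAMPLE_MEMBERSHIPS, KNOWN_SECURITY_GROUPS)
    for mapping in assigned:
        print(f"assign security group {mapping.security_group_id} (portal {mapping.portal_id})")
    for group in unknown:
        print(f"WARNING: group {group!r} follows the convention but names no known security group")
```

Running the block assigns MgrDefault from ICM-Manager-MgrDefault, skips SAC-Viewers, and flags ICM-3-Administrtor; a provisioning job can use the `unknown` list to alert an administrator rather than creating an APM user with no group.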

The overall steps to configure integration between IAS and APM are:

  1. In Cloud Identity Services, create an application using the default settings. This is a record that identifies the integration with Agent Performance Management.
  2. Download the IAS Service Provider metadata to a file.
  3. In Agent Performance Management, create the Identity Provider Configuration. Populate the metadata by uploading the metadata file created in the previous step.
  4. Map the Login Name from IAS to the User ID in Agent Performance Management.
     A screenshot of the field mapping page in APM. The login_name field has been mapped to the User ID by dragging it from the right pane to the Mapping column.
  5. Download the APM metadata and upload it to IAS. This configures the SAML 2.0 configuration on the IAS side and completes the bidirectional trust between the systems.
     A screenshot of the Service Provider Metadata section of the Identity Provider Configuration in SAP Agent Performance Management. The Download Service Provider Metadata link is highlighted.
  6. In IAS, create a user group for each security group in APM.
  7. When adding a new user in IAS, assign the user to the appropriate user group.

Summary

  • Identity Authentication Service (IAS) manages authentication and user access when APM integrates with other SAP cloud systems.
  • IAS acts as a federated identity provider (IdP), supporting single sign-on across SAP and non-SAP applications using open standards.
  • Users must have administrative access to both APM and IAS, with matching login names across systems.
  • Configuration involves creating an IAS application, exchanging metadata files, and mapping user attributes between systems.
  • Completing the setup requires uploading metadata in both directions to establish secure authentication between APM and IAS.

Configure Authentication with IAS

Business Example

In this exercise, you will configure SAML authentication between IAS and APM. A user named SAML TEST has already been created in both systems.

Steps

  1. Set the APM user’s authentication type to SAML.

    1. From the Administrator menu, select Security – Users.

    2. Search for the user SAML TEST.

    3. Select Inactivate.

    4. Scroll to the Authorization section.

    5. Set the value in the authentication field to SAML.

    6. Select Activate.

  2. Create an application in IAS using the default settings.

    1. Open the IAS client.

    2. Go to Applications & Resources – Applications.

    3. Select Create.

    4. In the Display Name field, enter APM Training.

    5. Make sure the protocol type is SAML 2.0.

    6. Select Create.

  3. Download the IAS Service Provider metadata.

    1. Navigate to Applications and Resources → Tenant Settings.

    2. Select the Single Sign-On tab.

    3. Select SAML 2.0 Configuration.

    4. Select Download Metadata File.

    5. Select Default Certificate.

    6. Select Download.

  4. Configure the Identity Provider Configuration in SAP Agent Performance Management.

    1. Log in to SAP Agent Performance Management.

    2. Use the search bar to open Identity Provider Search.

    3. Select Add (+).

    4. In the first section, make sure Synchronize is set to No.

    5. In the IDP Entity ID field, enter https://spmtrainingus1.accounts.ondemand.com.

    6. Use the Upload Idp Metadata link to upload the metadata file downloaded in Step 3.

    7. Select Save.

  5. Map the Login Name from IAS to the User ID in SAP Agent Performance Management.

    1. Go to the User Attributes and Mappings section.

    2. Under Idp User Attributes, select Add.

    3. Select User from the dropdown.

    4. Select Save.

    5. Under Mappings, select Add (+).

    6. Drag the login_name mapping to the Mapping column on the User Set row.

    7. Select Save, then Close.

    8. Save and Close the Idp Mapped Entity Detail window.

  6. Download APM metadata and upload it to IAS. This configures the SAML 2.0 configuration on the IAS side and completes the bidirectional trust between the systems.

    1. Scroll to the Service Provider Metadata section.

    2. Select Download Service Provider Metadata.

    3. Return to the IAS screen.

    4. Go to Applications & Resources – Applications.

    5. In the left panel, select APM Training. This is the application we created earlier.

    6. Open SAML 2.0 Configuration.

    7. Select Load from File.

    8. Browse to the metadata file you just downloaded and select Upload.

    9. Set the Home URL to match the Assertion Service URL. This will be https://training2.callidusinsurance.net/ICM/AssertionConsumer.

    10. Close the SAML 2.0 Configuration window.

  7. The attribute being sent over from IAS is currently set to Login Name. Change the attribute to login_name so it matches the attribute we set up in APM in step 5.

    1. Open the Attributes section.

    2. Select Add.

    3. In the Name field, enter login_name.

    4. Set the source to Identity Directory.

    5. In the Value field, enter Login Name.

    6. Select Save.
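Step 7 matters because APM looks up the User ID by the literal attribute name in the assertion: if IAS sends Login Name while APM expects login_name, the mapping finds nothing and the login fails even though trust is established. The following Python is an added example, not code from the page or from SAP: it parses a SAML assertion, resolves the User ID from the mapped attribute, and performs the issuer, recipient, audience and validity-window checks a service provider makes before trusting the attributes (signature verification is out of scope here). The assertion is constructed; the IdP entity ID and the AssertionConsumer URL are the values from the exercise, while the SP entity ID, the login ID saml.test and the timestamps are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Dict, List, Optional

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Values from the exercise.
IDP_ENTITY_ID = "https://spmtrainingus1.accounts.ondemand.com"
ACS_URL = "https://training2.callidusinsurance.net/ICM/AssertionConsumer"
# Assumption: APM's SP entity ID lives in the downloaded SP metadata and is not shown on the page.
SP_ENTITY_ID = "https://training2.callidusinsurance.net/ICM"

# Constructed, unsigned assertion as IAS would send it after step 7: the login name
# travels in an attribute named exactly login_name. Timestamps are fixed for the example.
ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2024-01-01T10:00:00Z">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <saml:Subject>
    <saml:NameID>saml.test</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="{ACS_URL}" NotOnOrAfter="2024-01-01T10:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T09:59:00Z" NotOnOrAfter="2024-01-01T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="login_name"><saml:AttributeValue>saml.test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="first_name"><saml:AttributeValue>SAML</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _ts(value: str) -> datetime:
    """Parse the UTC timestamps SAML uses (YYYY-MM-DDTHH:MM:SSZ)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_attributes(assertion_xml: str) -> Dict[str, List[str]]:
    """Return {attribute name: [values]} from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs: Dict[str, List[str]] = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML)]
    return attrs


def resolve_user_id(attrs: Dict[str, List[str]], mapped_attribute: str = "login_name") -> Optional[str]:
    """Value APM maps to User ID. None when the IdP's attribute name differs from the
    mapping (the Login Name vs login_name mismatch step 7 fixes) or the value is ambiguous."""
    values = attrs.get(mapped_attribute, [])
    return values[0] if len(values) == 1 and values[0] else None


def check_assertion(assertion_xml: str, now_iso: str) -> List[str]:
    """Issuer, recipient, audience and validity-window checks, evaluated at now_iso.
    Returns the list of failures; empty means the assertion is acceptable on these points."""
    now = _ts(now_iso)
    root = ET.fromstring(assertion_xml)
    problems = []
    issuer = root.findtext("saml:Issuer", default="", namespaces=SAML)
    if issuer != IDP_ENTITY_ID:
        problems.append(f"issuer {issuer!r} is not the configured IdP")
    scd = root.find(".//saml:SubjectConfirmationData", SAML)
    if scd is None or scd.get("Recipient") != ACS_URL:
        problems.append("Recipient does not match the AssertionConsumer URL")
    elif scd.get("NotOnOrAfter") and now >= _ts(scd.get("NotOnOrAfter")):
        problems.append("subject confirmation expired")
    cond = root.find("saml:Conditions", SAML)
    if cond is not None:
        if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
            problems.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
            problems.append("assertion expired")
    audiences = [a.text for a in root.findall(".//saml:Audience", SAML)]
    if SP_ENTITY_ID not in audiences:
        problems.append("audience does not include this SP's entity ID")
    return problems


if __name__ == "__main__":
    attrs = extract_attributes(ASSERTION)
    print("mapped as login_name:", resolve_user_id(attrs))
    print("mapped as Login Name:", resolve_user_id(attrs, "Login Name"))
    print("checks at 10:01:", check_assertion(ASSERTION, "2024-01-01T10:01:00Z"))
    print("checks at 10:06:", check_assertion(ASSERTION, "2024-01-01T10:06:00Z"))
```

The second `resolve_user_id` call reproduces the failure mode before step 7: the assertion is valid and trusted, but no attribute is named login_name, so there is no User ID to match and the login cannot complete.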