Setting Up SAP Cloud Identity Services

Objective

After completing this lesson, you will be able to configure SAP Cloud Identity Services.

Identity Authentication Setup

SAP BTP supports identity federation, a concept of linking and reusing digital identities of a user base across loosely coupled systems.

Diagram showing Trust Configuration

As part of the bundled solution, Identity Authentication (IAS) takes care of the user authentication and access to the SAP Cloud Identity Access Governance and the target solutions. Before you can start using SAP Cloud Identity Access Governance, you must establish a trust relationship between the subaccount for SAP Cloud Identity Access Governance and the IAS tenant. You can do it automatically in the SAP BTP cockpit.

Automatically Establish Trust

Screenshot displaying Establishing a Trust Connection

The simplest way to establish a trust connection is the automatic method, which uses OpenID Connect (OIDC). It does not require a manual download and upload of SAML metadata.

Note

You can only establish trust with a single tenant of Identity Authentication Service per subaccount using this method.

Screenshot displaying Automatic Trust

In your SAP Cloud Identity Access Governance subaccount, under Security → Trust Configuration, you initially see only the default identity provider, which is the SAP ID service.

  1. Choose the Establish Trust button.
  2. In the following popup, select an identity provider from the dropdown list.

    Only identity providers that are associated with your customer ID are shown.

  3. Choose Establish Trust.

    Result: Trust of type OpenID Connect between your subaccount and the identity provider is generated.

    If you establish a trust connection automatically, you can connect your subaccount only with a single tenant of Identity Authentication.

Checking the Service Provider in Identity Authentication

Screenshot displaying IAS Admin Console

  1. Log on to the Identity Authentication service. Access the tenant's administration console for Identity Authentication by using the console's URL.

    The URL has the following pattern:

    https://<tenant ID>.accounts.ondemand.com/admin

  2. Under Applications and Resources, choose the Applications tile.
  3. Search for the application that has been created as part of the trust setup.

    The name of the application has the format XSUAA_<Subaccount Name>, but you can change it if needed.

Manually Establish Trust

The automatic trust configuration works only with OpenID Connect. If you want to use SAML instead, you can do so by exchanging certificates between the subaccount and the identity provider. However, these are manual steps.

For more information, refer to the official documentation: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/e12d8683adfa4471ac4edd40809b9038/084bc11f2eb3415d8cd0ffeb065bebc7.html

Hint

If you have created a trust configuration with Identity Authentication in the SAP Cloud Identity Access Governance subaccount, you will have two identity providers - Default IdP and IAS - maintained in the subaccount. Hence, you will have two user stores. This can cause difficulties in maintaining users and providing authorizations. Additionally, every time end users access the SAP Cloud Identity Access Governance Fiori Launchpad, they will have to select which IdP should be used for authentication. To avoid this confusion, it is recommended that you disable the Default Identity Provider for logon. To do so, perform the following steps:

  1. In SAP BTP Cockpit, choose the subaccount and navigate to Security → Trust Configuration.
  2. Choose the Pencil button for the Default Identity Provider to edit it.
  3. Uncheck the box Available for User Logon.
  4. Save your entry.

    You should now see that the Default Identity Provider is greyed out.

Identity Provisioning Setup

Identity Provisioning is part of a bundled solution called "SAP Cloud Identity Services" (CIS) that runs on SAP BTP Cloud Foundry. It is a service that automates identity lifecycle processes. The Identity Provisioning service (IPS) helps you provision identities and their authorizations to various cloud and on-premise business applications.

For the Identity Provisioning setup, there is some configuration needed in the IPS tenant and in the SAP Cloud Identity Access Governance subaccount (SAP BTP Cockpit).

Note

The IPS is not mandatory for most integration scenarios.

As a prerequisite:

  • Ensure your user in Identity Authentication has the proper authorization (Manage Identity Provisioning) to access Identity Provisioning.
  • Ensure you have created an Identity Authentication administrator user (type: SYSTEM) with the option Access Proxy System API enabled.

    This user is used for the IPS_PROXY destination in the SAP Cloud Identity Access Governance subaccount.

    Regarding the authorizations of Identity Authentication administrator user (type: SYSTEM), refer to SAP Note: https://launchpad.support.sap.com/#/notes/3233319

    See the section Case b) A bundle IPS on the SAP Cloud Identity (SCI) platform was created or updated for use with IAG, Step 2.

Create IPS_PROXY Destination in the SAP Cloud Identity Access Governance Subaccount

Diagram displaying steps to create IPS_PROXY Destination in the SAP Cloud Identity Access Governance Subaccount

  1. Open SAP BTP cockpit.
  2. Open Subaccounts and choose your SAP Cloud Identity Access Governance subaccount.
  3. Navigate to Connectivity → Destinations.
  4. Create a New Destination using the button.
  5. Provide the following information:
    • Name: IPS_PROXY
    • Type: HTTP
    • Description: <Any description>
    • URL: <URL of the Identity Authentication tenant>

      Enter the Identity Authentication tenant URL without the trailing "/ips" at the end.
    • Proxy Type: Internet
    • Authentication: BasicAuthentication
    • User: <User ID of Identity Authentication administrator user (type: SYSTEM)> (see the prerequisites mentioned at the beginning)
    • Password: <Password of Identity Authentication administrator user>
    • Additional Properties: see the listing below

      Provide additional properties by selecting the New Property button:

      • Accept: application/scim+json
      • GROUPSURL: /Groups
      • serviceURL: /ipsproxy/service/api/v1/scim/
      • USERSURL: /Users
  6. Choose Save.
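The destination above is easy to get subtly wrong (a trailing "/ips" on the URL, a missing SCIM property, plain http). The following checker is an added example and not SAP code: it models the destination as a plain dict using the SAP BTP destination property names (Name, Type, URL, ProxyType, Authentication, User, Password, plus the additional properties listed above) and assumes, for illustration only, that the effective SCIM endpoint is URL + serviceURL + USERSURL/GROUPSURL.

```python
"""Sanity-check an IPS_PROXY destination before saving it (added example, not SAP code)."""
from urllib.parse import urlsplit

# Values the lesson prescribes for the IPS_PROXY destination and its additional properties.
EXPECTED_FIXED = {
    "Name": "IPS_PROXY",
    "Type": "HTTP",
    "ProxyType": "Internet",
    "Authentication": "BasicAuthentication",
    "Accept": "application/scim+json",
    "GROUPSURL": "/Groups",
    "serviceURL": "/ipsproxy/service/api/v1/scim/",
    "USERSURL": "/Users",
}


def check_ips_proxy_destination(dest: dict) -> list[str]:
    """Return a list of findings; an empty list means the destination matches the lesson."""
    findings = []
    for key, expected in EXPECTED_FIXED.items():
        if dest.get(key) != expected:
            findings.append(f"{key}: expected {expected!r}, got {dest.get(key)!r}")
    parts = urlsplit(dest.get("URL", ""))
    if parts.scheme != "https":
        # Basic authentication sends the SYSTEM user's password with every request.
        findings.append("URL: must use https so the SYSTEM user's credentials are protected in transit")
    if parts.path.rstrip("/").endswith("/ips"):
        findings.append("URL: remove the trailing '/ips'; serviceURL already supplies the proxy path")
    if not dest.get("User") or not dest.get("Password"):
        findings.append("User/Password: credentials of the Identity Authentication SYSTEM user are required")
    return findings


def scim_endpoints(dest: dict) -> dict:
    """Compose the effective SCIM URLs (assumed composition: URL + serviceURL + resource path)."""
    base = dest["URL"].rstrip("/") + dest["serviceURL"].rstrip("/")
    return {"users": base + dest["USERSURL"], "groups": base + dest["GROUPSURL"]}


# Constructed sample destination; the tenant host and user are placeholders, not real values.
SAMPLE_OK = {
    "Name": "IPS_PROXY", "Type": "HTTP", "ProxyType": "Internet",
    "Authentication": "BasicAuthentication",
    "URL": "https://example-tenant.accounts.ondemand.com",
    "User": "ips-proxy-system-user", "Password": "<placeholder-secret>",
    "Accept": "application/scim+json", "GROUPSURL": "/Groups",
    "serviceURL": "/ipsproxy/service/api/v1/scim/", "USERSURL": "/Users",
}
```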

Create Proxy System in Identity Provisioning

Diagram displaying the steps to create proxy system in identity provisioning

  1. Open the Identity Authentication Admin console.
  2. Navigate to Identity Provisioning → Proxy Systems.

    Alternative option: You can call the Identity Provisioning directly by using https://<Identity Authentication-Host>/ips

  3. Create a new proxy system using the + Add button.
  4. Provide the relevant information for the target application:

    In the Details tab:

    • Type

      Note

      The selected target system will be reached through the IPS_PROXY destination that you have created before.

    • System Name
    • Destination Name
    • Description

    Read/Write Transformations:

    Keep the default transformations, or replace them with the application-specific transformations and adjust them as needed.

    On the Properties area, provide the relevant application properties.

  5. Choose Save.