Setting Up Identity Authentication with Subaccount

Objectives
After completing this lesson, you will be able to:

  • Set up trust between Identity Authentication and SAP BTP subaccount

Identity Authentication Setup with SAP BTP Subaccount

SAP Cloud Identity Services – Identity Authentication is SAP’s recommended single identity provider for SAP BTP. If you use corporate identity providers, you can connect them to your Identity Authentication tenant, which then acts as a hub (proxy) between them and SAP BTP. General information can be found in the following resources:

SAP S/4HANA Cloud comes with an Identity Authentication tenant that is provided by SAP Cloud Identity Services. It is used to authenticate end users who connect via SAP Fiori launchpad.

The Identity Authentication tenant should be connected to the SAP BTP subaccount, so that end users connecting via SAP Build Work Zone, standard edition or SAP Mobile Start are also authenticated by it and can access the business content and data exposed from SAP S/4HANA Cloud.

We will now cover the steps of the manual trust configuration that allows SAP BTP and Identity Authentication to trust each other.

Prerequisites

  • SAP Cloud Identity Services – Identity Authentication is available and connected to SAP S/4HANA Cloud
  • SAP BTP platform admin user with admin access to the SAP BTP subaccount
  • Identity Authentication admin user with authorizations to manage applications
Note

These can be either your personal users or general users with admin roles assigned on the respective systems.

Set Up Trust from Identity Authentication to Subaccount

The SAP BTP subaccount needs to be added as an application in the admin console of the Identity Authentication tenant, and the relevant settings configured as follows:

  1. Log in to the SAP BTP subaccount with the platform admin user
  2. Export SAML metadata of the subaccount
  3. Log in to Identity Authentication with the Identity Authentication admin user
  4. Create a new application for the subaccount in the Identity Authentication admin console
  5. Define a SAML 2.0 configuration from the metadata
  6. Set the Subject Name Identifier and Default Name ID Format

In this practice exercise, you will perform the steps mentioned above:

Set Up Trust from Subaccount to Identity Authentication

With the completion of the previous setup, the SAP BTP subaccount is trusted by Identity Authentication. Now we need to do the reverse. To use Identity Authentication as an identity provider on SAP BTP for services like SAP Build Work Zone, standard edition, we need to add it to the subaccount's trust configuration and enable it for user logon. The following steps are required:

  1. Log in to Identity Authentication with the Identity Authentication admin user
  2. Export the SAML metadata of Identity Authentication
  3. Log in to the BTP subaccount with the SAP BTP platform admin user
  4. Upload the SAML metadata to add Identity Authentication to the trust configuration of the subaccount
  5. Configure it for user logon
Note

These steps are also described in Manual trust setup of BTP with SAML Identity Provider. You also have the option to use OpenID Connect (which is not covered in this learning journey) instead of SAML 2.0.

In this practice exercise, you will perform the tasks mentioned above:

Summary

The basic connection between SAP S/4HANA Cloud and the SAP BTP subaccount has been established successfully. We can continue with enabling SAP Build Work Zone, standard edition for access with an Identity Authentication user.