The Identity Authentication service is responsible for authentication and single sign-on, while the Identity Provisioning service handles identity lifecycle management, which covers both users and groups.
- The Identity Provisioning service allows you to:
  - Manage user accounts and authorizations across Cloud and on-premise systems.
  - Provision identities from user stores in the Cloud and on-premise.
  - Enable business applications to quickly support single sign-on with Identity Authentication.
- As its key value proposition, the Identity Provisioning service provides:
  - Fast and efficient administration of user on-boarding.
  - Centralized end-to-end lifecycle management of corporate identities in the Cloud.
  - Automated provisioning of existing on-premise identities to Cloud applications.
Open Security Standards - Interoperable
Identity Authentication provides simple and secure access to web-based applications with a variety of authentication methods, at any time and from anywhere. The service was previously known as SAP Cloud ID service.
- Identity Authentication provides secure and simple access based on the following factors:
  - Identity federation based on SAML 2.0.
  - Web single sign-on (SSO) and desktop SSO.
  - Secure on-premise integration to reuse existing authentication systems.
  - Social login and two-factor authentication.
  - Risk-based authentication.
- Identity Authentication provides user and access management based on the following factors:
  - User administration and integration with on-premise user stores.
  - User groups and application access management.
  - User self-service, for example, password reset, registration, and user profile maintenance.
  - System for Cross-domain Identity Management (SCIM) API.
- Identity Authentication provides the following enterprise features:
  - Branding of end user UIs.
  - Password and privacy policies.
- Identity Authentication is interoperable with all applications supporting the SAML 2.0 standard or OpenID Connect (OIDC).
- Identity Authentication has the following IdP proxy features:
  - Authentication is delegated to the corporate IdP login.
  - Reuse of existing SSO infrastructure.
  - Easy and secure authentication for employee scenarios.
  - Federation based on the SAML 2.0 standard.
Identity Authentication can connect to an on-premise user store.
User credentials are taken from:
- Active Directory (through LDAP).
- AS Java (which can be either the local UME, an ABAP store, or AD).
With this setup:
- No user replication to the Cloud is required.
- Internal network ports do not need to be exposed to the Internet.
- Other Identity Authentication (IAS) product features can still be used, including UI configuration policies and two-factor authentication.
Key takeaways of this unit
SAP BTP has built-in functionality for managing roles and role collections and assigning them to platform or application users. When you want to use an identity provisioning or identity authentication service other than the default SAP ID service, you can use other identity providers, such as the Identity Provisioning service. These identity services can also be used for other use cases; for example, you can have one central identity provisioning and authentication service for both your platform and your application (PaaS and SaaS). Platform users inside SAP BTP need to be managed and assigned at the architecture level with global accounts, directories, subaccounts, and spaces.