Explaining SAP Cloud Identity Services

Objectives
After completing this lesson, you will be able to:

After completing this lesson, you will be able to:

  • Describe Identity Providers
  • Describe SAP Cloud Identity Services

Explain Identity Providers

Applications and services in SAP BTP and even the SAP BTP Cockpit do not store user information. Instead, a redirect for authentication to an Identity Provider (IdP) is required. This concept makes it possible to decouple and centralize authentication functionality from application capabilities and authorization management. The SAP BTP offers the possibility to use the SAP ID Service or custom Identity Providers from your IT landscape.

SAP ID Service is the default identity provider in SAP BTP. It is a pre-configured, standard SAP public IdP (account.sap.com) that is shared by all customers. It has a pre-configured trust connection to all SAP BTP subaccounts. The SAP ID Service is fully managed and provided by SAP and you are only able to create a free user inside of this SAP ID Service. The SAP ID Service is also used for official SAP sites, including the SAP developer and partner community. It is the place where the S-Users, P-Users and D-Users are managed.

For many customers, users might be stored in corporate identity provider. SAP recommends using SAP Cloud Identity Services – Identity Authentication Service (IAS) as a hub.

You can connect IAS as a single custom identity provider to SAP BTP. Further, use IAS to integrate with corporate identity providers existing in your companies IT landscapes.

SAP Cloud Identity Services

The Identity Authentication service is mainly responsible for the Authentication & Single Sign-On, while Identity Provisioning service takes care of the Identity Lifecycle Management, which includes both users and groups.

Solution Overview

The Identity Provisioning service allows you to:
  • Manage user accounts and authorizations across Cloud and on-premise systems.
  • Provision identities from user stores in the Cloud and on-premise.
  • Enable business applications to quickly support single sign-on with identity authentication.
As Key Value Proposition: the Identity Provisioning service provides:
  • Fast and efficient administration of user on-boarding.
  • Centralized end-to-end lifecycle management of corporate identities in the Cloud.
  • Automated provisioning of existing on-premise identities to Cloud applications.

Open Security Standards - Interoperable

Identity Authentication provides simple and secure access to Web based applications with a variety of authentication methods at anytime and from anywhere. The service was previously know as SAP Cloud ID service.

Identity Authentication provides secure and simple access based on the following factors:
  • Identity federation based on SAML 2.0.
  • Web Single Sign-On SSO and desktop SSO.
  • Secure on-premise integration to reuse existing authentication systems.
  • Social login and two-factor authentication.
  • Risk-based authentication.
Identity Authentication provides user and access management based on the following factors:
  • User administration and integration with on-premise user stores.
  • User groups and application access management.
  • User self-service, for example, password reset, registration, and user profile maintenance.
  • System for Cross-domain Identity Management (SCIM) API.
Identity Authentication provides the following enterprise features:
  • Branding of end user UIs.
  • Password and privacy policies.
  • Identity Authentication is interoperable with all application supporting SAML* 2.0 standard or OpenID Connect (OIDC).
Identity Authentication has the following IdP proxy features:
  • Authentication is delegated to corporate IdP login.
  • Reuse of existing SSO infrastructure.
  • Easy and secure authentication for employee scenarios.
  • Federation based on the SAML 2.0 standard.

Identity Authentication can connect to an on-premise user store.

Users credentials are taken from:

  • Active Directory (through LDAP).
  • AS Java (which can be either local UME, ABAP store or AD).
  • There is no user replication required to the Cloud.
  • Internal network ports do not need to be exposed to the Internet.
  • Other IAS product features can be used including UI configuration policies and two-factor authentication.

Save progress to your learning plan by logging in or creating an account