As outlined in the introduction of this unit, SAP Build Work Zone runs as a service on SAP BTP and therefore relies on the identity provider (IdP) trust configuration at the subaccount level. Furthermore, the Digital Workplace Service (DWS) layer uses dedicated authentication-related settings, which need to be considered. This lesson explores the authentication-related aspects across the SAP Build Work Zone product architecture and how the different elements are connected to one another.
For SAP Build Work Zone, IAS must be used at least in proxy mode when connecting to another SAP or third-party IdP. Directly connecting a corporate identity provider to the SAP BTP subaccount is not supported and will not work for SAP Build Work Zone or SAP SuccessFactors Work Zone. While the manual trust configuration on the BTP subaccount with IAS (based on SAML2) is supported, the recommended trust setup with IAS uses the automated Establish Trust feature (OpenID Connect).
Regardless of the selected configuration mode of IAS and a potentially connected corporate IdP, the information configured for this trust setup is important because it directly affects the user attributes available across the SAP Build Work Zone experience or setup, namely:
- Subaccount → Security → Users list (if the Create Shadow Users During Logon option is enabled).
- Subaccount → Connectivity → Destinations (for example, the userIdSource property).
- Attributes for Principal Propagation to on-premise backend systems (using destinations and SAP Cloud Connector).
- Attributes shown in the user avatar in SAP Build Work Zone shell header.
In addition to the SAP BTP subaccount level trust, an additional trust configuration is required for the Digital Workplace Service component running as an iframe in SAP Build Work Zone. This trust is also an Identity Authentication SAML2-based trust. This setup is configured purely as a fallback mechanism. More details can be found in the next section, Authentication Flow, of this guide.