SAP recommends SAP Cloud Identity Services – Identity Authentication as the single identity provider for SAP BTP. If you use corporate identity providers, you can connect them to your Identity Authentication tenant, which then acts as a hub/proxy. General information can be found in the following resources:
- SAP Cloud Identity Services – Identity Authentication
- SAP BTP – Security Administration: Managing Authentication and Authorization
- Use Identity Authentication as a proxy for a corporate identity provider
SAP S/4HANA Cloud comes with an Identity Authentication tenant that is provided by SAP Cloud Identity Services. It is used to authenticate end users who connect via SAP Fiori launchpad.
The Identity Authentication tenant should be connected to the SAP BTP subaccount so that end users connecting via SAP Build Work Zone, standard edition or SAP Mobile Start can also be authenticated and can access the exposed business content and data from SAP S/4HANA Cloud.
For most customers, the SAP BTP Global Account and SAP Cloud Identity Services tenants come bundled, so they can connect the two with the "Establish Trust" button in the Trust Configuration of the SAP BTP subaccount. This sets up a trust configuration of type OpenID Connect automatically. (Refer to this help page)
If your SAP Cloud Identity Services – Identity Authentication tenant is not available via "Establish Trust", or you want to go ahead with a SAML 2.0 setup, we will cover the steps for the manual trust configuration below.
Prerequisites
- SAP Cloud Identity Services – Identity Authentication is available and connected to SAP S/4HANA Cloud
- SAP BTP platform admin user with admin access to the SAP BTP subaccount
- Identity Authentication admin user with authorizations to manage applications
Note
These can be either your personal users or general users with admin roles assigned in the respective systems.