Explaining Platform Security


After completing this lesson, you will be able to:

  • Differentiate between authentication and authorization and explain how both are used in SAP BTP

Platform Security

In this lesson we will cover the following topics:

  • Identity Authentication: IDP.
  • Identity Authentication: Service.
  • User and Role Management on SAP BTP.
  • Identity Provisioning Service.
  • Bringing all together.

Identity Authentication: IDP

SAP BTP uses out of the box, the Identity Providers (IDP) for user authentication. They have the role of a user store:

(1) External Authentication providers (SAML).

(2) Authenticated identity is used inside SAP BTP.

Freedom of Choice of IDP

SAML2 standard provides choice of authentication provider.

SAP BTP Identity Authentication can use on-premise IDPs (AD, LDAP, SAP) for user authentication:

  • Re-use existing IDP, easy to implement.
  • Maintain central user repository (no user sync needed).

SAML2 capable IDPs can be integrated, for example:

  • Microsoft ADFS
  • Microsoft AZURE

Change the IDP on Subaccount Level

You can change the SAML 2.0 IDP Provider on subaccount level.

SAML 2.0 Response after successful Login to IDP

Here is the SAML 2.0 Response from IDP to SAP BTP after successful login.

Identity Authentication: Service

By default, SAP always uses the IDP as the identity provider. However, it only offers basic functions like User Authentication as a user store.

To take advantage of all possibilities, the Identity Authentication Service can be licensed. It offers almost all conceivable options based on SAML 2.0 or OpenID Connect Standard. Additionally, you still need an Identity Provider, for example the IDP from SAP or from third-party companies.

The example above uses two IDPs.

The features are:

  • Basic authentication
  • Re-use of Windows Domain logon
  • Two-factor authentication
  • Delegated logon

User and Role Management on SAP BTP

Platform Users vs. Business Users

First of all it is important to understand that there are two different types of users when working with and on the SAP BTP: platform users and business users.

Platform users are usually developers, administrators, or operators who deploy, administer, and troubleshoot applications and services on SAP BTP.

For platform users, the default identity provider is SAP ID service.

Business users use the applications that are deployed to SAP BTP. For example, the users of your deployed application or users of subscribed apps or services, such as SAP Business Application Studio are business users.

User and Role Management on SAP BTP

TypeDescriptionAuthentication Configuration

Platform Users

Member on Global - and subaccount, members on space level

Platform IDP, on Global Account Level

Application Developer/  Users

User that use Subscriptions and/or Market Place Services. Developers or Business developer.

IDP on subaccount Level

Business User

User that use business apps.

IDP on subaccount Level

No user identities are held on the SAP BTP. However, domain-dependent system and service role and groups are used.

These roles and groups are either created directly on the SAP BTP, for example, or existing ones are imported and mapped to the Platform Roles or Groups. This is done with the SAP Cloud Identity Provisioning Service.

You can identify the following user types. A developer can also be a business user.

Roles and Groups on the SAP BTP: Platform Users

On global level the Administrator role is assigned.

On subaccount level, the Organization Roles are assigned.

On subaccount level also the Security Administrators are assigned.

On space level the Spaces Roles are assigned.

However, the service roles still have to be assigned to the corresponding user. You can see how this can be done in the case of your own service in the next Lesson with a Business User.

SAP Provisioning Service

In order to use existing roles and groups, for example in the SAP BTP, these can be mapped manually via the SAP Identity Provisioning Service.

Bringing all together

The combination of authentication and authorization looks as follows:

Log in to track your progress & complete quizzes