Analyzing SAP Cloud Identity Services

Objectives

After completing this lesson, you will be able to:

  • Describe Identity Providers
  • Analyze SAP Cloud Identity Services

Identity Providers

Applications and services in SAP BTP and even the SAP BTP cockpit do not store user information. Instead, a redirect for authentication to an Identity Provider (IdP) is required. This concept makes it possible to decouple and centralize authentication functionality from application capabilities and authorization management. The SAP BTP offers the possibility to use the SAP ID Service or custom Identity Providers from your IT landscape.

SAP ID Service is the default identity provider in SAP BTP. It is a pre-configured, standard SAP public IdP (account.sap.com) that is shared by all customers. It has a pre-configured trust connection to all SAP BTP subaccounts. The SAP ID Service is fully managed and provided by SAP, and you can only create a free user in it. The SAP ID Service is also used for official SAP sites, including the SAP developer and partner community. It is where S-Users, P-Users and D-Users are managed.

For many customers, users might be stored in a corporate identity provider. SAP recommends using SAP Cloud Identity Services – Identity Authentication Service (IAS) as a hub.

You can connect IAS as a single custom identity provider to SAP BTP. Further, you can use IAS to integrate with the corporate identity providers that exist in your company's IT landscape.

SAP Cloud Identity Services

The SAP Cloud Identity Services consist of two services: Identity Authentication and Identity Provisioning. The Identity Authentication service is mainly responsible for authentication and single sign-on, while the Identity Provisioning service takes care of identity lifecycle management, which covers both users and groups (creating, changing, deleting, and so on).

You can get more information about SAP Cloud Identity Services here: https://help.sap.com/docs/SAP_CLOUD_IDENTITY?locale=en-US or here: https://community.sap.com/topics/cloud-identity-services

SAP Cloud Identity Services - Identity Provisioning

The Identity Provisioning service helps you provision identities and their authorizations to various cloud and on-premise business applications. The Identity Provisioning service offers you:

  • management of user accounts and authorizations
  • user stores in the cloud and on-premise
  • centralized end-to-end lifecycle management of corporate identities
  • fast and efficient administration of user on-boarding
  • and more.

Learn more about SAP Cloud Identity Services - Identity Provisioning here: https://help.sap.com/docs/IDENTITY_PROVISIONING/f48e822d6d484fa5ade7dda78b64d9f5/2d2685d469a54a56b886105a06ccdae6.html?locale=en-US

SAP Cloud Identity Services - Identity Authentication

Identity Authentication provides simple and secure access to web-based applications with a variety of authentication methods, at any time and from anywhere. The service was previously known as SAP Cloud ID service. Its task is to validate the authentication between IdPs and the applications themselves, based on support for open standards like SAML, SSO, and more.

Note

SAML

Security Assertion Markup Language (SAML) is an XML-based open security standard for exchanging authentication and authorization data between parties such as identity providers and service providers.

SSO

Single sign-on (SSO) is a mechanism allowing the user to log on with a single user ID and password for several software systems. A full SSO enables the users to enter several systems, entering the credentials just once, for example, at the start-up of the computer.

Identity Authentication offers you:

Secure and simple access through:
  • Identity federation based on SAML 2.0.
  • Web single sign-on (SSO) and desktop SSO.
  • Social login and two-factor authentication.
  • and more.
User and access management:
  • User administration and integration with on-premise user stores.
  • User self-service, for example, password reset, registration, and user profile maintenance.
  • Password and privacy policies.
  • and more.
IdP proxy features:
  • Reuse of existing SSO infrastructure.
  • Federation based on the SAML 2.0 standard.
  • and more.

Learn more about SAP Cloud Identity Services - Identity Authentication here: https://help.sap.com/docs/IDENTITY_AUTHENTICATION?locale=en-US

Key Takeaways Of This Lesson

Applications and services in SAP BTP and even the SAP BTP cockpit do not store user information. Instead, a redirect for authentication to an Identity Provider (IdP) is required. SAP ID Service is the default identity provider in SAP BTP. For many customers, users might be stored in a corporate identity provider. SAP recommends using SAP Cloud Identity Services to integrate that. The SAP Cloud Identity Services consist of two services: Identity Authentication for authentication and single sign-on, and Identity Provisioning for identity lifecycle management.
