Describing the Identity Authentication Service

Objective

After completing this lesson, you will be able to describe the main features and usage options for the SAP Cloud Platform Identity Authentication Service (IAS).

SAP Cloud Platform Identity Authentication Service (IAS)

SAP Cloud Platform Identity Authentication Service (IAS) is a cloud service that provides authentication, Single Sign-On (SSO), user management, and On-Premise integration. IAS can also be used with SAP Identity Management or deployed along with other service offerings from SAP, such as Identity and Access Management as a service.

Diagram illustrating the SAP Cloud Identity Services architecture involving end user, application clients, identity authentication, SAP Secure Login Service, SAP BTP application, cloud and On-Premise solutions.

SAP IAS provides convenient user self-services such as registration and password reset for employees and partners. The Identity Authentication service offers security features for protecting access to applications, support for defining risk-based authentication rules, two-factor authentication, and delegated authentication to On-Premise user stores. Support for other identity providers helps ensure secure authentication and user management for cloud-based and On-Premise systems.

Key features of SAP Cloud Platform Identity Authentication are:

  • Secure authentication for cloud and On-Premise service provider applications
  • Single Sign-On functionality from anywhere on any device (Web and desktop SSO)
  • Social login through Twitter, LinkedIn, Facebook, and Google
  • Strong authentication with configurable multi-factor authentication enforcement, such as time-based one-time passwords, Web two-factor authentication, and Fast Identity Online (FIDO) capabilities; two-factor authentication based on one-time passwords
  • Risk-based authentication rules based on the service provider application, user group assignment, and IP address ranges
  • Easy application onboarding
  • Support of SAP and third-party software
  • Password policies on the level of service provider applications
  • Customizable look-and-feel features, including support to set up company branding
  • User self-services, including self-registration and password reset
  • Configurable user registration form
  • REST APIs for user management
  • Setup of custom privacy policies and terms of use on the application level
  • Usage reporting capabilities
  • Delegated authentication through integration with On-Premise user stores and corporate identity providers
  • Identity federation based on SAML 2.0

SAP Identity Authentication is offered as a standalone service. However, it is a tightly integrated core service within SAP Cloud Identity Services, bundled with many SAP Cloud solutions. It is also tightly integrated with SAP BTP, making it part of many other cloud solutions from SAP and establishing it as the de facto central authentication hub for customers using SAP and third-party software.

There are two usage options for Identity Authentication:

  1. Identity Authentication as an IdP proxy for seamless, flexible integration with customers’ existing IAM infrastructure
  2. Identity Authentication as the landscape-wide identity provider offering secure authentication and user management capabilities

Usage Case of Identity Authentication as IdP Proxy

SAP’s Identity Authentication service is a proxy Identity Provider (IdP) in this scenario. This means it doesn’t directly authenticate the user's credentials but delegates that responsibility to an underlying identity provider (a corporate user store or another identity provider). In other words, while the SAP system still directs authentication requests to the Identity Authentication Service, another system linked to the Identity Authentication Service verifies user credentials.

  • Authentication is delegated to the corporate identity provider login
  • Reuse of existing Single Sign-On infrastructure
  • Easy and secure authentication for employee scenarios
  • Federation based on the SAML 2.0 or the OpenID Connect standard
  • Enrichment of assertion with more attributes in Identity Authentication (optional)
  • System applications supported as well

Usage Case of Identity Authentication as Landscape-Wide IdP

SAP’s Identity Authentication service is the primary Identity Provider for the entire landscape, handling the authentication for all the applications and services within that landscape. This could include various applications or services across multiple systems or platforms within a network or digital landscape. This approach provides a single, unified authentication method across all systems in the landscape, simplifying the sign-on process and reducing the need to maintain multiple sets of user credentials.

Diagram depicting SAP Cloud Identity Services for Identity Authentication, connecting corporate identity providers and user stores to SAP business apps through SAML/OpenID Connect and Cloud Connector.

The main difference lies in where and how user credentials are verified: directly by the Identity Authentication Service (landscape-wide IdP) or by a different, underlying system (Identity Authentication as IdP proxy).
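As an added example, not SAP's code or the product's API: a toy Python model of the two usage options above and of a risk-based rule (application, group assignment, IP range) that demands a second factor. The corporate IdP, user stores, trusted network, group and application names, and the enrichment attribute are all constructed for the illustration.

```python
import hmac
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Assertion:
    subject: str
    issuer: str                      # the system that actually verified the credentials
    attributes: dict = field(default_factory=dict)
    second_factor: bool = False

class CorporateIdP:
    """Customer's existing IdP (constructed); only it sees passwords in the proxy case."""
    def __init__(self, name: str, users: dict):
        self.name, self.users = name, users

    def authenticate(self, user: str, password: str):
        if not password or not hmac.compare_digest(self.users.get(user, ""), password):
            return None
        return Assertion(user, self.name, {"mail": f"{user}@corp.example"})

class IdentityAuthentication:
    """mode 'proxy' trusts a corporate IdP; mode 'landscape' checks IAS's own user store."""
    def __init__(self, mode, local_users=None, trusted_idp=None,
                 trusted_net="10.0.0.0/8", mfa_groups=("Admins",)):
        self.mode, self.local_users, self.trusted_idp = mode, local_users or {}, trusted_idp
        self.trusted_net, self.mfa_groups = ipaddress.ip_network(trusted_net), set(mfa_groups)

    def risk_requires_mfa(self, app, groups, client_ip):
        """Risk-based rule on application, group assignment and IP range (constructed)."""
        return (app == "payroll" or bool(self.mfa_groups & set(groups))
                or ipaddress.ip_address(client_ip) not in self.trusted_net)

    def login(self, app, user, groups, client_ip, password=None, idp_assertion=None, otp_ok=False):
        if self.mode == "proxy":
            # IAS never checks the password; it only checks who issued the assertion and for whom.
            if idp_assertion is None or idp_assertion.issuer != self.trusted_idp or idp_assertion.subject != user:
                raise PermissionError("no valid assertion from the trusted corporate IdP")
            assertion = idp_assertion
            assertion.attributes["costCenter"] = "C-1000"  # optional enrichment in IAS
        else:
            if not password or not hmac.compare_digest(self.local_users.get(user, ""), password):
                raise PermissionError("invalid credentials")
            assertion = Assertion(user, "ias", {"mail": f"{user}@corp.example"})
        if self.risk_requires_mfa(app, groups, client_ip):
            if not otp_ok:
                raise PermissionError("second factor required by risk-based rule")
            assertion.second_factor = True
        return assertion
```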

Learn more about SAP Cloud Identity Services - Identity Authentication.

Lesson Summary

You can now describe the main features of the Identity Authentication Service, including the two main use cases.
