Enhancing SAP Cell and Gene Therapy Orchestration Authentication and Authorization Measures

Objectives

After completing this lesson, you will be able to:
  • Understand the core principles of Identity Authentication Service
  • Set up SAP Identity Authentication Service
  • Illustrate user management
  • Create roles and role collections

SAP Identity Authentication Service

Introduction

It is recommended that customers who subscribe to SAP Cell and Gene Therapy Orchestration use SAP Cloud Identity Services to manage user authentication and role-based authorization of business users. Customers can instead use the default IdP provided by the SAP ID service in the BTP platform, but this default IdP has certain limitations; for example, you can't configure the e-signature function in SAP Cell and Gene Therapy Orchestration applications.

What are SAP Cloud Identity Services?

SAP Cloud Identity Services are a group of services of SAP Business Technology Platform, which enable you to integrate identity and access management (IAM) between systems. The goal is to provide a seamless single sign-on (SSO) experience across systems while ensuring that system and data access are secure.

SAP Cloud Identity Services include Identity Authentication, Identity Provisioning, Identity Directory and Authorization Management services.

This lesson focuses on setting up SAP Cloud Identity Services.

For more information, refer to the following help documentation: SAP Cloud Identity Services.

SAP Identity Authentication Service

What is SAP Identity Authentication Service?

Identity Authentication is a product that provides services for authentication, SSO, user management, and on-premise integration. It also provides convenient user self-services such as registration and password reset for employees and partners. Security features include protecting access to applications, support to define risk-based authentication rules, two-factor authentication, and delegated authentication to on-premise user stores and other identity providers.

Identity Authentication provides one productive and one test tenant per customer, regardless of the number of contracts signed in which Identity Authentication is included or bundled. A tenant granted as part of a bundle isn't limited in scope; it allows you to use the full functionality that Identity Authentication offers.

For more information, refer to the following help documentation: Identity Authentication.


Get a SAP Identity Authentication Service Tenant

To get the SAP Identity Authentication Service tenant, you need to add service plans under the entitlement section in your subaccount.

Steps

  1. In the SAP Business Technology Platform cockpit, choose your subaccount.

  2. Navigate to Entitlements → Configure Entitlements → Add Service Plans.

  3. Locate and select Cloud Identity Services in the pop-up dialog.

  4. Select the checkbox for the default plan and add it as a service plan.

  5. Save the changes on the Entitlements page.

Result

The service plan is added into the subaccount.

Figure: the Entitlements page of the subaccount, listing the configured service with its Technical Name, Plan, Assign Quota, Subaccount Assignment and Remaining Global Quota columns.

Create Instance/Subscription

In this step, you will create the subscription for the Cloud Identity service. Complete the following steps:

Steps

  1. On the subaccount level, navigate to the Instance and Subscription menu. Go to the Subscription tab and choose Create.

  2. In the Service field, enter Cloud Identity Service.

  3. In the Plan field, choose Default.

  4. Choose Next.

  5. In the parameters screen, set Service Type to TEST.

    Note

    By default, Productive is set (for a production subaccount, choose PRODUCTIVE).

  6. Choose Create.

    Note

    You can only create the new instances if there aren't already existing instances of the same type (productive or test) bound to your customer ID, regardless of the region. The default test and productive tenants will be created in the same region.

    Figure: the Create Subscription dialog with its Basic Info and Provisioning steps, followed by the message with the link to activate the account for Identity Authentication.

Result

You will receive an e-mail to activate the account, with a link to the Administration Console.

Administrator Console

After activating the account, you can log on to the SAP Identity Authentication Service tenant and view the administration console.

Figure: the Identity Authentication administration console, with the Users & Authorizations area (user management, user groups, administrators, import and export of users, real-time provisioning, schemas) and the Applications & Resources area (terms of use, privacy policies, e-mail templates, password policies, custom CSS and tenant texts).

Note

When the SAP Identity Authentication Service tenant is initially provisioned to your organization, only one user is added as a tenant administrator. After that, due to possible legal and security issues, SAP adds additional tenant administrators only in exceptional cases (for example, the existing administrator left the company, or for some reason there is no active administrator for this tenant).

To avoid access-related issues in such cases, it is good practice to assign more than one administrator. Adding additional administrators is exclusively the responsibility of the current tenant administrators.

Set up the Trust Between UAA and Identity Authentication

Use your SAP Identity Authentication Service tenant as an identity provider (or as a proxy to your own identity provider) for your business users. You need to exchange SAML metadata to establish trust with the Identity Authentication tenant and then register your subaccount with the tenant.

Complete the following steps to establish trust with your IAS (SAML 2.0) identity provider in a subaccount:

Steps

  1. Go to the Admin Console in your SAP Identity Authentication Service tenant and open the application Tenant Settings.

  2. Choose SAML 2.0 Configuration from the Single Sign-On tab.

  3. On the details page, choose Download Metadata File.

  4. Go to your SAP Business Technology Platform subaccount and, under the Security menu, choose Trust Configuration Settings.

  5. Create a new trust configuration and upload the metadata file downloaded from the SAP Identity Authentication Service tenant in the previous step.

  6. Provide a Name and Description, and select Parse.

    This will fill the Subject and Issuer fields with the relevant data from the SAP Cloud Identity Services - Identity Authentication - your SAML 2.0 identity provider. The name of the new trust configuration now shows the value <Identity_Authentication_tenant>.accounts.ondemand.com. It represents the custom identity provider SAP Cloud Identity Services - Identity Authentication.

    This also fills the fields for the single sign-on URLs and the single logout URLs.

  7. Save your changes.

    Figure: the trust configuration dialog in the subaccount (Name, Single Sign-On Endpoint, Binding URL) and, below it, the table with the custom identity provider for applications (Customer ID, SAML).
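As an added example (not code from the lesson or from SAP's tooling), this Python script reads a constructed Identity Authentication metadata file the way the Parse button does in step 6, pulling out the issuer, the single sign-on and single logout endpoints per binding and the signing certificate, and then runs the sanity checks an administrator would want before saving the trust configuration. The tenant host, endpoint paths and certificate value are placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespaces used in SAML 2.0 metadata documents.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: a minimal IdP metadata file in the shape Identity
# Authentication exports. Tenant host, paths and certificate are placeholders.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://example-tenant.accounts.ondemand.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-tenant.accounts.ondemand.com/saml2/idp/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-tenant.accounts.ondemand.com/saml2/idp/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example-tenant.accounts.ondemand.com/saml2/idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Extract what the cockpit's Parse button fills in: the issuer (entityID),
    the SSO and SLO endpoints per binding, and the signing certificate(s)."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)

    def endpoints(tag):  # {"HTTP-POST": url, "HTTP-Redirect": url, ...}
        return {e.get("Binding").rsplit(":", 1)[-1]: e.get("Location")
                for e in idp.findall(tag, NS)}
    certs = [c.text.strip() for c in idp.findall(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    return {"issuer": root.get("entityID"),
            "sso": endpoints("md:SingleSignOnService"),
            "slo": endpoints("md:SingleLogoutService"),
            "signing_certs": certs}


def check_idp_metadata(meta):
    """Sanity checks before saving the trust configuration: every endpoint is
    https on the issuer's own host, and a signing certificate is present."""
    issuer = urlparse(meta["issuer"])
    problems = []
    if issuer.scheme != "https" or not issuer.hostname:
        problems.append("issuer is not an https URL")
    for kind in ("sso", "slo"):
        for binding, url in meta[kind].items():
            u = urlparse(url)
            if u.scheme != "https" or u.hostname != issuer.hostname:
                problems.append(f"{kind} {binding} endpoint is not https on the issuer host")
    if not meta["signing_certs"]:
        problems.append("no signing certificate in metadata")
    return problems
```

Run it against the metadata file you actually downloaded in step 3 to confirm that the values the cockpit parsed are the ones you expect before saving.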

Result

Administrators must configure trust on both sides: in the service provider and in the SAML identity provider.

So, download the SAML metadata of your subaccount (in this lesson, call the file Subacc_metadata.xml).

To establish trust between an identity provider and a subaccount, you must register your subaccount by providing the SAML details for web-based authentication in the identity provider itself. The identity provider we use here is the SAP Cloud Identity Services - Identity Authentication.

This description covers the side of the identity provider (SAP Cloud Identity Services - Identity Authentication). The trust configuration on the side of the SAP Cloud Identity Services - Identity Authentication must contain the following items:

  • Metadata for web-based authentication or the relevant configuration information.

    If available, the metadata contains the configuration information, including the signing certificate and the required URLs. You can create the metadata file of your subaccount using the SAML Metadata button in Security Trust Configuration of your subaccount.

  • Use e-mail as the unique name ID attribute, and map the user attribute Groups to the assertion attribute Groups (case-sensitive). This assertion attribute is required for the assignment of roles.

    This makes sure that there is a trust relationship between the SAP Cloud Identity Services - Identity Authentication and the subaccount.

We illustrate the process of configuring trust in the service provider by describing how administrators use the administration console of Identity Authentication to register the subaccount.

To establish trust from a tenant of SAP Cloud Identity Services - Identity Authentication to a subaccount, assign a metadata file and define attribute details. The SAML 2.0 assertion includes these attributes. With the UAA as SAML 2.0 service provider, they are used for automatic assignment of UAA authorizations based on information maintained in the identity provider.

  1. Go back to your IAS tenant, go to the Applications tile and create a new application.
  2. Choose a name for the application that clearly identifies it as your new service provider. Save your changes.

    Note

    Users see this application name in the logon screen when authentication is requested by the UAA service. Seeing the name, they know which application they will access after authentication.

    Figure: the Applications list in the Identity Authentication tenant, showing the application egto-testub-sub2 and its SAML 2.0 Configuration section, where metadata is defined and the connection with a service provider for web-based authentication is configured.
  3. Choose SAML 2.0 Configuration and import the metadata XML file downloaded from your subaccount in the previous step. Save your changes.

    If the contents of the metadata XML file are valid, the parsing process extracts the information required to populate the remaining fields of the SAML configuration. It provides the name, the URLs of the assertion consumer service and single logout endpoints, and the signing certificate.

  4. Choose the Default Name ID Format and select E-Mail as a unique attribute. Save your changes.
  5. Choose Assertion Attributes, use + Add to add a multi-value user attribute, and enter Groups (case-sensitive) as the assertion attribute name for the Groups user attribute. Save your changes.

    Figure: the SAML 2.0 Configuration, Default Name ID Format and SAML Assertion Attributes sections for the application egto-testub-sub2.
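As an added example (not the lesson's or SAP's code), this Python snippet shows what the settings in steps 4 and 5 produce on the wire: it reads a constructed SAML assertion, takes the e-mail NameID, collects the multi-valued Groups attribute by exact, case-sensitive name, and maps the group values to role collections through a hypothetical table. The issuer, user, group names and the group-to-role-collection mapping are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample assertion as the UAA would receive it from the tenant
# (signature omitted; issuer, user and group names are placeholders).
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://example-tenant.accounts.ondemand.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Groups">
      <saml:AttributeValue>CGT_MasterData</saml:AttributeValue>
      <saml:AttributeValue>CGT_Viewers</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="first_name">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical mapping of Identity Authentication group names to the role
# collections shown in the lesson's screenshots (maintained in the subaccount).
GROUP_TO_ROLE_COLLECTIONS = {
    "CGT_MasterData": ["SAP_BC_CST_MASTERDATA_SPECIALIST"],
    "CGT_Admins": ["SAP_BC_CST_ADMINISTRATOR"],
}


def extract_subject_and_groups(xml_text, attribute_name="Groups"):
    """Return (e-mail NameID, list of group values) from an assertion."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        raise ValueError("NameID missing or not in e-mail format")
    groups = []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        # Exact, case-sensitive match, as the UAA expects: "groups" is ignored.
        if attr.get("Name") == attribute_name:
            groups.extend(v.text.strip() for v in attr.findall("saml:AttributeValue", NS))
    return name_id.text.strip(), groups


def role_collections_for(groups, mapping=GROUP_TO_ROLE_COLLECTIONS):
    """Role collections the user receives; groups without a mapping grant nothing."""
    result = []
    for group in groups:
        for rc in mapping.get(group, []):
            if rc not in result:
                result.append(rc)
    return result
```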

User Management

SAP Cell and Gene Therapy Orchestration provides role templates for the various business roles. These roles control how users with different business responsibilities can interact with and use SAP Cell and Gene Therapy Orchestration.

Figure: the role templates of the application in the subaccount, listing services and related actions such as consent viewer, exception viewer, test viewer and administrator roles, with the cockpit's Security menu on the left.

Note

If a role template doesn't have any attributes, the corresponding role is identical to the role template and is created automatically. If a role template has one or more attributes, you must create roles based on the role template and provide the attribute values. In the reference image, the Create Role option is active for some of the roles; this means that these role templates have role attributes.

A list of role templates is provided here: Assigning Role Collections to Users.

Role and Role Collection

As an administrator of the subaccount, you need to create the roles from the role templates provided. When all the roles are created, you need to create the role collections according to your business needs and personas and assign the appropriate roles to each role collection.

Figure: the Role Collections page listing SAP_BC_CST_ADMINISTRATOR, SAP_BC_CST_CONTENT_EXPERT and SAP_BC_CST_METADATA_SPECIALIST, with the description and assigned user groups of each role collection.

For more information about how to create roles from existing role templates and how to bundle them in role collections using the SAP Business Technology Platform cockpit, see Building Roles and Role Collections for Applications.

SAP Cell and Gene Therapy Orchestration also provides standard role collections for reference; they are shown in the reference image above.

Result

After the role collections are assigned to users provided by the SAP ID service (default IdP), the users can log in to the SAP Cell and Gene Therapy Orchestration platform and access the application according to their business role and responsibilities.

Note

If the users are stored in a custom IdP such as the SAP Identity Authentication Service, you also need to configure role collections as a prerequisite for assigning roles.

User Management in SAP Identity Authentication Service

If you are using the SAP Identity Authentication Service to provide access to SAP Cell and Gene Therapy Orchestration, you need to create the users and/or user groups in the SAP Identity Authentication Service tenant.

Figure: the User Groups page in the Identity Authentication administration console, listing groups with their name, type and associated users; the left-hand menu offers user lists, real-time provisioning and exclusions.

Complete the following steps to create users:

  1. Go to the SAP Identity Authentication Service administration console.
  2. Under the Users & Authorizations menu, go to User Management.
  3. You can create users individually using the Add option, or use the import function to create users in bulk.

Note

Optionally, you can create user groups and add users with similar job responsibilities to them. SAP recommends that you create user groups so that you can reduce the effort of assigning role collections to each individual user.

Assign Role Collection

SAP Identity Authentication Service Users

Now that the role collections are created and the users (or user groups) are defined in SAP Identity Authentication Service, you need to assign the users (or user groups) to the role collections in order to grant business users the required access.

Figure: the Role Collections page listing SAP_BC_CST_ADMINISTRATOR, SAP_BC_CST_CONFIG_EXPERT and SAP_BC_CST_MASTERDATA_SPECIALIST, with the dialog for adding a user from a custom identity provider to the selected role collection.

Refer to the following help documentation for detailed steps: Assign Users to Role Collections.

SAP Identity Authentication Service Groups

Figure: the role collection SAP_BC_CGT_MASTERDATA_SPECIALIST with its assigned users and user groups, and the dialog for adding a user group from a custom identity provider.

Refer to the following help documentation for detailed steps: Assign User Groups to Role Collections.
