Adding Identity Provider (IAS) in the Subaccount

Objective

After completing this lesson, you will be able to add an Identity Provider (IAS) in the Subaccount.

Add an Identity Provider (IAS) in the Subaccount

Now that you have the necessary admin rights, you can return to the SAP BTP Cockpit to link the Identity Provider (in our case IAS) in the subaccount.

Steps

  1. In the left side of the screen, select Trust Configuration.

    Screenshot of the SAP BTP Cockpit showing the Subaccount: Intelligent Agri - Overview page. The subaccount is linked to Amazon Web Services (AWS) in the Europe (Frankfurt) region. It displays 30 entitlements and 0 instances. An option to Enable Cloud Foundry is available, indicating no current Cloud Foundry capabilities. Below, a list of entitlements is shown with service names and plans. The sidebar shows navigation options, with Trust Configuration highlighted. Tenant and Subaccount IDs are visible.
  2. In the next screen, choose Establish Trust.

    Screenshot of the SAP BTP Cockpit on the Subaccount: Intelligent Agri - Trust Configuration page. The top section explains adding identity providers for applications. An Establish Trust button is highlighted. Below, a table lists identity providers with columns for Status, Name, Description, and Protocol. The default identity provider is shown with status Active and protocol OpenID Connect. Options for New Trust Configuration and SAML Metadata are available. The sidebar includes navigation options, with Trust Configuration highlighted.
  3. Select the available IAS account and then choose Establish Trust.

    Screenshot of the SAP BTP Cockpit on the Trust Configuration page for the Intelligent Agri subaccount. A pop-up is open with the title Establish Trust to Custom Identity Provider. It shows a dropdown for selecting an identity authentication tenant hostname, with accounts.ondemand.com selected. The options to Establish Trust and Cancel are visible. The background displays a list of identity providers and an Establish Trust button. The sidebar presents navigation options, with Trust Configuration highlighted.
  4. The new Identity Provider has been added, as shown in the following figure.

    Screenshot of the SAP BTP Cockpit on the Trust Configuration page for the Intelligent Agri subaccount. The table lists identity providers, showing a default identity provider with status Active and protocol OpenID Connect. Below it, a Custom IAS tenant is also active, indicating the IAS tenant anyxybgt.accounts.ondemand.com with protocol OpenID Connect. Options to Establish Trust, New Trust Configuration, and SAML Metadata are at the top. The sidebar shows navigation options, with Trust Configuration highlighted.
  5. After this step, go back to the IAS application. Select Applications in the upper left corner of the screen.

    Note

    To access the IAS application, you can use its admin URL (typically <IAS account>.accounts.ondemand.com/admin). The URL will be shared by the IAS administrator.
    Screenshot of the SAP Identity Authentication Service (Germany) interface on the Applications page. The main section is divided into Users & Authorizations and Applications & Resources. Under Users & Authorizations, options include User Management, User Groups, Administrators, Import Users, Export Users, Real-Time Provisioning, Schemas, and Exclude Lists, with various counts shown. Under Applications & Resources, options include Applications, Tenant Settings, Terms of Use Documents, Privacy Policy Documents, E-Mail Template Sets, and Password Policies. The sidebar menu includes navigation options, with Applications highlighted.
  6. You will now see a new application, created as a result of the previous step, that is available for configuration.

    In the following figures, we review some of the settings of this application.

    Screenshot of the SAP Identity Authentication Service (Germany) interface on the XSUAA_Intelligent Agri application page. The sidebar lists Bundled Applications and System Applications, with XSUAA_Intelligent Agri selected. The main screen displays details under Single Sign-On that include: Protocol selection (SAML 2.0 or OpenID Connect), OpenID Connect Configuration, Subject Name Identifier, Apply Function to Subject Name Identifier, and Assertion Attributes, with several options highlighted. Top right offers Edit and Delete buttons.
  7. Some settings need to be checked:

    1. Protocol: OpenID Connect should be selected.
    2. Set User UUID as the basic attribute in the Subject Name Identifier (do not forget to save).
    3. Apply Function to Subject Name Identifier should be set to None.
    Screenshot showing configuration settings. The Protocol section displays OpenID Connect selected. The Subject Name Identifier section highlights user uniqueness options with a basic configuration where User UUID is set as the basic attribute and None as the fallback. The Apply Function to Subject Name Identifier section provides options: None, Uppercase, and Lowercase, with None selected. The page includes links to related documentation for more information.
  8. In the Assertion Attributes, make sure that the Groups attribute is spelled with a capital G (the claim name is case-sensitive).

    Screenshot of the Assertion Attributes configuration page. It displays a table listing user attributes and corresponding assertion attributes: Groups (Groups), User UUID (user_uuid), First Name (given_name), Last Name (family_name), E-Mail Verified (email_verified), and E-Mail (email). An Add button is available for additional attributes. Options to save or cancel are at the top right. A link to Identity Authentication Documentation provides more information.
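As an added verification step that is not part of the lesson, the following Python script decodes an ID token payload issued after the configuration above and reports any deviation from the expected settings: an issuer on an IAS tenant, a User UUID as the subject (which a login name or e-mail in `sub` would contradict), and the case-sensitive Groups claim plus the other assertion attributes from the table. The token samples, the tenant host and the user values are constructed for illustration, and no signature verification is performed.

```python
import base64
import json
import re
from typing import Any

# Claim names taken from the lesson's Assertion Attributes table (case matters).
EXPECTED_CLAIMS = ("Groups", "user_uuid", "given_name", "family_name", "email_verified", "email")
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)

def make_unsigned_token(claims: dict[str, Any]) -> str:
    """Build a constructed JWT with a dummy signature, purely as test input."""
    b64 = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'RS256', 'typ': 'JWT'})}.{b64(claims)}.dummysig"

def decode_payload(id_token: str) -> dict[str, Any]:
    """Return the JWT payload without verifying the signature (inspection only)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def check_ias_claims(claims: dict[str, Any]) -> list[str]:
    """Return a list of deviations from the settings the lesson asks for."""
    findings: list[str] = []
    iss = str(claims.get("iss", ""))
    host = iss.removeprefix("https://").split("/")[0]
    if not host.endswith(".accounts.ondemand.com"):
        findings.append(f"issuer {iss!r} is not an IAS tenant")
    sub = str(claims.get("sub", ""))
    if not UUID_RE.match(sub):
        findings.append(f"sub {sub!r} is not a User UUID; check Subject Name Identifier and Apply Function")
    for name in EXPECTED_CLAIMS:
        if name not in claims:
            near = [k for k in claims if k.lower() == name.lower()]  # e.g. 'groups' instead of 'Groups'
            hint = f" (found {near[0]!r} instead)" if near else ""
            findings.append(f"missing claim {name!r}{hint}")
    return findings

# Constructed sample payloads (not from the page): one matching the lesson, one with two mistakes.
GOOD_CLAIMS = {"iss": "https://anyxybgt.accounts.ondemand.com", "sub": "0f1e2d3c-4b5a-4697-8899-aabbccddeeff",
               "user_uuid": "0f1e2d3c-4b5a-4697-8899-aabbccddeeff", "given_name": "Jane", "family_name": "Doe",
               "email": "jane.doe@example.com", "email_verified": True, "Groups": ["AgriAdmins"]}
BAD_CLAIMS = {**GOOD_CLAIMS, "sub": "jane.doe@example.com", "groups": ["AgriAdmins"]}
del BAD_CLAIMS["Groups"]

if __name__ == "__main__":
    for label, claims in (("good", GOOD_CLAIMS), ("bad", BAD_CLAIMS)):
        print(label, check_ias_claims(decode_payload(make_unsigned_token(claims))) or "OK")
```

Run it against a real ID token obtained from the subaccount's login flow by replacing the constructed sample with `decode_payload(<token>)`; an empty finding list means the IAS application matches steps 7 and 8.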

    Video Summary

    This video tutorial guides viewers through the process of integrating a new Identity Provider (IdP) into a subaccount. Starting from the subaccount settings, the presenter navigates to the Trust Configuration and establishes trust with a specific IAS tenant. Using the OpenID Connect protocol, they successfully add a new IdP to the system.

    To confirm the successful setup, the tutorial switches to the IAS application, where a newly created application becomes visible, signalling the end of the setup process. To further customize the IdP, the demonstrator adjusts specific fields, covering the protocol used and setting the Subject Name Identifier to User UUID.

    Of particular note is the attention to case sensitivity in the Groups field within the Assertion Attributes section, with emphasis on capitalizing the G. The tutorial concludes with the successful setup of the new IdP and previews a future tutorial on adding user groups. This guide provides viewers with key insights into setting up and configuring a new IdP.
