SAP Cloud Platform Identity Authentication service is a cloud solution for identity life cycle management for SAP Cloud Platform applications. It provides services for authentication, single sign-on, and on-premise integration as well as self-services such as registration or password reset for employees, customer partners, and consumers.

This blog post describes the following steps to configure SAP Cloud Platform API Management (API Portal and Developer Portal) to authenticate against SAP Cloud Platform Identity Authentication:

  1. Configure trust between SAP Cloud Platform Identity Authentication and SAP Cloud Platform API Management account.
  2. Configure trust between SAP Cloud Platform API Management and SAP Cloud Platform Identity Authentication account.
  3. Role assignments in SAP Cloud Platform API Management for API Portal access.

Prerequisites

  • SAP Cloud Platform Identity Authentication tenant
  • SAP Cloud Platform API Management tenant

Configure trust between SAP Cloud Platform Identity Authentication and SAP Cloud Platform API Management account

  • Log on to the SAP Cloud Platform account and navigate to the Trust tab. On the Local Service Provider tab, select Custom from Configurations, click Generate Key Pair, and then click Save. After the configuration is saved, click Generate Metadata to generate the metadata.

This metadata must be imported into the SAP Cloud Platform Identity Authentication service.

 

 

  • Log on to the SAP Cloud Platform Identity Authentication service account (https://<yourscitenant>.ondemand.com/admin/)
  • Navigate to the Applications page and then click the Add button

 

 

  • Provide an application name (e.g. SAP Cloud Platform, API Management) and click the Save button
  • In the newly created Application, under the Trust tab, click on the option SAML 2.0 Configuration

 

 

  • Under the Define from Metadata tab, click the “Browse” button, upload the SAML metadata downloaded in step 1), and then click the “Save” button

 

  • Now navigate to the “Assertion Attributes” of the SAML 2.0 configuration and provide the mapping between the user attributes and the SAML assertion attributes. These settings are required for developer onboarding on the Developer Portal side.

The table contains the mapping between the user attribute and the assertion attribute fields.

User Attribute | Assertion Attribute
Last Name | last_name
Display Name | display_name
E-Mail | mail
First Name | first_name

Configure trust between SAP Cloud Platform API Management and SAP Cloud Platform Identity Authentication account

 

  • Download the SAML metadata from the SAP Cloud Platform Identity Authentication account by navigating to Tenant Settings -> SAML 2.0 Configurations.

 

  • Click “Download Metadata”. This metadata has to be imported into the SAP Cloud Platform API Management account.

  • Log on to the SAP Cloud Platform cockpit, navigate to the Trusted Identity Provider tab, click “Add Trusted Identity Provider”, and then browse to and upload the SAML metadata downloaded in the step above.

 

 

  • Navigate to the “Attributes” tab, add the attribute values listed in the table below, and then click the Save button. This configuration is required for developer onboarding on the Developer Portal.

The table below contains the mapping between the Assertion Attribute and the Principal Attribute.

Assertion Attribute | Principal Attribute
first_name | firstname
last_name | lastname
mail | email
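
The two mapping tables only work together if the attribute names sent by the identity provider match the names the service provider looks up. The following Python check is an added example, not part of the original post or SAP's code: it reads the AttributeStatement of a SAML assertion and applies the mapping from the table above. The sample assertion is constructed, the function names are hypothetical, and exact (case-sensitive) name matching is an assumption.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Second table of this post: assertion attribute -> principal attribute.
PRINCIPAL_MAPPING = {"first_name": "firstname", "last_name": "lastname", "mail": "email"}

# Constructed sample (not captured from a real tenant). The e-mail attribute
# is deliberately named "Mail" to show the failure mode.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="first_name"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="last_name"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="display_name"><saml:AttributeValue>Ada Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Mail"><saml:AttributeValue>ada@example.invalid</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def assertion_attributes(xml_text):
    """Collect {attribute name: [non-empty values]} from the AttributeStatement."""
    root = ET.fromstring(xml_text)  # use a hardened parser for untrusted XML
    found = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        found.setdefault(attr.get("Name"), []).extend(v for v in values if v)
    return found


def map_principal(found):
    """Apply the mapping; return (principal attributes, list of problems)."""
    principal, problems = {}, []
    for assertion_name, principal_name in PRINCIPAL_MAPPING.items():
        values = found.get(assertion_name)
        if values:
            principal[principal_name] = values[0]
            continue
        problems.append(f"assertion attribute '{assertion_name}' missing or empty")
        # Assumption: names are matched exactly, so a case variant does not count.
        near = [n for n in found if n and n.lower() == assertion_name and n != assertion_name]
        if near:
            problems.append(f"found '{near[0]}' instead of '{assertion_name}'")
    return principal, problems


if __name__ == "__main__":
    print(map_principal(assertion_attributes(SAMPLE_ASSERTION)))
```

The check only inspects attribute names and values; it does not validate the assertion's signature or conditions.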

 

Role assignments in SAP Cloud Platform API Management for API Portal access

To access the API Portal application from SAP Cloud Platform API Management, the user must have the APIPortal.Administrator role assigned.

  • Navigate to the services tab, search for the API Management tile and click the tile to open the SAP Cloud Platform API Management service

 

  • Click on the link API Portal (Roles & Destinations) under Service Configuration

 

  • Click on the Roles tab and then assign the APIPortal.Administrator role to the user maintained in the SAP Cloud Platform Identity Authentication service

Finally testing the configurations

All the configuration work has been done. To test the configuration, navigate to the services tab, search for the API Management tile and then click on the Access API Portal link. You should be redirected to the SAP Cloud Platform Identity Authentication service. Log on with the credentials of a user who has been assigned the APIPortal.Administrator role.
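
Both trust relationships above rest on the metadata file uploaded on the other side, so it is worth reading each file before importing it. The following Python sketch is an added example, not part of the original post or SAP's code: it reports the entity ID, the role described, the SHA-256 fingerprint of each signing certificate, and any endpoint that is not HTTPS. The sample metadata, including its entity ID, URL and certificate bytes, is constructed, and the function name is hypothetical.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: entityID, URL and certificate bytes are placeholders,
# not values from a real tenant (the "certificate" is not a real X.509 blob).
SAMPLE_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.invalid/constructed">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>Q09OU1RSVUNURUQ=</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://sp.example.invalid/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def summarize_metadata(xml_text):
    """Return the fields an administrator should review before uploading."""
    root = ET.fromstring(xml_text)  # use a hardened parser for untrusted files
    roles = {"SP": root.find("md:SPSSODescriptor", NS),
             "IdP": root.find("md:IDPSSODescriptor", NS)}
    present = {name: el for name, el in roles.items() if el is not None}
    fingerprints, cleartext = [], []
    for role in present.values():
        for key in role.findall("md:KeyDescriptor", NS):
            if key.get("use", "signing") != "signing":
                continue  # skip encryption-only keys; no "use" means both
            for cert in key.iterfind(".//ds:X509Certificate", NS):
                der = base64.b64decode("".join((cert.text or "").split()))
                fingerprints.append(hashlib.sha256(der).hexdigest())
        for el in role.iter():
            loc = el.get("Location")
            if loc and not loc.lower().startswith("https://"):
                cleartext.append(loc)
    return {"entity_id": root.get("entityID"), "roles": sorted(present),
            "signing_sha256": fingerprints, "non_https_endpoints": cleartext}


if __name__ == "__main__":
    print(summarize_metadata(SAMPLE_METADATA))
```

The fingerprint can be compared with the one the other tenant's administrator reads from their own key pair, so that the uploaded file is known to be the one that was generated.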

 

 

 

2 Comments

  1. Pandey Anuj

    Hi Divya,

    Thanks for the informative blog!

    I have a question – an HTTP destination is used to establish the connection between dev portal and API portal. Does the user used in this destination need to be changed to one from the identity provider instead of SAP identity based s/p user?

    Thanks

    Anuj
