SAP Cloud Platform Identity Authentication service is a cloud solution for identity life cycle management for SAP Cloud Platform applications. It provides services for authentication, single sign-on, and on-premise integration as well as self-services such as registration or password reset for employees, customer partners, and consumers.
In this blog post, the following steps to configure SAP Cloud Platform API Management ( API Portal and Developer portal) to authenticate against SAP Cloud Platform Identity Authentication is described:-
This metadata would have to be imported into SAP Cloud Platform Identity Authentication service.
The table contains the mapping between the user attribute and the assertion attribute fields.
The table below contains the mapping between the Assertion Attribute and the Principal Attribute
For accessing the API Portal application from SAP Cloud Platform API Management, user should have the APIPortal.Administrator role assigned.
All the configuration work has been done. To test the configuration, navigate to the services tab, search for the API Management tile and then click on the Access API Portal link. You should be navigated to SAP Cloud Platform Authentication Identity service. Logon using the user credentials who has been assigned APIPortal.Administrator role.
In this blog post, the following steps to configure SAP Cloud Platform API Management ( API Portal and Developer portal) to authenticate against SAP Cloud Platform Identity Authentication is described:-
- Configure trust between SAP Cloud Platform Identity Authentication and SAP Cloud Platform API Management account.
- Configure trust between SAP Cloud Platform API Management and SAP Cloud Platform Identity Authentication account.
- Role assignments in SAP Cloud Platform API Management for API Portal access
Prerequisites
- SAP Cloud Platform Identity Authentication tenant
- SAP Cloud Platform API Management tenant
Configure trust between SAP Cloud Platform Identity Authentication and SAP Cloud Platform API Management account
- Logon to the SAP Cloud Platform account, navigate to the Trust tab. In the Local Service Provider Tab from Configurations select Custom, click on the Generate Key Pair and click Save. After the configuration is saved, click on Generate Metadata to generate the metadata.
This metadata would have to be imported into SAP Cloud Platform Identity Authentication service.
- Logon to the SAP Cloud Platform Identity Authentication service account (https://<yourscitenant>.ondemand.com/admin/)
- Navigate to the Applications page and then click on the Add button as shown in the screen shot
- Provide an Application name (e.g SAP Cloud Platform, API Management) and click on the Save button
- In the newly created Application, under the Trust tab, click on the option SAML 2.0 Configuration
- Under the Define from Metadata tab click on the “Browse” button and upload the SAML metadata downloaded in step 1) and then click on the “Save” button
- Now navigate to the “Assertion Attributes” of the SAML 2.0 configurations, and then provide the mapping between the SAML Assertion values (ref screenshot below). The configurations are required for the Developer on boarding on the Developer Portal side.
The table contains the mapping between the user attribute and the assertion attribute fields.| User Attribute | Assertion Attribute |
| Last Name | last_name |
| Display Name | display_name |
| First Name | first_name |
Configure trust between SAP Cloud Platform API Management and SAP Cloud Platform Identity Authentication account
- Download the SAML metadata from the SAP Cloud Platform Identity Authentication account by Navigating to the Tenant Settings-> SAML 2.0 Configurations.
- Click on the “Download Metadata”. This metadata would have to imported into SAP Cloud Platform API Management account
- Logon to the SAP Cloud Platform cockpit and then Navigate to the Trusted Identity Provider tab, click on the “Add Trusted Identity Provider” and then Browse and upload the SAML metadata downloaded in above step.
- Navigate to the “Attributes” tab and then add in the attributes value as shown in the screen shot below and then click on Save button. This configuration is required for the Developer on boarding on the Developer Portal.
The table below contains the mapping between the Assertion Attribute and the Principal Attribute
| Assertion Attribute | Principal Attribute |
| first_name | firstname |
| last_name | lastname |
Role assignments in SAP Cloud Platform API Management for API Portal access
For accessing the API Portal application from SAP Cloud Platform API Management, user should have the APIPortal.Administrator role assigned.
- Navigate to the services tab, search for the API Management tile and click the tile to open the SAP Cloud Platform API Management service
- Click on the link API Portal (Roles & Destinations) under Service Configuration
- Click on the Roles tab and then assign the user maintained in SAP Cloud Platform Identity Authentication service the APIPortal.Administrator role
Finally testing the configurations
All the configuration work has been done. To test the configuration, navigate to the services tab, search for the API Management tile and then click on the Access API Portal link. You should be navigated to SAP Cloud Platform Authentication Identity service. Logon using the user credentials who has been assigned APIPortal.Administrator role.
- SAP Managed Tags:
4 Comments
