Setup a Platform Identity Provider for SAP Cloud Platform
[Update 1-May-2019] : Added a section on using IAS as Proxy and Known Limitations.
If you have logged into an SAP Cloud Platform (SAP CP) account, you have probably used an "S" user or "P" user. SAP CP authenticates you automatically and gives you access to the relevant services within the Cloud Platform account. This is true for all SAP CP trial accounts too. By default, the Application Identity Provider under Security > Trust settings is configured with SAP ID Service.
SAP ID service is SAP's public Identity Provider and a key service for SAP: it contains all the users who are in the SAP Community and even users accessing the Service Marketplace.
It's important to note that SAP CP does not have its own user store. When you spin up a trial SAP CP account, you get an account that is preconfigured with SAP ID service as the Application Identity Provider.
When you as a developer access services of SAP CP, it uses the SAP ID service to log you into these services. The behaviour is the same for end users who access apps deployed on SAP CP.
If you would like to know more on this topic, I recommend the openSAP course "Building Portal Sites on SAP Cloud Platform", Week 5 Unit 3: Authentication, Authorization, and Security.
Obviously, it's not practical to have end users use their "S" or "P" user ID to log in to view an app or the Fiori Launchpad. Hence, in the majority of SAP CP implementations, customers change the "Application Identity Provider" to refer to their own cloud or on-premise Identity Provider (IdP). In the blog "Setting up Authentication for Cloud Portal using Cloud Identity" I have shown how customers can register the Identity Authentication service (IAS) with an SAP CP account. SAP Identity Authentication service (IAS) is a SAML-based IdP provided by SAP on a subscription basis. Of course, you can configure an SAP CP account with any SAML-based IdP.
In this blog, I want to focus on something called the "Platform Identity Provider". You will need to look for the tile "Platform Identity Provider" and enable this service to get access to a tab named Platform Identity Provider.
The Platform Identity Provider is the user base for access to the SAP Cloud Platform account itself, i.e. the cockpit and the administrative tooling. By default it's configured with SAP ID service. You can switch it to an Identity Authentication service (IAS) tenant. This means you can use a user within the IAS tenant to log in to the SAP CP cockpit.
What if the customer does not want to use an IAS tenant because all their developers/employees are stored in an external IdP, for example in MS Active Directory? For such scenarios, the customer needs to use the IAS tenant as a proxy and configure Active Directory as a Corporate Identity Provider in IAS. Here is a YouTube video which explains the steps.
Changing the Platform Identity Provider has no effect on the Application Identity Provider: the former governs who can administer the account, the latter governs who can use the apps and services deployed in it.
Once you have configured the Platform Identity Provider with an IAS tenant, your Cloud Platform account can be accessed using a user from the IAS tenant.
There are two URLs which you can use.
The URL below is the default URL which you have been using to access SAP CP. It remains available for accessing your SAP CP account using the default SAP ID service. To find your SAP CP cockpit URL, you can look it up on the Help page.
To get your developers to access SAP CP cockpit with the configured IdP, get them to use the below URL
https://account-<subaccount-name>.<SAP Cloud Platform host>/
Before launching the new URL, you need to grant access to your own IAS user, because the account will no longer recognize your "S" or "P" user at that URL. Do this while you are still logged in through the default URL; that URL is also your fallback if the IAS configuration turns out to be wrong.
Hence, use the existing URL and navigate to the Global Account. You should be able to access the Members menu and click on "Add Members".
In the popup screen, manually type in the IAS tenant details and provide the users which need to be added as global members.
Once you save the changes, you should see the user added as a global member.
If you already have subaccounts created, repeat the same process for each subaccount. You need to add yourself as a member to each of the subaccounts.
When you click on the "Add Members" button, select the User base as your IAS tenant and provide all the users who need access to the subaccount.
This completes the setup of the Platform Identity Provider. You can now access the SAP CP cockpit using the new URL: https://account-<subaccount>.hana.ondemand.com/cockpit#/home/overview
This will redirect the user to the IAS Tenant (which has been configured as the Platform Identity Provider). On successful authentication, the user will be given access to SAP CP Cockpit as shown below.
Auto assignment of developer roles
The next common question is: how do we avoid assigning developer user IDs one by one to the required roles? If you have used SAP WebIDE Full-stack or the Portal service, you will recall that they require the assignment of the respective roles to the users. Since SAP WebIDE and the Portal service are applications of SAP CP, their users are authenticated by the IdP configured in the "Application Identity Provider". So we are now changing the focus to the "Application Identity Provider".
I would like to point you to the same blog, "Setting up Authentication for Cloud Portal using Cloud Identity". I am going to extend the scenario from that blog, so please go through it before proceeding.
In my Identity Authentication service, I have set up 3 users.
I have also created two groups: one for SAP WebIDE and another for the Portal service.
Here is the group which I have created for Portal admins.
I have assigned the groups to the users as follows:
- P000159 (no group assignment)
- P000160 (CI_WEBIDE)
- P000161 (CI_PORTAL)
The next task is to navigate to the SAP CP subaccount and create SAP CP Groups for WebIDE and Portal service. I have assigned the relevant SAP WebIDE standard roles to the new group.
Similarly, I have also assigned the standard Portal roles to the newly created SAP CP Portal group.
The last step is to perform the group mappings under Trust > Application Identity Provider. I have mapped the IAS tenant groups with SAP CP groups.
This completes the required configurations.
You can now provide the direct link to your developers/portal admin to access the respective service.
SAP WebIDE – https://webidecp-<subaccount>.dispatcher.hana.ondemand.com/
Portal – https://flpnwc-<subaccount>.dispatcher.hana.ondemand.com/sites/adminspace?hc_login
When user P000159 tries to access either service, this user is authenticated successfully (the IAS tenant accepts the login), but gets access errors as shown below, because no IAS group and therefore no SAP CP group and role is assigned to the user.
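As an added illustration (this is not code from the blog and not SAP's implementation), the following Python simulates what the group mapping under Trust > Application Identity Provider does with the SAML assertion that the IAS tenant sends: it reads the user's groups from a constructed, unsigned assertion, applies the IAS-group-to-SAP-CP-group mapping, collects the roles of the mapped groups, and checks whether the role a service needs is present. The IAS group names CI_WEBIDE and CI_PORTAL and the users come from the blog; the "groups" attribute name, the SAP CP group names, the role names and the per-service role requirement are assumptions chosen for the illustration.

```python
"""Simulation of IdP group -> SAP CP group -> role mapping (illustration only).

Assumptions (not from the blog): the IAS assertion carries groups in an
attribute named "groups"; SAP CP group and role names below are placeholders.
Signature validation of the assertion is out of scope here: the platform
verifies the IdP signature before any group mapping takes place.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Mirrors the cockpit configuration: IAS group -> SAP CP group (names assumed).
IDP_GROUP_TO_SCP_GROUP = {
    "CI_WEBIDE": "SCP_WebIDE",
    "CI_PORTAL": "SCP_Portal",
}

# Assumed: roles assigned to each SAP CP group (placeholder role names).
SCP_GROUP_ROLES = {
    "SCP_WebIDE": {"WebIDE_Developer"},
    "SCP_Portal": {"Portal_Administrator"},
}

# Assumed: the role each service checks for.
SERVICE_REQUIRED_ROLE = {
    "webide": "WebIDE_Developer",
    "portal-adminspace": "Portal_Administrator",
}


def build_assertion(name_id: str, groups: list[str]) -> str:
    """Return a constructed, unsigned SAML 2.0 assertion for name_id
    carrying the given groups in a 'groups' attribute."""
    values = "".join(f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in groups)
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
        "<saml:AttributeStatement>"
        f'<saml:Attribute Name="groups">{values}</saml:Attribute>'
        "</saml:AttributeStatement>"
        "</saml:Assertion>"
    )


def parse_assertion(xml_text: str) -> tuple[str, list[str]]:
    """Extract (NameID, groups) from the assertion."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=SAML_NS)
    groups: list[str] = []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == "groups":
            groups.extend(
                v.text.strip()
                for v in attr.findall("saml:AttributeValue", SAML_NS)
                if v.text and v.text.strip()
            )
    return name_id, groups


def effective_roles(idp_groups: list[str]) -> set[str]:
    """Apply the group mapping, then union the roles of the mapped SAP CP groups.
    An IdP group without a mapping contributes nothing, just like an unmapped
    group in the cockpit: no mapping means no roles."""
    roles: set[str] = set()
    for g in idp_groups:
        scp_group = IDP_GROUP_TO_SCP_GROUP.get(g)
        if scp_group:
            roles |= SCP_GROUP_ROLES.get(scp_group, set())
    return roles


def check_access(assertion_xml: str, service: str) -> tuple[str, str]:
    """Authentication already succeeded (we hold an assertion); this is the
    authorization step. Returns (user, 'allowed' or 'access_denied')."""
    user, groups = parse_assertion(assertion_xml)
    required = SERVICE_REQUIRED_ROLE[service]
    verdict = "allowed" if required in effective_roles(groups) else "access_denied"
    return user, verdict


# Constructed users mirroring the blog's IAS setup.
USERS = {
    "P000159": [],             # no group assignment
    "P000160": ["CI_WEBIDE"],
    "P000161": ["CI_PORTAL"],
}


def demo() -> dict[tuple[str, str], str]:
    """Run every user against every service; returns {(user, service): verdict}."""
    results = {}
    for user, groups in USERS.items():
        assertion = build_assertion(user, groups)
        for service in SERVICE_REQUIRED_ROLE:
            results[(user, service)] = check_access(assertion, service)[1]
    return results


if __name__ == "__main__":
    for (user, service), verdict in demo().items():
        print(f"{user:8} {service:18} {verdict}")
```

The point the simulation makes is the one the screenshots show: P000159 authenticates fine but is denied everywhere, P000160 is allowed into WebIDE only, and P000161 into the Portal admin space only. In the real cockpit the same separation holds, and a group that exists in IAS but is missing from the mapping grants nothing, so check the mapping first when a freshly onboarded developer reports "access denied" after a successful login.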
I hope this blog gave you some ideas around how you could configure access for your developers/admins who would be using SAP CP accounts for development and administration tasks.
Using a Corporate Identity Provider as Platform IdP
As mentioned earlier, you can have your own corporate Identity Provider serve as the Platform Identity Provider. However, for this scenario you still need IAS as a proxy: the Platform Identity Provider is set to the IAS tenant, and the corporate Identity Provider is configured within IAS.
This has been explained in detail in another blog post “Integrating Identity Authentication service & Azure Active Directory in SAP Cloud Platform – Proxy & Conditional Authentication scenarios”
Assuming you have configured IAS as described in the above blog post, the next step is to configure your Platform Identity Provider with that IAS tenant. For demonstration, I am using another IAS tenant named hcpta.
I have configured this IAS tenant with Azure AD as a "Corporate Identity Provider". Before I begin to test this, I need to add my Azure AD user identity as a member in the global account (as shown below).
Now when I try to login to the SCP cockpit using the below URL, I will be taken to Microsoft login screen.
I can now login with my Azure AD credentials and gain access to SAP Cloud Platform Cockpit.
Please note there are limitations when an IAS tenant acts as a proxy to a Corporate Identity Provider:
Cloud Platform Integration
Only account.sap.com and SAP Cloud Platform Identity Authentication Service can be configured for basic authentication. You are not allowed to use any arbitrary custom IDP for this use case.
SAP Cloud Connector
There seems to be a problem getting Cloud Connector to connect to a subaccount which has been configured with IAS as a proxy (for Platform Identity Provider). I was able to successfully connect SCC with a subaccount when the Platform Identity Provider is just IAS.
Neo Console Client
If the IAS tenant acts as a proxy to a Corporate Identity Provider, authentication will not work. Only basic authentication with P-users works for IAS.