
Setup a Platform Identity Provider for SAP Cloud Platform

If you have logged into an SAP Cloud Platform (SAP CP) account, you have probably used an “S” user or “P” user. SAP CP automatically authenticates you and provides access to the relevant services within the Cloud Platform account. This is true for all SAP CP trial accounts too. By default, the Application Identity Provider under Security > Trust settings is configured with SAP ID Service.

SAP ID service is SAP’s public Identity Provider and is a key service for SAP as it contains all the users who are in the SAP Community and even users accessing the Service Marketplace.

It’s important to note that SAP CP does not have its own user store. When you spin up a trial SAP CP account, you get an account which is preconfigured with SAP ID service as the Application Identity Provider.

When you as a developer access services of SAP CP, it uses the SAP ID service to log you into these services. The behaviour is the same for end users accessing apps deployed on SAP CP.

If you would like to learn more on this topic, I recommend going through the openSAP course “Building Portal Sites on SAP Cloud Platform”, Week 5 Unit 3: Authentication, Authorization, and Security.

Obviously, it’s not practical to have end users use their “S” or “P” user ID to log in to view an app or Fiori Launchpad. Hence, in the majority of SAP CP implementations, customers change the “Application Identity Provider” to refer to their own cloud or on-premise Identity Provider (IdP). In the blog “Setting up Authentication for Cloud Portal using Cloud Identity” I have shown how customers can register Identity Authentication service (IAS) with an SAP CP account. SAP Identity Authentication service (IAS) is a SAML-based IdP provided by SAP on a subscription basis. Of course, you can configure an SAP CP account with any SAML-based IdP.

In this blog, I want to focus on something called the “Platform Identity Provider”. As soon as you add an “Application Identity Provider”, you will get access to a tab – Platform Identity Provider.

The Platform Identity Provider is the user base for access to the SAP Cloud Platform account. By default it’s configured with SAP ID service. You can now switch to an Identity Authentication service (IAS) tenant. This means you can use a user within the IAS tenant to log in to the SAP CP cockpit.

What if the customer does not want to use the IAS tenant because they have all their developers/employees stored in an external IdP, for example in MS Active Directory? For such scenarios, the customer would need to use the IAS tenant as a proxy and configure Active Directory as a Corporate Identity Provider. Here is a YouTube video which explains the steps.

Changes to the Platform Identity Provider have no relation to the Application Identity Provider.

Once you have configured the Platform Identity Provider with an IAS tenant, your Cloud Platform account can be accessed using a user from the IAS tenant.

There are two URLs which you can use.

The below URL is the default URL which you would have been using to access SAP CP. This will still be available to access your SAP CP account using the default SAP ID service. To find your SAP CP Cockpit URL, you can look up the Help page.


To get your developers to access the SAP CP cockpit with the configured IdP, get them to use the below URL:

https://account-<subaccount-name>.<SAP Cloud Platform host>/

Before launching the new URL, you would need to provide access to your own user as it wouldn’t recognize your “S” or “P” user anymore.

Hence use the existing URL and navigate to the Global Account. You should be able to access the Members menu and click on “Add Members”.

In the popup screen, manually type in the IAS tenant details and provide the users which need to be added as Global members.

Once you save the changes, you should be able to see the user added as a Global member.

If you already have subaccounts created, repeat the same process for each subaccount. You would need to add yourself as a member to each of the subaccounts.

When you click on the “Add Members” button, select the User base as your IAS tenant and provide all the users who would need access to the subaccount.

This completes the setup of the Platform Identity Provider. You can now access the SAP CP cockpit using the new URL – https://account-<subaccount>

This will redirect the user to the IAS Tenant (which has been configured as the Platform Identity Provider). On successful authentication, the user will be given access to SAP CP Cockpit as shown below.

Auto assignment of developer roles

The next common question is: how do we avoid hard-coding developer user IDs to the required roles? If you have used SAP WebIDE Full-stack or Portal service, you will recall that it requires the assignment of the respective roles to the users. Since SAP WebIDE and Portal service are applications of SAP CP, the users are authenticated by the IdP configured in the “Application Identity Provider”. So we are now changing the focus to the “Application Identity Provider”.

I would like to point you to the same blog “Setting up Authentication for Cloud Portal using Cloud Identity”. I am going to extend the scenario from that blog, so please go through it before proceeding.

In my Identity Authentication service, I have set up 3 users

  • P000159
  • P000160
  • P000161

I have also created two Groups – One for SAP WebIDE and another for Portal service.

Here is the group which I have created for Portal Admins

I have assigned the groups to the below users

  • P000159 (No Group assignment)
  • P000160 (CI_WEBIDE)
  • P000161 (CI_PORTAL)

The next task is to navigate to the SAP CP subaccount and create SAP CP Groups for WebIDE and Portal service. I have assigned the relevant SAP WebIDE standard roles to the new group.

Similarly, I have also assigned the standard Portal roles to the newly created SAP CP Portal group.

The last step is to perform the group mappings under Trust > Application Identity Provider. I have mapped the IAS tenant groups with SAP CP groups.

This completes the required configurations.

You can now provide the direct link to your developers/portal admin to access the respective service.

SAP WebIDE – https://webidecp-<subaccount>

Portal – https://flpnwc-<subaccount>

When User P000159 tries to access both the services, this user would be authenticated successfully, but would get access errors as shown below.
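The group mapping configured above, modeled as an added example (not code from this blog or from SAP): roles are resolved from the groups carried in the SAML assertion, so a user with no mapped group authenticates but receives no roles. The assertion attribute name `groups`, the SAP CP group names and the role names are assumptions; only the user IDs and the IAS group names come from the post.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# IAS group -> SAP CP group. CI_WEBIDE / CI_PORTAL are from the post; the
# SAP CP group and role names are hypothetical placeholders.
GROUP_MAPPING = {"CI_WEBIDE": "CP_WEBIDE", "CI_PORTAL": "CP_PORTAL"}
GROUP_ROLES = {"CP_WEBIDE": {"WEBIDE_STANDARD_ROLE"},
               "CP_PORTAL": {"PORTAL_STANDARD_ROLE"}}
SERVICE_ROLE = {"webide": "WEBIDE_STANDARD_ROLE",
                "portal": "PORTAL_STANDARD_ROLE"}


def build_assertion(user, ias_groups):
    """Constructed sample holding only the parts the mapping reads."""
    values = "".join(
        f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in ias_groups)
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        f"<saml:Subject><saml:NameID>{user}</saml:NameID></saml:Subject>"
        '<saml:AttributeStatement><saml:Attribute Name="groups">'
        f"{values}</saml:Attribute></saml:AttributeStatement>"
        "</saml:Assertion>")


def effective_roles(assertion_xml):
    """Return (user, roles); groups without a mapping grant nothing."""
    # Signature and condition validation are not modeled here.
    root = ET.fromstring(assertion_xml)
    user = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    values = root.findall(
        "saml:AttributeStatement/saml:Attribute[@Name='groups']"
        "/saml:AttributeValue", NS)
    roles = set()
    for value in values:
        cp_group = GROUP_MAPPING.get(value.text)  # exact match, default deny
        if cp_group:
            roles |= GROUP_ROLES[cp_group]
    return user, roles


def can_access(assertion_xml, service):
    """Authentication already succeeded; access needs the service's role."""
    return SERVICE_ROLE[service] in effective_roles(assertion_xml)[1]


if __name__ == "__main__":
    for user, groups in [("P000159", []), ("P000160", ["CI_WEBIDE"]),
                         ("P000161", ["CI_PORTAL"])]:
        xml = build_assertion(user, groups)
        print(user, {s: can_access(xml, s) for s in SERVICE_ROLE})
```

Because the lookup is an exact match with no fallback, a renamed or misspelled IAS group silently removes access rather than widening it, which is the behaviour to verify after any change to the mapping.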



I hope this blog gave you some ideas around how you could configure access for your developers/admins who would be using SAP CP accounts for development and administration tasks.

    • Hi Soni,

      For this you would need to setup your IdP in the Application Identity Provider. Once you configure your IdP settings, all the SAP CP services like Integration, Portal etc will be authenticated using the configured IdP.

  • Hi Murali, excellent blog.

    We are undergoing an external SCP portal project using IAS as IDP for external users. My question is related to the difference between Platform IDP & Application IDP (when to use each).

    What I intend to do is to use S-User store for platform users of SCP (Admin & Developers), and IAS user store for end users authentication of the portals content. In this case, should IAS be defined as Platform IDP or should it be defined as Application IDP?

    I used to think that Platform IDP was used to authenticate SCP services (portal, webide, etc), and Application IDP was used to authenticate Portal contents and Apps, but after going through your blog I believe that my understanding is wrong.


    Thank you very much in advance for comments!!

    Best Regards.

    Cristian R. Castañeda

    • Hi Again Murali, I kind of figured it out now. Defining an application IDP is for both SCP services as well to Custom portals and Apps. Now it seems to be working (the scenario I described above). I still have a couple of doubts, though:

      1. I defined a custom image and custom title in IAS in the login form, but these attributes do not only appear when the end users log in to the custom portal site, but when a developer or admin of SCP tries to access services like WebIDE or Portal as well. Is there a way to display the standard login form when SCP users log in to SCP services?
      2. Related to authentication, this portal is aimed at external customers (no SAP users exist in the S4HANA or Gateway system), so I was thinking to have a “connection” user and assign this user in the destination configuration of SCP. Is this the right approach? If not, what would be the recommended approach?

      Thanks in advance for your comments!

      Best Regards


      Cristian R.


  • Hi Murali,

    We are currently authenticating access to our SCP hosted applications via the SAP Cloud IAS to our corporate IDP. I’ve started testing the same authentication process for Platform Identity as you describe in this blog, but as we started testing we encountered issues with our connection to the SAP Cloud Connector (which was being done via SAP S-user ID). Changing the SCC user to a corporate IDP user didn’t resolve the issue. I believe we need to enable a Platform API in order to allow the SCC connection, but I’m not quite sure how to go about that, can you direct me to any instructions on how to do so?