Setup a Platform Identity Provider for SAP Cloud Platform
[Update 1-May-2019] : Added a section on using IAS as Proxy and Known Limitations.
If you have logged into a SAP Cloud Platform (SAP CP) account, you probably would have used a “S” user or “P” user. SAP CP would automatically authenticate you and provide access to the relevant services within the Cloud Platform account. This is true for all SAP CP trial accounts too. By default, the Application Identity Provider under Security > Trust settings is configured with SAP ID Service.
SAP ID service is SAP’s public Identity Provider and is a key service for SAP as it contains all the users who are in the SAP Community and even users accessing the Service Marketplace.
Its important to note that SAP CP does not have its own user store. When you spin up a trial SAP CP account, you get an account which is preconfigured with SAP ID service as the application Identity provider.
When you as a developer access services of SAP CP, it would use the SAP ID service to log you into these services. The behaviour is same even for end users who would be accessing apps deployed on SAP CP.
If you would like to more on this topic, I would recommend you to go through this openSAP course “Building Portal Sites on SAP Cloud Platform” Week 5 Unit 3 : Authentication, Authorization, and Security
Obviously, its not practical to have end users use their “S” or “P” user ID to login to view an App or Fiori Launchpad. Hence, majority of the SAP CP implementations, customers would change the “Application Identity Provider” to refer to their own Cloud or on-premise Identity Provider (IdP). In this blog “Setting up Authentication for Cloud Portal using Cloud Identity“ I have showed how customers can register Identity Authentication service (IAS) with a SAP CP account. SAP Identity Authentication service(IAS) is a SAML based IdP provided by SAP on a subscription basis. Ofcourse, you can configure SAP CP account with any SAML based IdP.
In this blog, I want to focus on something called as “Platform Identity Provider”. You will need to look for a tile “Platform Identity Provider” and enable this service to get access to a tab – Platform Identity Provider.
The Platform Identity Provider is the user base for access to SAP Cloud Platform account. By default its configured with SAP ID service. You can now switch to an Identity Authentication service (IAS) tenant. This means you can use a user within the IAS tenant to login into SAP CP cockpit.
What if the customer does not want to use IAS tenant as they have all their developers/employees stored in an external IdP – for example in MS Active Directory. For such scenarios, the customer would need to use IAS tenant as a proxy and configure Active Directory as a Corporate Identity Provider. Here is a youtube video which explains the steps.
The changes in the Platform Identity Provider does not have any relation with the Application Identity Provider.
Once you have configured the Platform Identity Provider with an IAS tenant, your Cloud Platform account can now be access using a user from the IAS tenant.
There are two URLs which you can use.
The below URL is the default URL which you would have been using to access SAP CP. This will still be available to access your SAP CP account using the default SAP ID service. To find the your SAP CP Cockpit URL, you can lookup the Help page.
To get your developers to access SAP CP cockpit with the configured IdP, get them to use the below URL
https://account-<subaccount-name>.<SAP Cloud Platform host>/
Before launching the new URL, you would need to provide access to your own user as it wouldn’t recognize your “S” or “P” user anymore.
Hence use the existing URL and navigate to the Global Account. You should be able to access the Members menu and click on “Add Members”.
In the popup screen, manually type in the IAS tenant details and provide the users which need to be added as Global members.
Once you save the changes, you should be able to see the user added as Global member
If you already have subaccounts created, repeat the same process for each subaccount. You would need to add yourself as a member to each of the subaccount.
When you click on the “Add Members” button, select the User base as your IAS tenant and provide all the users who would need access to the subaccount.
This completes the setup of Platform Identity Provider.You can now access SAP CP cockpit using the new URL – https://account-<subaccount>.hana.ondemand.com/cockpit#/home/overview
This will redirect the user to the IAS Tenant (which has been configured as the Platform Identity Provider). On successful authentication, the user will be given access to SAP CP Cockpit as shown below.
Auto assignment of developer roles
The next common question is – How do we avoid hard-coding developer userIDs to the required roles. If you would have used SAP WebIDE Full-stack or Portal service, you would recall that it requires the assignment of respective roles to the users. Since SAP WebIDE and Portal services are applications of SAP CP, the users are authenticated by the IdP configured in the “Application Identity Provider”. So we are now changing the focus to “Application Identity Provider”.
I would like to point you to the same blog “Setting up Authentication for Cloud Portal using Cloud Identity“. I am going to extend this scenario based on this blog. Hence, please go through this blog before proceeding.
In my Identity Authentication service, I have setup 3 users
I have also created two Groups – One for SAP WebIDE and another for Portal service.
Here is the group which I have created for Portal Admins
I have assigned the groups to the below users
- P000159 (No Group assignment)
- P000160 (CI_WEBIDE)
- P000161 (CI_PORTAL)
The next task is to navigate to the SAP CP subaccount and create SAP CP Groups for WebIDE and Portal service. I have assigned the relevant SAP WebIDE standard roles to the new group.
Similarly, I have also assigned the standard Portal roles to the newly created SAP CP Portal group.
The last step is to perform the group mappings under Trust > Application Identity Provider. I have mapped the IAS tenant groups with SAP CP groups.
This completes the required configurations.
You can now provide the direct link to your developers/portal admin to access the respective service.
SAP WebIDE – https://webidecp-<subaccount>.dispatcher.hana.ondemand.com/
Portal – https://flpnwc-<subaccount>.dispatcher.hana.ondemand.com/sites/adminspace?hc_login
When User P000159 tries to access both the services, this user would be authenticated successfully, but would get access errors as shown below.
I hope this blog gave you some ideas around how you could configure access for your developers/admins who would be using SAP CP accounts for development and administration tasks.
Using a Corporate Identity Provider as Platform IdP
As mentioned earlier, you can configure your own corporate Identity Provider to serve as a Platform Identity Provider. However, for this scenario, you would still need to use IAS as a proxy and configure your corporate Identity Provider within IAS.
This has been explained in detail in another blog post “Integrating Identity Authentication service & Azure Active Directory in SAP Cloud Platform – Proxy & Conditional Authentication scenarios”
Assuming you have configured IAS as mentioned in the above blog post, the next step is to configure your Platform Identity Provider with the IAS service. For demonstration, I am using another IAS service with the tenant name called hcpta.
I have configured this IAS service with Azure AD as “Corporate Identity Provider”. Before I begin to test this, I would need to add my Azure AD user Identity as a member in the global account (as shown below)
Now when I try to login to the SCP cockpit using the below URL, I will be taken to Microsoft login screen.
I can now login with my Azure AD credentials and gain access to SAP Cloud Platform Cockpit.
Please note there are limitations when using IAS tenant act as a proxy to a Corporate Identity Provider
Cloud Platform Integration
Only account.sap.com and SAP Cloud Platform Identity Authentication Service can be configured for basic authentication. You are not allowed to use any arbitrary custom IDP for this use case.
SAP Cloud Connector
There seems to be a problem getting Cloud Connector to connect to a subaccount which has been configured with IAS as a proxy (for Platform Identity Provider). I was able to successfully connect SCC with a subaccount when the Platform Identity Provider is just IAS.
Neo Console Client
2501986 – Authentication errors when using the Neo console client
If the IAS tenant act as a proxy to a Corporate Identity Provider, authentication will not work. Only basic authentication with P-users works for IAS.
Setting up Platform Roles to secure your SAP Cloud Platform cockpit
Nice blog Murali Shanmugham - while I have not got to this stage yet it was on my list to check out so appreciate the blog on this. Thanks!
We would like touse IDP for integration-admin like tmn/itspaces urls as well, do you have something to add?
For this you would need to setup your IdP in the Application Identity Provider. Once you configure your IdP settings, all the SAP CP services like Integration, Portal etc will be authenticated using the configured IdP.
Hi Murali, excellent blog.
We are undergoing a external SCP portal project using IAS as IDP for external users. My question is related to the diference between Platform IDP & Application IDP (when to use each).
What I intend to do is to use S-User store for platform users of SCP (Admin & Developers), and IAS user store for end users authentication of the portals content. In this case, Should IAS be defined as Platform IDP or should be defined as Application IDP?
I used to think that Platform IDP was used to authenticate SCP services (portal, webide, etc), and Application IDP was used to authenticate Portal contents and Apps, but after going through your blog I believe that my understanding is wrong.
Thank you very much in advance for coments!!
Cristian R. Castañeda
Hi Again Murali, I kind of figured it out now. Defining an application IDP is for both SCP services as well to Custom portals and Apps. Now it seems to be working (the scenario I described above). I still have a couple of doubts, though:
Thanks in advance for your comments!
Sorry for the delay in response.
We are currently authenticating access to our SCP hosted applications via the SAP Cloud IAS to our corporate IDP. I've started testing the same authentication process for Platform Identity as you describe in this blog, but as we started testing we encountered issues with our connection to the SAP Cloud Connector (which was being done via SAP S-user ID). Changing the SCC user to a corporate IDP user didn't resolve the issue. I believe we need to enable a Platform API in order to allow the SCC connection, but I'm not quite sure how to go about that, can you direct me to any instructions on how to do so?
I also heard of few other limitations when turning on the platform IdP with IAS as a proxy. We found a similar issue when trying to use corporate IDP user to invoke a Cloud Platform Integration iFlow. Turns out that in a Platform IdP scenario, only IAS users are accepted with basic authentication.
I couldnt get the Cloud Connector connect with the corporate IdP user credentials.
We manually change the user name in S4H but some how its restting to old one . We matched the user name with Identity system .
Can you help with reason why ?
Not sure this is related to this blog post. Best to raise a question in the appropriate forum.
for adding a user from Custom IAS userbase to global account you have to only use the DNS of IAS Tenant as userbase linke in subaccount --> remove "https://"
Please update the picture/text in your article.
Thank you for sharing this.
A question though ...
When investigating IAS and Azure AD authentication we could activate that scenario for subaccount members and for application end-users.
How about global account members? The blog describes to specify an alternate user base for global account member (for instance: the IAS tenant name) but this seems to have no effect.
When entering the URL for the global account we always end up on the SAP ID service login screen. So we see no possibility to enter credentials that belong to the alternative user base.
Do you know if we need to give an alternative "global account URL", similar to what is done to redirect subaccount authentication to IAS/AAD? I tried some guesswork but without success.
Is it even supported for global account members? The IAS documentation is not very clear on this either.
I have SAML setup with SAP IDP with XSUAA in Cloud Foundry applications.
While this is great with IDP verifying the authenticity and Approuter giving us the JWT token keeping the application secure.
Our applications are Angular Single Page Applications (SPAs). Our application is also a part of a another project / team. It is not a really good UX/UI to have a saml flow in a SPA especially when you are part of another SPA. So we currently let the SAML flow happen in an iframe and listen to an event when the flow has completed. This not VERY RELIABLE and cross browser platform compatible always. OSX safari has lots of issues regarding iframes.
Do you know how we can have a REST based authentication with the IDP? Any article, documentation or blog would be really helpful.
Do you know hwo to setup the "Application identify provider" in SCP cloud foundry?
I can't find the trust tab and local service proivder accordingly. It only apear in the Neo subaccount.
You can do it under the Trust Configuration. Hope this helps.