If you have logged in to an SAP Cloud Platform (SAP CP) account, you have probably used an “S” user or a “P” user. SAP CP automatically authenticates you and gives you access to the relevant services within the Cloud Platform account. This is true for all SAP CP trial accounts too. By default, the Application Identity Provider under Security > Trust is configured with SAP ID Service.
SAP ID service is SAP’s public Identity Provider and a key service for SAP, since it holds all the users of the SAP Community and even the users accessing the Service Marketplace.
It’s important to note that SAP CP does not have its own user store. When you spin up a trial SAP CP account, you get an account that is preconfigured with SAP ID service as the Application Identity Provider.
When you, as a developer, access services of SAP CP, it uses the SAP ID service to log you in to these services. The behaviour is the same for end users accessing apps deployed on SAP CP.
If you would like to know more on this topic, I recommend the openSAP course “Building Portal Sites on SAP Cloud Platform”, Week 5 Unit 3: Authentication, Authorization, and Security.
Obviously, it is not practical to have end users log in with their “S” or “P” user ID to view an app or the Fiori Launchpad. Hence, in the majority of SAP CP implementations, customers change the “Application Identity Provider” to point to their own cloud or on-premise Identity Provider (IdP). In the blog “Setting up Authentication for Cloud Portal using Cloud Identity” I showed how customers can register the Identity Authentication service (IAS) with an SAP CP account. SAP Identity Authentication service (IAS) is a SAML-based IdP provided by SAP on a subscription basis. Of course, you can configure an SAP CP account with any SAML-based IdP.
In this blog, I want to focus on something called the “Platform Identity Provider”. As soon as you add an “Application Identity Provider”, you get access to an additional tab: Platform Identity Provider.
The Platform Identity Provider is the user base for access to the SAP Cloud Platform account itself, i.e. the cockpit and its member management. By default it is configured with SAP ID service. You can switch it to an Identity Authentication service (IAS) tenant, which means you can use a user within the IAS tenant to log in to the SAP CP cockpit.
What if the customer does not want to maintain users in the IAS tenant because all their developers/employees are stored in an external IdP, for example Microsoft Active Directory? For such scenarios, the customer would use the IAS tenant as a proxy and configure Active Directory as a Corporate Identity Provider in IAS. Here is a YouTube video which explains the steps.
Changes to the Platform Identity Provider have no effect on the Application Identity Provider: the first decides who can log in to the cockpit and administer the account, the second decides how end users of the deployed applications are authenticated. The two are configured and evaluated independently.
Once you have configured the Platform Identity Provider with an IAS tenant, your Cloud Platform account can be accessed using a user from the IAS tenant.
There are two URLs which you can use.
The URL below is the default URL you have been using to access SAP CP. It remains available for accessing your SAP CP account with the default SAP ID service. To find your SAP CP Cockpit URL, look it up in the Help page.
To get your developers to access the SAP CP cockpit with the configured IdP, have them use the URL below:
https://account-<subaccount-name>.<SAP Cloud Platform host>/
Before launching the new URL, you need to grant access to your own IAS user, because the cockpit reached via this URL no longer recognises your “S” or “P” user. Without this step you would authenticate successfully at the IAS tenant but not be a member of any account.
Hence, use the existing URL and navigate to the Global Account. Open the Members menu and click “Add Members”.
In the popup screen, manually type in the IAS tenant details and provide the users who need to be added as Global members.
Once you save the changes, you should see the user listed as a Global member.
If you already have subaccounts, repeat the same process for each subaccount: you need to add yourself as a member of each subaccount too.
When you click the “Add Members” button, select your IAS tenant as the User base and provide all the users who need access to the subaccount.
This completes the setup of the Platform Identity Provider. You can now access the SAP CP cockpit using the new URL – https://account-<subaccount>.hana.ondemand.com/cockpit#/home/overview
This redirects the user to the IAS tenant configured as the Platform Identity Provider. On successful authentication, the user is given access to the SAP CP cockpit as shown below.
Auto assignment of developer roles
The next common question is: how do we avoid hard-coding developer user IDs to the required roles? If you have used SAP WebIDE Full-stack or the Portal service, you will recall that they require the respective roles to be assigned to users. Since SAP WebIDE and the Portal service are applications on SAP CP, their users are authenticated by the IdP configured as the “Application Identity Provider”. So we now change focus to the “Application Identity Provider”.
I would like to point you again to the blog “Setting up Authentication for Cloud Portal using Cloud Identity”. I am going to extend the scenario from that blog, so please go through it before proceeding.
In my Identity Authentication service, I have set up 3 users.
I have also created two Groups – One for SAP WebIDE and another for Portal service.
Here is the group which I have created for Portal Admins
I have assigned the groups to the users as follows:
- P000159 (No Group assignment)
- P000160 (CI_WEBIDE)
- P000161 (CI_PORTAL)
The next task is to navigate to the SAP CP subaccount and create SAP CP groups for WebIDE and the Portal service. I have assigned the relevant SAP WebIDE standard roles to the new WebIDE group.
Similarly, I have assigned the standard Portal roles to the newly created SAP CP Portal group.
The last step is to perform the group mappings under Trust > Application Identity Provider, where I have mapped the IAS tenant groups to the SAP CP groups. With this in place, authorization follows group membership in IAS rather than individual user IDs maintained in SAP CP.
This completes the required configurations.
You can now provide the direct link to your developers/portal admin to access the respective service.
SAP WebIDE – https://webidecp-<subaccount>.dispatcher.hana.ondemand.com/
Portal – https://flpnwc-<subaccount>.dispatcher.hana.ondemand.com/sites/adminspace?hc_login
When user P000159 tries to access either service, the user is authenticated successfully (the IAS tenant knows the user) but gets access errors as shown below, because no group, and therefore no role, is assigned.
I hope this blog gave you some ideas about how to configure access for developers/admins who use SAP CP accounts for development and administration tasks.
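To make the chain from IAS group to SAP CP group to role concrete, here is a small Python model of the evaluation described above. It is an added example, not code from this blog or from SAP: it builds constructed, unsigned SAML assertion fragments (the real cockpit validates a signed IAS response) and runs them through the mapping. The attribute name “groups” (the IAS default for group assertions), the SAP CP group names and the role names are assumptions chosen for illustration; the IAS groups and users are the ones from the blog.

```python
"""Model of the IAS group -> SAP CP group -> role mapping described above.

Added example, not SAP code. Assertions are constructed and unsigned; the
attribute name "groups", the SAP CP group names and the role names are
assumptions for illustration.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Trust > Application Identity Provider group mapping (assumed CP group names).
IAS_TO_CP_GROUP = {
    "CI_WEBIDE": "CP_WEBIDE_DEVELOPERS",
    "CI_PORTAL": "CP_PORTAL_ADMINS",
}

# SAP CP group -> roles assigned in the subaccount (illustrative role names).
CP_GROUP_ROLES = {
    "CP_WEBIDE_DEVELOPERS": {"WebIDE_Developer"},
    "CP_PORTAL_ADMINS": {"Portal_TENANT_ADMIN"},
}

# Role each service checks for (illustrative names).
SERVICE_REQUIRED_ROLE = {
    "webide": "WebIDE_Developer",
    "portal": "Portal_TENANT_ADMIN",
}


def build_assertion(user_id, ias_groups):
    """Constructed minimal assertion: NameID plus a multi-valued "groups"
    attribute, omitted entirely when the user has no group assignment."""
    values = "".join(
        f"<saml:AttributeValue>{escape(g)}</saml:AttributeValue>" for g in ias_groups
    )
    statement = (
        f'<saml:AttributeStatement><saml:Attribute Name="groups">{values}'
        "</saml:Attribute></saml:AttributeStatement>"
        if ias_groups else ""
    )
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}">'
        f"<saml:Subject><saml:NameID>{escape(user_id)}</saml:NameID></saml:Subject>"
        f"{statement}</saml:Assertion>"
    )


def parse_assertion(xml_text):
    """Return (user_id, set of IAS group names) from an assertion fragment."""
    root = ET.fromstring(xml_text)
    user_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    groups = set()
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == "groups":
            groups.update(
                v.text.strip()
                for v in attr.iterfind("saml:AttributeValue", NS)
                if v.text and v.text.strip()
            )
    return user_id, groups


def cp_roles_for(ias_groups):
    """Resolve IAS groups through the trust mapping to SAP CP roles.
    IAS groups without a mapping confer nothing, so the mapping table is
    the single place where access is granted."""
    roles = set()
    for g in ias_groups:
        cp_group = IAS_TO_CP_GROUP.get(g)
        if cp_group:
            roles |= CP_GROUP_ROLES.get(cp_group, set())
    return roles


def check_access(xml_text, service):
    """Authentication and authorization are separate outcomes, as in the
    blog: a known IAS user is authenticated even when no role results."""
    user_id, groups = parse_assertion(xml_text)
    roles = cp_roles_for(groups)
    return {
        "user": user_id,
        "authenticated": bool(user_id),
        "authorized": SERVICE_REQUIRED_ROLE[service] in roles,
        "roles": roles,
    }


# The three users from the blog; "CI_HR" is a constructed, unmapped group.
USERS = {
    "P000159": [],
    "P000160": ["CI_WEBIDE"],
    "P000161": ["CI_PORTAL", "CI_HR"],
}

if __name__ == "__main__":
    for user, groups in USERS.items():
        for service in SERVICE_REQUIRED_ROLE:
            r = check_access(build_assertion(user, groups), service)
            print(f"{user} -> {service}: authenticated={r['authenticated']} "
                  f"authorized={r['authorized']} roles={sorted(r['roles'])}")
```

Running the block reproduces the blog's outcome: P000159 is authenticated for both services but authorized for neither, P000160 reaches only WebIDE and P000161 only the Portal admin space. The unmapped CI_HR group on P000161 confers nothing, which is the property you want from the mapping: adding a user to a group in IAS only grants access when an administrator has mapped that group under Trust in the subaccount.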