The intention of this blog post is to show how easy it is to set up trust between SAP Cloud Platform and a SAP Cloud Identity Authentication Service (SCIAS) tenant. While there are many blogs out there that cover how to configure options within the SCIAS tenant I thought I would cover the initial setup – especially for newbies entering the SAP Cloud Platform landscape. SCIAS has changed over time and is now easier than ever to setup.
When I first started out Murali Shanmugham’s blog posts on SAP Cloud Identity were invaluable. You can find a link to the first one here. This does cover the steps required however also covers a broader range of topics.
3 years ago this had to be configured manually – metadata files had to be swapped and then added to both the SAP Cloud Platform subaccount and the SAP Cloud Identity Authentication Service tenant. This was especially the case if customers had multiple tenants available to them. When you think of how many subaccounts may have been set up the work involved to complete this was not trivial. Fast forward to now and there are only 3 clicks involved to complete this task.
When companies purchase a SAP Cloud Platform subscription they automatically receive a SAP Cloud Identity Authentication Service tenant however in my experience it is not communicated well and the setting up of Administrators always seems to be hit and miss so make sure you allow some time for this provisioning process to take place. I would say that even some customers don’t even know they have an SCIAS tenant available to them. You will see with the below instructions how you can find out what the tenant name is.
So, before getting into this there are many possible architectures involved with SAP Cloud Platform security trust settings including:
- Authentication via an on-premise ADFS to provide the Federated Services. In most projects I find this to be the most common requirement as internal users are typically involved.
- Authentication via SAP Cloud Identity Authentication Service. I recommend this when there are external users involved, that are not currently set up in a company’s internal systems.
- Authentication via SAP Cloud Identity Authentication Service but via an on-premise ADFS for the user store.
Initial Trust Settings
Initially when you first start in your SAP Cloud Platform tenant there is no Trust defined within the Security settings. It is set to Default meaning that authentication takes place through the S userid and utilises SAP’s free SAP ID service.
Figure:1 Initial SAP Cloud Platform Security Trust settings
- Select the [Edit] option to modify the settings. The fields will then be open for maintenance.
Figure:2 Changing the Security Trust settings
- Change Configuration Type to Custom. You may then see the following screen. The Local provider name will be populated with the path of the subaccount.
Figure:3 Generating Key Pair for SAP Cloud Platform Security Trust settings
- Select the [Generate Key Pair] icon and this will generate the signing key and signing certificate that will be used to configure Trust in the SCIAS. When this is done you should see a screen similar to this show up.
Figure:4 Key Pair generated
- Change the Principal Propagation setting to Enabled and then Save.
Figure:5 Principal Propagation setting enabled
An alert message will display just letting you know to now configure the Trust provider settings within the next tab.
Figure:6 Trust Settings complete message
So the completed settings on the Local Service Provider tab should look like this.
Figure:7 Local Service Provider completed settings
3 Clicks to Activate Trust
Now that we have set up the initial Trust settings on the Local Service Provider tab we will now go through the 3 click method of activating authentication via the SCIAS.
As we have started a custom configuration you will see that the SAP ID service is no longer an application identity provider.
Figure:8 Application Identity Provider initial settings
Now – here is the good part. The SCIAS tenant is automatically delivered as part of the SAP Cloud Platform subscription and so it is basically already identified as a possible Identity provider for the subscription. The best part is that you can enable it with 3 clicks. Let’s see how this is done.
Click 1: Select the Add Identity Authentication Tenant option.
The following popup will be displayed. Usually there is only 1 tenant available to choose from (enterprise version) but as you can see here there may be a trial version at some point also. As I stated above you can find out what your tenant is by performing this process.
Click 2: Select the specific Identity Authentication tenant as show above.
Click 3: Click on the [Save] button to save the settings.
After a few dot dot dots you will see the Identity Authentication tenant assigned.
HOW SIMPLE IS THAT!! Awesome.
You should now see that the tenant is assigned to the subaccount and it is set as the default.
You can also jump straight to the Admin console by selecting the [Identity Authentication Admin Console] icon as highlighted. You should then be directed to the login page.
That pretty much completes this blog but I will leave one more note here. The 3 click approach can still be used even if the SAP Cloud Platform subaccount is authenticating via MS ADFS or any other identity provider.
While the seasoned SAP Cloud Platform users may already know this hopefully the newbies can use this guide to start their learnings.
Thanks for reading!