Technical user Cloud Platform Integration with custom SCP Identity Authentication Service
This blog aims to summarise different options on how to create a technical user for the communication with SAP Cloud Platform Integration (CPI) using basic authentication.
It will point out following options:
- the default settings where CPI authenticates itself with SAP ID Service
- the customs settings where CPI authenticates itself against your custom SCP Identity Authentication Service (IAS)
My focus in this blog is the second option using a custom IAS.
Default – Authentication with SAP ID service
So when you get your SCP sub-account and CPI tenant, by default it is connected to the SAP ID Service. This is the user base where S-users, P-users and so on reside.
If you want to create a technical user, you can for example create a P-User via the official registration process. There is already much content on this, such as this blog.
All you need to do is provide this P-User with the relevant authorisation (role ESBMessaging.send of your CPI tenant) in your sub-account and you are good to go.
Keep in mind you will need a valid email address for the registration.
Custom – Authentication with custom IAS
However many cloud customers want to use their own IAS for managing identities and authentication. For example as a S/4HANA Cloud customer you will receive an IAS tenant, which you might want to connect to your SCP sub-account where your CPI tenant resides.
Also for this scenario there is much content available already on how to connect your custom IAS to your SCP sub-account such as this tutorial.
With this configuration you should be able to access the CPI management node via your custom IAS if you provide the user with the required authorisation for example through a group mapping from your IAS to your SCP sub-account.
But what about the technical user?
You can now create a P-user in your custom IAS without requiring a real email address where you set the password yourself.
However there are two limitations regarding the technical user that I came across:
- the technical user uses basic authentication against the SAP ID Service even though you have configured your custom IAS for SAML
- the role ESBMessaging.send of your CPI runtime does not get assigned through the group mapping
To fix the first issue:
- create a ticket on component BC-NEO-SEC-IAM stating the technical details of your sub-account and IAS tenant
- The colleague will then configure basic authentication from SAP ID Service to your IAS tenant.
- Read this documentation for further information.
To fix the second issue:
- create your technical user in IAS
- note down the P-User
- in your SCP sub-account explicitly assign the P-User the role ESBMessaging.send
- this should fix your issue
Hope this helps,