Hoang Vu

Technical user Cloud Platform Integration with custom SCP Identity Authentication Service

Introduction

This blog summarises the different options for creating a technical user that communicates with SAP Cloud Platform Integration (CPI) using basic authentication.

It covers the following options:

  • the default settings, where CPI authenticates callers against the SAP ID Service
  • the custom settings, where CPI authenticates callers against your custom SCP Identity Authentication Service (IAS)

My focus in this blog is the second option using a custom IAS.

Default – Authentication with SAP ID service

When you receive your SCP sub-account and CPI tenant, it is connected to the SAP ID Service by default. This is the user base where S-users, P-users and so on reside.

If you want to create a technical user, you can for example create a P-User via the official registration process. There is already much content on this, such as this blog.

All you need to do is provide this P-User with the relevant authorisation (role ESBMessaging.send of your CPI tenant) in your sub-account and you are good to go.

Keep in mind you will need a valid email address for the registration.

Custom – Authentication with custom IAS

However, many cloud customers want to use their own IAS for managing identities and authentication. For example, as an S/4HANA Cloud customer you receive an IAS tenant, which you might want to connect to the SCP sub-account where your CPI tenant resides.

For this scenario, too, there is already much content available on how to connect your custom IAS to your SCP sub-account, such as this tutorial.

With this configuration you should be able to access the CPI management node via your custom IAS, provided you give the user the required authorisation, for example through a group mapping from your IAS to your SCP sub-account.

But what about the technical user?

You can now create a P-user in your custom IAS without a real email address, and you set its password yourself.

However, there are two limitations regarding the technical user that I came across:

  1. the technical user is authenticated with basic authentication against the SAP ID Service, even though you have configured your custom IAS for SAML
  2. the role ESBMessaging.send of your CPI runtime is not assigned through the group mapping

To fix the first issue:

  • create a ticket on component BC-NEO-SEC-IAM stating the technical details of your sub-account and IAS tenant
  • the SAP colleague will then configure basic authentication from the SAP ID Service to your IAS tenant
  • read this documentation for further information

To fix the second issue:

  • create your technical user in IAS
  • note down the P-User ID
  • in your SCP sub-account, explicitly assign the role ESBMessaging.send to that P-User
  • this should fix the issue
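Once the ticket is processed and the role is assigned, it is worth verifying the technical user end to end rather than waiting for the first productive message to fail. The script below is an added example, not code from the original post or from SAP. It sends one request with basic authentication to a CPI endpoint and maps the HTTP status to the two limitations described above. It assumes standard HTTP semantics (401 when the credentials are rejected, i.e. the user is still being checked against the SAP ID Service instead of IAS; 403 when the user authenticated but lacks ESBMessaging.send), that the integration flow accepts a POST, and that the P-User and password are supplied through the hypothetical environment variables CPI_USER and CPI_PASSWORD rather than being hard-coded.

```python
"""Smoke-test a CPI technical user over basic authentication.

Added example, not part of the original blog post. Assumptions:
  * 401 = credentials rejected (user resolved against SAP ID Service, not IAS)
  * 403 = authenticated, but the role ESBMessaging.send is missing
  * the integration flow's HTTP sender accepts a POST
  * credentials come from the environment variables CPI_USER / CPI_PASSWORD
    (hypothetical names chosen for this example)
"""
import base64
import os
import sys
import urllib.error
import urllib.request
from typing import NamedTuple


class Verdict(NamedTuple):
    ok: bool
    reason: str
    next_step: str


def basic_auth_header(user: str, password: str) -> str:
    """Build the Authorization header value for HTTP basic authentication.

    RFC 7617 encodes "user:password" as Base64. The user ID must not contain
    a colon, otherwise the server cannot split the pair unambiguously.
    """
    if ":" in user:
        raise ValueError("user ID must not contain ':'")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def classify(status: int) -> Verdict:
    """Map the HTTP status of the probe to the two limitations from the blog."""
    if 200 <= status < 300:
        return Verdict(True, "authenticated and authorised", "none")
    if status == 401:
        return Verdict(
            False,
            "credentials rejected: the user is probably still checked against "
            "the SAP ID Service instead of your custom IAS",
            "open a ticket on component BC-NEO-SEC-IAM so that basic "
            "authentication is routed to your IAS tenant",
        )
    if status == 403:
        return Verdict(
            False,
            "authenticated, but the role ESBMessaging.send is missing",
            "assign ESBMessaging.send explicitly to the P-User in the SCP "
            "sub-account; the group mapping does not cover this role",
        )
    return Verdict(False, f"unexpected HTTP status {status}",
                   "inspect the response body and the CPI message monitor")


def probe(url: str, user: str, password: str, timeout: float = 10.0) -> Verdict:
    """Send one empty POST with basic auth and classify the outcome.

    urllib verifies the server's TLS certificate by default; keep it that way
    so the credentials never travel to an untrusted endpoint.
    """
    req = urllib.request.Request(
        url,
        data=b"",
        method="POST",
        headers={"Authorization": basic_auth_header(user, password)},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status)
    except urllib.error.HTTPError as err:
        return classify(err.code)


if __name__ == "__main__":
    # Usage: CPI_USER=P... CPI_PASSWORD=... python cpi_probe.py https://<tenant>/http/<endpoint>
    verdict = probe(sys.argv[1], os.environ["CPI_USER"], os.environ["CPI_PASSWORD"])
    print(f"{'OK' if verdict.ok else 'FAIL'}: {verdict.reason}")
    print(f"next step: {verdict.next_step}")
    sys.exit(0 if verdict.ok else 1)
```

Running it before and after the two fixes gives a clear before/after: a 401 points at the authentication routing (first limitation), a 403 at the missing role assignment (second limitation).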

Hope this helps,

Hoang

      8 Comments
      Harsh Chawla

      @Hoang

Thank you for this post. This is very useful information.

      I have a follow up related to APIM.

      What are my options for Basic Auth against SAP APIM, if APIM is using a custom IDP solution?

      Can I follow a similar approach for APIM as well?

      Regards,

      Harsh

      Hoang Vu
      Blog Post Author

      Hi,

      I have not tried it for APIM yet, but I assume it should be a similar approach because APIM is also an SCP service.

      It is worth trying out in my opinion.

      Regards,

      Hoang

      Wouter van Heddeghem

Great blog Hoang! Thank you for sharing!

      Nicolas Berthier

      Good post! How many technical users would you normally have to create in a typical S/4HANA Cloud/IAS/SCP integration scenario?

      Hoang Vu
      Blog Post Author

      You would create at least one technical user for each system you are communicating with. In some cases it makes sense to create a technical user for each integration scenario. It really depends on your setup.

      Manuel Tächl

      Great blog post Hoang!

      Do you know whether it is possible to configure that the IAS P-user's password will never expire via a policy?

      Thanks

      Manuel

      Nazar Kulyk

Actually you should be aware that you can't create a technical user on the IAS side in case of a custom IdP.

      Arne Feys

      Hi,

      Does this mean the S-Users will not work anymore as technical users? Only P-Users from IAS will be used for authentication then?

      Thanks,

      Arne