Technical user for Cloud Platform Integration with a custom SCP Identity Authentication Service
This blog summarises the options for creating a technical user that communicates with SAP Cloud Platform Integration (CPI) using basic authentication.
It covers the following options:
- the default setup, where CPI validates the credentials against the SAP ID Service
- the custom setup, where CPI validates the credentials against your own SCP Identity Authentication Service (IAS) tenant
My focus in this blog is the second option, using a custom IAS.
Default – Authentication with SAP ID service
When you receive your SCP sub-account and CPI tenant, the sub-account is connected to the SAP ID Service by default. This is the user base where S-users, P-users and so on reside.
If you want a technical user, you can for example create a P-user via the official registration process. There is already much content on this, such as this blog.
All you then need to do is give this P-user the relevant authorisation in your sub-account (the role ESBMessaging.send of your CPI tenant) and you are good to go.
Keep in mind that you will need a valid email address for the registration.
Custom – Authentication with custom IAS
However, many cloud customers want to use their own IAS tenant for managing identities and authentication. For example, as an S/4HANA Cloud customer you receive an IAS tenant, which you may want to connect to the SCP sub-account where your CPI tenant resides.
For this scenario there is also plenty of content on how to connect your custom IAS to your SCP sub-account, such as this tutorial.
With this configuration you can log on to the CPI management node via your custom IAS, provided you give the user the required authorisation, for example through a group mapping from your IAS to your SCP sub-account.
But what about the technical user?
In your custom IAS you can now create a P-user that does not require a real email address, and you set its password yourself.
However, there are two limitations regarding the technical user that I came across:
- the technical user still uses basic authentication against the SAP ID Service, even though you have configured your custom IAS as the SAML identity provider; the SAML trust configuration covers browser-based logons, while basic authentication is routed separately
- the role ESBMessaging.send of your CPI runtime is not assigned through the group mapping
To fix the first issue:
- create a ticket on component BC-NEO-SEC-IAM stating the technical details of your sub-account and IAS tenant
- SAP will then switch basic authentication for your sub-account from the SAP ID Service to your IAS tenant
- read this documentation for further information
To fix the second issue:
- create your technical user in IAS
- note down its P-user ID
- in your SCP sub-account, assign the role ESBMessaging.send explicitly to that P-user
- this should fix the issue
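To check which of the two limitations you are still hitting once the P-user exists, a small probe helps. The following script is an added example and not code from the original blog: it sends one basic-auth request to a deployed iFlow endpoint on the CPI runtime node and interprets the HTTP status. The environment variable names, the endpoint and the mapping of 401 to the first issue (credentials not accepted, which also covers a plain wrong password) and 403 to the second issue (missing ESBMessaging.send) are assumptions, not something the blog or SAP documentation states.

```python
"""Probe a CPI runtime endpoint with a P-user over basic authentication.

Added example, not code from the original blog. The endpoint URL, the
user and the password are placeholders supplied via environment variables;
the status-code interpretation below is an assumption about how the CPI
runtime node responds, not something the blog states.
"""
import base64
import os
import sys
import urllib.error
import urllib.request


def basic_auth_header(user: str, password: str) -> str:
    """Build the RFC 7617 Authorization value: 'Basic ' + base64(user:password)."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def diagnose(status: int) -> str:
    """Map the HTTP status of the probe to the two issues described in the blog.

    Assumed mapping: 401 means the credentials were rejected, i.e. either the
    password is wrong or basic auth for the sub-account is still routed to the
    SAP ID Service, where the IAS P-user does not exist (first issue);
    403 means the user authenticated but the CPI runtime role
    ESBMessaging.send is not assigned (second issue).
    """
    if status == 401:
        return ("not authenticated: password wrong, or basic auth for the "
                "sub-account still goes to SAP ID Service (BC-NEO-SEC-IAM ticket)")
    if status == 403:
        return ("authenticated but not authorised: assign ESBMessaging.send "
                "to the P-user explicitly in the SCP sub-account")
    if 200 <= status < 300:
        return "authenticated and authorised"
    return f"unexpected status {status}: check the endpoint path and the iFlow"


def probe(url: str, user: str, password: str, timeout: float = 10.0) -> int:
    """Send a GET with basic auth and return the HTTP status (no exception on 4xx)."""
    request = urllib.request.Request(
        url, headers={"Authorization": basic_auth_header(user, password)}
    )
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status
    except urllib.error.HTTPError as err:
        # urllib raises on 4xx/5xx; the status code is what we want to see.
        return err.code


if __name__ == "__main__":
    # Placeholders (assumed names): CPI_URL is the HTTPS endpoint of a deployed
    # iFlow on the CPI runtime node, CPI_USER the P-user, CPI_PASSWORD its password.
    url = os.environ.get("CPI_URL")
    user = os.environ.get("CPI_USER")
    password = os.environ.get("CPI_PASSWORD")
    if not (url and user and password):
        sys.exit("set CPI_URL, CPI_USER and CPI_PASSWORD")
    code = probe(url, user, password)
    print(code, diagnose(code))
```

Run it once before and once after each of the two fixes: a 401 that persists after the role assignment points at the basic-auth routing (or the password), a 403 after the ticket points at the missing role.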
Hope this helps,
Thank you for this post. This is very useful information.
I have a follow up related to APIM.
What are my options for Basic Auth against SAP APIM, if APIM is using a custom IDP solution?
Can I follow a similar approach for APIM as well?
I have not tried it for APIM yet, but I assume it should be a similar approach because APIM is also an SCP service.
It is worth trying out in my opinion.
Great blog Hoang ! Thank you for sharing !
Good post! How many technical users would you normally have to create in a typical S/4HANA Cloud/IAS/SCP integration scenario?
You would create at least one technical user for each system you are communicating with. In some cases it makes sense to create a technical user for each integration scenario. It really depends on your setup.
Great blog post Hoang!
Do you know whether it is possible to configure that the IAS P-user's password will never expire via a policy?
Actually, you should be aware that you can't create a technical user on the IAS side in the case of a custom IdP.
Does this mean the S-Users will not work anymore as technical users? Only P-Users from IAS will be used for authentication then?