Skip to Content
Technical Articles

SAP Business Technology Platform Security | Hands-on Video Tutorials

SAP Cloud Identity Services – Identity Authentication

SAP Partner Innovation Lab and SAP HANA Academy have published a series of video tutorials on the topic of SAP Business Technology Platform security.

In this blog post you will find the videos embedded with references and additional information.

For the related blog post, see

Questions? Please post as comment.

Useful? Give us a like and share on social media.

Thanks!

/wp-content/uploads/2016/02/sapnwabline_885687.png

Hands-On Video Tutorials

About the Service

As advertised, Identity Authentication service provides a controlled cloud-based access to business processes, applications, and data. It simplifies the user experience through authentication mechanisms, single sign-on, on-premise integration, and convenient self-service options.

Recently, Cloud Identity Services has been added as platform service for SAP Business Technology Platform (BTP) global accounts. This enables you to create a service instance of the service for subaccounts, registered as an application with your tenant of SAP Cloud Identity Services Identity Authentication.

SAP Cloud Identity Services Identity Authentication (IAS) enables single sign-on for SAP cloud business applications using delegated authentication from a corporate identity provider (IdP).

IAS provides a wide range of authentication capabilities using certificates, policies, branding, two-factor authentication (2FA), and more. For the full list, see

 

What You Learn

You can watch the video tutorial in about 7 minutes. What you learn is

  • How to establish trust between your SAP BTP subaccount and your IAS tenant
  • How to create a service instance of Cloud Identity Services in the BTP Cloud Foundry environment.

Prerequisites

For this activity you need

  • Administration privileges on your SAP BTP Customer/Partner account.
  • Administration privileges on your SAP Cloud Identity Services Identity Authentication tenant

Note that the SAP BTP Trial environment is currently not supported.

/wp-content/uploads/2016/02/sapnwabline_885687.png

Cloud Identity Services 

Tutorial Video

In this video tutorial, we show how to establish the trust between a subaccount of SAP Business Technology Platform and a SAP Cloud Identity Services Identity Authentication service tenant, followed by the creation of a service instance of Cloud Identity Services.

This enables us to register a service instance as application.

0:00​ – Introduction

1:15 – Documentation

3:15 – Establish trust 

5:10 – Applications in SAP Cloud Identity Services Identity Authentication

6:00 – Create new service instance for Cloud Identity Service 

7:15 – Applications in SAP Cloud Identity Services Identity Authentication

/wp-content/uploads/2016/02/sapnwabline_885687.png

Establish Trust

Trust Configuration

First step in the procedure is to establish an OpenDI Connect (OIDC) trust between the SAP BTP subaccount and your IAS tenant.

At the subaccount level, navigate to Security, Trust Configuration and select the Establish Trust button. You will be prompted to select the identity provider, which lists the IAS tenants that contain the same CRM ID reference as your BTP account.

Once the trust has been established, you can configure the entry to enable/disable the service, make the IdP available for user login, and allow shadow users to be created.

Commonly, you would disable the default identity provider, SAP ID service, for this subaccount. Otherwise users will be prompted to select the IdP before each new connection.

SAP Identity Authentication Service

The SAP BTP subaccount will be referenced as Bundled Application under Applications. The required parameters under the Trust tab have been set up. Conditional authentication, and other settings under the Authentication and Access, and Branding and Layout tabs can be configured.

These settings are documented in the Operation Guide (see References below).

/wp-content/uploads/2016/02/sapnwabline_885687.png

Assignments and Entitlements

Service Assignments

Cloud Identity Services is automatically assigned to your global account. To verify this navigate to your global account (root level), expand Entitlements in the menu and select Service Assignments.

Entity Assignments

As global administrator, to assign Cloud Identity Services to a subaccount, select Entity Assignments, Configure Entitlements, Add Service Plan, and select the application plan.

As subaccount administration, the same operation can be performed (when authorised) from the Entitlements menu.

Service Marketplace

When entitled and assigned, the Cloud Identity Service will be listed in the Service Marketplace. Using the ellipses (…) menu, you can create a service instance.

Alternatively, select the tile and create the service instance from the blade using the Create button or the Create link at plan level.

Create Service

To create a service instance, the generic wizard is presented

  • Step 1 Basic Info of the Create Service dialog prompts us to provide a name for service instance. The other parameters are pre-popluated from the context.
  • Step 2- Parameters, enables us to provide additional information in JSON format but for this service none are documented.
  • Step 3 – Review serves to confirm the selection and create the instance.

When created, we can create service keys, bind applications, and configure the service as any other BTP service instance.

The service instance is registered under charged applications using the same service instance name as reference.

/wp-content/uploads/2016/02/sapnwabline_885687.png

Tricky Bits

Unable to Fetch

When your SAP ID Service user account does not have the same customer ID for SAP BTP and SAP IAS, the single-click trust will fail with message: Unable to fetch available IAS tenants.

Contact SAP Support to have both services registered correctly.

A Zone is Required

When attempting to create a service instance of Cloud Identity Service before the trust is established an error message is returned with message: Failed to create the service instance, and a zone is required to use this service. The documentation reference points to the SAP BTP Guide where the Establish Trust procedure is documented (which implicitly creates the required zone).

Error message for Cloud Foundry environment.

Error message for Other environment.

/wp-content/uploads/2016/02/sapnwabline_885687.png

References

SAP HANA Academy YouTube Playlist and Code Repository

To bookmark the playlist on YouTube, go to

SAP Discovery Center

For information about SAP Cloud Identity Service, visit the entry in the service catalog of the SAP Discovery Center. Here you also find links to the documentation, tutorials, and the SAP Community topic area

Documentation

How to establish trust and create service instances is documented in the SAP BTP Guide.

How to configure SAP Cloud Identity Services – Identity Authentication is documented separately on  the SAP Help Portal

/wp-content/uploads/2016/02/sapnwabline_885687.png

Share and Connect 

Questions? Post as comment.

Useful? Give us a like and share on social media. Thanks!

If you would like to receive updates, connect with me on

Be the first to leave a comment
You must be Logged on to comment or reply to a post.