By Denys van Kempen

SAP Business Technology Platform Security | Hands-on Video Tutorials

SAP Cloud Identity Services – Identity Authentication

SAP Partner Innovation Lab and SAP HANA Academy have published a series of video tutorials on the topic of SAP Business Technology Platform security.

In this blog post you will find the videos embedded with references and additional information.

For the related blog post, see

Questions? Please post as comment.

Useful? Give us a like and share on social media.

Thanks!


Hands-On Video Tutorials

About the Service

As advertised, the Identity Authentication service provides controlled, cloud-based access to business processes, applications, and data. It simplifies the user experience through authentication mechanisms, single sign-on, on-premise integration, and convenient self-service options.

Recently, Cloud Identity Services has been added as a platform service for SAP Business Technology Platform (BTP) global accounts. This enables you to create a service instance of the service for subaccounts, registered as an application with your tenant of SAP Cloud Identity Services Identity Authentication.

SAP Cloud Identity Services Identity Authentication (IAS) enables single sign-on for SAP cloud business applications using delegated authentication from a corporate identity provider (IdP).

IAS provides a wide range of authentication capabilities using certificates, policies, branding, two-factor authentication (2FA), and more. For the full list, see


What You Learn

You can watch the video tutorial in about 7 minutes. What you learn is

  • How to establish trust between your SAP BTP subaccount and your IAS tenant.
  • How to create a service instance of Cloud Identity Services in the BTP Cloud Foundry environment.

Prerequisites

For this activity you need

  • Administration privileges on your SAP BTP Customer/Partner account.
  • Administration privileges on your SAP Cloud Identity Services Identity Authentication tenant.

Note that the SAP BTP Trial environment is currently not supported.


Cloud Identity Services

Tutorial Video

In this video tutorial, we show how to establish trust between a subaccount of SAP Business Technology Platform and an SAP Cloud Identity Services Identity Authentication tenant, followed by the creation of a service instance of Cloud Identity Services.

This enables us to register a service instance as application.

0:00 – Introduction

1:15 – Documentation

3:15 – Establish trust

5:10 – Applications in SAP Cloud Identity Services Identity Authentication

6:00 – Create new service instance for Cloud Identity Services

7:15 – Applications in SAP Cloud Identity Services Identity Authentication


Establish Trust

Trust Configuration

The first step in the procedure is to establish an OpenID Connect (OIDC) trust between the SAP BTP subaccount and your IAS tenant.

At the subaccount level, navigate to Security, Trust Configuration and select the Establish Trust button. You will be prompted to select the identity provider, which lists the IAS tenants that contain the same CRM ID reference as your BTP account.

Once the trust has been established, you can configure the entry to enable or disable the service, make the IdP available for user login, and allow shadow users to be created.

Commonly, you would disable the default identity provider, SAP ID service, for this subaccount. Otherwise, users will be prompted to select the IdP before each new connection.

SAP Identity Authentication Service

The SAP BTP subaccount will be referenced as a Bundled Application under Applications. The required parameters under the Trust tab have already been set up. Conditional authentication and the other settings under the Authentication and Access and Branding and Layout tabs can be configured.

These settings are documented in the Operation Guide (see References below).


Assignments and Entitlements

Service Assignments

Cloud Identity Services is automatically assigned to your global account. To verify this, navigate to your global account (root level), expand Entitlements in the menu and select Service Assignments.

Entity Assignments

As global administrator, to assign Cloud Identity Services to a subaccount, select Entity Assignments, Configure Entitlements, Add Service Plan, and select the application plan.

As subaccount administrator, the same operation can be performed (when authorised) from the Entitlements menu.

Service Marketplace

When entitled and assigned, Cloud Identity Services will be listed in the Service Marketplace. Using the ellipsis (…) menu, you can create a service instance.

Alternatively, select the tile and create the service instance from the blade using the Create button or the Create link at plan level.

Create Service

To create a service instance, the generic wizard is presented:

  • Step 1 – Basic Info of the Create Service dialog prompts us to provide a name for the service instance. The other parameters are pre-populated from the context.
  • Step 2 – Parameters enables us to provide additional information in JSON format, but for this service none are documented.
  • Step 3 – Review serves to confirm the selection and create the instance.

Once created, we can create service keys, bind applications, and configure the service as with any other BTP service instance.

The service instance is registered under charged applications using the same service instance name as reference.


Tricky Bits

Unable to Fetch

When your SAP ID Service user account does not have the same customer ID for SAP BTP and SAP IAS, the single-click trust will fail with the message: Unable to fetch available IAS tenants.

Contact SAP Support to have both services registered correctly.

A Zone is Required

When attempting to create a service instance of Cloud Identity Services before the trust is established, an error is returned with the message: Failed to create the service instance; a zone is required to use this service. The documentation reference points to the SAP BTP Guide where the Establish Trust procedure is documented (establishing the trust implicitly creates the required zone).

[Screenshot: error message for the Cloud Foundry environment.]

[Screenshot: error message for the Other environment.]


References

SAP HANA Academy YouTube Playlist and Code Repository

To bookmark the playlist on YouTube, go to

SAP Discovery Center

For information about SAP Cloud Identity Services, visit the entry in the service catalog of the SAP Discovery Center. There you will also find links to the documentation, tutorials, and the SAP Community topic area.

Documentation

How to establish trust and create service instances is documented in the SAP BTP Guide.

How to configure SAP Cloud Identity Services – Identity Authentication is documented separately on the SAP Help Portal.


Share and Connect

If you would like to receive updates, connect with me on

7 Comments

Jedd Go

Hi Denys,

Thanks for the tutorial. Your blogs have been so informative; they have been my go-to learning sessions for BTP 🙂

Just had a question for the Cloud Identity service. I understand IAS and its purpose. How and where does the Identity Provisioning Service (IPS) come into play if the customer has their own IdP?

What does our IPS do at this point? Also, do we have to use both services in order to use IAS?

Maybe another blog :-). Thanks Denys

Denys van Kempen (Blog Post Author)

Good question and indeed a great topic for another blog! Thanks.

In brief, when using an identity provider (e.g. Azure AD) as the user store, the service provider (SaaS application) still needs to keep a shadow user store (e.g. to assign roles and privileges).

There are scenarios where we need to batch load the users to the service provider. This is something we can do with the Identity Provisioning Service. See the docs for the details. 😉

Andreas Oesterle

Thanks Denys for the post!

Do you know if it is possible to send IAS group assignments to the application instead of Azure AD group assignments? Is it possible for IAS to use Azure AD for user authentication and SAP IAS for permission assignment in BTP? In this case SAP IAS has to map the Azure AD user to the local IAS user and send the group assignment to the application.

Thanks in advance!

Andreas

Denys van Kempen (Blog Post Author)

Hi Andreas,

Good question; would you mind posting this as a question on the forum (answers.sap.com)? This makes it easier to link in the experts, and also allows for knowledge sharing.

Thx

Andreas Oesterle

Thanks for the quick answer. I did it: Using SAP IAS groups to authorize users in a corporate IdP scenario | SAP Community

Liga Ozolina

Hi Denys,

I've been trying to establish trust in a Kyma-enabled subaccount with an IAS tenant that has already been used in a CF-enabled subaccount in the same global account, but I don't see the IAS tenant in the identity provider drop-down list which is shown after clicking on the Establish Trust button. In the linked documentation I found this requirement:

The Identity Authentication tenant must be associated with the same customer ID as the relevant global account of SAP BTP.

How do I check the customer ID? I expected that I can reuse this IAS tenant in my Kyma subaccount as it seems to have worked in the CF subaccount, or is there a limitation? 1 IAS tenant can be used in 1 subaccount?

Thanks,

Liga

Denys van Kempen (Blog Post Author)

Hi Liga,

For this to work, your BTP and IAS tenants need to have the same CRM identifier. As an SAP employee, this might have been set up differently. As this concerns an internal issue with no relevance to the community, would you mind sending me a message (e-mail)?