SAP Cloud Identity Services – Identity Authentication
SAP Partner Innovation Lab and SAP HANA Academy have published a series of video tutorials on the topic of SAP Business Technology Platform security.
In this blog post you will find the videos embedded with references and additional information.
For the related blog post, see
Questions? Please post as comment.
Useful? Give us a like and share on social media.
Hands-On Video Tutorials
About the Service
As advertised, Identity Authentication service provides a controlled cloud-based access to business processes, applications, and data. It simplifies the user experience through authentication mechanisms, single sign-on, on-premise integration, and convenient self-service options.
Recently, Cloud Identity Services has been added as platform service for SAP Business Technology Platform (BTP) global accounts. This enables you to create a service instance of the service for subaccounts, registered as an application with your tenant of SAP Cloud Identity Services Identity Authentication.
SAP Cloud Identity Services Identity Authentication (IAS) enables single sign-on for SAP cloud business applications using delegated authentication from a corporate identity provider (IdP).
IAS provides a wide range of authentication capabilities using certificates, policies, branding, two-factor authentication (2FA), and more. For the full list, see
What You Learn
You can watch the video tutorial in about 7 minutes. What you learn is
- How to establish trust between your SAP BTP subaccount and your IAS tenant
- How to create a service instance of Cloud Identity Services in the BTP Cloud Foundry environment.
For this activity you need
- Administration privileges on your SAP BTP Customer/Partner account.
- Administration privileges on your SAP Cloud Identity Services Identity Authentication tenant
Note that the SAP BTP Trial environment is currently not supported.
Cloud Identity Services
In this video tutorial, we show how to establish the trust between a subaccount of SAP Business Technology Platform and a SAP Cloud Identity Services Identity Authentication service tenant, followed by the creation of a service instance of Cloud Identity Services.
This enables us to register a service instance as application.
0:00 – Introduction
1:15 – Documentation
3:15 – Establish trust
5:10 – Applications in SAP Cloud Identity Services Identity Authentication
6:00 – Create new service instance for Cloud Identity Service
7:15 – Applications in SAP Cloud Identity Services Identity Authentication
First step in the procedure is to establish an OpenDI Connect (OIDC) trust between the SAP BTP subaccount and your IAS tenant.
At the subaccount level, navigate to Security, Trust Configuration and select the Establish Trust button. You will be prompted to select the identity provider, which lists the IAS tenants that contain the same CRM ID reference as your BTP account.
Once the trust has been established, you can configure the entry to enable/disable the service, make the IdP available for user login, and allow shadow users to be created.
Commonly, you would disable the default identity provider, SAP ID service, for this subaccount. Otherwise users will be prompted to select the IdP before each new connection.
SAP Identity Authentication Service
The SAP BTP subaccount will be referenced as Bundled Application under Applications. The required parameters under the Trust tab have been set up. Conditional authentication, and other settings under the Authentication and Access, and Branding and Layout tabs can be configured.
These settings are documented in the Operation Guide (see References below).
Assignments and Entitlements
Cloud Identity Services is automatically assigned to your global account. To verify this navigate to your global account (root level), expand Entitlements in the menu and select Service Assignments.
As global administrator, to assign Cloud Identity Services to a subaccount, select Entity Assignments, Configure Entitlements, Add Service Plan, and select the application plan.
As subaccount administration, the same operation can be performed (when authorised) from the Entitlements menu.
When entitled and assigned, the Cloud Identity Service will be listed in the Service Marketplace. Using the ellipses (…) menu, you can create a service instance.
Alternatively, select the tile and create the service instance from the blade using the Create button or the Create link at plan level.
To create a service instance, the generic wizard is presented
- Step 1 Basic Info of the Create Service dialog prompts us to provide a name for service instance. The other parameters are pre-popluated from the context.
- Step 2- Parameters, enables us to provide additional information in JSON format but for this service none are documented.
- Step 3 – Review serves to confirm the selection and create the instance.
When created, we can create service keys, bind applications, and configure the service as any other BTP service instance.
The service instance is registered under charged applications using the same service instance name as reference.
Unable to Fetch
When your SAP ID Service user account does not have the same customer ID for SAP BTP and SAP IAS, the single-click trust will fail with message: Unable to fetch available IAS tenants.
Contact SAP Support to have both services registered correctly.
A Zone is Required
When attempting to create a service instance of Cloud Identity Service before the trust is established an error message is returned with message: Failed to create the service instance, and a zone is required to use this service. The documentation reference points to the SAP BTP Guide where the Establish Trust procedure is documented (which implicitly creates the required zone).
Error message for Cloud Foundry environment.
Error message for Other environment.
SAP HANA Academy YouTube Playlist and Code Repository
To bookmark the playlist on YouTube, go to
SAP Discovery Center
For information about SAP Cloud Identity Service, visit the entry in the service catalog of the SAP Discovery Center. Here you also find links to the documentation, tutorials, and the SAP Community topic area
How to establish trust and create service instances is documented in the SAP BTP Guide.
How to configure SAP Cloud Identity Services – Identity Authentication is documented separately on the SAP Help Portal
Share and Connect
Questions? Post as comment.
Useful? Give us a like and share on social media. Thanks!
If you would like to receive updates, connect with me on