Kumar Amar

Cloud Integration: Enable SAP IAS (Identity Authentication Service) as Custom IdP for Basic Inbound Authentication in Cloud Foundry Environment

Introduction

In this blog, I describe how to set up SAP’s custom identity provider (IdP) to configure basic inbound authentication for sender systems that call integration flow endpoints, or for API clients that access the OData API.

When setting up trust relationships in the SAP BTP cockpit, the SAP ID service is used as the default identity provider in most cases. However, you have the option to define a custom IdP as your default IdP.

This procedure only works for SAP Identity Authentication Service.

Note: Basic authentication for integration flow endpoints or the Cloud Integration API only works if your IdP supports OpenID Connect and is registered as OpenID Connect in the trust configuration.

Caution: This authentication option can’t be used when operating Cloud Integration on Alibaba Cloud.

Prerequisites

  • You already have a Cloud Integration tenant provisioned in a Cloud Foundry subaccount, or you have enabled the Cloud Integration capability of SAP Integration Suite.
  • You have subaccount administrator permissions, or you are a security administrator.
  • You have access to an SAP Cloud Identity Services – Identity Authentication tenant that is used as the identity provider hosting your business users.
  • You have established trust between the Cloud Integration tenant and the SAP Cloud Identity Services – Identity Authentication tenant following https://blogs.sap.com/2021/06/24/how-to-set-up-a-custom-identity-provider/ .

Description

Create a service instance for the XS User Authentication and Authorization Service (XSUAA) under the apiaccess plan:

  1. From your subaccount, choose Instances & Subscriptions from the left pane and click Create. Specify the parameters as shown in the screenshot below.
  2. Specify your existing space and enter a meaningful name for your instance. Click Next.
  3. Enter the JSON below (copy-paste might show an error due to character encoding, so it is recommended to type the JSON manually) and click Next to review:
     {
       "roles": ["xs_idp.read", "xs_idp.write"]
     }
  4. Click Create to create the service instance for XSUAA under the apiaccess plan.
  5. Select the service instance and choose Create Service Key.
  6. Enter a name for the service key.
  7. Choose Create.
  8. Choose the newly created service key to display its details. Values from the service key are used in the subsequent calls.
  9. Use a REST client (for example, Postman) and request an access token by providing the details from the service key:
     URL:           https://<url from service key>/oauth/token?grant_type=client_credentials
     Authorization: Basic Auth
     User:          clientid
     Password:      clientsecret
  10. Use the access token value from the response body of the previous call for all subsequent calls in the following sections.

Create a custom OpenID Connect (OIDC) IdP for your XSUAA tenant:

  1. To establish a trust relationship between XSUAA and an IAS tenant, first list all IAS tenants available for your XSUAA tenant by calling the URL below using a REST client:
     Operation:     GET
     URL:           value from apiurl of the service key, suffixed with /sap/rest/identity-providers/ias
                    Example: https://api.authentication.sap.hana.ondemand.com/sap/rest/identity-providers/ias
     Authorization: Bearer Token
     Token:         value from the previous step
  2. As a result, you get your IAS tenant in JSON format:
     {
       "displayName": "<name of your IAS>",
       "host": "<IAS host>"
     }
  3. Choose the IAS tenant host from the returned list and use it in the body of a POST request to configure IAS as OpenID Connect:
     Operation:     POST
     URL:           value from apiurl of the service key, suffixed with /sap/rest/identity-providers/
                    Example: https://api.authentication.sap.hana.ondemand.com/sap/rest/identity-providers/
     Authorization: Bearer Token
     Token:         value from the previous step
     Header:        Content-Type with value application/json
     Body:
     {
       "type": "oidc1.0",
       "config": {
         "iasTenant": {
           "host": "<IAS host value from GET request>"
         }
       }
     }
  4. The response to the previous POST request should be 201 Created. With this, trust is established between the XSUAA of the subaccount and the IAS IdP as OpenID Connect (OIDC).
  5. The request above can additionally be verified in the cockpit. From your subaccount, choose Trust Configuration from the left pane. Your IAS tenant is now listed among the trusted IdPs:

Configure the custom IAS as default IdP:

  1. To configure the custom IAS as the default IdP for your subaccount, perform a PATCH request using a REST client:
     Operation:     PATCH
     URL:           value from apiurl of the service key, suffixed with /sap/rest/authorization/v2/securitySettings
                    Example: https://api.authentication.sap.hana.ondemand.com/sap/rest/authorization/v2/securitySettings
     Authorization: Bearer Token
     Token:         value from the previous step
     Header:        Content-Type with value application/json
     Body:
     {
       "defaultIdp": "sap.custom"
     }
  2. The PATCH request returns HTTP 200 OK and a response body containing:
     "defaultIdp": "sap.custom"
  3. Now SAP’s custom IdP (IAS) is active.

Once you have successfully completed the steps above, you can use your new IdP users and assign Cloud Integration roles or role collections to users registered on the IAS tenant. While assigning Cloud Integration roles, choose Custom IAS Tenant from the Identity Provider drop-down list. The usual concept of role mapping assignment applies as well.

Switching back to SAP ID Service:

  1. If you want to switch back to the SAP default identity provider (SAP ID service), repeat the PATCH request using a REST client with the information below:
     Operation:     PATCH
     URL:           value from apiurl of the service key, suffixed with /sap/rest/authorization/v2/securitySettings
                    Example: https://api.authentication.sap.hana.ondemand.com/sap/rest/authorization/v2/securitySettings
     Authorization: Bearer Token
     Token:         value from the previous step
     Header:        Content-Type with value application/json
     Body:
     {
       "defaultIdp": "sap.default"
     }
  2. The PATCH request returns HTTP 200 OK and a response body containing:
     "defaultIdp": "sap.default"
  3. Now the SAP ID service is active again.
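The whole sequence above (token request, GET of the IAS tenants, POST of the oidc1.0 IdP, PATCH of defaultIdp to sap.custom or back to sap.default) as one Python script using only the standard library. This is an added example, not code from the blog or from SAP; it assumes an XSUAA service key with the fields url, apiurl, clientid and clientsecret, and the hosts and credentials in SERVICE_KEY are constructed placeholders. The send parameter is an injectable transport so the calls can be replayed offline against a fake.

```python
import base64
import json
import urllib.request

SERVICE_KEY = {"url": "https://subaccount.authentication.sap.hana.ondemand.com",  # constructed
               "apiurl": "https://api.authentication.sap.hana.ondemand.com",       # constructed
               "clientid": "client", "clientsecret": "secret"}                     # constructed

def http(method, url, headers, body=None):
    """Default transport over urllib; returns (status, parsed JSON or None)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        return resp.status, json.loads(resp.read() or b"null")

def fetch_token(key, send=http):
    """Step 9: client_credentials grant, clientid:clientsecret sent as HTTP Basic."""
    cred = base64.b64encode(f"{key['clientid']}:{key['clientsecret']}".encode()).decode()
    status, body = send("POST", f"{key['url']}/oauth/token?grant_type=client_credentials",
                        {"Authorization": f"Basic {cred}"})
    if status != 200 or "access_token" not in (body or {}):
        raise RuntimeError(f"token request failed with HTTP {status}")
    return body["access_token"]

def register_ias_as_oidc(key, token, display_name, send=http):
    """GET the IAS tenants, pick exactly one by displayName, POST it as an oidc1.0 IdP."""
    auth = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    base = f"{key['apiurl']}/sap/rest/identity-providers/"
    status, tenants = send("GET", base + "ias", auth)
    if status != 200:
        raise RuntimeError(f"listing IAS tenants failed with HTTP {status}")
    tenants = tenants if isinstance(tenants, list) else [tenants]  # blog shows a single object
    hosts = [t["host"] for t in tenants if t.get("displayName") == display_name]
    if len(hosts) != 1:  # never trust an ambiguous or unknown tenant
        raise LookupError(f"expected one IAS tenant named {display_name!r}, found {hosts}")
    status, _ = send("POST", base, auth, {"type": "oidc1.0", "config": {"iasTenant": {"host": hosts[0]}}})
    if status != 201:
        raise RuntimeError(f"OIDC IdP creation failed with HTTP {status}")
    return hosts[0]

def set_default_idp(key, token, origin, send=http):
    """PATCH securitySettings: 'sap.custom' selects IAS, 'sap.default' the SAP ID service."""
    auth = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    status, body = send("PATCH", f"{key['apiurl']}/sap/rest/authorization/v2/securitySettings",
                        auth, {"defaultIdp": origin})
    if status != 200 or (body or {}).get("defaultIdp") != origin:
        raise RuntimeError(f"defaultIdp not applied: HTTP {status}, body {body}")
    return body["defaultIdp"]
```

Each function checks the HTTP status the blog says to expect (200, 201, 200) and that the PATCH response echoes the requested defaultIdp, so a silently ignored change is reported instead of assumed.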

9 Comments
      Iddo Rijsdijk

      I followed all steps to the letter, and every step was executed successfully. As a result, I can only still use the default SAP IDP for logon during runtime. Meaning that I still have to rely on S-users in my connected application for authentication.

      Is it even possible to change this?

      Kumar Amar (Blog Post Author)

      Hi Iddo

      Good to hear you could execute the needed steps successfully, but somehow you are still not able to use users from your SAP IAS, correct?

      Can you let me know what error you are getting? Plus, can you also try deactivating the SAP default ID and then retest using a user from IAS?


      Regards

      Amar

      Iddo Rijsdijk

      Hello Kumar,


      Here's my config, which is working fine for the development portal:

      The error message I get when testing the runtime with Postman is a typical 401 Unauthorized. This now happens with both the custom IDP and the SAP IDP. If the role were set incorrectly, I would have gotten a 403 error.

      Bojun Zhao

      Kumar Amar

      Thank you for your blog!

      This is very helpful.

      Do you know if we can configure SSO for BTP cockpit itself?

      It seems like IAS can integrate with the BTP cockpit in Neo based on this document.

      But I cannot find any information about Cloud Foundry (CF).

      It will be very helpful for us if you could provide any information about this.

      Thank you in advance,

      Bojun

      Brendan Farthing

      I am also keen to know this.

      I understand it should work on Feature Set A of BTP and soon work for Feature Set B.

      Bojun Zhao

      Brendan Farthing

      Thank you very much, this is very helpful!!

      Unfortunately, we are on Feature Set B.....

      Wish the enhancement comes as soon as possible.

      Bojun Zhao

      Brendan Farthing

      Do you know if we can configure SSO for SAP HANA Cockpit (CF)?

      Thank you in advance.

      Dinu PAVITHRAN

      Perhaps you are looking for this item on the roadmap.

      Customer ability to control users and their account access

      Dinu PAVITHRAN

      Dear Kumar Amar,

      Thanks for the detailed steps. This is good progress in automating account/tenant provisioning.

      I was not able to execute the last step "To deactivate SAP default ID service". The UI simply did not have the drop-down for making the SAP ID service inactive.

      But I was able to disable the link on user logon and the auto creation of shadow users. This should be sufficient, is it not? If so, I could do these by a PUT request on the IDP, so there is no need for using the cockpit at all.

      ###
      # Disable SAP ID
      PUT {{apiurl}}/sap/rest/identity-providers/{{ID of SAP ID Service IDP}}
      Authorization: oauth2 client_credentials xsuuaapi
      Content-Type: application/json
      {
        "type": "oidc1.0",
        "config": {
          "addShadowUserOnLogin": false,
          "linkText": "SAP ID Service",
          "showLinkText": false
        }
      }

      Regards,

      Dinu