In this blog, I describe how to set up SAP's custom identity provider (IdP) to configure basic inbound authentication for sender systems that call integration flow endpoints, or for API clients that access the OData API.
When setting up trust relationships in the SAP BTP cockpit, SAP ID service is used as the default identity provider in most cases. However, you have the option to define a custom IdP as your default IdP.
This procedure only works for SAP Identity Authentication Service (IAS).
Create a service instance for XS user authentication and authorization service (XSUAA) under the apiaccess plan:
Enter a name for the service key.
Choose Create.
Choose the newly created service key to display its details. Values from the service key are used in the subsequent calls.
Use a REST client (for example, Postman) and request an access token by providing details from the service key:

| Field | Value |
|---|---|
| URL | https://<url from service key>/oauth/token?grant_type=client_credentials |
| Authorization | Basic Auth |
| User | clientid |
| Password | clientsecret |
Use the access token value from the response body of previous call for all subsequent calls in the following sections.
Create a custom OpenID Connect (OIDC) IdP for your XSUAA tenant. First, read the IAS tenant that is bound to the subaccount; its host is needed for the create call that follows:

| Field | Value |
|---|---|
| Operation | GET |
| URL | Value from apiurl of the service key suffixed with /sap/rest/identity-providers/ias. Example: https://api.authentication.sap.hana.ondemand.com/sap/rest/identity-providers/ias |
| Authorization | Bearer Token |
| Token | Value from previous step |

Then create the OIDC IdP using the IAS host returned by the GET request:

| Field | Value |
|---|---|
| Operation | POST |
| URL | Value from apiurl of the service key suffixed with /sap/rest/identity-providers/. Example: https://api.authentication.sap.hana.ondemand.com/sap/rest/identity-providers/ |
| Authorization | Bearer Token |
| Token | Value from previous step |
| Header | Content-Type with value application/json |
| Body | { "type":"oidc1.0", "config":{ "iasTenant":{ "host":"<IAS host value from GET request>" } } } |
Configure the custom IAS tenant as the default IdP:

| Field | Value |
|---|---|
| Operation | PATCH |
| URL | Value from apiurl of the service key suffixed with /sap/rest/authorization/v2/securitySettings. Example: https://api.authentication.sap.hana.ondemand.com/sap/rest/authorization/v2/securitySettings |
| Authorization | Bearer Token |
| Token | Value from previous step |
| Header | Content-Type with value application/json |
| Body | { "defaultIdp": "sap.custom" } |
Once you have completed the steps above, you can use the users of your new IdP and assign Cloud Integration roles or role collections to users registered on the IAS tenant. While assigning Cloud Integration roles, choose Custom IAS Tenant from the Identity Provider drop-down list. Role mapping assignment also works as usual.
To switch back to SAP ID service as the default IdP, patch the security settings to sap.default:

| Field | Value |
|---|---|
| Operation | PATCH |
| URL | Value from apiurl of the service key suffixed with /sap/rest/authorization/v2/securitySettings. Example: https://api.authentication.sap.hana.ondemand.com/sap/rest/authorization/v2/securitySettings |
| Authorization | Bearer Token |
| Token | Value from previous step |
| Header | Content-Type with value application/json |
| Body | { "defaultIdp": "sap.default" } |
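The whole call sequence above (token request, GET of the IAS tenant, POST of the OIDC IdP, PATCH of the default IdP, and the revert) as a script using only the Python standard library. This is an added example and not code from the original post or from SAP. It assumes the service key JSON carries the fields url, apiurl, clientid and clientsecret named in the post, that the token endpoint is called with POST, and that the GET response contains the IAS tenant host under a "host" key (an assumption; the post does not show the response shape). Each request is built by a function that returns it without sending, so the URLs, headers and bodies can be inspected offline before anything touches the tenant; the client secret and the bearer token, which grant administrative access to the subaccount's XSUAA, are never printed.

```python
"""Added example: drive the XSUAA identity-provider REST calls with urllib only.

Assumptions (not from the original post): service key fields url, apiurl,
clientid, clientsecret; POST to the token endpoint; GET response carries
the IAS host under a "host" key.
"""
import base64
import json
import sys
import urllib.error
import urllib.request


def basic_auth_header(clientid: str, clientsecret: str) -> str:
    # RFC 7617 Basic credentials: base64("clientid:clientsecret").
    raw = f"{clientid}:{clientsecret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def token_request(key: dict) -> urllib.request.Request:
    # Client-credentials grant against the service key's url (POST assumed).
    req = urllib.request.Request(
        f"{key['url']}/oauth/token?grant_type=client_credentials", data=b"", method="POST")
    req.add_header("Authorization", basic_auth_header(key["clientid"], key["clientsecret"]))
    return req


def _api_request(key: dict, token: str, path: str, method: str = "GET", body=None):
    # Bearer-authenticated call to apiurl + path; JSON body only when one is given.
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(key["apiurl"] + path, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    if body is not None:
        req.add_header("Content-Type", "application/json")
    return req


def get_ias_request(key: dict, token: str):
    return _api_request(key, token, "/sap/rest/identity-providers/ias")


def create_oidc_idp_request(key: dict, token: str, ias_host: str):
    body = {"type": "oidc1.0", "config": {"iasTenant": {"host": ias_host}}}
    return _api_request(key, token, "/sap/rest/identity-providers/", "POST", body)


def set_default_idp_request(key: dict, token: str, idp: str = "sap.custom"):
    # "sap.custom" activates the IAS tenant; "sap.default" reverts to SAP ID service.
    return _api_request(key, token, "/sap/rest/authorization/v2/securitySettings",
                        "PATCH", {"defaultIdp": idp})


def find_host(obj):
    # Assumption: the GET response holds the IAS host under a "host" key,
    # possibly nested (mirrors the iasTenant.host field of the POST body).
    if isinstance(obj, dict):
        if isinstance(obj.get("host"), str):
            return obj["host"]
        for value in obj.values():
            found = find_host(value)
            if found:
                return found
    elif isinstance(obj, list):
        for value in obj:
            found = find_host(value)
            if found:
                return found
    return None


def send(req: urllib.request.Request):
    # Execute one request; surface HTTP errors with status but without the token.
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            raw = resp.read()
    except urllib.error.HTTPError as err:
        raise SystemExit(f"{req.get_method()} {req.full_url} failed with HTTP {err.code}")
    return json.loads(raw) if raw else {}


def configure(key: dict, revert: bool = False):
    # Never log the token or secret: they are admin credentials for the XSUAA tenant.
    token = send(token_request(key))["access_token"]
    if revert:
        return send(set_default_idp_request(key, token, "sap.default"))
    ias_host = find_host(send(get_ias_request(key, token)))
    if not ias_host:
        raise SystemExit("IAS host not found in GET response; is an IAS tenant bound?")
    send(create_oidc_idp_request(key, token, ias_host))
    return send(set_default_idp_request(key, token, "sap.custom"))


if __name__ == "__main__":
    # Usage: python configure_idp.py <service-key.json> [--revert]
    with open(sys.argv[1]) as f:
        service_key = json.load(f)
    print(json.dumps(configure(service_key, revert="--revert" in sys.argv[2:]), indent=2))
```

Keep the service key file out of version control and readable only by the operator account that runs the script; the same key also serves any later revert.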