Skip to Content
Product Information
Author's profile photo Zhen Xu

How to Set Up a Custom Identity Provider

This blog post describes how to set up a custom identity provider service as an alternative to the SAP ID service, which is the default identity provider (that is, the Identity Authentication tenant) of SAP BTP. A custom identity provider service can make the logon process as easy as possible for users who want to use SAP Self-Billing Cockpit.

Prerequisites

  • You have registered your own Identity Authentication tenant with a subdomain in the format of <Your Identity Authentication tenant>.accounts.ondemand.com.
  • The Identity Authentication tenant must belong to the same cost center as your global account on SAP BTP.

Context

The SAP ID service serves as the default identity provider of SAP BTP. Trust of the SAP ID service in your subaccount is preconfigured by default, so you can start using it without further configuration. Optionally, you can add additional trust settings or set the default trust to inactive, for example, if you prefer to use another identity provider.

Note

When you use a custom identity service as an alternative to SAP ID, add the following texts to the end of each service path involved in the integration setup.

?login_hint=%7B%22origin%22%3A%22sap.custom%22%7D 

For example, for the service Credit/Debit Memo – Send Confirmation of Creation with Invoice Reference, the path is /api-password/selfbilling-confirmation-service/v1/api/CreditDebitMemoConfirmation_In if you use the SAP ID service, but the path is /api-password/selfbilling-confirmation-service/v1/api/CreditDebitMemoConfirmation_In?login_hint=%7B%22origin%22%3A%22sap.custom%22%7D if you use your own identity provider service.

Establishing Trust Automatically

If you want to use a custom identity provider instead of the SAP ID service, you must set up trust between your SAP BTP subaccount and the Identity Authentication service.

  1. Log on to the SAP BTP cockpit (Cloud Foundry environment) with your registered subaccount.
  2. From the navigation area, choose Security > Trust Configuration.
  3. Choose Establish Trust.
  4. In the pop-up that opens, select an identity provider from the drop-down list.
  5. Choose Establish Trust.
    Trust of type OpenID Connect between your subaccount and the identity provider is generated.
  1. Log on to the Identity Authentication service.
  2. From the navigation area, choose Applications & Resources > Applications.
  3. Search for the application that has been created as part of the trust setup.
    The name of the application has the format XSUAA_<Subaccount Name>, but you can change it if needed.
  1. Verify that the subject name identifier is set to E-Mail.

(Optional) Creating Identity Provider Users and Groups

This configuration is needed to simplify user authentication using the Identity Authentication service. With the creation of identity provider groups, you can also more easily map role collections to entire user groups instead of single users if needed.

Creating an Identity Provider Group

In the administration console of the Identity Authentication service, you can create an identity provider group when required.

  1. Log on to the tenant’s administration console for the Identity Authentication service at https://<tenant ID>.accounts.ondemand.com/admin as an administration user.
  2. In the navigation area, choose Users & Authorizations > User Groups.
  3. If there is no user group, choose + Add.
  4. Enter a name, for example, Billing_Clerk.
  5. Enter a display name and a description.
  6. Save your settings.
  7. Note down the group name for future use.

Creating Identity Provider Users

You can create identity provider users if you work with your own custom identity provider, such as the Identity Authentication service for SAP BTP.

  1. Log on to the tenant’s administration console for the Identity Authentication service at https://<your Identity Authentication tenant>.accounts.ondemand.com/admin as an administration user.
  2. In the navigation area, choose Users & Authorizations > User Management.
  3. Choose + Add User.
  4. Enter the name, e-mail address, and logon name of the user.
  5. Leave the user type set to Employee.
  6. Make sure that the account activation is set to Send activation e-mail.

    Note
    If you can’t use the entered e-mail address to activate the user, set Account Activation to Set initial password and enter an initial password.
  1. Save your settings.

Follow-Up Procedure

If user activation is not possible by using the entered e-mail address, do as follows:

  1. Choose the user you’ve created previously.
  2. Choose the edit icon (pencil) on the right of Personal Information.
  3. Choose E-Mail Verified.
  4. Save your settings.

Assigning an Identity Provider User Group to Identity Provider Users

You can assign an identity provider user group to the identity provider users that you have created.

  1. Log on to the tenant’s administration console for the Identity Authentication service at https://<your Identity Authentication tenant>.accounts.ondemand.com/admin as an administration user.
  2. In the navigation area, choose Users & Authorizations > User Management.
  3. Choose the identity provider user that you have created.
  4. Choose the User Groups
  5. Choose Assign Groups.
  6. Choose the identity provider group that you have created (for example, Billing_Clerk).
  7. Save your settings.

Mapping a Role Collection to an Identity Provider Group

You can assign a role collection to the user group in your custom identity provider.

  1. Log on to the SAP BTP cockpit (Cloud Foundry environment) as an administrator user.
  2. Go to your global account and then subaccount.
  3. From the navigation area, choose Security > Role Collections.
  4. Choose the Billing Clerk role collection.
  5. Go to the User Groups section and choose Edit.
  6. Choose the identity provider where the user group is stored.
  7. Enter the name of the user group that you created earlier, for example, Billing_Clerk.
  8. Save your settings.

Summary

You can set up a custom identity provider service as an alternative to the SAP ID service to simplify user authentication.

If you’re interested in similar topics, you can follow its tag and my profile.

Surely, you’re cordially invited to provide your feedback and insights in the comments section.

Additional Information

Blog Post Series for SAP Self-Billing Cockpit

 

 

Assigned Tags

      Be the first to leave a comment
      You must be Logged on to comment or reply to a post.