Juergen Adolf

Custom platform IdP support for feature set B released!

It has been a long journey. A highly requested and long-awaited feature was released on the 25th of July 2022: you can now use your custom SAP Identity Authentication service tenant to log in to your BTP management tools. That includes the BTP cockpit (including Neo), the BTP CLI, and the different clients for the Cloud Foundry environment. In the past this was only possible in feature set A, with a rather complicated setup. In feature set B, however, the setup process is as easy as the trust setup for an application identity provider in a subaccount, and you do it centrally for a whole global account; the rest happens behind the scenes. All customers on feature set B can now manage their BTP accounts in a way that meets their compliance requirements and is integrated into their corporate IAM processes: for instance, enforcement of multi-factor authentication, full control over password policies and user lifecycle, and the use of technical users for automation.

More information can be found in the release note.

A detailed procedure description on how to use a custom identity provider for the platform users of SAP BTP is already available on SAP Help Portal: Establish Trust and Federation of Custom Identity Providers for Platform Users [Feature Set B].


      3 Comments

      Diego Ismael Ibarra

      Hello Juergen,

      So glad to hear that this feature is now released.

      We've just set up the trust relationship according to the help.sap.com document. The procedure is in fact very straightforward.

      However, when we try to log in to our cockpit we see that we go through our Custom IDP MFA process correctly, but we are not able to get to the cockpit main screen. Instead of getting to the cockpit screen we receive the error:

      HTTP Status 500 - Internal Server Error.


      Do we have some way to trace this error?


      Kind regards

      Diego

      Luca Falavigna

      Hi Diego,

      please check whether you have the attribute "mail" defined in your SAML2 payload. If not, you have to instruct your IDP to send it.

      For instance, in Azure I needed to define "mail" to take its value from user.mail:

      (screenshot: Azure AD attribute claim mapping)


      Here are listed all assertion attributes which Identity Authentication Service expects: Configure the User Attributes Sent to the Application


      Hope it helps,

      Luca

      Heiko Ettelbrueck

      Actually, the user attributes needed for custom platform IdPs with the BTP cockpit are quite few, no need to check the generic IAS documentation linked above. What you need are:

      • mail
      • first_name
      • last_name

      (Specific documentation for this will follow.)

      These are the attribute names expected by BTP. Where you define them depends on your IAS configuration: if it's working as a proxy, without the internal user store being enabled (see screenshot below),

      you need to either define these names in the corporate IdP itself, or in IAS using "Enriched Assertion Attributes" (see next screenshot, sample with Azure AD connected using OpenID Connect):
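As an added example (not code from the blog post or from SAP), the following script checks a captured SAML response for the three attribute names Heiko lists above (mail, first_name, last_name), which is the first thing Luca's reply tells you to verify when the cockpit login ends in an HTTP 500 after the IdP round trip. The required-attribute list comes from the comments; the alias table that maps Azure AD's default claim URIs (emailaddress, givenname, surname) to the BTP names is my own heuristic and the two SAML responses are constructed fixtures, not real captures.

```python
import base64
import sys
import xml.etree.ElementTree as ET

# Standard SAML 2.0 namespaces.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Attribute names BTP expects from a custom platform IdP, as listed in Heiko's comment.
REQUIRED_ATTRIBUTES = ("mail", "first_name", "last_name")

# Heuristic alias table (my assumption, not a BTP/IAS rule): default names a corporate
# IdP tends to emit that must be renamed to the BTP names. Azure AD's default SAML claims
# are full URIs, so only the last path segment is matched, case-insensitively.
ALIASES = {
    "emailaddress": "mail", "email": "mail", "upn": "mail",
    "givenname": "first_name", "firstname": "first_name",
    "surname": "last_name", "lastname": "last_name", "familyname": "last_name",
}


def decode_saml_response(saml_response_b64):
    """Decode the Base64 SAMLResponse form field captured from the browser (e.g. SAML-tracer)."""
    return base64.b64decode(saml_response_b64).decode("utf-8")


def extract_attributes(response_xml):
    """Map attribute Name -> list of non-empty values over all AttributeStatements."""
    root = ET.fromstring(response_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(v for v in values if v)
    return attrs


def missing_required(attrs):
    """Required attributes that are absent or carry no non-empty value, in the order above."""
    return [name for name in REQUIRED_ATTRIBUTES if not attrs.get(name)]


def suggest_renames(attrs):
    """For each missing required attribute, point at a present attribute that is a known alias.
    Returns {present_name: required_name}; the rename has to be done in the IdP or in IAS."""
    missing = set(missing_required(attrs))
    suggestions = {}
    for present in attrs:
        target = ALIASES.get(present.rsplit("/", 1)[-1].lower())
        if target in missing and target not in suggestions.values():
            suggestions[present] = target
    return suggestions


def diagnose(response_xml):
    attrs = extract_attributes(response_xml)
    return {"present": sorted(attrs), "missing": missing_required(attrs), "rename": suggest_renames(attrs)}


# --- constructed fixtures (unsigned, minimal; a real response also carries Signature,
# Subject, Conditions and AuthnStatement) ---
def _response(attribute_xml):
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" '
        'IssueInstant="2022-07-26T08:00:00Z">'
        '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2022-07-26T08:00:00Z">'
        "<saml:Issuer>https://idp.example.com/</saml:Issuer>"
        "<saml:AttributeStatement>" + attribute_xml + "</saml:AttributeStatement>"
        "</saml:Assertion></samlp:Response>"
    )


def _attr(name, value):
    return f'<saml:Attribute Name="{name}"><saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>'


AZURE_CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# Fixture 1: attributes already named as BTP expects.
GOOD_RESPONSE = _response(
    _attr("mail", "jane.doe@example.com") + _attr("first_name", "Jane") + _attr("last_name", "Doe")
)

# Fixture 2: Azure AD default claim names left unrenamed, the situation Luca describes.
AZURE_DEFAULT_RESPONSE = _response(
    _attr(AZURE_CLAIMS + "emailaddress", "jane.doe@example.com")
    + _attr(AZURE_CLAIMS + "givenname", "Jane")
    + _attr(AZURE_CLAIMS + "surname", "Doe")
)

if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to a file holding the Base64 SAMLResponse value
        with open(sys.argv[1]) as fh:
            print(diagnose(decode_saml_response(fh.read().strip())))
    else:
        for label, xml_text in (("good", GOOD_RESPONSE), ("azure-defaults", AZURE_DEFAULT_RESPONSE)):
            print(label, diagnose(xml_text))
```

Run it against the SAMLResponse value copied from a browser SAML tracer after the IdP redirect; an empty "missing" list means the assertion at least carries the names from Heiko's list, while entries under "rename" show which claim to remap in the corporate IdP or via IAS enriched assertion attributes. The check is deliberately limited to attribute names and values; it does not validate the signature or any other part of the assertion.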