SAP Cloud Identity Access Governance (IAG) integration with SAP BTP Subaccount
In this blog I will go through the steps to integrate IAG with an SAP BTP subaccount (Cloud Foundry). This blog is not applicable to the Neo environment.
The SAP Cloud Identity Access Governance solution offers multiple core services that help streamline identity and access management. You can use individual services independently or combine them with others. With this product, you can also integrate cloud applications that belong to SAP and its partners. In addition, customers whose primary system is SAP Access Control 12.0 can use the Cloud Bridge scenario to access the same services or applications in the cloud environment. This is a multi-tenant product built on top of SAP Business Technology Platform (SAP BTP).
SAP Cloud Identity Access Governance is available as a cloud bundle solution. It includes two other services – Identity Provisioning and Identity Authentication that are essential for successfully configuring the product.
Prerequisite: you should be an IAG administrator or an SAP BTP administrator, or have working knowledge of SAP BTP, to perform this setup.
Make sure you have completed the initial setup for IAG (IAS and IPS enablement) before following the steps below.
There are four overall steps to enable integration between SAP Business Technology Platform (SAP BTP) and the SAP Cloud Identity Access Governance solution and its services:
- Connect Identity Provisioning with IAG
- Create a proxy system for Cloud Foundry in the IPS
- Create an instance for Cloud Foundry in the IAG
- Run the Repository Sync job to sync user data and provision access requests
1. Connect Identity Provisioning with IAG
The following step applies if an Identity Provisioning bundle tenant was created or updated on the SAP Cloud Identity (SCI) platform for use with SAP Cloud Identity Access Governance.
The URL for Identity Provisioning is as follows:
- Log in to the IAS and go to User & Authorizations > Administrators > Add System User, and grant the system user the Access Proxy System API permission. Note down the Client ID and Secret (once the secret is generated, you cannot retrieve or change it).
- Log in to the IAG BTP subaccount and create a destination with the name IPS_PROXY as shown in the table below.
- Enter the properties listed in the table below for the destination. All properties must be entered; some must be added as Additional Properties. Copy the property names exactly as displayed, since property names and values are case sensitive.
- Check the Use default JDK truststore checkbox.
- Save your entries. You can test the destination in the BTP Cockpit; however, because the URL does not point to a valid Identity Provisioning API endpoint, the check shows a green status but returns HTTP 301 or similar.
| Property | Value |
|---|---|
| URL | https://<<YOUR_IPS_URL_BUT_WITHOUT_THE__ips>> (for example: https://UNIQUEID.accounts.ondemand.com) |
| Password | <<SECRET_FROM_STEP 1_ABOVE>> |
2. Create a Proxy System for Cloud Foundry in the IPS
You need to create a proxy system so that Cloud Foundry can connect with the IAG subaccount. Before creating the proxy system, create a service key in the SAP BTP subaccount.
2.1) How to create a service key in the SAP BTP Subaccount?
Log in to the BTP subaccount and make sure your ID is listed under Org Managers of the subaccount.
Go to Spaces and click Create Space, then assign the Space Developer and Space Manager roles to yourself. If a space already exists, make sure you are assigned the Space Developer and Space Manager roles.
Go to Instances and Subscriptions > Instances > Create.
Choose the Service and Plan details as shown below and choose Create.
Once the instance has been created, open it and create the Service Key.
Note down the apiurl, url, Client ID, and Secret from the service key once it has been created.
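Before typing the noted values into the proxy system, it is worth confirming that the Client ID and Secret from the service key actually authenticate, since the cockpit's destination check (step 1) gives no such assurance. The following Python script is an added example and is not from this blog or from SAP. It assumes the service key is an SAP XSUAA service key (the service and plan are shown in the screenshot referenced above, which is not reproduced here) containing the fields apiurl, url, clientid and clientsecret, and that XSUAA issues tokens at <url>/oauth/token via the OAuth2 client-credentials grant. The embedded sample key is constructed; every host name and secret in it is a placeholder.

```python
"""Check an SAP BTP (XSUAA) service key before entering it into IPS.

Hypothetical helper, not part of the blog or of SAP's tooling: it parses the
service key JSON created in step 2.1, verifies the fields the blog says to
note down are present, and can perform a client-credentials token request
against the key's `url` so you know the Client ID / Secret pair works.
"""
import base64
import json
import urllib.parse
import urllib.request

# Assumption: XSUAA service-key field names.
REQUIRED_FIELDS = ("apiurl", "url", "clientid", "clientsecret")

# Constructed sample key for offline use; all values are placeholders.
SAMPLE_SERVICE_KEY = json.dumps({
    "apiurl": "https://api.authentication.eu10.hana.ondemand.com",
    "url": "https://mysubaccount.authentication.eu10.hana.ondemand.com",
    "clientid": "sb-example-client!b123|xsuaa!b456",
    "clientsecret": "PLACEHOLDER_SECRET_NOT_A_REAL_VALUE",
    "xsappname": "example-app!b123",
})


def load_service_key(text):
    """Parse the key and fail early if any field the blog needs is missing."""
    key = json.loads(text)
    missing = [f for f in REQUIRED_FIELDS if not key.get(f)]
    if missing:
        raise ValueError("service key is missing: " + ", ".join(missing))
    for f in ("apiurl", "url"):
        if not key[f].startswith("https://"):
            raise ValueError(f"{f} must be an https URL, got {key[f]!r}")
    return key


def mask_secret(secret, keep=4):
    """Show only the last few characters so the secret never lands in logs."""
    return "*" * max(len(secret) - keep, 0) + secret[-keep:]


def build_token_request(key):
    """Build (but do not send) the client-credentials request IPS will make.

    XSUAA's token endpoint is <url>/oauth/token; the client authenticates
    with HTTP Basic auth using clientid:clientsecret.
    """
    endpoint = key["url"].rstrip("/") + "/oauth/token"
    creds = f"{key['clientid']}:{key['clientsecret']}".encode()
    headers = {
        "Authorization": "Basic " + base64.b64encode(creds).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    return endpoint, headers, body


def fetch_token(key, timeout=10):
    """Perform the token request; returns the parsed JSON response on success."""
    endpoint, headers, body = build_token_request(key)
    req = urllib.request.Request(endpoint, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    import sys
    # Pass the downloaded service key file as the only argument to run a
    # live token request; without an argument only the sample key is parsed.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SERVICE_KEY
    key = load_service_key(text)
    print("Client ID :", key["clientid"])
    print("Secret    :", mask_secret(key["clientsecret"]))
    print("apiurl    :", key["apiurl"])
    print("url       :", key["url"])
    if len(sys.argv) > 1:
        token = fetch_token(key)
        print("token request OK, expires_in =", token.get("expires_in"))
```

Run it with the service key file you downloaded from the cockpit; a successful token response confirms the Client ID and Secret pair before you enter it as the proxy system's Password, and the masked printout lets you paste the output into a ticket without leaking the secret.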
2.2) Create a Proxy System
Open your Identity Provisioning launchpad.
Copy the external system ID and use it to set up the Cloud Foundry instance in the Systems app.
Add a proxy system for Cloud Foundry and choose Save. The Type should be SAP BTP XS Advanced UAA.

| Field | Value |
|---|---|
| Type | SAP HANA XS Advanced UAA Server |
| System Name | XSUAA |
| Destination Name | |
| Description | XSUAA test system |
Enter the properties as shown in the table below.

| Property | Value |
|---|---|
| Password | <<SECRET_FROM_STEP 2.1_ABOVE>> |
| xsuaa.origin | The origin key of your identity provider (see below) |

To find the origin key:
- Open your SAP BTP cockpit.
- Go to your Cloud Foundry global account and choose your subaccount.
- From the left-side navigation, choose Trust Configuration.
- Copy the Origin Key value and paste it as the property value.
3. Create an instance for Cloud Foundry in the IAG
Log in to the SAP Cloud Identity Access Governance launchpad and open the Application app.
- Create a system for Cloud Foundry. For System Type, select Cloud Foundry.
- Enter the external system ID from step 2.2 (Create a Proxy System) and save.
4. Run the Repository Sync job to sync user data and provision access requests
In the SAP Cloud Identity Access Governance launchpad, open the Job Scheduler app and schedule the following job:
- In the Job Category dropdown list, select Repository Sync to synchronize the relevant data from Cloud Foundry to the access request service.
- In the System Type dropdown list, select Cloud Foundry.
- In the System dropdown list, select the configured Cloud Foundry system.
These steps complete the integration of the SAP BTP subaccount (Cloud Foundry) with IAG. See the SAP Cloud Identity Access Governance documentation on help.sap.com for more detail on how to integrate an SAP BTP subaccount with IAG.
Thank you for this, as IAG could very well be in our future.
When/if IAG comes, there will likely be a demand to implement IAG capability across different subaccounts with CF capability.
I read this blog as a single subaccount.
How would we take this across multiple subaccounts? Is it different destinations on the BTP Subaccount side? Some more steps?
Yes, for different subaccounts, you need to create separate applications in IAG.
Then we will need to think about governance/naming standards.
Grateful for the good and quick answer.