Juergen Adolf

Secure management and authentication of SAP BTP account members with custom identity providers

Discover the latest functionality delivered in Q2 2023 for SAP Business Technology Platform (SAP BTP) users. This update lets you use multiple custom identity providers within your global account, so that user administration can be independent of SAP ID Service. Let's delve into the benefits and improvements that come with this update.

As announced in the Roadmap Items:

We now offer enhanced user administration and usability:

  1. Dedicated Login URLs: Now, you can provide dedicated login URLs for SAP BTP cockpit to different user groups, allowing them to access specific Identity Authentication tenants tailored to their needs. This ensures a seamless and personalized user experience.
  2. Fallback Tenant with customer-managed administrators: With the option to add up to three Identity Authentication tenants, you can now have a fallback solution in place, equipped with customer-managed administrators. This adds an extra layer of flexibility and resilience to your user management process. For more information, see Bringing Your Corporate Identity Provider for Platform Users Feature Set B.
  3. Improved Usability: By leveraging custom domains of the Identity Authentication tenants, platform users in SAP BTP can log in using a custom domain. This offers a streamlined experience, where users consistently see the same Identity Authentication URL and benefit from single sign-on (SSO) once their session is established.
  4. Improved federation approach: We now offer federation support for account management, allowing for the dynamic assignment of platform authorizations based on user attributes such as groups. With this enhancement, you can manage administrators in your platform identity provider, streamlining the authorization process. For detailed instructions on how to map role collections in the subaccount, refer to the documentation about mapping role collections in the subaccount.

Make use of the enhanced user administration and usability with the latest functionality delivered in Q2 2023 for SAP Business Technology Platform (SAP BTP). Unlock the potential of multiple custom identity providers, dedicated login URLs, custom domains, and improved federation support. With these advancements you can streamline your user management process, provide a personalized user experience, and strengthen security measures.

      Wallace Henry

      Think I found this/have it working: Establish Trust and Federation of Custom Identity Providers for Platform Users [Feature Set B] | SAP Help Portal


      Thanks for this blog!

      We would like to have IAS active at the global account level on the global account that holds the BTP Services/CPEA setup.

      This blog makes me think it's possible.

      However, after establishing trust to the IAS custom IDP, on logon it is only bringing a SAP/universal id logon screen.

      In the subaccounts a choice is provided which IDP to use.

      Can you help guide/suggest items here?  Is IAS/custom IDP even possible at the global account (top) level?

      Best Regards, Wallace

      Heiko Ettelbrueck

      Hi Wallace,

      You need a slightly different cockpit link, which specifies which IdP you want to use (because we can hardly provide the list of all customers' IdPs upon logon 😉 ). Find it on global account and (multi-environment) subaccount level under Security > Trust Configuration, link "Open".

      Kind regards


      Wallace Henry

      Thanks Heiko,

      I had searched, found the answer and approach. It's multiple items... custom IDP and then the link from the trust setting.
      As this seems relatively new, at least allowing global account/platform users to custom IDP, and then downstream to subaccounts, this will be an org change/implementation approach for us and I'm working on that internally. If I've managed to confuse you and you want a quick call/screenshare, reply back here and we can take a Teams call... assuming your SAP identity follows what others seem to follow.

      Best Regards, Wallace

      Heiko Ettelbrueck

      You're welcome, and all fine. btw, the option to use a custom IdP for platform users was introduced roughly a year ago, and it "just" got some major updates now. Take your time to adopt - it's clear this is a fundamental change for an organization to switch all members from one IdP to another one, and make sure everybody is aware and can handle it.