Configure SSO of Business Application Studio with IAS in BTP Free Tier environment
Hi Everyone, I am an SAP Basis and BTP Administrator and help clients with their journey in getting onboarded to SAP BTP Platform. If you are from SAP Basis, UI5 / Fiori developer , BTP administrator Or just getting started with BTP journey, this blog post will be helpful for you in many aspects.
If you are new to BTP and trying to learn the basics , this blog post can help with learning an end to end scenario with full hand on – as everything used in this Blog is available in Free – tier.
In this blog post we will be talking about setting up Single Sign on between SAP BAS(Business Application Studio) and IAS(Identity authentication service) in BTP(Business technology Platform) Free Tier Environment.
Personal experience with many customers
There are many customers in SAP world who are just getting started with SAP BTP and don’t want to request SUSER ID for every developer they onboard on BTP. This blog will help them to manage users in IAS and onboard seamlessly.
How this helps ?
Platform administrators will be able to manage users inside IAS tenant. Developers (in case of BAS) or business users(in case of any custom application deployed) will be able to login to Application (BAS or any custom application) using their user which is managed in IAS tenant (not the SUSER ID). They don’t need SUSER-ID which is used mainly for access to SAP Websites, help portals , support portal etc.
Now lets get started …
You should have SAP BTP Free tier account setup for this activity. You can follow below tutorials(blogs) to setup your BTP Free tier account.
Blog post: https://blogs.sap.com/2021/08/09/sap-business-technology-platform-free-tier-trial-environment/
On learning.sap.com: https://learning.sap.com/learning-journey/discover-sap-business-technology-platform
Cloud Identity Services is available in Free Tier now and we will be using it to do a quick SSO setup. Now we can request free IAS/IPS tenants in Cloud Foundry environment. This was not possible few months back.
Now let’s see the steps which you need to follow to setup the environment.
We will be using 2 service – SAP Business application studio and Cloud identity service. Lets check if both are available in our subaccount.
Business Application Studio
Cloud Identity Service
In case you are not able to find the services , Click on Configure entitlements and Add it to your subaccount
Create Subscriptions to SAP BAS and Cloud Identity Service
Click On Instances and Subscription and click on Create- Select Business Application Studio in Services and Trial in Plan. Click on Create
Click On create again and select Cloud Identity Service and Default in Plan (Selecting Subscription creates a new free IAS tenant for you)
Once created, it creates your user as first Adminstrator and triggers and email to set the password to your registered email id(which you used to setup the BTP trial access).
Once you click on the link received in email, it will ask you to setup the password for your User
Setup SSO between BTP Subaccount and IAS
Click on Security > Trust Configuration and Click on Establish Trust
Select IAS tenant – which you requested in previous step ( It shows all the IAS tenant which are there in your landscape) and click on Next button
Select the default domain
Configure Parameters – You can update the description. Origin key is not editable in scenario when we establish trust with this procedure and it takes sap.custom by default.
SSO setup is successfully completed
Make sure below options are selected as Yes.- Shadow user creation, Available for User Logon
In IAS Applications > It created an Application for this Subaccount
Setting up a test user in IAS for our SSO testing
Click on Users and Authorisations > Add User
Make sure that email verified checkbox is enabled.
Create this User in SAP BTP Subaccount
Assign SAP BAS Developer role collection
We have completed all the steps required for this scenario.
How to Test whether its working as expected?
Access BAS URL > It brings to screen where it ask to choose Identity provider> Select IAS tenant
Enter IAS – test user credentials( which we created in our previous step)
We are able to authenticate and access BAS
Testing is successfully completed
In this blog you have learnt how to establish SSO for any application(in this case BAS) with IAS in SAP BTP Free tier environment. Kindly let me know your feedback in comment section.
Happy learning !
Frequently asked questions by Users
Question1: Can i request IAS in free tier or it requires cost?
Answer: SAP has recently made Cloud Identity service( IAS/IPS) available in Free-tier so you can request it without any cost.
Question 2: How will developers onboarding be performed after performing SSO with IAS
Answer: User creation , Password reset, Management of users will be performed in IAS. Role collection assignment will be done in BTP Subaccount.
Question 3: There are multiple options while requesting Cloud Identity service Instance in BTP . Which option should i select?
Answer: If you select Cloud Identity Service Subscription while requesting- it will request a New IAS tenant and will be sending an email to your email-ID set the password.