Migrate trust configuration from SAML to OIDC in BTP subaccount
This is Anita Gupta; I currently work at EY as an SAP Basis and BTP administrator.
In this blog post, we will look at a feature that SAP has just released in BTP Security which reduces the manual effort of a trust migration immensely.
This blog post will guide you through migrating a trust configuration from SAML to OIDC.
Why do we want to do this, and how is it helpful?
Certain functionalities (for example, some automated processes defined by SAP) only work with OIDC. For example, with an OIDC trust between the subaccount and IAS, developers can bind their applications to specific Cloud Identity Services instances; each binding creates another IAS application (OIDC), which gives developers control over authentication at the level of every application they bind.
Now, if we set up the trust with the IAS tenant using the SAML protocol and have been using it for a while, there will be multiple users created against this identity provider, and switching to OIDC requires the following steps:
- Export the list of users along with the details of their role collections.
- Clean up the users created against this identity provider.
- Delete the trust configuration.
- Establish the trust configuration again using the "Establish Trust" button.
- Provision all the users again manually against the new identity provider.
All of these manual activities can be replaced by a small set of BTP CLI commands, which makes life a little simpler with respect to BTP Security.
In terms of time, it reduces weeks of manual work to a few minutes.
Before you get started, check the following prerequisites so that you don't get stuck midway:
- You need Security Administrator privileges in the subaccount in which you want to perform this migration.
- The BTP CLI must be downloaded and configured. This activity cannot be performed from the UI; the migration runs through CLI commands.
- In the SAP BTP cockpit, under Custom Identity Provider for Applications, there must be no trust configurations using the OpenID Connect protocol.
Let's see how it looks before we perform the migration.
Pre-Migration Trust Configuration Status
SAML trust configuration with origin key samltrust.
Users exist against this identity provider.
When logging in via SSO to IAS, we can see SAML traces and assertions in SAML Tracer.
Now let's get started.
Steps to perform migration
Open Command Prompt (on Windows) or a terminal (on Linux and macOS) and log in to BTP using the BTP CLI:
btp login --sso
It prompts you to open a browser to log in with your ID.
Click Yes.
List all subaccounts to find the ID of the subaccount you want to target:
btp list accounts/subaccount
Target the specific subaccount by running the following command:
btp target --subaccount 32295e80-db37-4a83-a3a9-645c42b805ea
Check the available identity providers:
btp list security/available-idp
Perform the migration from SAML to OIDC:
btp migrate security/trust samltrust --idp ajnnqsktl.trial-accounts.ondemand.com
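The steps above wrapped in a small shell script, as an added example that is not SAP's tooling and not from the original post: it validates the subaccount GUID, refuses to run if an oidc-migration-backup origin key already exists, saves the current trust configuration before migrating, and re-reads both origin keys afterwards. It assumes you have already run btp login --sso, that the subaccount GUID, SAML origin key, IAS host and backup directory are passed as arguments, and that btp get security/trust is available in your CLI version.

```shell
#!/bin/sh
# Added wrapper for the migration steps above; not SAP's own tooling.
# Assumes `btp login --sso` was already done and that `btp target`,
# `btp get security/trust` and `btp migrate security/trust` exist in the CLI.
set -eu

# Accept only a well-formed subaccount GUID, so a typo cannot target the
# wrong subaccount before anything is changed.
is_guid() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Save the current configuration of one trust (origin key $1) to a
# timestamped file under directory $2 and print the path: the record of the
# SAML settings (link text, shadow-user flags, ...) before migration.
backup_trust() {
    mkdir -p "$2"
    out="$2/trust-$1-$(date +%Y%m%dT%H%M%S).txt"
    btp get security/trust "$1" > "$out"
    printf '%s\n' "$out"
}

# $1 subaccount GUID, $2 SAML origin key, $3 IAS tenant host, $4 backup dir
migrate_saml_to_oidc() {
    is_guid "$1" || { echo "not a subaccount GUID: $1" >&2; return 2; }
    btp target --subaccount "$1" >/dev/null
    # The migration renames the old SAML trust to oidc-migration-backup;
    # if that origin key already resolves, a migration has already run here.
    if btp get security/trust oidc-migration-backup >/dev/null 2>&1; then
        echo "oidc-migration-backup already exists; refusing to run twice" >&2
        return 3
    fi
    backup="$(backup_trust "$2" "$4")"
    echo "pre-migration configuration saved to $backup"
    btp migrate security/trust "$2" --idp "$3"
    # Post-checks: the origin key still resolves (now OIDC) and the old
    # SAML configuration was kept under oidc-migration-backup.
    btp get security/trust "$2" >/dev/null
    btp get security/trust oidc-migration-backup >/dev/null
    echo "migration of $2 to OIDC against $3 completed"
}

# Run only when called with the four arguments; sourcing just defines the functions.
if [ "$#" -eq 4 ]; then
    migrate_saml_to_oidc "$@"
fi
```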
Let's see how it looks once the migration is performed.
Post-Migration Trust Configuration Status
The migration renames the origin key of the old SAML configuration to oidc-migration-backup and sets it inactive, then creates the OIDC trust configuration under the original origin key.
You can update details such as the link text for user logon by clicking the Change button.
When you log in via SSO to IAS, SAML Tracer no longer captures any traces (SAML assertions), and the OIDC traces are visible in the IAS troubleshooting logs.
In this blog post we learned how to migrate a SAML trust configuration to OIDC using the BTP CLI.
Frequently asked questions
Question 1: We cannot see any option to perform the migration from SAML to OIDC in the BTP subaccount.
Answer: SAP released this functionality in Q2 2023, and as of now it can only be performed using the BTP CLI. Please refer to the SAP standard documentation for more information.
Question 2: Can I perform it in SAP BTP Feature Set A?
Answer: The BTP CLI is not available in Feature Set A; these steps apply only to Feature Set B.
Question 3: Which kind of users does this activity apply to: platform users or business users?
Answer: Since we are establishing (or changing) trust inside a subaccount, this applies only to business users who access that subaccount or the applications inside it.