SAP BTP Custom Trust Configuration – Role Collection Mapping
(Example images are taken from a trial account)
Managing BTP Role Collection via SAP Cloud Identity Service
In this blog I will explain how SAP BTP role collections can be managed through SAP Cloud Identity Services. Multiple services and applications can be deployed on SAP BTP and administered from the BTP Cockpit, and each of these services may have its own role collections. Most of the time, these services are deployed in different subaccounts. We can manage users and roles individually for every subaccount; however, by establishing a trust between the identity service and the BTP subaccounts, we can manage all users and roles from one identity service. In this blog, we will create a role collection mapping so that BTP role collections are managed via SAP Cloud Identity Services. As a result, we will be able to manage different role collections from a single identity provider.
If you have an identity provider, you can configure it as a custom provider for a BTP subaccount. It can be used as the source of users and role collections. There are some prerequisites for creating role collection mappings.
- You have the Subaccount Administrator role in the subaccount that will trust SAP Cloud Identity Services.
- You have an SAP Cloud Identity Services tenant; it can be subscribed in a different subaccount, but it must be in the same global account and region.
Here is the SAP Help document for configuring trust between your subaccount and the SAP IAS tenant:
NOTE: To use role collection mapping, users must authenticate to your application through the custom identity provider.
1. BTP Role Collections
Before creating a role collection mapping, you must ensure that the role collection you want to map exists under “Role Collections” in your subaccount. Navigate to <Your Subaccount> -> Security -> Role Collections
You can use the default role collections that are defined for the standard BTP applications. You can also create a new custom role collection by clicking the Create button at the top right.
In this example, I created a new custom role collection called “My_Custom_Role”.
2. SAP Cloud Identity Services
Before configuring the role collection mapping, we must ensure that the necessary attributes are sent to the application. In the SAP Cloud Identity Service, navigate to Application & Resources -> <Your Application> -> Single Sign-On -> Assertion Attributes
In the assertion attributes, you must have a Groups attribute. This is the attribute we will send to the application to carry the BTP role.
Then create a group for the BTP role collection that we will be mapping. Navigate to Users & Authorizations -> Groups. Create a new group (or use an existing one) and add the members who should receive this BTP role.
3. BTP Role Collection Mapping
Now we are ready to create the role collection mapping. Go to your BTP subaccount, navigate to <Your Subaccount> -> Security -> Trust Configuration, and click the custom identity provider that you established at the beginning.
Click New Role Collection Mapping and choose your BTP role collection (1); you can also choose your BTP custom role collection. For “Attribute”, enter the name you defined in IAS as the Groups attribute (2); in this case, we can leave it as “Groups”. In the “Value” field, enter the name of the IAS group that corresponds to your BTP role collection (3). Then save it.
You can see your mapping under Role Collections.
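To make the mapping rule concrete, here is an added example (not part of the original blog or of SAP's own code) that models how the assertion attribute sent by IAS is matched against role collection mappings. The mapping entries, the IAS group names and the three sample logins are constructed for illustration; the model compares the mapping value against the attribute values as an exact string match.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RoleCollectionMapping:
    """One entry from Trust Configuration -> New Role Collection Mapping."""
    role_collection: str  # BTP role collection, e.g. the custom "My_Custom_Role"
    attribute: str        # assertion attribute name, "Groups" in this blog
    value: str            # IAS group name that should grant the role collection


# Constructed mappings (illustrative names, not from a real tenant).
MAPPINGS = [
    RoleCollectionMapping("My_Custom_Role", "Groups", "BTP_My_Custom_Role"),
    RoleCollectionMapping("Subaccount Viewer", "Groups", "BTP_Viewers"),
    RoleCollectionMapping("Subaccount Administrator", "Groups", "BTP_Admins"),
]

# Constructed assertions: the attributes IAS would send for three different users.
ASSERTIONS = {
    "alice": {"Groups": ["BTP_My_Custom_Role", "BTP_Viewers"]},
    "bob": {"Groups": ["btp_admins"]},  # group name differs in case: no match
    "carol": {},                        # Groups attribute not configured in IAS
}


def effective_role_collections(assertion_attributes: dict[str, list[str]],
                               mappings: list[RoleCollectionMapping]) -> set[str]:
    """Role collections granted for one login.

    A mapping applies only when its attribute is present in the assertion and
    one of the attribute's values equals the mapping value exactly.
    """
    granted = set()
    for mapping in mappings:
        if mapping.value in assertion_attributes.get(mapping.attribute, []):
            granted.add(mapping.role_collection)
    return granted


def unmapped_groups(assertion_attributes: dict[str, list[str]],
                    mappings: list[RoleCollectionMapping]) -> set[str]:
    """Groups that were sent but grant nothing; worth reviewing so the Groups
    attribute only carries what BTP actually needs (least privilege)."""
    mapped_values = {m.value for m in mappings if m.attribute == "Groups"}
    return set(assertion_attributes.get("Groups", [])) - mapped_values


if __name__ == "__main__":
    for user, attrs in ASSERTIONS.items():
        print(user, sorted(effective_role_collections(attrs, MAPPINGS)))
```

Running it shows that only groups whose names match a mapping value grant a role collection, and that a user with no Groups attribute receives nothing, which is the usual first thing to check when a mapped role does not appear after login.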
In the end:
- You can manage this role collection in SAP Identity Authentication Service by managing the members of the corresponding group.
- In the BTP subaccount, you cannot see the user’s roles assigned by IAS. These roles are assigned to users when they authenticate to your application via SAP IAS.
Please be aware that your IAS user must also exist in your SAP BTP subaccount. You can read more about creating users on BTP here:
I hope this blog helps you manage your BTP roles from your identity provider!
Thank you so much for reading my first blog!