In the context of SAP Business Technology Platform (SAP BTP), an identity provider provides the user store.
It stores the users together with their access to certain subaccounts (such as for administration or development) and to certain business applications. When choosing an identity provider, SAP BTP offers a great deal of flexibility. The figure below shows the different options.
Supported Identity Providers
A distinction can be made between a platform identity provider and an application identity provider.
By default, the SAP ID service is used as the platform identity provider for SAP BTP, but the Identity Authentication service can also be used, as shown below. In the Identity Authentication service, users are authenticated via the customer’s own user store (corporate user store) without having to be created separately. A customer’s own identity provider is not permitted with this variant.
The platform identity provider is characterized by the following features:
- It provides the user base for accessing the subaccount.
- It is used in the SAP BTP cockpit, in various development tools, and in the command line.
- By default, the SAP ID service is used.
- Optionally, the Identity Authentication tenant and thus the Identity Authentication service can be used.
- Users managed in the platform identity provider are typically administration and development users.
The application identity provider is used to authenticate the users or consumers of an application running on SAP BTP. In addition to the SAP ID service and the Identity Authentication service, a customer-specific identity provider (called a custom identity provider) can also be used as an application identity provider, as shown in the next figure. The custom identity provider must be a Security Assertion Markup Language (SAML)-based identity provider, such as Microsoft Azure Active Directory (Microsoft Azure AD).
The application identity provider is characterized by the following properties:
- It provides the user base for accessing applications in a subaccount of SAP BTP.
- It is used for access to user interfaces (UIs), user tools, and application-to-application (A2A) communication.
- By default, the SAP ID service is used.
- Optionally, the Identity Authentication tenant or a third-party corporate identity provider can be used.
- Users managed with the application identity provider are typically end users.
Now, let’s take a closer look at the identity provider options:
SAP ID service
By default, SAP BTP is preconfigured with a trust relationship to the SAP ID service. Thus, the SAP ID service is used both as a platform identity provider and as an application identity provider. No further configuration is required from your side, except for the assignment of users to the subaccount. No additional costs are incurred for using the SAP ID service.
The SAP ID service manages the users of the official SAP sites, including the SAP developer and partner community. Users can be created either via a self-service capability or via SAP Support Portal by an authorized user within your organization.
The SAP ID service consists of the following components:
- Centralized user store for all identities that require access to protected application resources
- Standards-based single sign-on (SSO) service that allows users to log on only once and gain seamless access to all applications deployed through SAP BTP
Custom Identity Provider
Optionally, your own custom identity provider can be used in both SAP BTP, Neo environment and SAP BTP, Cloud Foundry environment. Apart from the license, no additional costs are associated with SAP BTP services for the use of such an identity provider.
Identity Authentication service
Another option is to use the Identity Authentication service as a platform identity provider. In this role, the service can act as a proxy for on-premise user stores, such as an LDAP directory. You can also use the service as a proxy for third-party identity providers such as Microsoft Azure AD. The use of this service is in principle included in the license of SAP BTP; however, an additional license must be purchased for certain use cases. The metric used for billing is the number of logons.
Supported Authentication Scenarios
The following scenarios are supported by SAP BTP for authenticating users via the identity provider:
- Standard identity federation through the SAP ID service
- Identity federation through the Identity Authentication tenant
- Identity federation through a corporate identity provider
Standard Identity Federation
You can also use the SAP ID service as an identity provider for your identity federation scenario. The trust relationship with the SAP ID service is preconfigured by default on SAP BTP, as mentioned earlier, so you can use it without further configuration. Optionally, you can configure additional trust settings on SAP BTP, such as service provider registration, role assignments to users and groups, and so on.
The use of the SAP ID service for a standard identity federation is shown below. When a user wants to gain access to SAP BTP, authentication is performed by the SAP ID service, and SAP BTP accepts the result because of the preconfigured trust relationship. Access is therefore granted once the SAP ID service has confirmed successful authentication.
Identity Authentication Tenant
If you want to use subaccount users (members) from your enterprise user base instead of creating S-users for them, you can use the Identity Authentication tenant (i.e., your instance of the Identity Authentication service) as the identity provider for your applications. Identity Authentication is a cloud service for lifecycle management of the identities you manage. This service gives you the ability to integrate your own user base with SAP BTP. You can also leverage corporate branding (e.g., integrating the company logo on the authentication page) and use identity providers from social media sites (such as Facebook, Twitter, Google, or LinkedIn). In this way, you can create the basis for user provisioning in various cloud and on-premise applications.
The Identity Authentication tenant is available to all subaccounts within your global account, as shown here.
Corporate Identity Provider
In addition to using the SAP ID service and the Identity Authentication service, SAP BTP applications can delegate authentication and identity management to an existing identity provider within your company (a corporate identity provider). In this approach, SAP BTP can authenticate your company’s employees against a corporate directory service, for example. This feature allows your employees (and, if applicable, your customers and partners) to log on to the cloud application using their usual user information. All information about a user required by SAP BTP can be securely passed on with the logon process based on a proven and standardized security protocol.
In this scenario, you don’t need to manage additional systems to take care of the synchronization or provisioning of user accounts between the corporate network and SAP BTP. All you need to do is establish a trust relationship (sometimes called simply trust) between the SAP BTP subaccount running the application and your corporate identity provider. This scenario is shown below.
Configuring the Identity Provider in SAP BTP, Neo Environment
A platform identity provider is configured in the same way as an application identity provider, in the SAP BTP cockpit at subaccount level. In SAP BTP, Neo environment, navigate to Security > Trust, as shown in this figure.
Platform Identity Provider Availability: A platform identity provider is supported only for feature set A. If you deactivated the default identity provider (the SAP ID service) for business users in cloud management tools (feature set A), the process of upgrading to cloud management tools feature set B reactivates the default identity provider. SAP reactivates the default identity provider because cloud management tools feature set B currently only supports platform users from the default identity provider.
If the Platform Identity Provider tab is not visible, the SAP Platform Identity Provider service must first be activated for SAP BTP at the subaccount level:
- Navigate to the Services section of the subaccount, as shown below, and search for “Platform Identity Provider.”
- Click the Platform Identity Provider tile to jump to the service details.
- Click the Enable button, as shown in this figure.
Activating the SAP Platform Identity Provider service for SAP BTP results in the SAP ID service being stored as the default platform identity provider. You can recognize this change by the fact that the URL https://accounts.sap.com is now stored in the Name field under the Platform Identity Provider tab, as shown here.
Click the Use Identity Authentication Tenant link to use the Identity Authentication tenant as a platform identity provider. You can tell that the Identity Authentication tenant is being used as a platform identity provider by the fact that the Cockpit button (for jumping to the SAP BTP cockpit) and the Administration Console button (for jumping to the administration console) are visible, as shown in the next figure.
You can delete the connection between your SAP BTP subaccount and the Identity Authentication tenant by clicking the Delete button.
Configuring the Identity Provider in SAP BTP, Cloud Foundry Environment
In SAP BTP, Cloud Foundry environment, both the platform identity provider and the application identity provider are configured at the subaccount level under Security > Trust Configuration.
The SAP ID service is also preconfigured as the default identity provider on this screen, as shown in the final figure below. If you want to use the Identity Authentication service as the platform identity provider instead, you must first establish a trust relationship between the SAP BTP, Cloud Foundry environment subaccount and the Identity Authentication service.
Third-Party Identity Providers
Third-party or external identity providers are typically used in the role of an application identity provider. Under Security > Trust, switch to the Application Identity Provider tab area for configuration. However, in principle, a third-party identity provider can also be used as a platform identity provider. For this option, you must use the Identity Authentication service as a proxy.
Editor’s note: This post has been adapted from a section of the book Security and Authorizations for SAP Business Technology Platform by Martin Koch and Siegfried Zeilinger.