Technology Blog Posts by SAP

Efficiently managing user access and roles is crucial for maintaining security and streamlining operations. By controlling authorization to SAP Integration Suite, advanced event mesh (AEM) from SAP Cloud Identity Services (CIS), organizations can centralize user management, automate role assignments, and enforce consistent access control.

This blog covers two options for implementing role mapping between CIS and AEM:

  1. Using CIS Groups

  2. Using a federated identity provider (e.g., Auth0, Microsoft Entra ID, etc.)


Option 1 - Using SAP Cloud Identity Services Groups

Prerequisites

  • You have administrator access to AEM and the SAP CIS instance associated with that AEM application.

Configure Cloud Identity Services

  1. Log in to the CIS console and navigate to the Groups screen.

  2. Create groups for the AEM roles you want to map to. (The available AEM roles are listed at https://help.pubsub.em.services.cloud.sap/Cloud/cloud-user-management.htm#roles-and-permissions.)

  3. Ensure that, at a minimum, your own AEM user has been added to the “AEM Administrator” group, so that you keep administrator access once the mapping is enabled.

  4. Go to Applications & Resources → Applications, and select your AEM application.
  5. Click on the application and then scroll down to “Attributes”.

  6. Open “Attributes” and ensure that the “groups” attribute is being sent to the application.

Configure SAP Integration Suite, advanced event mesh (AEM)

  1. Open the AEM Cloud Console.

  2. At the bottom-left corner, go to User & Account → Account Details.

  3. Go to the User Management tab.

  4. Click on Create Group.

  5. Set the Group Name and the roles that members of that group should have, and click Create. Create as many groups as you like; in this case, I’ve created groups to match the ones in Cloud Identity Services.

  6. Click on Group Management.

  7. Under Group, Role Identifier or Claim, enter the name of the token attribute you want to map on. In this case we use “groups”, as defined in the Attributes settings in CIS.

  8. Click Add Mapping and set the Claim Value to the attribute value you set when creating your groups in CIS (the group’s attribute value, not its display name). Repeat until all necessary groups are mapped.

  9. Enable Just-In-Time (JIT) provisioning so that users no longer need to be created manually in the AEM console.

  10. Click Test Access to confirm that you will still have administrator rights once this new mapping is enabled.

  11. If the test passes, the mapping is safe to enable. Click Save.

Managing Users

Now that role and group mapping is enabled, all access to AEM can be managed directly from Cloud Identity Services. To give someone access to AEM, simply add that user to the appropriate AEM group in CIS; they will then be able to log in automatically and will be given the corresponding role.


Option 2: Using a Federated Identity Provider

If you have federated your organization’s identity management through Cloud Identity Services, you can enable the same mapping as well.

There are different ways to get claims or attributes to flow from your corporate identity provider to the AEM application. I’m going to use Auth0 in this example, but almost any identity provider could be used.

Prerequisites

Configure Corporate Identity Provider

With Auth0, you can create “Roles” and assign them to users. If you have set up federation through CIS, those roles can be sent from Auth0 to CIS and then on to AEM.

  1. Create the necessary roles within Auth0, and ensure the appropriate users have been assigned those roles.
  2. Ensure your identity provider forwards the appropriate claim values. In this case, I want the roles configured above to be sent as claim/attribute values. In Auth0 this can be done by creating a custom Action; I’ve created the custom Action “Add Role to Token” for this purpose.
  3. Now that the Action is deployed, set it to run during the Post Login trigger: go to Triggers and drag the “Add Role to Token” Action between “Start” and “Complete”, then click Apply.

Configure SAP Cloud Identity Services

We want to ensure that logins to advanced event mesh are federated to Auth0.

  1. Log in to the CIS console and go to Applications & Resources → Applications → <Your AEM Application> → Conditional Authentication. Ensure Default Authenticating Identity Provider is set to your corporate IdP; in this case, my Auth0 account.

Configure SAP Integration Suite, advanced event mesh (AEM)

  1. Open the AEM Cloud Console.

  2. At the bottom-left corner, go to User & Account → Account Details.
  3. Go to the User Management tab.
  4. Click on Create Group.

  5. Set the Group Name and the roles that members of that group should have, and click Create. Create as many groups as you like; in this case, I’ve created groups to match the ones in my corporate identity provider (Auth0).
  6. Click on Group Management.

  7. Under Group, Role Identifier or Claim, enter the name of the token attribute you want to map on. Since we are federating through CIS, the attribute name must include the URL of our CIS instance.

  8. Click Add Mapping and set the “Claim Value” to match the “Name” you set when creating your roles in your corporate identity provider (Auth0). Repeat until all necessary groups are mapped.
  9. Enable Just-In-Time (JIT) provisioning so that users no longer need to be created manually in the AEM console.
  10. Click “Test Access” to confirm that you will still have administrator rights once this new mapping is enabled.
  11. If the test passes, the mapping is safe to enable. Click “Save”.
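The AEM configuration steps above (and the identical steps in Option 1) are easier to reason about as a small model, so here is an added example that is not AEM’s or SAP’s code: it shows how a Group Management mapping (claim name, claim value → group → roles) turns the claims in a login token into AEM roles, how JIT provisioning decides whether an unknown user gets in, and what the “Test Access” check in step 10 protects against. Group names, role names (`administrator`, `messaging-editor`, `viewer`), claim values and sample tokens are all constructed placeholders; the real AEM role names are in the documentation linked in Option 1.

```javascript
// Added example (not AEM code): a model of claim-to-group mapping with JIT
// provisioning and the pre-save "Test Access" lock-out guard.
const AEM_ADMIN_ROLE = 'administrator'; // placeholder for the AEM administrator role

// What the AEM console holds after steps 5-9 (all values constructed).
const mappingConfig = {
  claimName: 'groups',    // "Role Identifier or Claim" (step 7); in Option 2 this includes the CIS URL
  jitProvisioning: true,  // step 9
  groups: [
    // claimValue must equal the value sent in the token, not a display name (step 8)
    { claimValue: 'AEM_Administrator', name: 'AEM Administrators', roles: [AEM_ADMIN_ROLE] },
    { claimValue: 'AEM_Developer',     name: 'AEM Developers',     roles: ['messaging-editor'] },
    { claimValue: 'AEM_Viewer',        name: 'AEM Viewers',        roles: ['viewer'] },
  ],
};

// A token claim may carry one string or an array of strings; normalise to an array.
function claimValues(claims, claimName) {
  const raw = claims[claimName];
  if (raw === undefined || raw === null) return [];
  return (Array.isArray(raw) ? raw : [raw]).map(String);
}

// Resolve the AEM groups and roles a token grants under the given configuration.
// existingUsers: ids of users already created in the AEM console (without JIT).
function resolveAccess(config, claims, existingUsers = new Set()) {
  const values = new Set(claimValues(claims, config.claimName));
  const groups = config.groups.filter((g) => values.has(g.claimValue));
  const roles = [...new Set(groups.flatMap((g) => g.roles))].sort();
  const userId = String(claims.sub || claims.email || '');
  const known = existingUsers.has(userId);
  // An unknown user only gets in if JIT creates them, and JIT has something to
  // provision only when at least one group matched.
  const provisioned = !known && config.jitProvisioning && groups.length > 0;
  const allowed = groups.length > 0 && (known || provisioned);
  return { allowed, provisioned, groups: groups.map((g) => g.name), roles };
}

// "Test Access" (step 10): refuse to save a mapping that would strip the
// administrator role from the administrator who is about to save it.
function testAccess(config, currentAdminClaims) {
  const result = resolveAccess(config, currentAdminClaims);
  return result.allowed && result.roles.includes(AEM_ADMIN_ROLE);
}

// Constructed sample tokens, shaped like the claims CIS forwards to AEM.
const adminToken = { sub: 'alice@example.com', groups: ['AEM_Administrator', 'AEM_Developer'] };
const devToken = { sub: 'bob@example.com', groups: 'AEM_Developer' };                   // single value
const displayNameToken = { sub: 'carol@example.com', groups: ['AEM Administrators'] };  // display name: no match
```

Running `testAccess(mappingConfig, adminToken)` returns `true`, while the same call against a copy of the configuration whose `claimName` is misspelled returns `false`; that false result is the lock-out the console’s Test Access button is there to catch before you click Save. `displayNameToken` is denied because the mapping compares the raw attribute value, which is the reason step 8 says not to use the display name.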

Managing Users

Now that role and group mapping is enabled, all access to AEM can be managed directly from your corporate identity provider (in this case, Auth0). To give someone access to AEM, I just ensure that user has been assigned the appropriate role in my corporate identity provider.

Additional Reading

Configuring Group Management in Integration Suite, advanced event mesh
