Technology Blog Posts by SAP
FrederickDimmer
Product and Topic Expert
Streamlining User Management: Integrating SAP Integration Suite with SAP Cloud Identity Services - Part 1

In the realm of cloud computing and enterprise technology, effective user authentication and synchronization are vital for smooth operations and enhanced security. By integrating SAP Integration Suite with SAP Cloud Identity Services, businesses can unlock the full potential of user management across SAP Business Technology Platform (SAP BTP) and its applications.

Exploring SAP BTP

SAP BTP serves as a powerful cloud platform that enables enterprises to build, extend, and integrate SAP applications, offering a comprehensive suite of pre-integrated solutions. This platform forms the foundation for innovation and scalability, supporting a wide range of business needs.

Enhancing User Authentication with SAP Cloud Identity Services

This integration is crucial for user authentication within SAP BTP and applications running on it, facilitating seamless user synchronization between SAP BTP and SAP Cloud Identity Services. It sets the stage for a unified approach to managing users across diverse applications, elevating both security and efficiency.

Understanding User Categories

For successful integration, it's essential to recognize the different types of users involved:

  • Platform Users: These are typically developers, administrators, or operators tasked with deploying and managing applications on SAP BTP. They require specific permissions, whether at the global account, subaccount, or within particular development environments.
  • Business Users: These individuals use applications deployed on SAP BTP, including SaaS apps like SAP Build Work Zone or custom-built solutions. Their roles focus on utilizing business applications effectively.

Choosing the Right Identity Provider

Organizations have the flexibility to host these user categories either within the same or different identity providers. Opting for SAP Cloud Identity Services - Identity Authentication offers multiple advantages compared to the default SAP ID service:

  • Autonomy and Control: Gain control over user lifecycle management and single sign-on (SSO) strategies.
  • Customizable Security Policies: Define tailored password and authentication policies to suit organizational objectives.

Integration Workflow Explained

In this setup, Identity Authentication functions as the identity provider, while SAP BTP acts as the application hub. Identity Provisioning plays a crucial intermediary role, providing connectors to replicate users from the identity provider to SAP BTP’s local user storages. Here, you can assign the necessary authorizations for platform access or business application use, ensuring that users have the requisite permissions for their specific roles.

SAP Help reference: https://help.sap.com/docs/cloud-identity/system-integration-guide/sap-btp-integration-scenario

Setup Instructions

Establish the trust between your SAP BTP account and your Cloud Identity Services tenant using OpenID Connect (OIDC)

Establish Trust and Federation Between UAA and Identity Authentication for business users
Prerequisites:
* You possess subaccount administrator permissions.
* You own a tenant for SAP Cloud Identity Services.
* The SAP Cloud Identity Services tenant is linked to the customer IDs of the corresponding SAP BTP global account.

I. In the SAP BTP cockpit, navigate to your subaccount and select Security > Trust Configuration.
II. Click Establish Trust to initiate the process.
III. The Configure Tenant wizard appears. Select your SAP Cloud Identity Services tenant and click Next.
IV. The list of identity providers shows the SAP Cloud Identity Services tenants linked to your customer ID.
V. Select the domain that is configured for your SAP Cloud Identity Services tenant and click Next.
VI. You can modify the name and description of the tenant and view or change the origin key. The origin key can contain up to 36 characters, using only the following: a–z, A–Z, 0–9, - (hyphen) and _ (underscore).
VII. Enter the link text for user logon and click Next.
VIII. Review your configuration settings thoroughly and click Finish.
IX. A success message confirms that the trust has been established in your Global Account.

SAP Help Reference: https://help.sap.com/docs/btp/sap-business-technology-platform/establish-trust-and-federation-betwee...

Establish Trust and Federation of Custom Identity Providers for Platform Users

I. Start by accessing your global account in the SAP BTP cockpit, then head to Security > Trust Configuration.
II. Click on Establish Trust to kick off the process.
III. A list of identity providers will appear, showcasing SAP Cloud Identity Services tenants linked to your customer ID.
IV. Pick an identity provider from the available tenants, then hit Next to proceed.
V. Select your preferred domain for the tenant and press Next. To ensure a seamless single sign-on experience, use the same domain across all SAP BTP accounts and related non-SAP BTP applications that utilize this tenant.
VI. Give your new trust configuration a name and description. If possible, establish the origin key, which should end with -platform. Move forward by selecting Next.
VII. Check out the configuration preview provided by the wizard. If everything looks good, wrap up your new trust configuration by clicking Finish.
VIII. Trust is now established in your SAP Cloud Identity Services tenant, which serves as your identity provider.

SAP Help Reference: https://help.sap.com/docs/btp/sap-business-technology-platform/establish-trust-and-federation-of-cus...

Configure provisioning

Provision business and platform users from your identity provider to SAP BTP

I. Log into the SAP Cloud Identity Services administration console and go to Identity Provisioning > Source Systems.
II. Set up Identity Authentication as a source system.
III. Establish the connection between Identity Provisioning (as the source system) and Identity Authentication, and configure certificate-based authentication:

i. In the settings of the Identity Authentication source system, open the Outbound Certificates tab and select Generate and Download to obtain the certificate.

IV. Add the system as an administrator: navigate to Users & Authorizations > Administrators.
V. Upload the certificate created in the previous step to the SAP Cloud Identity Services administration console. Ensure that the technical user has the Manage Users and Manage Groups authorization roles enabled.
VI. Navigate to the Properties tab of the previously created source system and configure its properties.
VII. Go to Target Systems via the Identity Provisioning menu.
VIII. Create SAP BTP Advanced UAA (Cloud Foundry) as a target system.
IX. Get access to the APIs:

i. Sign in to the SAP BTP CLI and set your target to the appropriate global account, directory, or subaccount.
ii. Execute the following command: ./btp create security/api-credential --name my-credential

X. Select the Properties tab to set up the connection settings for your system, using the details of the credentials created in the previous step.
XI. Assign the previously created source system.
XII. Navigate to the User Management menu.
XIII. Create a CF provisioning user with an email address following the pattern cf-user-provisioning-<origin_key>@sap.invalid, where origin_key is the origin key of the trust configuration for SAP BTP platform users that points to your SAP Cloud Identity Services tenant.
XIV. Set an initial password for the user and mark its email address as verified.
XV. Activate the CF provisioning user account by opening the profile page of SAP Cloud Identity Services in an incognito browser session and changing the initial password. The URL follows the pattern https://<tenant ID>.accounts.ondemand.com or https://<tenant ID>.accounts.cloud.sap.
XVI. Navigate to the Groups menu.
XVII. Create the group cf-user-provisioning in your SAP Cloud Identity Services tenant and add the CF provisioning user to it.
XVIII. In the SAP BTP cockpit, assign the CF provisioning user as an Org Member with the Org Manager role in every Cloud Foundry organization where you plan to provision users.
XIX. To enable provisioning of platform users and assignment of user roles in the Cloud Foundry environment, open a support ticket for component BC-CP-CF-SEC-IAM. Provide your SAP Cloud Identity Services tenant ID together with the origin key of the trust configuration for SAP BTP platform users that points to your SAP Cloud Identity Services tenant.
XX. Log into the SAP Cloud Identity Services administration console and go to Identity Provisioning > Source Systems.
XXI. Create SAP BTP Platform Members (Cloud Foundry) as a source system.
XXII. Select the Properties tab and set up the connection configuration for the system.
XXIII. Navigate to Target Systems under Identity Provisioning and create Identity Directory as a target system. Assign the previously created source system.
XXIV. Add SAP BTP Platform Members (Cloud Foundry) as an additional target system and assign the previously created Identity Authentication source system.
XXV. On the Properties tab, configure the connection settings for the system.
SAP Help References: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/source-identity-authentica..., https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/target-sap-btp-xs-advanced..., https://help.sap.com/docs/btp/sap-business-technology-platform/get-access-to-apis?version=Cloud, https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/sap-btp-platform-members-c..., https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/sap-btp-platform-members-c..., https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/target-local-identity-dire...
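The procedure above ties three naming rules together: the origin key of a trust configuration is limited to 36 characters from a–z, A–Z, 0–9, hyphen and underscore; the origin key for platform users should end with -platform; and the CF provisioning user must be named cf-user-provisioning-<origin_key>@sap.invalid using exactly that platform origin key. A mismatch between the origin key and the provisioning user's address is easy to introduce by hand, so the following added example (not code from the original post or from SAP) checks a set of trust configurations against those rules and derives the provisioning address from the platform origin key. The sample configuration names and keys are constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

# Rules taken from the procedure above:
#  - an origin key has 1..36 characters from a-z, A-Z, 0-9, '-' and '_'
#  - the origin key of the platform-user trust configuration should end with "-platform"
#  - the CF provisioning user is cf-user-provisioning-<origin_key>@sap.invalid
ORIGIN_KEY_RE = re.compile(r"^[A-Za-z0-9_-]{1,36}$")
PLATFORM_SUFFIX = "-platform"
PROVISIONING_USER_PREFIX = "cf-user-provisioning-"
PROVISIONING_USER_DOMAIN = "sap.invalid"


def is_valid_origin_key(origin_key: str) -> bool:
    """True if the key satisfies the character-set and length rule for origin keys."""
    return ORIGIN_KEY_RE.fullmatch(origin_key) is not None


def is_platform_origin_key(origin_key: str) -> bool:
    """True if the key is valid and carries the -platform suffix used for platform-user trust."""
    return is_valid_origin_key(origin_key) and origin_key.endswith(PLATFORM_SUFFIX)


def provisioning_user_email(origin_key: str) -> str:
    """Derive the CF provisioning user's address from the platform-user origin key."""
    if not is_platform_origin_key(origin_key):
        raise ValueError(f"{origin_key!r} is not a valid platform-user origin key")
    return f"{PROVISIONING_USER_PREFIX}{origin_key}@{PROVISIONING_USER_DOMAIN}"


def origin_key_from_provisioning_email(email: str) -> Optional[str]:
    """Inverse check: recover the origin key from a provisioning address, or None if the
    address does not follow the cf-user-provisioning-<origin_key>@sap.invalid pattern."""
    local, sep, domain = email.rpartition("@")
    if not sep or domain != PROVISIONING_USER_DOMAIN or not local.startswith(PROVISIONING_USER_PREFIX):
        return None
    key = local[len(PROVISIONING_USER_PREFIX):]
    return key if is_platform_origin_key(key) else None


def check_trust_configurations(configs: List[Tuple[str, str, bool]]) -> List[str]:
    """Audit (name, origin_key, is_platform_trust) tuples and return human-readable findings."""
    findings = []
    for name, key, is_platform in configs:
        if not is_valid_origin_key(key):
            findings.append(f"{name}: origin key {key!r} violates the 36-character [A-Za-z0-9_-] rule")
        elif is_platform and not key.endswith(PLATFORM_SUFFIX):
            findings.append(f"{name}: platform-user origin key {key!r} should end with {PLATFORM_SUFFIX}")
    return findings


if __name__ == "__main__":
    # Constructed sample trust configurations (hypothetical names and keys, not from a real tenant)
    sample = [
        ("ias-business", "my-ias-tenant", False),
        ("ias-platform", "my-ias-tenant-platform", True),
        ("ias-platform-bad", "my ias tenant-platform", True),   # space is not an allowed character
        ("ias-platform-nosuffix", "my-ias-tenant", True),       # platform trust without -platform suffix
    ]
    for finding in check_trust_configurations(sample):
        print(finding)
    print(provisioning_user_email("my-ias-tenant-platform"))
```

Running the block prints the two findings for the constructed sample and the derived address cf-user-provisioning-my-ias-tenant-platform@sap.invalid; the inverse function is useful when reviewing an existing tenant, since it tells you which platform origin key a given provisioning user was created for.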

Outlook

In this blog article, we delve into streamlining user management by integrating SAP Integration Suite with SAP Cloud Identity Services, providing a comprehensive overview of the processes involved. The integration enhances security and simplifies user provisioning, allowing for efficient access management across cloud applications. Key aspects covered include establishing trust between your SAP Business Technology Platform (BTP) account and Cloud Identity Services tenant using OpenID Connect (OIDC), a critical step for ensuring secure authentication protocols. Additionally, readers are guided through configuring provisioning, highlighting the automation and synchronization of user data between systems to streamline user access and maintain data integrity.

Looking ahead, the next blog article in this series will expand your understanding by detailing the setup of user groups, which are essential for managing user roles and permissions efficiently. We'll also cover the creation of role collection mapping, allowing seamless assignment of roles within your SAP environment. To enhance security practices, we'll discuss integrating Two-Factor Authentication (2FA), providing an added layer of protection for user accounts. Furthermore, readers will be guided on testing the user provisioning to ensure successful integration. Stay tuned to continue refining your expertise in managing user access within SAP systems.
