Technology Blogs by Members
Explore a vibrant mix of technical expertise, industry insights, and tech buzz in member blogs covering SAP products, technology, and events. Get in the mix!
cancel
Showing results for 
Search instead for 
Did you mean: 
ani29
Explorer
1,595

Introduction


Hi Everyone,

This is Anita Gupta, I am currently working in EY as SAP Basis and BTP administrator.

In this blog post, we will be talking about an amazing feature which SAP just released in BTP Security which will decrease the manual efforts immensely.

This blog post will guide you to perform migration of trust configuration from  SAML to OIDC.

Why we want to do it and how this will be helpful ?


There are certain functionalities (like some automated processes defined by SAP) which only works with  OIDC. For example: Now if there is an OIDC trust between Subaccount and IAS- Developers can bind their applications to specific cloud identity service instances and it creates another IAS application(OIDC) which can provide more control  and developers can control authentication at every application level they are binding to.

Now if we have performed trust setup using SAML protocol with IAS tenant and we have been using it for a while - there will be multiple users created against this Identity provider. and if we want to switch to OIDC, there will be certain steps to be performed.

  • Export the list of users along with details of role collections.

  • Cleanup of Users created against this Identity provider

  • Delete the trust configuration

  • Establish trust configuration again using "Establish trust button"

  • Provision all the users again manually with new Identity provider.


All these manual activities can be performed with few set of BTP CLI commands and can make your simple a little simple with respect to BTP Security.

If we talk in terms of time - it will reduce the manual work of weeks to few minutes.

Now before you get started, let's follow below pre-requisite steps to make sure we don't get stuck in between ...


Prerequisites:



  • You should have Security Administrator Privileges inside subaccount in which you want to perform this migration.

  • BTP CLI should be download and configured. We can't perform this activity from UI layer and will need to run commands to perform the migration.


  • In the SAP BTP cockpit under Custom Identity Provider for Applications, there are no trust configurations with the OpenID Connect protocol.


let's see how it looks before we perform the migration


Pre-Migration Trust Configuration Status


SAML trust configuration with origin key - samltrust



Users exist against this Identity provider.


When perform login using SSO to IAS - we can see SAML traces , assertions in SAML Tracer.



Now lets get started ...


Steps to perform migration


Open Command prompt( in case of windows) or terminal (in case of linux and macOS) and Login to BTP using BTP CLI


btp login --sso


Press Enter


It prompts to open browser to perform login using your ID.


Click on Yes


Login Successful




 

List all subaccounts to find the subaccount id to login to specific subaccount


btp list accounts/subaccount


 

Perform login to specific subaccount by running below command


btp target --subaccount 32295e80-db37-4a83-a3a9-645c42b805ea


 

Check for available identity providers


btp list security/available-idp


 

Perform Migration from SAML to OIDC connectivity


btp migrate security/trust samltrust --idp ajnnqsktl.trial-accounts.ondemand.com



Let's see how it looks once migration is performed


Post Migration Trust Configuration Status


It changes the origin key of old saml configuration to oidc-migration-backup and set it as inactive and perform trust configuration with OIDC and keeps the origin key same as older one.


You can update the details like link text for user logon by clicking on the change button


 

When you login  using SSO to IAS - SAML tracer don't capture any traces(SAML assertion) and we can see the oidc traces inside IAS troubleshooting logs.


 

Conclusion


In this blog post we learnt how to migrate the SAML Trust configuration to OIDC using BTP CLI.

 

Frequently asked questions


Question 1: We are unable to see any option to perform Migration from SAML to OIDC in BTP subaccount

Answer: As part of Q2-2023 SAP has released this functionality and it can only be performed using BTP CLI as of now. Please refer to SAP Standard documentation for more information

 

Question 2: Can i perform it in SAP BTP - Feature Set A?

Answer: BTP CLI is not available in Feature set A and these steps are only applicable for Feature Set B.

 

Question 3: Is this activity performed for which kind of users - Platform users or Business Users.

Answer: As we are establishing trust inside a subaccount (or performing changes) - this is applicable only for Business users who are accessing that subaccount or applications inside that subaccount.

 
Labels in this area