Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
Showing results for 
Search instead for 
Did you mean: 
Product and Topic Expert
Product and Topic Expert
In this blog I will go through the steps to Integrate IAG with SAP BTP Subaccount(Cloud foundry). This blog is not applicable for Neo Environment.

The SAP Cloud Identity Access Governance solution offers multiple core services that help streamline identity and access management. You can use individual services independently or combine them with others. With this product, you can also integrate cloud applications that belong to SAP and its partners. In addition, customers whose primary system is SAP Access Control 12.0 can use the Cloud Bridge scenario to access the same services or applications in the cloud environment. This is a multi-tenant product built on top of SAP Business Technology Platform (SAP BTP)

SAP Cloud Identity Access Governance is available as a cloud bundle solution. It includes two other services – Identity Provisioning and Identity Authentication that are essential for successfully configuring the product.

Prerequisite: IAG Administrator, SAP BTP administrator or knowledge in SAP BTP is preferred to do this setup.

Make sure you completed initial setup for IAG (IAS and IPS enablement) in IAG before following the below steps.

Process Overview

There are four overall steps to enable integration between SAP Business Technology Platform (SAP BTP) and the SAP Cloud Identity Access Governance solution and its services:

  1. Connect Identity Provisioning with IAG

  2. Create Proxy System for Cloud Foundry In the IPS

  3. Create an instance for Cloud Foundry in the IAG

  4. Run the repository synch job to sync user data and provision access requests.

1.Connect Identity Provisioning with IAG

The following step is applicable for an Identity Provisioning bundle tenant was created or updated on the SAP Cloud Identity (SCI) platform for use with SAP Cloud Identity Access Governance.

The URL for Identity Provisioning is as follows:

  1. Login to the IAS > User & Authorizations > Administrators > Add System user and provide the Access Proxy System API access. Note down the Client ID and Secret ( Once Secret is generated, you cannot retrieve or change it.)

  2. Login to the IAG BTP Subaccount and create a destination with the name IPS_PROXY as shown in the table below.

  3. Enter the Properties listed in the table below for the destination. All properties must be entered. Some properties must be added as Additional Properties. Copy the names of all properties as displayed. Property names and values are case sensitive.

  4. Check the Use default JDK truststore checkbox.

  5. Save your entries.You can test the destination in the BTP Cockpit. However, the URL does not point to a valid API for Identity Provisioning, and shows green status, but HTTP 301 or similar.

Description IPS Destination
URL https://<<YOUR_IPS_URL_BUT_WITHOUT_THE__ips>>; (For example:
Proxy Type Internet
Authentication BasicAuthentication
Accept application/scim+json
serviceURL /ipsproxy/service/api/v1/scim/

2.Create Proxy System for Cloud Foundry In the IPS

Need to create a proxy system to enable Cloud Foundry to connect with the IAG Subaccount. Before create a proxy system, please create the Service Key in the SAP BTP Subaccount.

2.1) How to create a service key in the SAP BTP Subaccount?

Login to the BTP Subaccount and make sure your id is added as Org Manager in the Org Managers of the BTP Subaccount.

Go to space and Click Create Space and assign Space Developer and Space Manager Role to you. If space is already created make sure you are assigned with Space Developer and Space Manager role.

Space Creation


Go to Instances and Subscriptions >Instances > Create

Choose Service and Plan details like below and Create

Once instance has been created, Go to the created instance and Create the Service Key.


Service Key Creation

Please note down the apiurl, url, Client Id, Secret from the service key once it created.

2.2)Create a Proxy System

  1. Open your Identity Provisioning Launchpad.

  2. Copy the external system ID and use it to set up the Cloud Foundry instance in the Systems app.

  3. Add a proxy system for Cloud Foundry and choose Save. The Type should be SAP BTP XS Advanced UAA.

    Type SAP HANA XS Advanced UAA Server
    System Name XSUAA
    Destination Name
    Description XSUAA test system

  4. Enter the Properties as shown in below table







    Password=<< SECRET_FROM_STEP 2.1_ABOVE>>

    xsuaa.origin=Enter the location of your identity provider. To do this:

    1. Open your SAP BTP cockpit.

    2. Go to your Cloud Foundry global account and choose your subaccount.

    3. From the left-side navigation, choose Trust Configuration.

    4. Copy/paste the Origin Key value.



3.Create an instance for Cloud Foundry in the IAG

  1. Log into the SAP Cloud Identity Access Governance launchpad and open the Application app.

  2. Create a system for Cloud Foundry. For System Type, select Cloud Foundry.

  3. Enter the external system ID mentioned in step 2.2 in the section Create Proxy system and Save.

4.Run the repository synch job to sync user data and provision access requests.

In the SAP Cloud Identity Access Governance launchpad, open the Job Scheduler app. In the Job Category dropdown list, schedule the following jobs:

  • Repository Sync to synchronize the relevant data from Cloud Foundry to the access request service.

    In the System Type dropdown list, select Cloud Foundry.

    In the System dropdown list, select the configured Cloud Foundry System.


These steps completes the Integration of SAP BTP Subaccount (Cloud foundry) with IAG. Please check the for SAP Cloud Identity Access Governance for more detailed document on how to integrate SAP BTP Subaccount with IAG




Note: Please share your feedback or thoughts in a comment below or ask questions in the Q&A tag area here about SAP Cloud Identity Access Governance.