In this blog I will go through the steps to integrate IAG with an SAP BTP subaccount (Cloud Foundry). This blog is not applicable to the Neo environment.
The SAP Cloud Identity Access Governance solution offers multiple core services that help streamline identity and access management. You can use individual services independently or combine them with others. With this product, you can also integrate cloud applications that belong to SAP and its partners. In addition, customers whose primary system is SAP Access Control 12.0 can use the Cloud Bridge scenario to access the same services or applications in the cloud environment. This is a multi-tenant product built on top of SAP Business Technology Platform (SAP BTP).
SAP Cloud Identity Access Governance is available as a cloud bundle solution. It includes two other services, Identity Provisioning and Identity Authentication, that are essential for successfully configuring the product.
Prerequisite: an IAG administrator, an SAP BTP administrator, or someone with SAP BTP knowledge is preferred to do this setup.
Make sure you have completed the initial setup for IAG (IAS and IPS enablement) before following the steps below.
There are four overall steps to enable integration between SAP Business Technology Platform (SAP BTP) and the SAP Cloud Identity Access Governance solution and its services:
1. Connect Identity Provisioning with IAG
2. Create a proxy system for Cloud Foundry in the IPS
3. Create an instance for Cloud Foundry in the IAG
4. Run the repository sync job to sync user data and provision access requests
1. Connect Identity Provisioning with IAG
The following step applies to an Identity Provisioning bundle tenant that was created or updated on the SAP Cloud Identity (SCI) platform for use with SAP Cloud Identity Access Governance.
Log in to IAS > Users & Authorizations > Administrators > Add System User and grant the Access Proxy System API permission. Note down the Client ID and Secret (once the secret is generated, you cannot retrieve or change it).
Log in to the IAG BTP subaccount and create a destination with the name IPS_PROXY as shown in the table below.
Enter the properties listed in the table below for the destination. All properties must be entered; some of them must be added as Additional Properties. Copy the names of all properties exactly as displayed, because property names and values are case sensitive.
Check the Use default JDK truststore checkbox.
Save your entries. You can test the destination in the BTP cockpit; however, because the URL does not point to a valid API for Identity Provisioning, the check shows a green status together with HTTP 301 or similar.
xsuaa.origin = the location (origin key) of your identity provider. To find it:
- Open your SAP BTP cockpit.
- Go to your Cloud Foundry global account and choose your subaccount.
- From the left-side navigation, choose Trust Configuration.
- Copy the Origin Key value and paste it as the property value.
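As an added check (example code written for this post, not SAP tooling or anything from the blog itself), the following Python script lints a destination definition for the mistakes the steps above warn about: property names that differ only in case, missing or empty properties, a wrong destination name, and certificate validation being switched off. The REQUIRED_KEYS list and the sample values are assumptions, not the blog's table.

```python
"""Lint an exported IPS_PROXY destination definition before importing it.

Added example. The required-key list below is an assumption; replace it with
the property names from the actual table. Sample values are constructed."""

# Assumed required keys (standard BTP destination keys plus xsuaa.origin).
REQUIRED_KEYS = ("Name", "Type", "URL", "ProxyType", "Authentication", "xsuaa.origin")


def lint_ips_proxy_destination(props: dict) -> list:
    """Return a list of findings; an empty list means the definition looks right."""
    findings = []
    for key in REQUIRED_KEYS:
        if key not in props:
            # Property names are case sensitive: a key that differs only in
            # case is accepted by the cockpit but never read by the consumer.
            near = [k for k in props if k.lower() == key.lower()]
            if near:
                findings.append(f"property '{near[0]}' must be spelled exactly '{key}'")
            else:
                findings.append(f"missing required property '{key}'")
        elif not str(props[key]).strip():
            findings.append(f"property '{key}' is empty")
    if props.get("Name") != "IPS_PROXY":
        findings.append("destination must be named IPS_PROXY")
    # 'Use default JDK truststore' means the server certificate is validated;
    # TrustAll=true would disable that validation, so flag it.
    if str(props.get("TrustAll", "false")).lower() == "true":
        findings.append("TrustAll=true disables certificate validation; use the default JDK truststore")
    url = str(props.get("URL", ""))
    if url and not url.startswith("https://"):
        findings.append("URL must use https")
    return findings


# Constructed samples: one correct definition and one with typical mistakes.
GOOD = {"Name": "IPS_PROXY", "Type": "HTTP", "URL": "https://ips.example.invalid/api",
        "ProxyType": "Internet", "Authentication": "OAuth2ClientCredentials",
        "xsuaa.origin": "sap.custom"}
BAD = {"Name": "ips_proxy", "Type": "HTTP", "URL": "http://ips.example.invalid/api",
       "ProxyType": "Internet", "Authentication": "OAuth2ClientCredentials",
       "XSUAA.Origin": "sap.custom", "TrustAll": "true"}

if __name__ == "__main__":
    for label, definition in (("good", GOOD), ("bad", BAD)):
        print(label, lint_ips_proxy_destination(definition) or "OK")
```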
3. Create an instance for Cloud Foundry in the IAG
Log in to the SAP Cloud Identity Access Governance launchpad and open the Application app.
Create a system for Cloud Foundry. For System Type, select Cloud Foundry.
Enter the external system ID mentioned in step 2.2 in the section Create Proxy System, then save.
4. Run the repository sync job to sync user data and provision access requests
In the SAP Cloud Identity Access Governance launchpad, open the Job Scheduler app. In the Job Category dropdown list, schedule the following job:
Repository Sync, to synchronize the relevant data from Cloud Foundry to the access request service.
In the System Type dropdown list, select Cloud Foundry.
In the System dropdown list, select the configured Cloud Foundry system.
These steps complete the integration of the SAP BTP subaccount (Cloud Foundry) with IAG. Please check help.sap.com for SAP Cloud Identity Access Governance for more detailed documentation on how to integrate an SAP BTP subaccount with IAG.