Technology Blogs by SAP
MSo
Product and Topic Expert

Introduction


SAP offers Trial and so-called Free Tier instances of the Business Technology Platform (BTP), which let you try out BTP within certain limits and time constraints. Until recently, the SAP Cloud Identity Services (SCI) were offered only for BTP Free Tier accounts; SCI has now also been made available as part of BTP trial accounts.

 

Service Offering and Limitations


The trial version of SCI offers almost the full functional scope; it is limited to a maximum of 50 users, and the connectivity plan is not available. Thus, the corporate user store scenario and user provisioning from or to on-premise environments are not possible with trial tenants. Aside from that, trial users and admins can try out the SAP Cloud Identity Services free of charge.

One can request one SCI tenant per BTP global (trial) account. The SCI tenant can then be used in all subaccounts as application identity provider. The tenant cannot be used as a platform identity provider.

SCI tenant lifetime is bound to the BTP trial account (90 days – see Trial Lifecycle for details); if the BTP trial account is terminated, the corresponding SCI tenant will also be retired.

Landscape: SCI trial tenants are offered only in the US East region. Thus, regardless of the BTP trial landscape (currently offered in the US and Singapore), SCI tenants are always deployed in the US East region.

 

Service Request


Here’s how you can request your own SAP Cloud Identity Services trial tenant:

  1. Go to your SAP BTP Trial account.
    In case you don’t have one yet, please have a look at the following tutorial.

  2. Navigate to a subaccount -> Service Marketplace -> the Cloud Identity Services default plan should be auto-entitled:

  3. Create a new instance for Cloud Identity Services default plan:


  4. Verify that SCI tenant creation was successful:

  5. You will receive an account activation email for your admin user in the newly created SCI tenant, and with that user you can access the admin console of your SCI tenant:

  6. Going back to the BTP cockpit:
    you may use the new SCI tenant as application identity provider for your BTP subaccount.
    Go to your BTP trial subaccount -> Security -> Trust Configuration:

    The ‘Establish Trust’ button creates a trust configuration from the BTP subaccount to SCI based on the OpenID Connect protocol:

    It is also an option to establish the trust manually based on the SAML protocol.

  7. In the SCI administration console -> Applications & Resources -> Applications you will see the trust configuration that was established by your BTP trial account:

  8. That’s it!
    Applications you deploy in your BTP subaccount can now delegate authentication to the SCI tenant you just created. In the SCI admin console you can configure the various options for authentication and multi-factor authentication, or use SCI just as a proxy for a corporate identity provider that you may have established.


 


Conclusion


If you ever wanted to get hands-on experience with the SAP Cloud Identity Services, now is the right time to do so.
18 Comments
yogananda
Product and Topic Expert
Great marko.sommer for introducing this to BTP Trial account!

This is really going to be Game changer 🙂
martinfrick
Product and Topic Expert
Hi team,

I can only second yoganandamuthaiah. This is a real game changer! Thanks for all your hard work making it possible!

Wow!

 
nils-lutz
Participant
Hello there,

+1. Love to see this as an addition to the free-tier world.

Huge!
Chandrashekhar
Explorer

Dear Marko

Thank you!

Glad to know that SCI is made available as part of BTP trial account. However, when I tried to follow the steps as per the blog, the SAP Identity Service is not shown for my trial account. Could you please suggest if any prerequisite needs to be followed.

Just to add, my subaccount is in the below location.

Provider Amazon Web Services (AWS)

Region US East (VA)

Environment Multi-Environment

SCI Trial

MSo
Product and Topic Expert
Maybe it's a BTP Trial account created at a time when the Identity Services plan was not yet available for Trial? (SCI plan was enabled beginning of April)
Chandrashekhar
Explorer
Dear Marko

Thank you!

Quite possible, I tried to add the SCI from the Entitlements for my trial subaccount, and this works as expected.

Steps Followed:

From the trial account -> Entitlements, Click on Configure Entitlements -> Add Service Plan -> Cloud Identity Services.

Best Regards

Chandra
MSo
Product and Topic Expert

Thanks Chandra for confirming!
By chance I found an old trial account of mine and could activate SCI as you described it:-)
Best, Marko

Kishore
Participant
Hello Marko,

I created an instance for Cloud Identity Services in my trial account. I am getting an error while trying to establish a trust. I am doing this step as part of activation of SAP Build Apps

MSo
Product and Topic Expert
Hi Kishore,
SAP Build apps integrates with IAS based on OpenID Connect protocol.
Establishing the trust requires the 'application plan' for the Identity Services.
Unfortunately this plan is still missing in BTP Trial accounts. We are working on it to add it.
Marko
MSo
Product and Topic Expert
Update: Application Plan is meanwhile enabled for BTP Trial accounts.
NazeerAhamad_M
Explorer
Thanks a lot Marko for sharing the valuable information with screens, it was really helpful to start off 🙂 as a beginner.

Just to add on: before going to Step 3, one should check whether "Default" is enabled. If it is not enabled, only "Application" will be available to choose, and it will fail. If Default is not enabled, then we have to go to BTP cockpit -> select your account -> Entitlements -> Configure Entitlements -> search for Cloud Identity Services -> enable Default, then save and proceed with Step 3.

This is how it worked for me.

Thanks,

Nazeer
rahuljain257
Participant

Thank you very much for the article.

Can you please share the insights or the step-by-step instructions / article... how can I achieve single sign-on with SAP S/4 HANA Public Edition & SAP BTP APPS hosted on Cloud Foundry using CAPM?

Regards
Rahul Jain

H_Ettelbrueck
Advisor

@rahuljain257 Which kind of instructions are you looking for? I assume your S/4 HANA tenant uses an IAS tenant for user login already, so I would simply establish trust between your BTP subaccount and the same tenant to achieve SSO. Am I missing something? Do you need details on that?

Prasanna20
Associate

I am working with BTP trial account and went through the CAP Java tutorial (https://developers.sap.com/tutorials/cp-cap-java-deploy-cf.html). I have it working and now want to figure out a way to access the API from Postman. With the default IDP service (SAP ID Service), I am forced to do 2-Factor authentication and cannot test APIs from Postman. So I am exploring creating a trial tenant of SAP Cloud Identity Services and using it. I created a user in the trial tenant.

Now I was hoping that without 2FA, I would be able to authenticate the new user and access the application API endpoint. But I get the below 'MAIL_NOT_VERIFIED' error even though I have verified the email. I can even login as that user in the UI and administer the tenant. The user profile also indicates that Email is verified. Any ideas why it is not working? Is this a restriction on trial account?

 

Thanks a lot in advance for any pointers!

ClientId, secret, xsuaa-authentication-endpoint are retrieved from the xsuaa service instance bound to my app. 

 

curl --location 'https://<xsuaa-authentication-endpoint>.authentication.us10.hana.ondemand.com/oauth/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=<clientId>' \
--data-urlencode 'client_secret=<secret>' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username=<email id of user created in custom tenant>' \
--data-urlencode 'password=<password>'

{
    "error": "invalid_client",
    "error_description": "{\"error\":\"invalid_grant\",\"error_description\":\"User authentication failed: MAIL_NOT_VERIFIED\"}"
}

 

Thanks

Prasanna
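
Added example, not part of the original post and not SAP code: the response above carries the identity provider's error as a JSON string inside error_description, so the outer "invalid_client" hides the inner "invalid_grant" and its reason. This Python sketch unwraps such layers; the function names and the reason-code pattern are assumptions made for illustration, and the sample body is the one quoted in the post.

```python
import json
import re

# Response body copied from the post above (the failed password-grant call).
SAMPLE_BODY = r'''{
    "error": "invalid_client",
    "error_description": "{\"error\":\"invalid_grant\",\"error_description\":\"User authentication failed: MAIL_NOT_VERIFIED\"}"
}'''


def unwrap_oauth_error(body, max_depth=5):
    """Return [(error, description), ...] from the outermost layer inwards.

    A layer counts as nested when its error_description is itself a JSON
    object with an "error" member. max_depth bounds pathological nesting.
    """
    layers = []
    current = body
    for _ in range(max_depth):
        try:
            doc = json.loads(current)
        except (TypeError, ValueError):
            break  # plain text or missing: the previous layer was innermost
        if not isinstance(doc, dict) or "error" not in doc:
            break
        current = doc.get("error_description")
        layers.append((doc["error"], current))
    return layers


def root_cause(body):
    """Innermost error code, its text, and a trailing REASON_CODE if present."""
    layers = unwrap_oauth_error(body)
    if not layers:
        return None  # not an OAuth error document at all
    error, text = layers[-1]
    # Assumption: the reason is an upper-case token at the end of the text,
    # as in the single response shown on this page.
    match = re.search(r"\b([A-Z][A-Z0-9_]+)$", text) if isinstance(text, str) else None
    return {"error": error, "text": text, "reason": match.group(1) if match else None}


if __name__ == "__main__":
    for code, _ in unwrap_oauth_error(SAMPLE_BODY):
        print("layer:", code)
    print(root_cause(SAMPLE_BODY))
```
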

torstenluh
Advisor

@Prasanna20 Can you verify that the email in SAP Cloud Identity Services is indeed set to verified? You can check it by accessing the following URL:
https://<subdomain>.accounts.ondemand.com/ui/protected/userData

The page should show "Mail Verified: TRUE".

Prasanna20
Associate

Thanks for the response! Yes, it indeed says MAIL VERIFIED. 

For now I am able to test APIs that are not protected by any scopes. Here is what I can do: 

1.  POST /oauth/token HTTP/1.1
Host: c0a3ff3etrial.authentication.us10.hana.ondemand.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic (encoded clientId+clientsecret)
Content-Length: 29

grant_type=client_credentials

Use the access token returned from above in the following API

2. GET <>/...

Authorization: Bearer <token>
 
torstenluh
Advisor

@Prasanna20 Then I would ask you to open a bug ticket for further analysis. Thanks!

Mahesh_chandra
Newcomer

Account activation email is not working. Is there any open issue / limitation from using IAS from trial account(s)?

 

Thanks

Mv