
Connect Customer IAS to our BTP Subaccount using Establish Trust (OpenID Connect)

nicorunge
Participant

Hi Experts,

we want to connect a customer IAS to our BTP. This works fine by exchanging the SAML Metadata files.

But as we're encountering this restriction when using SAML, we want to switch to the OpenID Connect protocol. This can be done by using the Establish Trust button in the Trust Configuration (like here). But as the customer IAS is not related to our Global Account, it does not show up (at least that is my assumption). In the documentation, I could find the following chapter related to this problem, which mentions the following prerequisite:

The Identity Authentication tenant is associated with the customer IDs of the relevant global account of SAP BTP.

So my guess is, the Customer ID is the missing piece. I tried to follow the steps described in the linked chapter, but I cannot complete step 4, because in my case, there is no drop-down in the IAS like it is described in the docs...
My user has all required permissions.

carlos.roggan wrote the following in his blog:
In the wizard you should see at least one entry of IAS tenant that is assigned to your account by SAP.
If not, you probably need to open a support ticket.

So my questions are: how do I find out our Customer ID, and how do I add the Customer ID to the IAS? Is it really necessary to open a support ticket? It would be nice if customers could fix this by themselves.

Thanks & Regards

Nico

Accepted Solutions (0)

Answers (2)

istvanbokor
Product and Topic Expert

Hi,

Is this the screenshot of your IAS tenant? It has a cost center, not a customer ID, so either it is an internal tenant, or it is related to a SuccessFactors demo tenant, which has a cost center and cannot have a customer ID, so you cannot Establish Trust with that.

Regards,
Istvan

nicorunge
Participant

Hi istvan.bokor,

you are right! The screenshot is from an IAS which is used with our demo SF system. As I currently don't have access to the customer IAS myself, I just wanted to check if I can achieve the same with our demo system. So good to know that this is not possible. Then we will have to do this directly with the customer IAS.

But then my questions still remain the same. Where do I find our customer ID and how can the customer add it to his IAS, so that we will see his IAS on our BTP Account?

Thanks & Regards
Nico

nicorunge
Participant

Completely forgot that I've already found our customer ID some time ago via this link: https://iamtenants.accounts.cloud.sap/.
So the only missing piece is how we can assign this ID to the customer's IAS. 🙂

Step 4 in the documentation only mentions:

The Customer records drop-down contains only the customer ID numbers that are assigned to the global ultimate (the most important company within the corporate family).

istvanbokor
Product and Topic Expert

This assignment is for IAS tenants with customer IDs. If the IAS tenant has a cost center (as with the SF demo), then it is not possible to assign a customer ID, and there is no drop-down.

nicorunge
Participant

Hi istvan.bokor,

I got this point! It's not possible when using the SF Demo IAS Tenant.

But I'm now talking about a scenario without the SF demo IAS. We have a multitenant application which is an extension for SF. Therefore, we need to connect the customer's SF systems to our BTP, where the application is running. And to get SSO working for the customer, we also need the customer's IAS system to be connected to our BTP. If I've read the documentation correctly, the customer has to add our customer ID to his IAS tenant, so that we see his IAS tenant when hitting "Establish Trust" in our BTP? Is this correct? If yes, how and where can he add this customer ID?

Thanks & Regards
Nico

istvanbokor
Product and Topic Expert

Hi Nico, the IAS tenant can be seen in the Global Account if the customer ID of the GA and the IAS are the same. If you have subsidiary companies, technically they are different customer IDs, and at that place in your screenshot you can assign that IAS tenant to parent/child companies. So it does not work for customer IDs that are not related to each other.

nicorunge
Participant

Hi istvan.bokor,

thanks for the quick reply!

In other words, it is not possible to use the "Establish Trust" functionality when dealing with customer IAS tenants.

Also, this would mean it is not possible to use the OpenID Connect protocol to connect customer IAS tenants. Is this correct? Or is there any other way we can set up the IAS connection with OpenID instead of SAML?

The main reason we want to do this is that we want to create a user on the IAS which the customer can use in his systems as a technical user to call API endpoints of our application. But as we run into this restriction, this approach is currently not possible, and we would need to create a user directly on the BTP. But a BTP user requires a valid S-User account, and that is not recommended for technical users.

Thanks & Regards
Nico

nicorunge
Participant

Hi istvan.bokor,

could you give me some feedback on my previous comment? That would be super helpful!

Thanks!
Nico

istvanbokor
Product and Topic Expert

Hi Nico,

Since the IAS tenant has a cost center and BTP has a customer ID, you cannot use an OIDC connection, but you can still use the SAML protocol. I'm not from the SF team, but I believe the purpose of the SF demo system with IAS is to try out SF with IAS; however, I'm not an expert on this topic.

Best regards,
István

nicorunge
Participant

Hi istvan.bokor,

I think you misread my previous comments. As already said, I got the point that it's not possible when using a demo IAS tenant with a cost center.

I'm now talking about a scenario with an IAS tenant which has a Customer ID.

We have a customer that has its own IAS tenant which has a Customer ID, and we want to connect this IAS to our BTP Global Account via OIDC.

So we have two different Customer IDs. Is there any way we can add their customer ID to our BTP GA, so that we see their IAS when hitting the Establish Trust button on our BTP account?

Thanks!
Nico

istvanbokor
Product and Topic Expert

Hi Nico,

If these two different customer IDs are related to a global ultimate, then yes. At https://tenantId.accounts.ondemand.com/admin/#/tenantSettings/info you should assign an IAS tenant to these customer IDs, and if any of these customer IDs is the same as the global account's, then it is possible.

Best regards,
Istvan

nicorunge
Participant

Hi istvan.bokor,

somehow I didn't get a notification and missed your comment... Sorry!

"If these two different customer IDs are related to a global ultimate"

In our situation, we are a consulting company providing a CAP application, and we have a client who wants to connect their own IAS to our BTP GA to use our SaaS solution. But our companies and BTP accounts are not related at all. So there is also no "global ultimate". Therefore, on the customer IAS there is nothing to see, and it is not possible to enter our customer ID there.

To summarize it now:

  • It is only possible to use OIDC with IAS tenants that belong to the same (or a sub) company.
  • The only way to connect IAS tenants not related to one's own company is via SAML.
  • There is no other way to connect an IAS tenant using the OIDC protocol besides using the "Establish Trust" button in the BTP Cockpit.

Is that correct?

BR, Nico

istvanbokor
Product and Topic Expert

Hi Nico,

Yes, your summary is correct. I'm not sure what would be the most suitable in your scenario. Maybe you can contact your Account Executive to ask whether he has seen such a scenario.

Best regards,
Istvan

nicorunge
Participant

Hi Istvan,

thank you for helping me clarify all these things, I really appreciate that!

The main reason we want to use OIDC is this SAML restriction. We want to be able to call our CAP endpoints via a technical user created on an IAS. We will therefore focus on the third solution option, the SAML2 Bearer grant type.

best regards,

Nico
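For readers who want to see what the SAML2 Bearer grant type mentioned above actually looks like on the wire, here is an added example (not code from this thread, from SAP, or from the CAP application being discussed). It builds the token request defined by RFC 7522: the SAML assertion is base64url-encoded (padding stripped) and posted with `grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer`. It also runs the two checks a token service applies before issuing a token, the validity window and the audience, so a client can fail fast. The token endpoint, audience, issuer, client id and the unsigned sample assertion are all constructed placeholders; a real assertion from IAS is signed and the token service verifies that signature, which this example does not cover.

```python
"""RFC 7522 (SAML 2.0 Bearer Assertion) token request, built offline.

Added example, not from the thread or from SAP. All URLs, ids and the
sample assertion are constructed placeholders.
"""
import base64
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"  # RFC 7522 grant_type
XML_TIME = "%Y-%m-%dT%H:%M:%SZ"
ET.register_namespace("saml2", SAML_NS)

# Constructed placeholders (not values from the thread or any real tenant).
TOKEN_ENDPOINT = "https://placeholder-subaccount.authentication.example.com/oauth/token"
EXPECTED_AUDIENCE = "placeholder-token-service-audience"


def _tag(name):
    return "{%s}%s" % (SAML_NS, name)


def build_sample_assertion(subject, issuer, audience, not_before, not_on_or_after):
    """Return a minimal, UNSIGNED SAML 2.0 assertion as bytes (constructed sample)."""
    assertion = ET.Element(_tag("Assertion"), {"Version": "2.0", "ID": "_sample"})
    ET.SubElement(assertion, _tag("Issuer")).text = issuer
    subj = ET.SubElement(assertion, _tag("Subject"))
    ET.SubElement(subj, _tag("NameID")).text = subject
    conditions = ET.SubElement(assertion, _tag("Conditions"), {
        "NotBefore": not_before.strftime(XML_TIME),
        "NotOnOrAfter": not_on_or_after.strftime(XML_TIME),
    })
    restriction = ET.SubElement(conditions, _tag("AudienceRestriction"))
    ET.SubElement(restriction, _tag("Audience")).text = audience
    return ET.tostring(assertion, encoding="utf-8")


def check_assertion(xml_bytes, expected_audience, now):
    """Return the reasons (RFC 7522 section 3) a token service would reject this assertion."""
    root = ET.fromstring(xml_bytes)
    if root.tag != _tag("Assertion"):
        return ["not a SAML 2.0 Assertion"]
    conditions = root.find(_tag("Conditions"))
    if conditions is None:
        return ["missing Conditions element"]
    problems = []
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_on_or_after is None:
        problems.append("missing NotOnOrAfter (an expiry is mandatory)")
    elif now >= datetime.strptime(not_on_or_after, XML_TIME).replace(tzinfo=timezone.utc):
        problems.append("assertion expired at %s" % not_on_or_after)
    not_before = conditions.get("NotBefore")
    if not_before and now < datetime.strptime(not_before, XML_TIME).replace(tzinfo=timezone.utc):
        problems.append("assertion not yet valid until %s" % not_before)
    audiences = [a.text for a in conditions.iter(_tag("Audience"))]
    if expected_audience not in audiences:
        problems.append("audience %r not in %r" % (expected_audience, audiences))
    return problems


def build_token_request(xml_bytes, client_id):
    """Assemble the POST body: base64url assertion without '=' padding, per RFC 7522."""
    encoded = base64.urlsafe_b64encode(xml_bytes).rstrip(b"=").decode("ascii")
    body = urlencode({"grant_type": SAML2_BEARER, "assertion": encoded, "client_id": client_id})
    # Client authentication (e.g. HTTP Basic with the client secret) is added by the caller.
    return {"url": TOKEN_ENDPOINT,
            "headers": {"Content-Type": "application/x-www-form-urlencoded"},
            "body": body}


def decode_assertion_param(body):
    """Undo the encoding step, as the token service does on receipt."""
    encoded = parse_qs(body)["assertion"][0]
    return base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4))


def demo(now=None):
    """Run the flow on constructed assertions; a fixed clock keeps results reproducible."""
    now = now or datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock
    issuer = "https://placeholder-tenant.accounts.ondemand.com"  # placeholder IAS issuer
    fresh = build_sample_assertion("technical-user@example.com", issuer, EXPECTED_AUDIENCE,
                                   now - timedelta(minutes=1), now + timedelta(minutes=5))
    stale = build_sample_assertion("technical-user@example.com", issuer, EXPECTED_AUDIENCE,
                                   now - timedelta(minutes=10), now - timedelta(minutes=5))
    req = build_token_request(fresh, client_id="placeholder-client-id")
    return {"fresh_problems": check_assertion(fresh, EXPECTED_AUDIENCE, now),
            "stale_problems": check_assertion(stale, EXPECTED_AUDIENCE, now),
            "wrong_audience_problems": check_assertion(fresh, "other-audience", now),
            "roundtrip_ok": decode_assertion_param(req["body"]) == fresh,
            "request": req}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value if key != "request" else value["body"][:100] + "...")
```

The point for the scenario in this thread: the technical user never needs a BTP login or an S-User; it authenticates at IAS, receives an assertion whose audience is the provider's token service, and exchanges that assertion for an access token at the provider's token endpoint. The audience and expiry checks are what stop an assertion issued for one tenant from being replayed against another.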

FranciscoGP
Explorer

Hi @nicorunge @istvanbokor ,

Maybe I'm gonna say a crazy thing. But would it be technically possible to use an IAS (let's call it IAS-1) acting as a proxy to another IAS (IAS-2), added as a Corporate Identity Provider on IAS-1? Then, on your application on IAS-1, set a condition to redirect authentication to IAS-2?

IAS-1 should be bound to the Global Account where your CAP application is hosted.

That way, you would have a subaccount trusting your IAS-1 (added with the OIDC protocol), and IAS-1 relaying authentication to IAS-2.

Regards,

Francisco

nicorunge
Participant

Hi @Francisco,

thanks for reading the long discussion and your suggested solution! I really appreciate it!

I'm far from an IAS expert, but I think I understood your suggestion. It would look something like this:

  • Customer SuccessFactors System
  • Customer IAS
  • Provider IAS
  • Provider BTP/CAP Application

How complicated is it to set up an authentication redirect?
Would you say one should use a new IAS per customer to keep this separate in a multitenant context?

I am very curious about @istvanbokor's opinion on whether this is a possible/valid approach, or whether SAP currently has other recommendations on how a customer IAS can be connected via OIDC.

Thanks & regards
Nico