cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Read only

SAP Cloud Identity Services and SAP ALM for business users

Go to solution
viacheslav1987
Explorer

on ‎2024 Nov 13 12:51 PM

0 Kudos
555

SAP Cloud ALM ; SAP Cloud Identity Services ; 

Dear SAP Community, 

I am working on getting more details and understanding of capabilities of SAP Cloud Identity Services through implementing cases focused on the integration of SAP Cloud Identity Services with local or customer identity providers, such as AD, ADFS, or local LDAP.

Currently, I would like to set the connection to SAP ALM for users who belong to a local identity provider (business users). We have many people who would like to work in ALM but I don't want to create manually the account for each user. The best is the user can login in ALM with the password of local identity provider and if the user belongs to the specific group in local Idp, then it should get a basic rights in ALM tenant. Specifically and most interesting, I am aiming to configure a scenario where users can log in to SAP ALM using their local identity provider passwords. From my understanding, there are three possible approaches:

  1. User provisioning operates in real-time, creating users upon their first connection to ALM. However, it appears that there is no target application related to ALM within IPS documentation.

  2. User provisioning operates in real-time, where the user is first created in IAS, with provisioning configured so that both source and target are set as IAS. A specific group can then be assigned to the user in IAS based on their group membership in the local identity provider. Using AD as a source in IPS is not good for us because we don't want to synch all AD users with IAS. *but may be we can use group as a filter to restrict the user list, however, AD as a source in IPS should be the last option if nothing else is available.

  3. Using the shadow user feature within the ALM tenant.

Questions:

  1. I have not found any documentation on configuring a scenario where a user can login to a BTP application using the login and password from a local identity provider. Is there guidance on this setup?

  2. Which of the three integrations above do you think would be the most effective for this task?

Thank you in advance for your feedback.

SAP Cloud ALM
SAP Cloud ALM
Software Product
SAP Cloud Identity Services
SAP Cloud Identity Services
SAP Business Technology Platform

Know the answer?

Help others by sharing your knowledge.

Answer

Need more details?

Request clarification before answering.

Show replies
Show replies
View Entire Topic
Paul_Babier
Product and Topic Expert
Product and Topic Expert
‎2024 Nov 28 12:45 PM
0 Kudos

Hello,

You need to set up a reverse proxy in the IAS tenant assigned to SAP Cloud ALM that forwards to the Corporate IDP.

More detailed information is in Help SAP : https://help.sap.com/docs/SUPPORT_CONTENT/btpcfsec/3361873417.html?q=IAS
https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/corporate-identity-provide...
https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/corporate-identity-provide...

Regards,

Paul

Show replies
Show replies
viacheslav1987
Explorer
‎2024 Nov 29 10:33 AM
0 Kudos

Hello Paul,

It seems the page https://wiki.one.int.sap/wiki/display/AGILE/Configuring+Corporate+IdPs is closed for the access. I tried to use my S-user or email to login, but received the error that I don't have an account.

 

Pick an account
Selected user account does not exist in tenant 'SAP SE' and cannot access the application 'https://accounts.sap.com' in that tenant. The account needs to be added as an external user in the tenant first. Please use a different account.
Paul_Babier
Product and Topic Expert
Product and Topic Expert
‎2024 Nov 29 11:05 AM
0 Kudos

Updated URLs

paula_augedahl
Product and Topic Expert
Product and Topic Expert
‎2025 May 12 5:21 PM
0 Kudos
Dear viacheslav1987, since an answer was provided to your question, and there has been no other activity on the topic, we have accepted the answer as a solution on your behalf. You can unaccept it anytime if the answer provided was not helpful enough or if you have further questions. Thank you for bringing this question to SAP Community! Best regards, Paula
Ask a Question