SAP IAS Federated Access AWS Cognito

diego_lima3
Explorer
0 Kudos
200

Hello SAP-Community,

In a recent project for a client, we had a feature request that consisted of making a Fiori application available in SAP BTP Work Zone, so far so good. Currently, this client has a mobile application developed by a third party that uses AWS Cognito as an identity provider (IdP), and our need is to provide access to this Fiori application without requesting a new login.

My question would be whether it is possible to establish a trust relationship between SAP IAS and AWS Cognito so that a new login operation is not required. If so, is there any documentation or a step-by-step guide to help us?

Thanks in advance.

Juliuspereira
Active Contributor
0 Kudos

Hi Diego,

What is your current setup? Do you have IAS today, or is Build Work Zone talking directly with your IdP? Where is the third-party app hosted? In BTP?

I believe the steps should be the same to establish trust between Build Work Zone, IAS and any IdP.

Thank you.

Julius

diego_lima3
Explorer
0 Kudos

Hi Julius,

I'm not very familiar with the current landscape of this client; as far as I know, they have only very recently started introducing SAP BTP solutions for their customers. But what I do know is that they are using AWS solutions for hosting their systems, which is why they want to integrate AWS Cognito with SAP IAS, avoiding a new login screen and separate user management as well.

I've seen some tutorials on the SAP Developers tutorial page, but I've only found the steps to integrate Microsoft Azure (Entra ID) with SAP IAS, nothing about AWS Cognito. I tried to follow those steps, but I'm not sure whether it was done right, which is why I'm asking for some guidance/advice on how to proceed with it.

In my SAP BTP trial account, the Work Zone and IAS trust is set up automatically when the booster completes, but I'm kinda lost with the procedure between SAP IAS and AWS Cognito.

Juliuspereira
Active Contributor

Hi Diego,

In general there isn't much in the setup, even though it sounds complex. 🙂

You exchange metadata between the two, AWS and IAS. Basically, the IAS metadata will be exported and used in AWS to create an app, and the AWS metadata will be exported and used in IAS to create an application. Once this is done, the trust is established between AWS and IAS.

Once that is done, you have 2 options depending on whether AWS is your IdP or you want IAS to be the IdP.

1. If AWS is the IdP, then you can just set IAS as a proxy using conditional authentication. So when the request comes from the user, IAS just passes that request to AWS for authentication etc. This is the simplest approach, and all you need to do is map parameters (e.g. first name, last name, user name etc.) in AWS in the app that was created for IAS.

2. If, however, you want IAS to be the IdP going forward, then there is much more involved: you need to sync or create users in IAS, which will then be used as the IdP for user authentication for the app. You will also have to adjust/map certain parameters (e.g. first name, last name, user name etc.) between IAS and your end-user application.

I hope this gives you some insight into the setup.

Julius

P.S.: The booster did just that. It set up trust between your IAS and the BTP subaccount where the Build Work Zone service resides.
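The metadata exchange Julius describes is where the trust actually gets anchored, so it is worth checking an exported metadata file before importing it on the other side. The following Python is an added example, not code from this thread, SAP or AWS: it parses a constructed SAML 2.0 IdP metadata document (entityID, endpoints and certificate text are all placeholders) and flags what would break or weaken the trust, such as a missing signing certificate or a non-HTTPS SSO endpoint.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample of SAML 2.0 IdP metadata; entityID, endpoints and the
# certificate text are placeholders, not values from any real tenant.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor entityID="https://idp.example.invalid/saml"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER_BASE64_CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.invalid/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://idp.example.invalid/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def summarize_idp_metadata(xml_text: str) -> Dict[str, object]:
    """Pull out the fields an admin compares against the IdP's own console."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    # A KeyDescriptor with no 'use' attribute serves both signing and encryption.
    certs = [c.text.strip() for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use") in (None, "signing")
             for c in kd.iter("{%s}X509Certificate" % NS["ds"])]
    # Key the endpoints by the short binding name (HTTP-POST, HTTP-Redirect).
    sso = {e.get("Binding").rsplit(":", 1)[-1]: e.get("Location")
           for e in idp.findall("md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"), "signing_certs": certs,
            "sso_endpoints": sso,
            "wants_signed_requests": idp.get("WantAuthnRequestsSigned") == "true"}

def check_idp_metadata(summary: Dict[str, object]) -> List[str]:
    """Return the problems that should block importing this metadata."""
    problems: List[str] = []
    if not summary["signing_certs"]:
        problems.append("no signing certificate: assertions cannot be verified")
    if not summary["sso_endpoints"]:
        problems.append("no SingleSignOnService endpoint")
    for binding, url in summary["sso_endpoints"].items():
        if not url.startswith("https://"):
            problems.append(f"{binding} endpoint is not HTTPS: {url}")
    return problems
```

Run `check_idp_metadata(summarize_idp_metadata(open("metadata.xml").read()))` on the real export; the sample above deliberately carries one plain-HTTP endpoint so the check has something to report.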