
Users/Identity provider service sap BTP

prasad
Participant
1,020

Hi Team,

Wanted to understand the licensing cost of the SAP BTP default identity provider. We deploy certain apps in SAP subaccounts, and for a user who wants to access this app, we were creating a user in the default identity provider and providing certain roles.

If an app with a standalone app router is developed and this needs to be provided to around 10k users in an org, how would we handle this easily instead of adding 10k users in the default identity provider?

Have an idea that our Microsoft Active Directory services can be configured to be used as the IdP in SAP BTP. How does this affect the licensing cost?

How does the licensing cost in SAP BTP differ between 10k users created in the default provider and using an external IdP like Microsoft Active Directory as the identity provider service?

Regards

Prasad

Wallace
Active Participant

Hello Prasad,
As it's been a few days without an answer, I ask a question... Have you looked into Cloud Identity Services from SAP? I think it will contain part of the answer you look for.

Best Regards, Wallace

Accepted Solutions (0)

Answers (1)


Ivan-Mirisola
Product and Topic Expert
0 Kudos

Hi prasad.vsrk,

All BTP Subaccounts are created with a default IdP, which points to SAP ID Service. This service is not meant for productive solutions you deploy onto a BTP account. All customers are encouraged to switch the IdP of all productive subaccounts to a productive IdP.

SAP offers customers SAP Identity and Authentication Service (a.k.a.: IAS). This BTP service can be easily integrated into any BTP subaccount to provide authentication services using SAML 2.0 protocol to all BTP applications. IAS can also be integrated with any other SAML 2.0 compliant system - such as ADFS - by proxying authentication requests to them. So you could have a mix of users where some are persisted/managed by IAS and some are persisted on AD (via ADFS):

https://blogs.sap.com/2018/11/06/sap-cloud-platform-authentication-setup-using-ias-with-on-premise-c...

SAP doesn't encourage you to create all of your 10K users in SAP ID Service. This service is used by SAP to provide authentication services for its own services (like me.sap and all other SAP websites). Therefore, SAP is entitled to make any changes to this system without prior notice - and you may end up with an unwanted downtime that could be neither related to BTP nor your own systems.

The service metric is based on: Logon Request is a single authentication request managed by the Cloud Service. Multiple authentication requests by the same user in a single day are counted as a single logon request.

This BTP service is now included with all BTP Global Accounts as long as you are not integrating it with 3rd party solutions (such as Azure AD, ADFS or any other SAML compliant service). If you are using it to perform logons with any SAP SaaS, BTP Application or SAP On-Premise solutions, you are not going to consume this metric. The metric is counted when you use IAS integrated with 3rd party solutions.

IAS allows you to create users via CSV or via Self-Service UI - so your users could be provisioned on IAS easily:

https://help.sap.com/docs/identity-authentication/identity-authentication/import-csv-file-with-full-...

https://help.sap.com/docs/identity-authentication/identity-authentication/configure-user-access-to-a...

For more information, please read:

https://discovery-center.cloud.sap/serviceCatalog/identity-authentication?region=all

Best regards,
Ivan

melhughes1946
Discoverer

These questions are addressed to @Ivan Mirisola. I see from your Profile that you: "..help SAP Partners design and develop their solutions on top of SAP BTP and related technologies". Our team is particularly interested in developing solutions on top of BTP in an environment where 90% of our 'As-Is' platform plus SAP components remain in an On-Prem enclave and where we're incrementally transitioning to cloud service provision. I've been studying the "Security & Authorization for BTP" certification and gain the impression that BTP is an ideal platform against which to manage such a transition. If I'm correct, please point me in the direction of any Strategic Planning / Operational Design Guide documentation produced by SAP (et al) which provides strategies and tactics which our Team may follow to achieve such a transition. While writing, I'm contracted at a Canadian Government defence agency which must comply with stringent confidentiality regulatory requirements, so the classification of BTP as a platform and the IAS as an IdP service has been questioned. Therefore, this is to ask whether SAP has plans to assure "Secret" level classification of data transiting through or at rest in the BTP.

Ivan-Mirisola
Product and Topic Expert
0 Kudos

Hi melhughes1946,

Could you please post such questions on a new question as it is a completely new topic?

Best regards,
Ivan