SAP Cloud Identity Service is the cloud service for authentication, single sign-on and user management for SAP Cloud Applications. Many customers use Identity Authentication Service (as the Identity provider, or the Identity Authentication is used as a proxy to the existing corporate Identity providers.
As the software landscapes become complex due to hybrid model, it creates a challenge for identity services.
In this blog series we would like to answer some common “How to?” questions, starting with How to configure admin user in Identity Authentication.
Cloud Identity Services
An instance of the SAP Cloud Identity Authentication Service (Authentication)
Initial Setup: Who?
The tenant administrator who received the welcome email will have the full access to start the setup. In most cases, the email is sent to the IT person who was nominated / named by the customer.
Go to the Authentication admin console and click on Users & Authorizations -> Administrators
Click on Add
The first thing you need make sure is to add a standby admin user with all authorization as a backup, this would help one to have at least two users who could login before the setup is completed.
Once you add the user, the new admin user would receive an email with access link to the Authentication tenant admin console. You could also check the user in “User Management”.
Protecting the Admin user with Multi-Factor Authentication (MFA)
Identity Authentication supports Multi Factor Authentication (MFA) using the Time-based one-time password (TOTP) , Web Authentication and E-Mail One-time password (OTP) option, once you enable them and the operation is successful you see the below system messages
Two Factor Authentication for the Admin User
Here I am selecting TOTP (time based one-time password) once this is done, the admin will have to register using the SAP Authenticator app or similar apps and then to use the passcode generated for every login thereafter
I would like to also share how the admin could configure the Two-Factor Authentication in IAS. My colleague marko.sommer covered it here.
Configuring System Notifications and Alerts
System alerts are critical as they inform the admin for any changes made in the instance, the tenant admin should configure the system notifications via e-mails prior to start creating the user base for Identity Authentication tenant.
These settings are not set by default and the admin should configure e-mail notifications and alerts. By doing so will get notified about expiring certificates, system notifications and addition of new administrators to the Identity Authentication tenant.
Configuring Identity Authentication Service as Proxy
Identity Authentication Service could be configured to use with existing single sign-on infrastructure with the corporate IdP. These are based on SAML standards where Identity Authentication acts as a proxy. Doing so can simplify the authentication setup with existing infrastructure and SAP applications, the Identity Authentication would just forward the authentication data from IdP to the applications instead of storing data, or it could enrich the user profile. In this example we are considering Azure AD as the corporate IdP.
Next, configure the Identity Authentication by creating a new corporate Identity Provider and give a name, here its would “Azure AD IdP”
Upload the metadata XML from Azure AD here
Select the Identity Provider as Microsoft ADFS / Azure AD (SAML 2.0)
Set the Name Id Format to E-Mail and Allow Create to “Default”
And finally, change the default identity provider in admin console
Now, when I access the Admin portal after logout, it would take me to the Azure AD login page and after successful login the Admin page is accessible.
In this first blog post, we described the steps Admin user has to initially perform once they receive the tenant and prior to implementing Single Sign-On (SSO) or other requirements like user provisioning or identity lifecycle management.
In my next post, we will talk about Multi-factor Authentication using TOTP.