In this blog I will go through the steps to integrate IAG with an SAP BTP subaccount (Cloud Foundry). This blog is not applicable to the Neo environment.
The SAP Cloud Identity Access Governance solution offers multiple core services that help streamline identity and access management. You can use individual services independently or combine them with others. With this product, you can also integrate cloud applications that belong to SAP and its partners. In addition, customers whose primary system is SAP Access Control 12.0 can use the Cloud Bridge scenario to access the same services or applications in the cloud environment. This is a multi-tenant product built on top of SAP Business Technology Platform (SAP BTP).
SAP Cloud Identity Access Governance is available as a cloud bundle solution. It includes two other services – Identity Provisioning and Identity Authentication that are essential for successfully configuring the product.
Prerequisite: an IAG administrator, an SAP BTP administrator, or someone with knowledge of SAP BTP should perform this setup.
Make sure you have completed the initial setup for IAG (IAS and IPS enablement) before following the steps below.
There are four overall steps to enable integration between SAP Business Technology Platform (SAP BTP) and the SAP Cloud Identity Access Governance solution and its services:
1. Connect Identity Provisioning with IAG.
2. Create a proxy system for Cloud Foundry in the IPS.
3. Create an instance for Cloud Foundry in the IAG.
4. Run the repository sync job to sync user data and provision access requests.
The URL for Identity Provisioning is as follows:
https://UNIQUEID.accounts.ondemand.com/ips
Log in to the IAS > User & Authorizations > Administrators > Add System User and grant the Access Proxy System API access. Note down the Client ID and Secret (once the secret is generated, you cannot retrieve or change it).
Log in to the IAG BTP subaccount and create a destination with the name IPS_PROXY, as shown in the table below.
Enter the Properties listed in the table below for the destination. All properties must be entered. Some properties must be added as Additional Properties. Copy the names of all properties as displayed. Property names and values are case sensitive.
Check the Use default JDK truststore checkbox.
Save your entries. You can test the destination in the BTP Cockpit; however, because the URL does not point to a valid Identity Provisioning API, the check shows a green status even though the actual response is HTTP 301 or similar.
Property | Value |
---|---|
Name | IPS_PROXY |
Type | HTTP |
Description | IPS Destination |
URL | https://<<YOUR_IPS_URL_BUT_WITHOUT_THE__ips>> (for example: https://UNIQUEID.accounts.ondemand.com) |
Proxy Type | Internet |
Authentication | BasicAuthentication |
User | <<CLIENT_ID_FROM_STEP_1_ABOVE>> |
Password | <<SECRET_FROM_STEP_1_ABOVE>> |
Accept | application/scim+json |
GROUPSURL | /Groups |
serviceURL | /ipsproxy/service/api/v1/scim/ |
USERSURL | /Users |
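Because the cockpit destination check only reaches the base URL (green on an HTTP 301), a real verification has to call the proxy SCIM API itself. The script below is an added example, not code from the original post or from SAP: it builds the proxy URL from the IPS_PROXY properties and classifies the response. It assumes the proxy path is serviceURL + external system ID (from the IPS Systems app, set up later in this post) + USERSURL, and that the same Client ID/Secret used as User/Password is sent as basic auth.

```python
# Added example (not the original post's code): probe the IPS proxy SCIM API
# behind the IPS_PROXY destination directly, because the cockpit destination
# check only hits the base URL and reports green on an HTTP 301.
# Assumption: the proxy path is serviceURL + <external system ID> + USERSURL.
import base64
import json
import urllib.error
import urllib.request

# Destination properties from the IPS_PROXY table (placeholder tenant).
IPS_PROXY = {
    "URL": "https://UNIQUEID.accounts.ondemand.com",
    "serviceURL": "/ipsproxy/service/api/v1/scim/",
    "USERSURL": "/Users",
    "GROUPSURL": "/Groups",
    "Accept": "application/scim+json",
}

LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


def build_scim_url(props, system_id, resource="USERSURL"):
    """Join base URL, serviceURL, proxy system ID and resource path."""
    base = props["URL"].rstrip("/")
    service = props["serviceURL"].strip("/")
    return f"{base}/{service}/{system_id}{props[resource]}"


def interpret_probe(status, content_type, body):
    """Turn an HTTP result into a verdict the destination check cannot give."""
    if status in (301, 302):
        return "redirect"      # base URL answered, not the SCIM API
    if status in (401, 403):
        return "unauthorized"  # Client ID/Secret wrong or lacks proxy API access
    if status == 200 and "scim+json" in content_type:
        if LIST_SCHEMA in json.loads(body).get("schemas", []):
            return "ok"        # genuine SCIM ListResponse from the proxy system
    return f"unexpected:{status}"


def probe(props, system_id, client_id, secret):
    """Live request with the destination's basic-auth credentials (needs network)."""
    cred = base64.b64encode(f"{client_id}:{secret}".encode()).decode()
    req = urllib.request.Request(build_scim_url(props, system_id), headers={
        "Authorization": f"Basic {cred}", "Accept": props["Accept"]})
    try:
        with urllib.request.urlopen(req, timeout=20) as resp:
            return interpret_probe(resp.status, resp.headers.get("Content-Type", ""), resp.read())
    except urllib.error.HTTPError as err:
        return interpret_probe(err.code, err.headers.get("Content-Type", ""), err.read())
```

Run `probe(IPS_PROXY, "<external system ID>", "<Client ID>", "<Secret>")` once the proxy system exists; anything other than "ok" means the destination or credentials still need attention.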
Space Creation
Choose the service and plan details as shown below and create the instance.
Once the instance has been created, open it and create the service key.
Service Key Creation
Open your Identity Provisioning Launchpad.
Copy the external system ID and use it to set up the Cloud Foundry instance in the Systems app.
Add a proxy system for Cloud Foundry and choose Save. The Type should be SAP BTP XS Advanced UAA.
Field | Value |
---|---|
Type | SAP HANA XS Advanced UAA Server |
System Name | XSUAA |
Destination Name | |
Description | XSUAA test system |
Enter the properties as shown in the table below.
Property | Value |
---|---|
Type | HTTP |
Authentication | BasicAuthentication |
ProxyType | Internet |
URL | <<apiurl_FROM_STEP_2.1_ABOVE>> |
OAuth2TokenServiceURL | <<URL_FROM_STEP_2.1_ABOVE>>/oauth/token |
User | <<CLIENT_ID_FROM_STEP_2.1_ABOVE>> |
Password | <<SECRET_FROM_STEP_2.1_ABOVE>> |
xsuaa.origin | Enter the location of your identity provider. To do this: |
xsuaa.origin.filter.enabled | true |
scim.support.patch.operation | true |
xsuaa.patch.response.with.resource | false |
Log into the SAP Cloud Identity Access Governance launchpad and open the Application app.
Create a system for Cloud Foundry. For System Type, select Cloud Foundry.
Enter the external system ID noted in step 2.2 (section Create Proxy System) and save.
In the SAP Cloud Identity Access Governance launchpad, open the Job Scheduler app. In the Job Category dropdown list, schedule the following jobs:
https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/e12d8683adfa4471ac4edd40809b9038/c299...
https://help.sap.com/docs/identity-provisioning/identity-provisioning/proxy-sap-btp-xs-advanced-uaa-...
Note: Please share your feedback or thoughts in a comment below or ask questions in the Q&A tag area here about SAP Cloud Identity Access Governance.