
Set Up Trust Between SAP Cloud Identity Services and SAP BTP, Cloud Foundry environment

Requires Customer/Partner License
Set up trust between SAP Cloud Identity Services - Identity Authentication and SAP Business Technology Platform, Cloud Foundry environment for secure communication via SAML 2.0 with SAP S/4HANA Cloud.
You will learn
  • How to set up your SAP BTP subaccount for secure communication via Security Assertion Markup Language (SAML) 2.0
  • How to set up SAP BTP subaccount on SAP Cloud Identity Services for secure communication
  • How to get necessary information from your SAP BTP subaccount and your SAP Cloud Identity Services tenant to set up the mutual trust between them
Peter Persiel, November 27, 2024
Created by: Liebherr, June 7, 2023
Contributors: Liebherr

Prerequisites

Authorizations: Your user needs
- Administrator access to your SAP Business Technology Platform (aka SAP BTP) Cloud Foundry subaccount
- Administrator access to your SAP Cloud Identity Services tenant

Glossary

Identity: individual people, but also computers, services, computational entities like processes and threads, or any group of such things

Identity Provider: system entity that creates, maintains, and manages identity information for identities

Identity Authentication: process of authenticating an identity

SAP Cloud Identity Services: SAP’s solution to enable identity authentication

SAP Cloud Identity Services tenant: a customer’s instance of the services

SAP Cloud Identity Services console: Web application to configure your tenant

Additional Information

Tutorial last updated in September 2024

Be aware that, when integrating with SAP S/4HANA Cloud, the Identity Authentication tenant used for the SAP BTP subaccount must be the very same one that is used for the SAP S/4HANA Cloud system.

Your SAP S/4HANA Cloud system was delivered by SAP with the trust between it and your SAP Cloud Identity Services tenant already configured. You now configure the trust between that tenant and your SAP BTP subaccount yourself.

SAP S/4HANA Cloud and the SAP BTP subaccount share the same Identity Provider

  • Step 1

    To set up the trust from Identity Authentication to the SAP BTP subaccount you need the subaccount’s SAML metadata.

    Enter SAP BTP Trust Configuration and get metadata
    1. Enter the SAP BTP subaccount’s cockpit as an administrator and expand the Security area.

    2. Open Trust Configuration.

    3. Click Download SAML Metadata.

    The metadata will be downloaded as XML file.

  • Step 2

    Open the SAP Cloud Identity Services administration console with its URL which follows the pattern:

    https://<YOUR_TENANTS_ID>.accounts.ondemand.com/admin

    The tenant ID is generated automatically by the system. The first administrator created for the tenant receives an activation e-mail containing a URL; this URL contains the tenant ID.

    Depending on your authorizations, the SAP Cloud Identity Services administration console entry screen looks like this:

    Enter SAP Cloud Identity Services administration console
  • Step 3

    The SAP BTP subaccount is represented in SAP Cloud Identity Services as Application.

    Choose Applications & Resources (1) and go to Applications (2). Click Create (3) on the left hand panel and enter a Display Name (4) to represent your SAP BTP subaccount. Create (5) the application.

    Add SAP BTP subaccount as application
  • Step 4
    1. The newly created application will be shown, choose SAML 2.0 Configuration.

      Configure application’s SAML 2.0 trust with SAP BTP subaccount
    2. Browse (1) for the SAML metadata XML file of your SAP BTP subaccount that you downloaded before and upload it.

      Upload SAP BTP subaccount’s metadata

      All the needed properties will be automatically fetched from the XML file.

    3. Save (2) the SAML 2.0 configuration.

  • Step 5

    Now you have to configure which attribute is used to identify users during SAML 2.0 secure communication. By default this is User ID, but since SAP S/4HANA Cloud works with Login Name by default, switch it to Login Name.

    1. Still being in your application’s Trust settings select Subject Name Identifier.

      Open Subject Name Identifier configuration
    2. Under Primary Attribute use Identity Directory as Source, choose Login Name as Value and save your changes.

      Set Login Name as application’s Subject Name Identifier
  • Step 6

    In the most common use case, SAP Cloud Identity Services - Identity Authentication does not act as the Identity Provider itself but as a proxy for an already existing corporate identity provider. This has to be set now.

    Still being in your application’s Trust settings scroll down and open Conditional Authentication.

    Open application’s identity provider configuration

    Under Default Authenticating Identity Provider select your corporate identity provider as Default Identity Provider and click Save.

    Set identity provider
  • Step 7

    To set the SAP Cloud Identity Services tenant as trusted identity provider in the SAP BTP subaccount next, you need to get its SAML metadata first.

    Open SAP Cloud Identity Services tenant’s settings - SAML 2.0 configuration
    1. Choose Applications & Resources

    2. Switch to Tenant Settings

    3. Go to Single Sign-On section

    4. Open SAML 2.0 Configuration

    5. Click the Download Metadata file button

      Button to start download of SAML 2.0 Metadata
    6. In the pop-up that opens, use Default certificate and press the Download button.

      Pop-up to download SAML 2.0 Metadata

    Alternatively, you can open the metadata XML by entering your tenant’s web address for it, which follows the pattern https://<YOUR_TENANTS_ID>.accounts.ondemand.com/saml2/metadata, and saving that XML to a file.

  • Step 8

    Switch back to your SAP BTP cockpit trust configuration.

    Choose New SAML Trust Configuration to add a trusted identity provider.

    Click New SAML Trust Configuration

    Upload the metadata XML file of your SAP Cloud Identity Services tenant in the Metadata File field and enter a Name (for example, the tenant ID). Save your changes.

    Upload identity tenant’s metadata as trusted identity provider and save
  • Step 9

    What is a synonym for your SAP BTP subaccount in the context of trust configuration?
