Set Up Trust Between Identity Authentication and SAP Business Technology Platform
- How to set up an SAP Business Technology Platform subaccount as a service provider for secure communication with Security Assertion Markup Language (SAML) 2.0
- How to register that subaccount as an application in SAP Cloud Identity Services - Identity Authentication for secure communication
- How to get the information you need from your SAP Business Technology Platform subaccount and your SAP Cloud Identity Services - Identity Authentication tenant to set up the mutual trust between them
Authorizations: Your user needs
- Administrator access to your SAP Business Technology Platform subaccount
- Administrator access to your SAP Cloud Identity Services - Identity Authentication tenant
Be aware that for an integration with S/4HANA Cloud, the Identity Authentication tenant used for the subaccount must be the very same tenant that is used for the S/4HANA Cloud system.
SAP delivers your S/4HANA Cloud system with the trust between it and your SAP Cloud Identity Services - Identity Authentication tenant already configured. The trust between that tenant and your SAP Business Technology Platform subaccount is what you configure yourself in this tutorial.
- Documentation: SAP Cloud Identity Services - Identity Authentication
- SAP S/4HANA Cloud Release (tutorial’s last update): 1911
- Step 1
Open the SAP Business Technology Platform subaccount as an administrator, expand the Security area and click Trust to open Trust Management.
- Step 2
To enable secure (SAML 2.0) communication, the SAP Business Technology Platform subaccount has to be set up as a service provider.
While in Trust Management, click Edit to change the default Local Service Provider.
Change and add the following information for your local provider:
Local Provider Name: <platform region's URL>/<subaccount name> (set automatically)
Click Generate Key Pair to create the key pair and certificate the subaccount uses to sign its SAML messages.
Save your changes.
Be aware that generating a new key pair later changes the certificate in the subaccount's metadata, so the application you create in Identity Authentication in the following steps would then need the fresh metadata uploaded again.
- Step 3
To set up the trust from Identity Authentication to the subaccount in the following steps, you need the subaccount's metadata.
Download the metadata by clicking Get Metadata.
- Step 4
Open the SAP Cloud Identity Services - Identity Authentication Administration Console with its URL, which follows this pattern:
The tenant ID is generated automatically by the system. The first administrator created for the tenant receives an activation e-mail with a URL in it, and this URL contains the tenant ID.
The entry screen of the SAP Cloud Identity Services - Identity Authentication Administration Console varies depending on your authorizations.
- Step 5
The subaccount is represented in SAP Cloud Identity Services - Identity Authentication as an application.
Choose Applications & Resources and go to Applications. Click + Add in the left-hand panel and enter the name of your SAP Business Technology Platform subaccount. Save your changes.
- Step 6
Click the newly created application on the left side and then click Trust. Choose SAML 2.0 Configuration.
Upload the metadata XML file of your SAP Business Technology Platform subaccount. The upload takes the needed service provider properties, such as the entity ID, the assertion consumer service endpoint and the signing certificate, from the XML file. Save the configuration settings.
- Step 7
Now you have to configure which attribute is used to identify users during secure SAML 2.0 communication. By default this is User ID, but because S/4HANA Cloud works with Login Name by default, it shall be switched to that.
Still being in your application’s Trust settings, select Subject Name Identifier.
Under Basic Configuration choose Login Name from the dropdown list for the attribute and save your changes.
- Step 8
In the most common use case, SAP Cloud Identity Services - Identity Authentication does not act as the identity provider itself but as a proxy for an already existing corporate identity provider. If that is your setup, configure it now.
In your application's Trust settings, switch to Conditional Authentication.
Select your corporate identity provider as Default Identity Provider and click Save.
- Step 9
To set the Identity Authentication tenant as a trusted identity provider in the SAP Business Technology Platform subaccount, you first need the tenant's metadata.
Open the metadata XML by entering your tenant's web address for it, which follows this pattern:
Save that XML to a file.
- Step 10
Switch back to your SAP Business Technology Platform cockpit and go to your trust settings.
Choose Application Identity Provider to add a trusted identity provider.
Upload the metadata XML file of your Identity Authentication tenant in the Metadata File field. Save your changes.
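Before the two uploads (the subaccount's service provider metadata in Step 6, the tenant's identity provider metadata in Step 10), it is worth checking what each file actually declares: the entity ID, the signing certificate and the endpoints the other side will trust. The following script is an added example and not part of the original tutorial or of any SAP tooling; it uses only the Python standard library. The XML samples, host names and entity IDs in it are constructed stand-ins for real exports, and the certificate values are placeholder bytes rather than real DER certificates.

```python
"""Inspect the SAML 2.0 metadata exchanged in this tutorial (standard library only)."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-ins for the DER certificates a real export contains.
FAKE_SP_CERT = base64.b64encode(b"constructed SP signing certificate").decode()
FAKE_IDP_CERT = base64.b64encode(b"constructed IdP signing certificate").decode()

# Constructed sample of a subaccount's "Get Metadata" export (Step 3). Host
# names and entity IDs are assumptions, not a real region or subaccount.
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://example-region.example.com/example-subaccount">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{FAKE_SP_CERT}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-region.example.com/example-subaccount/saml2/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample of an Identity Authentication tenant's metadata (Step 9).
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://example-tenant.accounts.example.com">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{FAKE_IDP_CERT}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-tenant.accounts.example.com/saml2/idp/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example-tenant.accounts.example.com/saml2/idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_metadata(xml_text):
    """Return the trust-relevant facts from one SAML 2.0 EntityDescriptor."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    idp = root.find("md:IDPSSODescriptor", NS)
    role_el = sp if sp is not None else idp
    if role_el is None:
        raise ValueError("neither SPSSODescriptor nor IDPSSODescriptor present")
    info = {"entity_id": root.get("entityID"),
            "role": "SP" if sp is not None else "IdP",
            "signing_cert_sha256": [],
            "name_id_formats": [f.text.strip() for f in role_el.findall("md:NameIDFormat", NS)],
            "endpoints": []}
    for kd in role_el.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without "use" serves both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            info["signing_cert_sha256"].append(hashlib.sha256(der).hexdigest())
    # SP metadata declares where assertions go; IdP metadata where requests go.
    endpoint_tag = "md:AssertionConsumerService" if sp is not None else "md:SingleSignOnService"
    for ep in role_el.findall(endpoint_tag, NS):
        info["endpoints"].append((ep.get("Binding"), ep.get("Location")))
    if sp is not None:
        info["want_assertions_signed"] = sp.get("WantAssertionsSigned", "false").lower() == "true"
    return info


def check_trust_pair(sp_info, idp_info):
    """Sanity checks worth running before uploading the two files."""
    findings = []
    if (sp_info["role"], idp_info["role"]) != ("SP", "IdP"):
        findings.append("roles swapped: SP metadata goes to the IdP, IdP metadata to the subaccount")
    if sp_info["entity_id"] == idp_info["entity_id"]:
        findings.append("SP and IdP share the same entityID")
    for side in (sp_info, idp_info):
        if not side["signing_cert_sha256"]:
            findings.append(f"{side['role']} metadata carries no signing certificate")
        if not side["endpoints"]:
            findings.append(f"{side['role']} metadata declares no endpoint")
        for _binding, location in side["endpoints"]:
            if not location.startswith("https://"):
                findings.append(f"{side['role']} endpoint is not HTTPS: {location}")
    if not sp_info.get("want_assertions_signed"):
        findings.append("SP does not require signed assertions")
    return findings


if __name__ == "__main__":
    sp, idp = parse_metadata(SAMPLE_SP_METADATA), parse_metadata(SAMPLE_IDP_METADATA)
    for side in (sp, idp):
        print(side["role"], side["entity_id"], "cert sha256:", side["signing_cert_sha256"][0][:16] + "...")
        for binding, location in side["endpoints"]:
            print("   ", binding.rsplit(":", 1)[-1], location)
    print("findings:", check_trust_pair(sp, idp) or "none")
```

Run it against the two real files by replacing the constructed samples with the file contents. The certificate fingerprint printed for the subaccount is the value to compare against what the application in Identity Authentication shows after the upload in Step 6; if you regenerate the subaccount's key pair, that fingerprint changes and the application needs the new metadata.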
- Step 11
What are synonyms for your SAP Business Technology Platform subaccount in the context of trust configuration?