Set Up Trust Between Identity Authentication and SAP Business Technology Platform Neo Environment

Enter the SAP Business Technology Platform subaccount as an administrator and expand the Security area to open Trust Management by clicking the Trust section.

To enable secure (Security Assertion Markup Language = SAML 2.0) communication the SAP Business Technology Platform Subaccount has to be set up as Service Provider.

Being in the trust management, click Edit to change the default Local Service Provider.

Change and add following information to your local provider:

Click Generate Key Pair

Save your changes.

Confirm the “Now you can proceed to configuring the trusted identity provider settings on the next tab.” pop up.

To set up the trust from Identity Authentication to the Subaccount soon you need the subaccount’s metadata.
Download the metadata by clicking Get Metadata.

Open the SAP Cloud Identity Services - Identity Authentication Administration Console with its URL which follows the pattern:

https://<YOUR_TENANTS_ID>.accounts.ondemand.com/admin

Tenant ID is an automatically generated ID by the system. The first administrator created for the tenant receives an activation e-mail with a URL in it. This URL contains the tenant ID.

SAP Cloud Identity Services - Identity Authentication Administration Console entry screen looks (depending on authorizations) like that

The SAP BTP subaccount is represented in SAP Cloud Identity Services as Application.

Choose Applications & Resources (1) and go to Applications (2). Click Create (3) on the left hand panel and enter a Display Name (4) to represent your SAP BTP subaccount. Create (5) the application.

1. The newly created application will be shown, choose SAML 2.0 Configuration.

   

2. Browse (1) for the SAML metadata XML file of your SAP BTP subaccount that you downloaded before and upload it.

   

   All the needed properties will be automatically fetched from the XML file.

3. Save (2) the SAML 2.0 configuration.

Now you have to configure which attribute is used to identify users during SAML2.0 secure communication. By default this is User ID, but as SAP S/4HANA Cloud by default works with Login Name it shall be switched to that.

1. Still being in your application’s Trust settings select Subject Name Identifier.

   

2. Under Primary Attribute use Identity Directory as Source, choose Login Name as Value and save your changes.

   

As most common use case the SAP Cloud Identity Services - Identity Authentication does not act as Identity Provider itself but as proxy for an already existing corporate identity provider. This has to be set now.

Still being in your application’s Trust settings scroll down and open Conditional Authentication.

Under Default Authenticating Identity Provider select your corporate identity provider as Default Identity Provider and click Save.

Save that XML to a file.

To set the SAP Cloud Identity Services tenant as trusted identity provider in the SAP BTP subaccount next, you need to get its SAML metadata first.

1. Choose Applications & Resources

2. Switch to Tenant Settings

3. Go to Single Sign-On section

4. Open SAML 2.0 Configuration

5. Click the Download Metadata file button

   

6. In the pop-up that opens, use Default certificate and press the Download button.

   

Alternatively you can open the metadata XML by entering your tenant’s web address for it which follows pattern https://<YOUR_TENANTS_ID>.accounts.ondemand.com/saml2/metadata and saving that XML to a file.

Switch back to your SAP BTP cockpit and the Neo subaccount’s trust management.

Choose Application Identity Provider to add a trusted identity provider.

Upload metadata XML file of your SAP Cloud Identity Services tenant in the Metadata File field. Add it as identity provider.