Introduction

In this blog, I describe how to set up SAP's custom identity provider (IdP) to configure basic inbound authentication for sender systems that call integration flow endpoints, or for API clients that access the OData API.

When setting up trust relationships in the SAP BTP cockpit, the SAP ID service is used as the default identity provider in most cases. However, you have the option to define a custom IdP as your default IdP.

This procedure only works for SAP Identity Authentication Service.

Prerequisites

  • You already have a Cloud Integration tenant provisioned in a Cloud Foundry subaccount, or you have enabled the Cloud Integration capability of SAP Integration Suite.
  • You have subaccount administrator permissions, or you are a security administrator.
  • You have access to an SAP Cloud Identity Services – Identity Authentication tenant that is used as the identity provider hosting your business users.

Description

Create a service instance for the XS User Authentication and Authorization Service (XSUAA) under the apiaccess plan:

  1. From your subaccount, choose Instances & Subscriptions from the left pane and click Create. Specify the parameters as shown in the screenshot below.
  2. Specify your existing space and enter a meaningful name for your instance. Click Next.
  3. Enter the JSON below as parameters and click Next to review:
    {"roles": ["xs_idp.read", "xs_idp.write"]}
  4. Click Create to create the service instance for XSUAA under the apiaccess plan.
  5. Select the service instance and choose Create Service Key.
  6. Enter a name for the service key.

  7. Choose Create.

  8. Choose the newly created service key to display its details. Values from the service key are used in the subsequent calls.

  9. Use a REST client (for example, Postman) and request an access token by providing details from the service key:

    URL: https://<url from service key>/oauth/token?grant_type=client_credentials
    Authorization: Basic Auth
    User: clientid (from service key)
    Password: clientsecret (from service key)
  10. Use the access_token value from the response body of this call for all subsequent calls in the following sections.

Create a custom OpenID Connect (OIDC) IdP for your XSUAA tenant:

  1. To establish a trust relationship between XSUAA and an IAS tenant, first list all IAS tenants available to your XSUAA tenant by calling the URL below with a REST client:
  2. Operation: GET
    URL: value of apiurl from the service key, suffixed with /sap/rest/identity-providers/ias
    Example: https://api.authentication.sap.hana.ondemand.com/sap/rest/identity-providers/ias
    Authorization: Bearer Token
    Token: value from the previous step
  3. As a result, you get your IAS tenant in JSON format:
    {
    "displayName": "<name of your IAS>",
    "host": "<IAS host>"
    }
  4. Choose the host of your IAS tenant from the returned list and use it in the body of a POST request to configure IAS as an OpenID Connect IdP:
  5. Operation: POST
    URL: value of apiurl from the service key, suffixed with /sap/rest/identity-providers/
    Example: https://api.authentication.sap.hana.ondemand.com/sap/rest/identity-providers/
    Authorization: Bearer Token
    Token: value from the previous step
    Header: Content-Type with value application/json
    Body:
    {
    "type": "oidc1.0",
    "config": {
    "iasTenant": {
    "host": "<IAS host value from GET request>"
    }
    }
    }
  6. The response to this POST request should be 201 Created. With this, trust is established between the XSUAA of the subaccount and the IAS IdP via OpenID Connect (OIDC).
  7. The result can also be verified in the SAP BTP cockpit. From your subaccount, choose Trust Configuration from the left pane. Your IAS tenant now appears in the list of trusted IdPs:

Configure the custom IAS as the default IdP:

  1. To configure the custom IAS as the default IdP for your subaccount, perform a PATCH request with a REST client:
    Operation: PATCH
    URL: value of apiurl from the service key, suffixed with /sap/rest/authorization/v2/securitySettings
    Example: https://api.authentication.sap.hana.ondemand.com/sap/rest/authorization/v2/securitySettings
    Authorization: Bearer Token
    Token: value from the previous step
    Header: Content-Type with value application/json
    Body:
    {
    "defaultIdp": "sap.custom"
    }
  2. The PATCH request returns HTTP 200 OK and a response body containing:
    "defaultIdp": "sap.custom"
  3. Now both SAP's default IdP (SAP ID service) and SAP's custom IdP (IAS) are active. Depending on your requirements, you may keep both active or deactivate the default IdP, in case only the custom OIDC IdP created above is to be used.
  4. To deactivate the SAP ID service, perform the following steps:
    1. Go to SAP BTP cockpit.
    2. Select your subaccount.
    3. Choose Trust Configuration from the left pane.
    4. Choose Edit and set the Status parameter to Inactive.

Once you have completed the steps above, you can use the users of your new IdP and assign Cloud Integration roles or role collections to users registered on the IAS tenant. When assigning Cloud Integration roles, choose Custom IAS Tenant from the Identity Provider drop-down list. Role mapping assignment can also be used as usual.
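The three admin calls above, chained with the status checks a practitioner would want before moving to the next step, as an added Python example that is not from the original post. The service key values are constructed, the `send` callback (one HTTP request in, `(status, json_body)` out) is supplied by the caller, and the `expected_host` check is an assumption added so that trust is only established with the IAS tenant you actually administer.

```python
import base64
import json

# Constructed service key with the fields the procedure uses (real values are tenant specific)
SERVICE_KEY = {
    "url": "https://mysubaccount.authentication.sap.hana.ondemand.com",
    "apiurl": "https://api.authentication.sap.hana.ondemand.com",
    "clientid": "sb-demo-apiaccess!b1",
    "clientsecret": "REPLACE_WITH_SERVICE_KEY_SECRET",
}

def token_request(key):
    # Step 9: client_credentials grant, HTTP Basic auth with clientid:clientsecret
    creds = base64.b64encode(f"{key['clientid']}:{key['clientsecret']}".encode()).decode()
    return {"method": "POST", "url": key["url"] + "/oauth/token?grant_type=client_credentials",
            "headers": {"Authorization": "Basic " + creds}, "body": None}

def api_request(key, token, method, path, body=None):
    # Every admin call: bearer token from the token step, JSON body when present
    headers = {"Authorization": "Bearer " + token}
    if body is not None:
        headers["Content-Type"] = "application/json"
    return {"method": method, "url": key["apiurl"] + path, "headers": headers,
            "body": None if body is None else json.dumps(body)}

def configure_default_idp(key, expected_host, send):
    """Chain the calls from the procedure. `send(request) -> (status, json_body)` is an
    assumed caller-supplied function (e.g. a thin wrapper around urllib or requests)."""
    status, resp = send(token_request(key))
    if status != 200:
        raise RuntimeError(f"token request failed: {status}")
    token = resp["access_token"]
    status, resp = send(api_request(key, token, "GET", "/sap/rest/identity-providers/ias"))
    if status != 200:
        raise RuntimeError(f"listing IAS tenants failed: {status}")
    tenants = resp if isinstance(resp, list) else [resp]
    # Trust only the tenant you administer, not whatever the list happens to return first
    if expected_host not in {t["host"] for t in tenants}:
        raise RuntimeError(f"{expected_host} is not available to this XSUAA tenant")
    body = {"type": "oidc1.0", "config": {"iasTenant": {"host": expected_host}}}
    status, _ = send(api_request(key, token, "POST", "/sap/rest/identity-providers/", body))
    if status != 201:
        raise RuntimeError(f"creating OIDC trust failed: {status}")
    status, resp = send(api_request(key, token, "PATCH",
                                    "/sap/rest/authorization/v2/securitySettings",
                                    {"defaultIdp": "sap.custom"}))
    if status != 200 or resp.get("defaultIdp") != "sap.custom":
        raise RuntimeError(f"setting default IdP failed: {status} {resp}")
    return {"host": expected_host, "defaultIdp": resp["defaultIdp"]}
```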

Randa Khaled

Author Since: November 19, 2020