In today’s world, hardly any application is built in which there is no distinction between different users, roles or rights. Of course, the same also applies to SAP UI5 applications that are to run on the SAP Business Technology Platform. In this small post I would like to go into more detail about the configuration....

As modern enterprise landscape is evolving and becoming more and more cloud oriented, we have seen direct impact of this evolution on the way SAP customers run and deploy their mission critical applications. SAP customers are adopting SAP Business Technology platform to achieve their journey into cloud world. Without compromising security one of the key....

As part of the risk-based authentication concept, the Identity Authentication service (IAS) offers various options for multi-factor authentication. One of the alternatives is to use hardware security keys for strong phishing resistant access protection combined with ease-of-use for the end user. In this blog I will explain – jointly with Mr. Rolf Steinbrück from Yubico....

The SAP Task Center service enables integration with various SAP applications to provide a single entry point for end users to access all their assigned approval tasks. The tasks can be accessed by end users through the SAP Task Center Web application. This blog details integration of Task Center in BTP with S/4HANA on-premise. Prerequisites:....

SAP BTP Developer onboarding for SAP Build Apps. Pre-requisites, how to configure, and how to create an example project that accesses a back-end LoB system via a SAP BTP destination. Tutorial video embedded with references and additional information. For the main article, see SAP BTP Developer Onboarding | Hands-on Video Tutorials Anything to add? Leave....

Note: This blog post is the sixth part of a tutorial series. If you arrived here without reading the first part, please do so before you continue, and then come back here again. Part I explains the key concepts and technology standards for principal propagation in the context of calling a simple Web Service deployed on SAP Business Technology Platform (BTP)....

This blog post shows how to do client-credentials flow with IAS using “identity” service in SAP BTP. We create a minimalistic sample app2app scenario where 2 application communicate with each other while authentication is done with the OAuth flow called “client-credentials”. Used technologies: SAP Business Technology Platform (SAP BTP), Cloud Foundry Environment, SAP Cloud Identity....

This blog post shows how to do client-credentials flow with IAS using “identity” service in SAP BTP. We create a minimalistic sample app2app scenario where 2 application communicate with each other while authentication is done with the OAuth flow called “client-credentials”. The difference to previous tutorial is that this time we’re using a client certificate in order....

This blog post shows how to do client-credentials flow with IAS using 2 different instances of “identity” service in SAP BTP. We create a minimalistic sample app2app scenario where 2 application communicate with each other. Today, both apps are bound to a different instance of identity service. Used technologies: SAP Business Technology Platform (SAP BTP),....

This article goes through the best practice of authentication flow to identify who the user is and then goes through authorization flows if the user has permission for the roles assigned at a Group level. In this blog, we are also covering Top-Down User Sync Best Practice as well when users are assigned with appropriate group....

Welcome to How to configure Trust Configuration in Global Account in Cloud Foundry step-by-step. In this whitepaper we will discuss all the steps required in order to configure a trust configuration between Identity Authentication Service and BTP Cloud Foundry. The idea is to allow the platform users from an IAS tenant to login to global....

In this blog we cover some basics, explain the functionality, and use cases of the most relevant standards like SAML 2.0, OAuth 2.0, and OpenID Connect. In addition, we provide you with a configuration guideline that provides a deeper insight and supports your identity federation setup between your SAP IAS and Azure tenants. UPDATE: E-Book for this blog....

This is the final part of the 3 blog posts about the reference architecture for Identity and Access Management scenarios: SAP Reference architecture for IAM – Employee provisioning with Azure AD SAP Reference architecture for IAM – Employee provisioning with SAP IAS SAP Reference architecture for IAM – HR Driven identity lifecycle management – Recruit-to-Retire (this....

Introduction In this 2 part blog series, I will demonstrate how you can create a full-fledged web application using the Micronaut framework and the Groovy programming language. Micronaut is a cloud native JVM framework targeted specifically at creating microservices for the cloud. Micronaut has extremely fast startup time, leaves a low memory footprint and very easily....

Introduction This is in continuation to the earlier post wherein I explained how we can deploy a custom Micronaut app written in Groovy to SAP Cloud Foundry BTP. Please read the earlier post here. In this part I will explain how we can use SAP HANA cloud as a persistence layer for the application and how....

I’m still new to cloud development with SAP and got confused the other day about the different roles that exist in the BTP, IAS and Launchpad service. I want to write this blog to help people who are also just new in this environment. Simply put: BTP = Roles / Role Collections IAS = Groups Launchpad Service =....

Introduction There is no doubt that security is the MOST critical topic for any organization. Nowadays organizations cannot afford to have any security issues in their solutions. Especially in the cloud world, it is extremely important to bridge the gap between development and security. In my previous blog series Fundamentals of Security in SAP BTP, we....

This blog will explain the steps that need to be followed for adding another Administrator to your IAS tenant before creating a technical support case with SAP Product Support. There are two scenarios: Use Case Current Administrator of the IAS tenant is unknown or unavailable: When the Administrator is not known, and you need....

Using a technical user for accessing SAP Business Technology Platform is often hinted at in SAP Help or community tutorials, but how exactly this can be achieved, has not been documented as far as I can tell. I’m writing this blog to share the lessons learned and to teach you how you can manage your....

As a follow-up to the blog post below, I will describe the specific configuration we tried with the following applications in depth and step by step. https://blogs.sap.com/2021/06/14/setup-multiple-identity-providers-for-sap-analytics-cloud/ The following applications were used to test the configuration. 1. SAP Identity Authentication Service – Act as IdP proxy 2. SAP Identity Authentication Service – Corporate IdP 3.....

Multiple Identity Providers for END2END SSO with SAP Analytics Cloud and SAP HANA Database – Part 1 https://blogs.sap.com/2022/09/30/multiple-identity-providers-for-end2end-sso-with-sap-analytics-cloud-and-sap-hana-database-part-1/ Live Data Connection with SAML SSO using Multiple IdPs In this scenario, we have two options to configure SAP HANA with SAML SSO Using IdP proxy to Multiple IdP Directly using IdP 1. Using IdP proxy to....

This blog series is mainly targeted for developers and administrators. If you are someone who has gone through the plethora of tutorials, documentation, and presentations on security topics in SAP BTP and still lacks the confidence to implement security for your application, you have come to the right place. In this blog series, you will....

As an Identity Authentication tenant administrator, you can now configure target systems for real-time provisioning and provision users to these target systems. Prerequisites Identity Authentication Admin Access Target System SCIM API URL (SCIM 2.0) Provision All the Users to Target Systems Tenant administrators can provision users of Identity Authentication to Identity Provisioning target systems. At a High Level Flow Remember....

Recently when demonstrating to a customer, one of our most popular workflow content packages Document Centric Approval Process, I realised the customer’s environment had several Users on IAS side and the current implementation of the sample UI5 application from our SAP GitHub.com Cloud Workflow Sample Collection, is querying the entire IAS user directory. In real world, you wanted....

Update 30.08.2022: Please note – This use-case is currently being refactored as public SAP IAS tokens (issued by the PKCE flow) do not contain the required SAP XSUAA audience anymore. Therefore, an additional token exchange is required to run the end-to-end scenario. Covid has in some way affected every part of our lives, be it....

This article is mainly for partners and customers who want to automate internal & external users sync (on-boarding) to SAP IAS by using the below SCIM APIs from your external system or applications. I have listed out all the examples for you to understand. This below flow makes you understand to automate Users Sync from....

Note: There will be lots of images in this blogpost to guide the readers. In case the images are too small, double-click on the image to zoom-in. Hi Everyone, The title of this blogpost already gives a hint that this once again is a technical blogpost that provides vanilla steps that can guide you....

In this tutorial we configure trust (SAML) between 2 Cloud Foundry subaccounts located in different regions in SAP Business Technology Platform (SAP BTP). This allows us to call a protected application across subaccounts, across regions. Used technologies: XSUAA, SAML2, OAuth2, Destination, OAuth2SAMLBearerAssertion, Node.js, Quicklinks: Quick Guide Sample Code Disclaimer: This tutorial is not a recommendation....

In this tutorial we’re going to create 2 little apps and deploy them to 2 different trial accounts. We configure trust (based on SAML) and create a destination configuration of type OAuth2SAMLBearerAssertion. This tutorial is based on the explanations given in the previous blog post. Quicklinks: Quick Guide Sample Code Content Part 1: Theory-Torture (previous blog) 0.1. Introduction....

Hi Guys!!! So this is my first technical blog post on SAP CPI. Hope you guys are going to like it. As we know, Cloud Platform Integration (CPI) is SAP’s cloud middleware that allows blending between cloud and on-premise applications with third-party SAP and non-SAP products. Take it as given, I am assuming you are already familiar....

This blog post shows how to support authorization (scope, role) in a user-centric scenario where a REST endpoint is called from an application in a different subaccount (in different region). Used technologies: SAP BTP, Cloud Foundry, XSUAA, SAML2, OAuth2, Destination, OAuth2SAMLBearerAssertion, Node.js, This blog post builds completely on top of the scenario described in detail....

While using Identity Provisioning Service (IPS) to run user data sync between SuccessFactors and Identity Authentication Service (IAS) I was faced with the challenge to identify duplicate email addresses within SuccessFactors. To check for duplicate Emails please do the following: Navigate to Admin Center Open Check Tool Under Application select User Management Here you will see User Information inside....

OpenID Connect (OIDC) is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner. When clients want to access....

In this white paper, we will examine some of the key topics that ERP enterprise Information Security leaders should consider when setting up the security and controls for their SAP BTP Cloud integration with S/4 HANA and cloud applications. Based on my S/4 HANA and Cloud experience, my goal is to provide key security design aspects and....

With the Kyma 2.0 release, it is possible to configure the access to the Kyma runtime via a Custom / Corporate Identity Provider. This can be done either during provisioning of a Kyma runtime or later on via an update. Note: This is different from earlier way of doing it via XSUAA in the subaccount.....

Note: This post is part of a series. For a complete overview visit the Principal Propagation in SAP Integration Suite. This blog post covers the use case of an external system communicating with SAP S/4HANA Cloud using Principal Propagation via Integration Suite, so forwarding the identity of a user across several systems including mediation. This is....

Note: This post is part of a series. For a complete overview visit the Principal Propagation in SAP Integration Suite. This blog post covers the use case for communicating an external system or client (for example Postman) with SuccessFactors using Principal Propagation in SAP Integration Suite, that is forwarding the identity of a user across several....

This blog post is part of the series covering Principal Propagation in SAP Integration Suite. As explained in SAP Cloud Integration help page, you can set up Principal Propagation with SAP BTP to forward the identity of a user across several systems and avoid the use of technical users in each of the systems involved. In....

Well, it is now year-end, and I have some time to share my knowledge. In the past months I got many questions on how to enable SSO for SAP S/4HANA Cloud, Private Edition, so I decided to write a blog on it. I am including some SAP S/4HANA Cloud, Private Edition specifics related to the delivery/license model of....

Configure your own IDP – SSO in SAP CPQ

Single sign-on (SSO) is a session/user authentication process that permits users to enter a single name and password to access multiple applications. While SSO uses a single login (username/password) to access all applications within the same organization, federated SSO (FSSO) goes a step further and extends SSO across enterprises. In other words, FSSO allows access to multiple systems....

In this blog post we will see how we can enable X.509 Certificates based single sign on for User Authentication in SAP Cloud Identity Services – Identity Authentication. Prerequisites: You are using SAP Cloud Identity Services and you have created your Identity Authentication service tenant. Trust setup between Identity Authorization service tenant and your BTP account is....