SAP BTP supports the use of your own identity provider for platform users.
The content in this section is only relevant for cloud management tools feature set B. For more information, see Cloud Management Tools - Feature Set Overview.
Platform users perform technical development, operations, and administration tasks. They manage global accounts, directories, and subaccounts using the SAP BTP cockpit and the BTP CLI. They also develop and operate custom applications. By hosting these users in your own identity provider, you gain a number of advantages over hosting them in SAP ID service or in SAP Universal ID.
- Integrate the management of these users with your broader identity management strategy, hosted on your own identity providers. You control your own user lifecycle and single sign-on strategies throughout the entire landscape.
- Enforce your own password and authentication policies, such as stronger passwords or multifactor authentication.
The following figure illustrates the architecture required for platform users. This configuration is independent of the default configuration with SAP ID service. You can continue to use SAP ID service in parallel.
Authentication Architecture for Platform Users with a Corporate Identity Provider
In the preceding figure, you enable trust between the SAP BTP global account and your corporate identity provider over your tenant of SAP Cloud Identity Services - Identity Authentication. For each global account, you choose the Identity Authentication tenant to use as the identity provider for platform users. For the platform identity provider, you can have up to three Identity Authentication tenants per global account. Multiple global accounts can share the same Identity Authentication tenant. When you log on to a platform resource, such as the cockpit, you indicate the Identity Authentication tenant that you want to log on with. For example, to log on to the cockpit, add the idp URL parameter to the cockpit URL to identify the tenant:
https://cockpit.btp.cloud.sap/cockpit/?idp=<tenant>.accounts.ondemand.com
For example: https://cockpit.btp.cloud.sap/cockpit/?idp=cidppuxhm.accounts.ondemand.com
Once you’ve logged on, the cockpit displays any global accounts and subaccounts of which your platform user is a member.
Typically, a user is identified by e-mail and origin (your alias for the identity provider). However, to identify a user unambiguously, you need both a user identifier and an identifier for the identity provider. The reason is that the system treats users with the same user identifier but from different identity providers as separate users. For example, you can have a platform user in the default identity provider, SAP ID service, and another user in your corporate identity provider with the same e-mail address. This behavior applies to global accounts, directories, multi-environment subaccounts, and Cloud Foundry orgs and spaces.
For Neo subaccounts, a user is uniquely identified by the user base (hostname of the Identity Authentication tenant) and a configurable subject identifier. You can log on to the cockpit as either of the two users from the example above, but the cockpit displays different user information for each, because you've logged on with different identity providers.
With enhancements of cloud management tools feature set B, the trust configuration between SAP BTP and Identity Authentication changes for platform users (for example, administrators, developers, operators) in the Neo environment. The change only applies to global accounts in cloud management tools feature set B that have custom trust configurations for platform users.
For more information, see SAP Note 3330671.
You also see this difference when assigning roles. You must provide the origin or user base in addition to the e-mail address or user ID of the user. When platform users use the Cloud Foundry command-line interface or service dashboards, they need to remember the origin. You can choose your own origin, but the origin must be unique across all customers. We recommend that you use a meaningful name that helps identify the target it points to.
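The identification rule described above, as an added illustration that is not SAP's code: a minimal model in which a platform user is keyed by e-mail plus origin, so a role collection assigned for one identity provider never reaches the same address in another, and an assignment that omits the origin is rejected. The e-mail address and the origin alias "corp-idp" are constructed; "sap.default" is assumed here to be the origin of SAP ID service.

```python
from dataclasses import dataclass
from urllib.parse import urlencode

COCKPIT = "https://cockpit.btp.cloud.sap/cockpit/"

def cockpit_logon_url(tenant: str) -> str:
    """URL that tells the cockpit which Identity Authentication tenant to log on with."""
    return COCKPIT + "?" + urlencode({"idp": f"{tenant}.accounts.ondemand.com"})

@dataclass(frozen=True)
class PlatformUser:
    """Identity key used for global accounts, directories, multi-environment subaccounts and CF orgs/spaces."""
    email: str
    origin: str  # your alias for the identity provider; must be unique across all customers

class RoleAssignments:
    """Role collections keyed by (e-mail, origin), never by e-mail alone."""

    def __init__(self) -> None:
        self._roles: dict[PlatformUser, set[str]] = {}

    def assign(self, email: str, origin: str, role_collection: str) -> None:
        if not origin:
            # The same address may exist in SAP ID service and in your corporate IdP,
            # so an assignment without an origin cannot name a single user.
            raise ValueError("origin is required to identify a platform user")
        self._roles.setdefault(PlatformUser(email, origin), set()).add(role_collection)

    def roles_of(self, email: str, origin: str) -> frozenset[str]:
        return frozenset(self._roles.get(PlatformUser(email, origin), set()))

    def origins_for(self, email: str) -> list[str]:
        """All identity providers in which this address is a known platform user."""
        return sorted(u.origin for u in self._roles if u.email == email)

def demo() -> dict:
    # Constructed sample data: "sap.default" is assumed to be the SAP ID service origin;
    # "corp-idp" is a made-up alias for a corporate identity provider.
    ra = RoleAssignments()
    ra.assign("admin@example.com", "sap.default", "Global Account Viewer")
    ra.assign("admin@example.com", "corp-idp", "Global Account Administrator")
    return {
        "corp": ra.roles_of("admin@example.com", "corp-idp"),
        "sapid": ra.roles_of("admin@example.com", "sap.default"),
        "origins": ra.origins_for("admin@example.com"),
    }
```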
In Identity Authentication, there's one application that represents SAP BTP overall. So, if you have multiple global accounts with the same Identity Authentication tenant, they all share the same application in your Identity Authentication tenant. This application is where customers typically configure settings such as the corporate identity provider used for authentication and the user attribute mapping between systems. For more information, see Map User Attributes from a Corporate Identity Provider for Platform Users.
Related Information
Establish Trust and Federation of Custom Identity Providers for Platform Users [Feature Set B]