Establish Trust and Federation Between SAP Authorization and Trust Management Service and Identity Authentication
Use your SAP Cloud Identity Services - Identity Authentication tenant as an identity provider, or as a proxy to your own identity provider hosting your business users. This method avoids the upload and download of SAML metadata by using OpenID Connect (OIDC) to establish trust.
- You've subaccount administrator permissions or you are a security administrator (cloud management tools feature set A) of this account. For more information, see the related link.
- You've a tenant of SAP Cloud Identity Services - Identity Authentication. For more information, see Tenant Model and Licensing in the documentation for Identity Authentication.
- The Identity Authentication tenant is associated with the customer IDs of the relevant global account of SAP BTP. For more information, see Reuse SAP Cloud Identity Services Tenants for Different Customer IDs in the documentation for Identity Authentication.
The content in this section is not relevant for China (Shanghai) and Government Cloud (US) regions.
Consider the following restrictions and tips before you start.
You can only establish trust with a single tenant of Identity Authentication per subaccount using this method.
Your Identity Authentication tenant can be changed only when no Identity Authentication-based subscriptions (for example, SAP Build or SAP Integration Suite, advanced event mesh) exist.
If you've already created a trust configuration with a custom identity provider for applications, you can't add a trust configuration with the same Identity Authentication tenant using another protocol.
Consider the upper limits for trust configurations in the subaccount. See Limits for the Subaccount.
We recommend that you always use SAP Cloud Identity Services - Identity Authentication as the single identity provider for SAP BTP. If you use corporate identity providers, connect them to your Identity Authentication tenant, which then acts as a hub. We especially recommend this if you are using multiple corporate identity providers. For platform users, the use of SAP Cloud Identity Services - Identity Authentication is mandatory.
For more information, see Corporate Identity Providers and Configure Conditional Authentication for an Application in What Is Identity Authentication and SAP Cloud Identity Services - Identity Authentication.
We provide APIs so you can perform this procedure programmatically. For more information, see the Identity Provider Management API on SAP Business Accelerator Hub.
- In the SAP BTP cockpit, go to your subaccount (see Navigate in the Cockpit) and choose Security > Trust Configuration.
- Choose Establish Trust. The Configure Tenant wizard opens.
- Choose the Identity Authentication tenant. The identity providers listed are the Identity Authentication tenants associated with your customer ID. Continue with Next.
- Choose the domain configured with the Identity Authentication tenant and continue with Next.
- You can change the name and the description of the tenant, display the resulting origin key, and enter a link text for user logon (see Using Multiple Identity Providers from the Same Subaccount). Continue with Next.
- Review your configuration and confirm using Finish.
You've configured trust in your tenant of the Identity Authentication service, which is your identity provider. Identity Authentication creates an application with the prefix SAP BTP subaccount and the display name of your subaccount in the administration console for Identity Authentication.
If your subaccount was named My Subaccount, the resulting application in Identity Authentication would be SAP BTP subaccount My Subaccount.
Older applications start with XSUAA_.
To troubleshoot problems with tokens from Identity Authentication, see Logging OpenID Connect Tokens in the documentation for Identity Authentication.
If the OIDC issuer is changed in the trust configuration, the trust breaks. To adapt the trust configuration on the SAP BTP side, use the btp update security/trust command of the SAP BTP command line interface together with the --refresh parameter. This parameter refreshes the trust configuration to reflect changes in the Identity Authentication tenant, for example the issuer value. For more information, see Managing Trust from SAP BTP to an Identity Authentication Tenant.
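To see what a broken trust looks like on the token side, here is an added example (not SAP's code and not part of this documentation) that reads the iss and exp claims of a token from Identity Authentication and reports whether the issuer still matches the value the trust configuration expects; the tenant host, the sample claims and the tokens are constructed placeholders.

```python
import base64
import json
import time

# Issuer stored in the subaccount's trust configuration (placeholder host).
EXPECTED_ISSUER = "https://example-tenant.accounts.ondemand.com"

def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token: str) -> dict:
    """Read the payload claims. No signature check: the platform validates
    signatures against the tenant's JWKS; this is for troubleshooting only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token (expected 3 segments)")
    return json.loads(_b64url_decode(parts[1]))

def check_trust_claims(token: str, expected_issuer: str = EXPECTED_ISSUER,
                       now=None) -> list[str]:
    """Return findings explaining why the token would be rejected (empty
    list: iss matches the trust configuration and the token is valid)."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    findings = []
    iss = claims.get("iss")
    if iss != expected_issuer:
        findings.append(
            f"issuer mismatch: token iss={iss!r}, trust configuration "
            f"expects {expected_issuer!r}; run btp update security/trust "
            "with --refresh so the subaccount picks up the new issuer")
    exp = claims.get("exp")
    if exp is None or exp < now:
        findings.append("token is expired or carries no exp claim")
    return findings

def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned (alg=none) token for this demo only."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."

# Constructed samples: configured issuer vs. a tenant whose issuer changed.
_BASE = {"sub": "P000001", "aud": "sap-btp-subaccount", "exp": 1_700_003_600}
SAMPLE_OK = make_sample_token({"iss": EXPECTED_ISSUER, **_BASE})
SAMPLE_CHANGED = make_sample_token(
    {"iss": "https://example-tenant.custom-domain.example", **_BASE})
```

Feed a real token obtained through the Logging OpenID Connect Tokens procedure into check_trust_claims with your tenant's issuer to confirm an issuer mismatch before running the refresh.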
If you don't need the default identity provider anymore, set it to inactive or hide the logon link.
Related Information
Managing Security Administrators in Your Subaccount [Feature Set A]