I wrote a blog post nearly 2 years ago on activating trust with 3 clicks - this related to a subaccount on the SAP Cloud Platform Neo environment and a SAP Cloud Identity Authentication Service tenant. You can read this
here.
Low and behold I found out recently that the same option is available on the Cloud Foundry environment. Yes - it is that easy and it will automatically configure both the subaccount and create an application in the IAS tenant.
The intention of this blog post is to show how easy it is to set up trust between a SAP Cloud Platform Cloud Foundry subaccount and a SAP Cloud Identity Authentication Service (IAS) tenant.
Key Prerequisite
Obviously you will need an IAS tenant - this will provide access to users outside of a company's internal identity provider. I recommend using an IAS tenant for external users that are not users in your internal corporate environment.
3 Clicks to Activate Trust
Initially, the SAP ID service is the only existing Trust configuration that is enabled. This is set as the Default. This means that authentication takes place through the S userid and utilises SAP’s free SAP ID service.
Figure:1 Initial Trust settings
We are now going to set up trust with the IAS tenant with 3 clicks!
Click 1:
Select the [Establish Trust] button to start setting up trust with the aligned IAS tenant.
Figure:2 Trust settings
The following pop-up will appear.
Figure:3 Establish Trust pop-up
Click 2: Select the specific Identity Authentication tenant by selecting from the drop down list.
Multiple entries will show up in the drop down list if you have multiple IAS tenants available.
Select the correct IAS tenant.
Click 3: Click on the [Establish Trust] button to save the settings.
After a few dot dot dots you will see the IAS tenant assigned.
Once this is done trust will be established successfully and a message toast message will be displayed.
So the completed settings will look like this. Notice a new Identity provider has been added to the list - the Custom IAS tenant.
Figure:4 Completed Trust settings with IAS tenant
HOW SIMPLE IS THAT!! Awesome.
You can also make decisions on whether to have both identity providers in operation. You may want to deactivate the SAP ID service so you can change this and make it inactive. Just make sure you deactivate the Available for user Logon and Create Shadow users checkboxes first.
You can also jump straight to the Admin console by selecting the Identity provider name - in this case
Custom IAS tenant.
This will bring up the Trust configuration overview page of the Identity provider. Click on the highlighted link to get to the IAS Admin console.
Figure:5 Trust Configuration Overview screen
You should then be directed to the login page.
Figure:6 IAS Tenant Admin console logon page
That pretty much completes this blog but I will leave one more note here. The 3 click approach can still be used even if the SAP Cloud Platform subaccount is authenticating via MS ADFS or any other custom identity provider.
Thanks for reading!