Technology Blogs by SAP
Paul_Babier
Product and Topic Expert

SAP Cloud ALM user Authentication

For user identity services in the cloud, SAP offers Cloud Identity Services (CIS).
CIS consists of the Identity Provisioning Service (IPS) and the Identity Authentication Service (IAS).

SAP Cloud ALM does not authenticate users itself; authentication is performed by the IAS tenant.

What can be confusing is that users can be set up in SAP Cloud ALM and assigned various role collections, allowing those users to perform role-based tasks in SAP Cloud ALM.

However, and this is important, for a user to be authenticated and able to log on to SAP Cloud ALM, the user must also be maintained in the SAP IAS tenant. Otherwise they cannot be authenticated, and without authentication, logon is not possible. Nor will such users receive a password reset email if they use the “Forgot Password” link on the logon page; this is typically an indicator that the user does not exist in the IAS. For further information see SAP Help – Step 1: Onboarding Users in the Identity Authentication Service

During SAP Cloud ALM Provisioning

When SAP Cloud ALM is provisioned on SAP for Me, an IAS tenant needs to be assigned.
The logic that is followed ensures that a productive IAS tenant will be connected.

First, the provisioning process checks whether there is an existing productive IAS tenant.
If there is no productive IAS tenant, the following actions are taken:

  • A productive IAS tenant is created
  • The Provisioning user is added to the IAS tenant as the administrator
  • The IAS tenant is assigned to the SAP Cloud ALM Subaccount under Security > Trust Configuration

If there is already a productive IAS tenant, the following actions are taken:

A list of (one or more) productive IAS tenants is displayed.

  • The provisioning user is able to select the IAS tenant they wish to use from the list
  • If the provisioning user exists in the IAS as a user or administrator, no action is taken
  • If the provisioning user does not exist in the selected productive IAS tenant, they are added as a user
  • The IAS tenant is assigned to the SAP Cloud ALM Subaccount under Security > Trust Configuration

How the Authentication process works

Now when the provisioning user logs on to SAP Cloud ALM using the access URL provided in the welcome email, there is a redirect to the assigned IAS tenant, and the IAS authenticates the user based on the credentials provided. Upon successful authentication, the assigned role collections are provided by XSUAA (an authorization service and a direct fork of Cloud Foundry UAA, User Account and Authentication). The authenticated user is then redirected to the SAP Cloud ALM Launchpad with access to the applications their role collection assignments allow.
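To make the split between authentication (IAS) and authorization (role collections via XSUAA) concrete, here is an added example that models the logon sequence just described and the failure mode from the earlier section (a user with role collections in SAP Cloud ALM who does not exist in IAS). It is illustrative code written for this post, not SAP's implementation: the user directory, role collection names, app names and the mapping between them are all constructed sample data, and `logon` and `users_missing_from_ias` are hypothetical helper names.

```python
"""Model of the SAP Cloud ALM logon sequence: IAS authenticates, XSUAA
attaches role collections, the launchpad shows only the allowed apps.

Constructed example data throughout; not real tenant content.
"""
from dataclasses import dataclass, field

# Constructed sample: users that exist in the IAS tenant (authentication side).
IAS_USERS = {
    "alice@example.com": {"password": "correct horse", "active": True},
    "bob@example.com": {"password": "battery staple", "active": True},
    "carol@example.com": {"password": "tr0ub4dor", "active": False},
}

# Constructed sample: users maintained in SAP Cloud ALM with role collections
# (authorization side). Dave holds a role collection but has no IAS user.
ALM_ROLE_COLLECTIONS = {
    "alice@example.com": ["Administrator", "Project Lead"],
    "bob@example.com": ["Tester"],
    "dave@example.com": ["Project Lead"],
}

# Assumed mapping of role collections to the launchpad apps they unlock;
# the names are made up for this example.
ROLE_COLLECTION_APPS = {
    "Administrator": {"User Management", "Projects", "Tasks"},
    "Project Lead": {"Projects", "Tasks"},
    "Tester": {"Tasks"},
}


@dataclass
class LogonResult:
    user: str
    authenticated: bool
    reason: str
    role_collections: list = field(default_factory=list)
    apps: set = field(default_factory=set)


def authenticate_at_ias(email, password):
    """Step 1: the redirect lands at the IAS tenant, which authenticates.
    Returns (ok, reason). Email lookup is case-insensitive."""
    entry = IAS_USERS.get(email.lower())
    if entry is None:
        return False, "user not maintained in IAS tenant"
    if not entry["active"]:
        return False, "user inactive in IAS tenant"
    # A real IdP compares credentials in constant time; plain equality
    # is enough for this offline model.
    if entry["password"] != password:
        return False, "invalid credentials"
    return True, "authenticated by IAS"


def logon(email, password):
    """Full sequence: IAS authentication, then XSUAA supplies the role
    collections, then the launchpad exposes only the apps they allow.
    Role collections are never consulted for a user IAS rejected."""
    ok, reason = authenticate_at_ias(email, password)
    if not ok:
        return LogonResult(email, False, reason)
    rcs = ALM_ROLE_COLLECTIONS.get(email.lower(), [])
    apps = set()
    for rc in rcs:
        apps |= ROLE_COLLECTION_APPS.get(rc, set())
    return LogonResult(email, True, reason, rcs, apps)


def users_missing_from_ias():
    """Reconciliation check: Cloud ALM users holding role collections who
    do not exist in IAS and therefore can never log on (the symptom where
    "Forgot Password" sends no email)."""
    return sorted(u for u in ALM_ROLE_COLLECTIONS if u.lower() not in IAS_USERS)


if __name__ == "__main__":
    for email, pw in [("alice@example.com", "correct horse"),
                      ("dave@example.com", "anything")]:
        r = logon(email, pw)
        print(email, r.authenticated, r.reason, sorted(r.apps))
    print("Missing from IAS:", users_missing_from_ias())
```

The reconciliation function is the practical part: run the same comparison between your Cloud ALM user list and the IAS user list whenever someone reports that they cannot log on or never receive the reset email, and the missing IAS entry will show up before a support case is needed.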

Using a Corporate Identity Provider (IDP)

If you wish to use a corporate IdP to authenticate your users, you still need to use the IAS tenant; however, you will need to set up a reverse proxy in the IAS. You can get further information on setting up an IAS to use a corporate IdP here

Finding the IAS Administrator

A customer can find the administrator of any IAS tenant under their customer number by entering the following URL: https://iamtenants.accounts.cloud.sap. By clicking on Details (…), then Show, all the administrators' email addresses are listed, so the SAP Cloud ALM administrator can check who in their company is the IAS administrator to contact to arrange for the SAP Cloud ALM users to be added as per their company policies.

Changing the Assigned IAS Tenant

  1. Navigate to the SAP Cloud ALM subaccount. In the left-hand side bar, expand Security.
  2. Select Trust Configuration. Click on the link “Custom IAS”.
  3. Click Edit.
  4. Click on the pencil for “Host Name of Identity Authentication Tenant” and enter the host in the format <Hostname>.accounts.ondemand.com, where <Hostname> is replaced by the actual host name of the IAS tenant.

SAML vs OpenID Connect

If there is no productive IAS tenant during the provisioning of SAP Cloud ALM, the newly created IAS tenant will use OpenID Connect.

This is the recommended protocol as it is the more modern technology. Older IAS tenants may use SAML. There may be issues related to using a SAML IAS tenant, so please use an OpenID Connect IAS tenant.

Bundled Applications

If you are modifying the bundled applications in the IAS, do not make the SAP Cloud ALM application a child application. It should be defined as a parent application.

Getting Help

Should you encounter issues authenticating your users, you can raise a case on component SV-CLM-INF-UAM.

Should you encounter an issue with your IAS tenant, whether using it or configuring it, you can raise a case on component BC-IAM-IDS.

Additional Information

SAP Cloud Identity Services - Identity Authentication

Identify and Access Management

Request SAP Cloud ALM

How to Onboard Users in Your Identity Authentication Service

How to Assign Roles to Users in SAP Cloud ALM

User Maintenance Setup