Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Secure management and authentication of SAP BTP account members with custom identity providers

JürgenAdolf
Product and Topic Expert
Product and Topic Expert
‎07-07-2023 3:49 PM
Discover the latest functionality delivered in Q2 2023 for SAP Business Technology Platform (SAP BTP) users. This update introduces features that enable you to leverage multiple custom identity providers within your global account, providing new opportunities for a user administration independent from SAP ID Service. Let's delve into the benefits and improvements that come with this update.

As announced in the Roadmap Items:

We offer now enhanced User Administration and Usability:

  1. Dedicated Login URLs: Now, you can provide dedicated login URLs for SAP BTP cockpit to different user groups, allowing them to access specific Identity Authentication tenants tailored to their needs. This ensures a seamless and personalized user experience.

  2. Fallback Tenant with customer-managed administrators: With the option to add up to three Identity Authentication tenants, you can now have a fallback solution in place, equipped with customer-managed administrators. This adds an extra layer of flexibility and resilience to your user management process. For more information, see Bringing Your Corporate Identity Provider for Platform Users Feature Set B.

  3. Improved Usability: By leveraging custom domains of the Identity Authentication tenants, platform users in SAP BTP can log in using a custom domain. This offers a streamlined experience, where users consistently see the same Identity Authentication URL and benefit from single sign-on (SSO) once their session is established.

  4. Improved federation approach: We now offer federation support for account management, allowing for the dynamic assignment of platform authorizations based on user attributes such as groups. With this enhancement, you can manage administrators in your platform identity provider, streamlining the authorization process. For detailed instructions on how to map role collections in the subaccount, refer to the documentation about mapping role collections in the subaccount.


Make use of the enhanced user administration and usability with the latest functionality delivered in Q2 2023 for SAP Business Technology Platform (SAP BTP). Unlock the potential of multiple custom identity providers, dedicated login URLs, custom domains, and improved federation support. With these advancements you can streamline your user management process, provide a personalized user experience, and strengthen security measures.
Labels:
4 Comments
Wallace
Active Participant
‎07-17-2023 1:07 PM
0 Kudos

Think I found this/have it working: Establish Trust and Federation of Custom Identity Providers for Platform Users [Feature Set B] | SAP...

-------------

Thanks for this blog!

We would like to have IAS active at the global account level on the global account that holds the BTP Services/CPEA setup.

This blog makes me think its possible.

However, after establishing trust to the IAS custom IDP, on logon it is only bringing a SAP/universal id logon screen.

In the subaccounts a choice is provided which IDP to use.

Can you help guide/suggest items here?  Is IAS/custom IDP even possible at the global account (top) level?

Best Regards, Wallace

H_Ettelbrueck
Advisor
Advisor
‎07-17-2023 6:19 PM
0 Kudos
Hi Wallace,

You need a slightly different cockpit link, which specifies which IdP you want to use (because we can hardly provide the list of all customers' IdPs upon logon 😉 ). Find it on global account and (multi-environment) subaccount level under Security > Trust Configuration, link "Open".

Kind regards

Heiko
Wallace
Active Participant
‎07-18-2023 1:59 PM
0 Kudos
Thanks Heiko,

I had searched, found the answer and approach.  Its multiple items... custom IDP and then the link from the trust setting.
As this seem relatively new, at least allowing global account/platform users to custom IDP, and then downstream to subaccounts, this will be a org change/implementation approach for us and I'm working on that internally.  if I've managed to confuse you and you want a quick call/screenshare, reply back here and we can take a teams call... assuming you SAP identity follows what others seem to follow.

Best Regards, Wallace
H_Ettelbrueck
Advisor
Advisor
‎07-18-2023 2:29 PM
You're welcome, and all fine. btw, the option to use a custom IdP for platform users was introduced roughly a year ago, and it "just" got some major updates now. Take your time to adopt - it's clear this is a fundamental change for an organization to switch all members from one IdP to another one, and make sure everybody is aware and can handle it.
Labels in this area
Popular Blog Posts