cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SAP Cloud Identity Services

tskwin
Explorer

on ‎04-08-2024 2:33 PM

0 Kudos

Hi Experts,

We have implemented Azure AD with SAP IAS. Users are provisioned from Azure AD to SAP IAS using IPS.

Now, I want to provision these users/groups from SAP IAS to the BTP using IPS and then assign BTP roles to them.

I want to disable the 'Shadow user' option in the trust configuration.

How can I automatically create users in SAP BTP who (for example) are members of a group in SAP IAS ?

 

Many Thanks 

Best regards

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (1)

Answers (1)

mnoe
Participant
3 weeks ago
0 Kudos

Hello @tskwin 

I think you cannot create BTP users automatically, especially when you have switched shadow users off, see:

https://help.sap.com/docs/btp/sap-business-technology-platform/switch-off-automatic-creation-of-shad...

[...]Usually, you want your administrators to be fully
 aware of which users they allow to log on. If you’ve 
switched off automatic creation of shadow users for a 
certain identity provider, you enforce that only those 
users can log on where shadow users have been created 
explicitly. [...]

What we have set:

  • Trust your identity provider (IAS)
  • enable creation of shadow users
  • User in IAS is assigned to a group in IAS (eg IAS_Group, which came from Entra ID Security Group) 
  • Map IAS_Group to a role collection (you can even select the identity provider if run multiple)

So, in our case, we have have setup Security Groups in Entra ID and assigned business users in Entra ID. The IPS provisions users and groups to IAS, the assignment of groups remains in IAS. In BTP we map the different groups to role collections. So if a user logs on to the application, authenticates via IAS (SSO to IdP), the user will be created in BTP as a shadow user (first time logon) and the role mapping happens invisible (you cannot see a direct role assignment in BTP users) 

Hope that helps.

Show replies
Show replies
tskwin
Explorer
3 weeks ago
0 Kudos

Hello @mnoe,

Thank you.

 We have implemented this scenario (Azure Groups -> BTP Role Collection), where users are added to Azure Groups and then these groups are added to SAP BTP as role collections.

You described this scenario: (Azure_Groups -> IAS_Groups -> BTP Role Collection).

Is there any specific reason or advantage to provisioning users to SAP IAS (Azure_Groups -> IAS_Groups -> BTP Role Collection)?

And what are the benefits of the second scenario (Azure_Groups -> IAS_Groups -> BTP Role Collection)?

Thank you very much.

Best Regards

mnoe
Participant
a week ago
0 Kudos

Hello @tskwin,

I think you are referring to the option to pass the group assigments through the saml2 attribute (attribute mapping) and map the Azure group in the role collection.

I wasn't aware of that when I implmeneted "our" solution, howver I think it depends individually what is best, in IAS I can see and can control memberships for thoise groups, like if I want external users (no user master data in Azure) to join a group and with the mapping in BTP. Vendor support in our case, external users with no domain membership can be created manually in IAS and receive group assignments there.

Cheers

 

Ask a Question