Connect Customer IAS to our BTP Subaccount using Establish Trust (OpenID Connect)

nicorunge
Participant
0 Kudos

Hi Experts,

we want to connect a customer IAS to our BTP. This works fine by exchanging the SAML Metadata files.

But as we're encountering this restriction when using SAML, we want to switch to the OpenID Connect protocol. This can be done by using the Establish Trust button in the Trust Configuration (like here). But as the customer IAS is not related to our Global Account, it does not show up (at least that is my assumption). In the documentation, I could find the following chapter related to this problem, which mentions the following prerequisite:

The Identity Authentication tenant is associated with the customer IDs of the relevant global account of SAP BTP.

So my guess is, the Customer ID is the missing piece. I tried to follow the steps described in the linked chapter, but I cannot complete step 4, because in my case, there is no drop-down in the IAS like it is described in the docs...
My user has all required permissions.

carlos.roggan wrote in his Blog the following:
In the wizard you should see at least one entry of IAS tenant that is assigned to your account by SAP.
If not, you probably need to open a support ticket.

So my questions are, how do I find out our Customer ID and how to add the Customer ID to the IAS? Is it really necessary to open a support ticket? Would be nice if customers could fix this by themselves.

Thanks & Regards

Nico

FranciscoGarcia
Explorer
0 Kudos

Hi @nicorunge @istvanbokor ,

Maybe I'm gonna say a crazy thing. But would it be technically possible to use an IAS (let's call it IAS-1) acting as a proxy to another IAS (IAS-2), added as Corporate Identity Provider on IAS-1? Then, on your application on IAS-1, set a condition to redirect authentication to IAS-2?

IAS-1 should be bound to the Global Account where your CAP application is hosted.

That way, you would have a subaccount trusting your IAS-1 (added with the OIDC protocol), and IAS-1 relaying authentication to IAS-2.

Regards,

Francisco

nicorunge
Participant
0 Kudos

Hi @Francisco,

thanks for reading the long discussion and your suggested solution! I really appreciate it!

I'm far from an IAS expert, but I think I understood your suggestion. It would look something like this:

  • Customer SuccessFactors System
  • Customer IAS
  • Provider IAS
  • Provider BTP/CAP Application

How complicated is it to set up an authentication redirect?
Would you say one should use a new IAS per customer to keep this separate in a multitenant context?

I am very curious about @istvanbokor's opinion on whether this is a possible/valid approach, or whether SAP currently has other recommendations for how a customer IAS can be connected via OIDC.

Thanks & regards
Nico