
IAS configuration with BTP Global Account and AD

davide_bramati
Advisor
0 Kudos

Hi everyone,

I’m working with a customer that would like to use its Azure groups to access its BTP Global Account.

The customer has already established trust with the IdP.

In the BTP Global Account cockpit, the GA provides 3 role collections and going into edit it would seem to be possible to define an attribute (e.g. the group).

But, on the IAS the customer is unable to go into edit mode to define the attribute.

Is it because the option to add an attribute is compatible only for the SAML and not for the OpenID (which is automatically activated as soon as the trust is made on the GA)?

Are there any alternatives to this configuration that allow the customer to use its Azure groups to access its BTP Global Account?

Thanks a lot!

Davide

H_Ettelbrueck
Advisor
0 Kudos

Hi Davide,

so far, the UI in BTP cockpit was a bit misleading, since it suggested that you could already map groups or other user attributes to role collections for account members, but actually this wasn't supported yet. However, in the meanwhile this works.

Roadmap entry (will soon be resolved): https://roadmaps.sap.com/board?PRODUCT=73555000100800000287&range=CURRENT-LAST#Q4%202020;INNO=E78B0E4728D...

Release note: https://help.sap.com/whats-new/cf0cb2cb149647329b5d02aa96303f56?locale=en-US&version=Cloud&Component...

Foundational Services - Federation Support for Account Management in SAP BTP

SAP BTP supports the dynamic assignment of platform authorizations to users over attributes, such as groups. This improvement enables you to manage administrators in your platform identity provider instead of assigning authorizations directly to users in SAP BTP cockpit. For more information, see Mapping Role Collections in the Subaccount.

For user groups, BTP expects them with user attribute "groups". You can either configure AD to send this attribute, or configure IAS to map it accordingly.

Kind regards

Heiko

Area product owner BTP security services
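
A diagnostic for the `groups` attribute named in the answer above, added here as an example and not part of the original thread or any SAP code: it inspects the claims of a decoded token and reports whether group membership arrives under the name BTP expects. The sample claims are constructed, and checking for the Azure AD SAML claim URI and the `_claim_names` overage marker is this example's assumption about what an Azure-backed setup may send.

```python
import base64
import json

EXPECTED = "groups"  # attribute name BTP expects, per the answer above
# Default claim name Azure AD uses for group membership in SAML assertions
AZURE_SAML_GROUPS = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"


def jwt_claims(token):
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_groups(claims):
    """Return (status, groups) describing how group membership arrives."""
    value = claims.get(EXPECTED)
    if value is not None:
        groups = [value] if isinstance(value, str) else list(value)
        return ("ok" if groups else "empty", groups)
    # Azure AD omits the claim and adds a pointer when a user has too many groups
    if EXPECTED in claims.get("_claim_names", {}):
        return ("overage", [])
    # Groups sent under the SAML URI must be renamed to "groups" (in AD or IAS)
    other = claims.get(AZURE_SAML_GROUPS)
    if other is not None:
        renamed = [other] if isinstance(other, str) else list(other)
        return ("rename:" + AZURE_SAML_GROUPS, renamed)
    return ("missing", [])


def make_unsigned_token(claims):
    """Build a constructed, unsigned token so the example runs offline."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + "."


if __name__ == "__main__":
    samples = {  # constructed sample claims, not captured from a real tenant
        "mapped": {"sub": "u1", "groups": ["BTP_GA_Admins"]},
        "single": {"sub": "u2", "groups": "BTP_GA_Viewers"},
        "overage": {"sub": "u3", "_claim_names": {"groups": "src1"}},
        "saml-name": {"sub": "u4", AZURE_SAML_GROUPS: ["BTP_GA_Admins"]},
        "none": {"sub": "u5"},
    }
    for label, claims in samples.items():
        print(label, check_groups(jwt_claims(make_unsigned_token(claims))))
```

Azure AD emits group object IDs by default, so the values mapped to role collections have to match what is actually sent rather than the display names.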