Use this procedure to configure the SAP BTP trust settings and add the Identity Authentication tenant as an identity provider.
The Identity Authentication service is closely integrated with SAP BTP, and it is offered as part of most of the cloud platform packages. For those packages the trust between the subaccount in SAP BTP and Identity Authentication service is configured automatically and the tenant for the Identity Authentication service is set up by default, once you have a partner or customer subaccount. However, you can manually configure the trust and set up the Identity Authentication tenant if your scenario requires it.
-
In the Identity Authentication tenant, access the administration console by using the console's URL. You need to use another browser, or incognito session of the same browser.
The URL has the
https://<tenant ID>.accounts.ondemand.com/adminpattern.You can also get the URL from the Identity Authentication tenant registration e-mail.
-
You have to save the metadata of your Identity Authentication tenant on your local file system as an XML file. You can either find the tenant at
https://<tenant ID>.accounts.ondemand.com/saml2/metadataor access it via Applications & Resources > Tenant Settings > SAML 2.0 Configuration. Then choose the Download Metadata File link. You will need this metadata in Step 5. -
Open the SAP BTP cockpit and select the region in which your subaccount is hosted. Select the global account that contains your subaccount, and then choose the tile of your subaccount. For more information about regions, see Regions and Hosts.
-
Choose Security > Trust Configuration.
-
Choose New Trust Configuration and fill in the required fields:
-
In the Metadata field, upload the metadata file you have dowloaded from the Identity Authentication tenant in step 2. All the required fields are automatically filled in.
-
In the Name field, enter a meaningful name of your choice.
-
Choose Save.
-
-
In the cockpit, download the service provider SAML metadata file. Open the link
https://<subaccount_subdomain>.authentication.<region_host>/saml/metadata, where:-
<subaccount_subdomain>is part of the subaccount details in the cockpit. -
<region_host>is the API endpoint withoutapi.cf.. See Regions and Hosts.
When you are prompted, save the XML file on your local file system. This file contains the SAML 2.0 metadata describing SAP BTP as a service provider.
You will need this metadata in Step 11.
-
-
In the Identity Authentication tenant, access the administration console by using the console's URL. You need to use another browser, or incognito session of the same browser.
The URL has the
https://<tenant ID>.accounts.ondemand.com/adminpattern.You can also get the URL from the Identity Authentication tenant registration e-mail.
-
Choose Applications & Resources > Applications.
-
Choose the +Add button on the left-hand panel, and enter the name of your subaccount.
-
Choose Save.
-
Configure the SAML 2.0 trust with subaccount as a service provider. To do so, proceed as follows:
-
On the left-hand side, choose the newly created application, and then choose Trust.
-
Choose SAML 2.0 Configuration.
-
Upload the metadata XML file of your subaccount that you have downloaded in Step 6.
On service provider metadata upload, the fields are populated with the parsed data from the XML file.
-
Save the configuration settings.
-
The trust will be established automatically upon registration on both the subaccount in SAP BTP and Identity Authentication tenant side.
Related Information