SAP ID service is the default identity provider for both platform users and business users (in applications) at SAP BTP. You can start using it without further configuration.
For China (Shanghai) region, a different default identity provider is used.
For more information, see this blog article on SAP Community.
For Government Cloud (US) region, a different default identity provider is used.
SAP ID service provides:
- A central user store
- A Single Sign-On (SSO) service. It enables users to log on once and get access to all your applications.
Use SAP ID service as a preconfigured user store in your starter scenarios or for testing. You can also use the default identity provider as a backup identity provider if access to your custom identity provider fails. SAP ID service is the place where you register to get initial access to SAP BTP.
SAP ID Service Authenticates Users
If you're a new user, you can use the self-service registration option at the SAP website. The SAP website registers you with SAP Universal ID, which also registers you with SAP ID service.
SAP Universal ID manages the users of official SAP sites, including the SAP developer and partner community. If you already have such a user, then you're already registered with SAP ID service as well. SAP ID service acts as a proxy for SAP Universal ID when users log on with their e-mail addresses. Users can log on with and manage all their SAP accounts with SAP Universal ID.
The following figure illustrates how default and custom identity providers can federate other identity providers.
Identity Providers and Federation
To add users to a subaccount, the users must exist in an identity provider.
For more information about adding users to our default identity providers, see Create SAP User Accounts.
To add new users to a subscribed app or service, such as Web IDE, add those users to your subaccount.
For more information, see Add Users from SAP ID Service for Multi-Environment Subaccounts.
As a self-service, users can enable multifactor authentication for SAP ID service.
For more information, see How to Enable Multi-Factor Authentication (MFA) on the SAP Support Portal.
Some user interfaces don't offer an interactive way to support multifactor authentication, such as time-based one-time passwords (TOTP). Instead, such tools offer fixed logon ID and password fields. For such tools, enter your password followed directly, without any spaces or dividers, by the TOTP offered by your multifactor device.
User ID: MylogoniD
Password: MystrongpassworDMytotppasscodE
For some tools, this behavior affects logon to the tool itself:
- Cloud Foundry command-line interface (cf CLI)
  Alternatively, you can log on through a browser instead.
  For more information, see Log On Manually With a Custom Identity Provider.
- SAP Business Technology Platform command-line interface (btp CLI)
  Alternatively, you can log on through a browser instead.
  For more information, see Log in with Single Sign-On.
For other tools, this behavior doesn't affect logon to the tool itself, but it does affect logon to the platform, for example when establishing connections or deploying software:
- Cloud Connector
- SAP Business Application Studio
- SAP Web IDE
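The password-plus-passcode rule above, as an added shell example (not SAP's own code): it strips the spaces or dashes an authenticator app may display, validates the passcode, and appends it to the unchanged password. The function names are hypothetical, the 6 to 8 digit check is an assumption about the passcode length, and `cf_auth_with_totp` assumes the cf CLI is installed with an API endpoint already targeted.

```shell
#!/usr/bin/env bash
# Added example: compose "password + TOTP" for tools with fixed logon fields.

# normalize_totp CODE -> prints the passcode with spaces and dashes removed.
# Authenticator apps often display "123 456"; the combined value must contain
# no spaces or dividers. Assumption: a valid passcode is 6 to 8 digits.
normalize_totp() {
  local code
  code=$(printf '%s' "$1" | tr -d ' \t-')
  case "$code" in
    ''|*[!0-9]*) return 1 ;;   # empty, or contains a non-digit
  esac
  [ "${#code}" -ge 6 ] && [ "${#code}" -le 8 ] || return 1
  printf '%s' "$code"
}

# compose_credential PASSWORD TOTP -> prints PASSWORD directly followed by TOTP.
# The password is passed through untouched (it may legitimately contain spaces).
compose_credential() {
  local totp
  [ -n "$1" ] || return 1
  totp=$(normalize_totp "$2") || return 1
  printf '%s%s' "$1" "$totp"
}

# cf_auth_with_totp USER: prompt for the password without echo, then authenticate.
# The combined credential is handed to `cf auth` through CF_PASSWORD instead of
# a command-line argument, so it stays out of shell history and argument lists.
# Prompting right before the call keeps the passcode within its validity window.
cf_auth_with_totp() {
  local user=$1 password totp combined
  read -rs -p 'Password: ' password; echo
  read -r -p 'TOTP passcode: ' totp
  combined=$(compose_credential "$password" "$totp") || {
    echo 'passcode must be 6 to 8 digits' >&2; return 1; }
  CF_USERNAME=$user CF_PASSWORD=$combined cf auth
}
```
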
Trust between your subaccount and SAP ID service is preconfigured by default, so you can start using it without further configuration.
In cloud management tools feature set A, you can set the default trust to inactive, for example, if you prefer to use another identity provider.
In cloud management tools feature set B, you can hide the default trust.
For more information, see Hide Logon Link for Default Identity Provider.
To use a custom identity provider, establish trust to your custom identity provider. We describe a custom trust configuration using the example of SAP Cloud Identity Services - Identity Authentication.
For more information, see Trust and Federation with Identity Providers.