When setting up accounts, you need to assign users. While we provide you with your first users to get you started, your organization has identity providers that you want to integrate.
With your global account, you were provided with a user to access and manage the platform. SAP BTP is preconfigured to use a default identity provider. As you begin to set up your account model, don't be tempted to add everyone in your organization who has a user in this identity provider.
You most likely already have your own identity and access management solution. Most importantly, in this solution you've defined your own security policies, such as password policies. The default identity provider doesn't support custom security policies. Nor does it support multifactor authentication, SCIM APIs, branding, or numerous other features.
SAP Cloud Identity Services is our solution for integrating identity and access not just with your own solution, but also across SAP solutions. If you didn't already have a tenant of SAP Cloud Identity Services, one was bundled with your SAP BTP account.
SAP Cloud Identity Services includes a productive tenant and a test tenant. In the following figure, the left-hand landscape shows the integration of the test tenant with your development and test landscapes. This option enables you to split the users in the same way you split the business applications. The right-hand landscape shows the productive tenant integrated with your development, test, and productive landscapes. The test tenant (not shown) is used for evaluating and testing your identity and access management processes. Choose this option if your business application layers require the security rules of the productive identity and access management. This option reduces the effort of user management.
Options for Integration with the Development Pipeline
If neither of these options meets your needs, you have the freedom to define your landscape architecture yourself.
For more information about additional tenants, see Tenant Model and Licensing.
We recommend that you always use SAP Cloud Identity Services - Identity Authentication as the single identity provider for SAP BTP. If you use corporate identity providers, connect them to your Identity Authentication tenant, which then acts as a proxy. We especially recommend this configuration if you're using multiple corporate identity providers. For platform users, we require the use of SAP Cloud Identity Services - Identity Authentication as the custom identity provider. This configuration ensures the best integration with our services and solutions. Of course, you can use this service as a proxy for your corporate identity provider for platform users, too.
Identity Providers and Federation
Onboard to SAP Cloud Identity Services now.
- Add a few more administrators to your SAP Cloud Identity Services tenant.
  These administrators can support the service in different time zones or if other administrators are sick or on vacation.
  For more information, see Add Administrators in the documentation of SAP Cloud Identity Services - Identity Authentication.
  Unsure about which tenants you have and which administrators are assigned? Use the SAP Cloud Identity Services - Tenants application from the following link: https://iamtenants.accounts.cloud.sap/
- Protect your tenant administrators with multifactor authentication.
  Administrators have critical access to the system. Set a higher security standard for authentication.
  For more information, see Allow Users to Protect Accounts with Second Factor for Authentication in the documentation of SAP Cloud Identity Services - Identity Authentication.
- Configure system notifications and alerts for SAP Cloud Identity Services.
  For more information, see the following in the documentation of SAP Cloud Identity Services - Identity Authentication:
- Configure SAP Cloud Identity Services - Identity Authentication as a proxy for your corporate identity provider.
  For more information, see Corporate Identity Providers.
Now, you're ready to integrate SAP Cloud Identity Services with SAP BTP.
For more information, see SAP BTP Integration Scenario in the System Integration Guide for SAP Cloud Identity Services.