I've been tinkering around with SAP's Cloud Identity Services lately, sometimes for my clients' projects, the other times out of sheer curiosity. From barely knowing about Cloud Identity Service to integrating it with SAP Business Network to use Business Network as the Identity Provider (IdP) it has been quite a pleasant experience. In this blog post, I will touch on:

• Cloud Identity Services, breaking down IAS and IPS (for the nth time, but it'll be short 😉)


• My take on Identity Providers


• How you can leverage SAP Business Network and use it as an Identity Provider in IAS for building a reliant Supply Chain and managing Suppliers efficiently


• Integration Steps involved (you'll need SAP's help with some configurations)


• Some issues my team and I faced while making this integration work


• Tricks (which are just some functionalities that IAS provides)

PS: Worth mentioning that all this tinkering around on IAS, and exploring its functionalities and workarounds required an ally. So a shoutout to vshlkwatra for being a sport and sharing his knowledge while we were delivering this.

My 2021 self was essentially trying to keep up with the number of times someone mentioned IAS/IPS in their presentations.

 

It is indeed difficult to understand these components if you have never worked in the sphere of managing identities at a large scale all across a disparate set of applications in your IT landscape. Cloud Identity Service made it so much easier for even a novice like me to start utilizing it in the best way possible.

 

An attempt at simplifying (maybe over-simplifying)

Identity Authentication Service (IAS) can be thought of as a User Management Service. You have an organization with thousands of employees, using multiple applications, on multiple platforms and many SAP's cloud solutions are used day in and day out. Rather than having each of these application maintain these 1000s of users, why not manage them centrally? IAS can help you achieve just that and also much more.

Identity Provisioning Service (IPS) on the other hand helps to transport these users (managed by IAS) to each of the connected applications where you want to provision your user base. For example: SAP Ariba requires a user account for the user to be created in the application. However now since you are managing all your users in IAS, how is SAP Ariba going to get these accounts created for these users in the first place. Yes, you can manually create users in Ariba assign groups to them, spend endless amount of time preparing those files and what not. But isn't that what we are trying to solve? We can use IPS for that very purpose since it automates this very mundane process and replaces it with standard integration offered by these applications (SAP Ariba in this example, using SCIM API).

 

What is Cloud Identity Services now for crying out loud

It's been three years since I've been working with SAP and one thing that's constant is 'Change'. Re-branding, consolidation what not. And it makes a lot of sense to consolidate the portfolio specifically for services such as IAS and IPS. Even though these 2 services are separate applications, they are now marketed under a single umbrella that is Cloud Identity Services. Previously you'd get two decoupled tenants, one for IAS and other for IPS. With Cloud Identity Services that is no longer the case. You log into either IAS or IPS and can navigate back and forth providing a more seamless user experience, and of course a tightened integration. This consolidation was not well known to me and there I was running around reading old articles on how I could get an IAS tenant etc. Little did I know that it was as easy as Subscribing to Cloud Identity Service on one of the Subtenants in Business Technology Platform and voila, both IAS and IPS were there set up completely for use.

Also an interesting fact: via Cloud Identity Service you get IAS tenant for the whole global account and not for each sub-account separately.

Subscription for Cloud Identity Services

 

 

IDK IdP ?

If you thought I was done writing abbreviated words till now, I'm not. Recently I was working on a project where instead of maintaining User data in IAS, we had to use an external Identity Provider (IdP) instead. What this meant was that IAS would no longer manage the users or even authenticate the users, instead an external service would be doing that work and IAS would just act as a proxy or a pass through and help with the routing and integration only.

A lot of our clients have been leveraging BTP for creating custom applications to ease their businesses. They are building these Applications not just for their employees to have a seamless Procurement experience but also for their Suppliers in order to build more robust Supply Chains and efficiently manage Supplier relationships. SAP Customers have been extensively using SAP Business Network (previously called Ariba Network) for many years to collaborate with millions of Suppliers: to the extent that Business Network has become a key platform for the Suppliers to manage a variety of their customers in one single place. Leveraging the expanse of SAP Business Network and the complimentary technologies such as Cloud Identity Service, it is also possible to use Business Network as an Identity Provider.

What that means?

1. You no longer need to manage the Identity of the Supplier users in IAS


2. Business Network does the heavy lifting of storing supplier data and authenticating the Supplier users. You can sit back and enjoy your tub of popcorn 🍿

 

Using SAP Business Network as an Identity Provider with IAS

Let's take the above use case into consideration and try to see where each piece of technology fits

1. Your organization has built an application on BTP which provides functionality for the Suppliers to provide Feedback, raise a support ticket, raise a claim, or all of these


2. Your organization already collaborates with Suppliers via SAP Business Network or is planning to onboard most of their Supplier on Business Network


3. Your organization doesn't want to manage the identities of the Supplier Users themselves on IAS


4. Neither do Suppliers want the hassle of dealing with yet another User ID and Password. Side note: I want a passwordless future. But for now at least this way we can try to decrease passwords, one password at a time 🙈

This use-case cries for using SAP Business Network as an Identity Provider to allow Suppliers to login into your organization's newly created Supplier applications. With SAP Business Network now providing this functionality via Application Gateway: Supplier access to non-SAP Ariba applications via Single Sign On. Still not sure why this functionality is a 'hush hush', but it's great to see clients realizing its value add and jumping on the bandwagon.

Application Gateway Link on Supplier Business Network Homescreen

Steps to integrate IAS with SAP Business Network as IdP

1. While logged in as an Admin, navigate to Tenant Settings -> SAML 2.0 Configuration of your IAS Tenant and Download the Metadata FileThe metadata file contains some important information like the entityId, ACS URL, and the certificate that will be required by the person configuring the SAML settings in SAP Business Network (your IdP)


2. Create a new Corporate Identity Provider and configure the SAML 2.0 Configurations. This would require the SAML Metadata for SAP Business Network which you can get by engaging SAP Ariba Support or SAP Services Teams. You can import the metadata file and it'll populate all the relevant information on the page. Once imported you'll only need to save the config.


3. Till now you have set up the IdP in IAS, however, the IAS metadata still needs to be configured on the SAP Business Network side. Since the configuration is not a self-service, you'll need to engage SAP to help with that. You can provide the IAS Metadata you exported in Step 1 to SAP and they should be able to take care of most of the configurations. In a nutshell, this is what they'll get from the metadata:
   
   
   
   • Entity ID and Service ID which is present in the metadata by the attribute name "entityID"
   
   
   • Assertion Consumer Service (ACS) URL which is the available in the metadata under the tag "AssertionConsumerService" in the "Location" attribute.
     

     Eg: https://<IAS-Tenant>.accounts400.ondemand.com/saml2/idp/acs/<IAS-Tenant>.accounts400.ondemand.com

     
      
   
   
   • Service Destination URL: This is your ACS URL concatenated with the Service Provider information.
     

     Eg: https://<IAS-Tenant>.accounts400.ondemand.com/saml2/idp/acs/<IAS-Tenant>.accounts400.ondemand.com?sp...

     
     Note: The Service Provider (sp) information will not be present in the IAS Metadata. You'll have to provide it separately.
   
   
   • The certificate which is already part of the metadata. Since some IdPs (SAP Business Network included) do not provide a metadata import functionality, all these details have to be manually entered so we need to be extra cautious that we configure exact details. I've made mistakes in this, therefore just a word of advice 😉
   
   
   • SAP will additionally be able to configure the SAML Attributes that your application require in order to perform business logic or get logged in user details. This can include the UserID of the Supplier User, their AN Account ID, contact email and a few more. You'll have to work with SAP to know what all is available and how best those attributes suit your requirement
   
   
   
   


4. I'm assuming that you have already created an application for connecting your IAS with the BTO Subtenant. This is the subtenant where your Supplier relevant application are hosted and which your suppliers will be accessing once they are authenticated by the IdP. You can check out this blog post in order to understand how you can create an application for your BTP Subaccount in IAS. Even though it talks about setting up application for Integration Suite, it is applicable to the whole Subaccount nevertheless.The important change you need to make in the SAML 2.0 Configuration of this Application is the addition of another Assertion Consumer Service URL. This URL should be the URL to your Application that you want your Suppliers to see when they click the Application Gateway link on SAP Business Network. Give it the index 1.Additionally, the Service Provider Information that I mentioned in Step 3 is what you'll get from this same page. It is the URL mentioned under "Configure Manually"

 

Some Errors: Making our lives miserable. Maybe this helps

With these configurations in place, if you are fortunate, your setup will run in one go. I wasn't, so clearly there were certain issues that my team and I faced with successfully segueing from SAP Business Network to our BTP Application. These were some of the errors that we faced:

1. Whenever we clicked on the Application Gateway Link on SAP Business Network Supplier Portal, it used to initiate SAML assertion with the IAS but failed in between with the error "Sorry, but you are currently not authorized for access"
   

   

   
   

   Error

   
   Below are the steps that can be taken to check what's happening behind the scenes:
   
   
   
   • Turn on SAML Tracer and click on the Application Gateway link. Check the SAML request in the SAML Tracer and most importantly the details that are being sent in SAML assertion from SAP Business Network. If you don't see anything wrong there, proceed with next step
   
   
   • Since the SAML Request is initiating correctly, we need to check why IAS is rejecting it. For this purpose you can check the Troubleshooting Logs in IAS. In my case the logs showed the following error:
     

     Service Provider does not match specified audience in the SAML2Assertion.Service Provider does not match specified audience in the SAML2Assertion.​

     
     
   
   
   • What this meant was that there was a clear disparity in the Audience attribute being sent by SAP Business Network and what IA....
   
   
   • I had made a small mistake while configuring the Entity ID in SAP Business Network. The actual Entity ID did not have "https://" prefixed and I had configured it with the prefix. Clearly that was the problem since IAS was expecting the EntityId to be sent without this prefix. Removing the prefix help us get past this error. Therefore do note that configuring the 'exact' information is important. Very important.
   
   
   
   


2. Now when the SAML Assertion between SAP Business Network and IAS started working, for some reason rather than opening the application page, a Where To page was getting loaded.
   
   
   
   • SAML Tracer was again my friend here
   
   
   • After many failed attempts of finding a potential fix, I stumbled upon a similar issue on SAP Community and couple of comments on potential resolution. What seemed to be happening was that instead of routing to the application, the IAS was routing only to the BTP Subaccount
   
   
   • This is where the 2nd ACS URL that we later configured came into use. The application URL was maintained at index 1. Therefore we need to tell IdP to send the index of the URL where IAS needs to route it
   
   
   • So just by adding "&index=1" to the Service Destination URL, we got the routing fixed. Even in the browser I could see that IAS was now routing me correctly to the Application instead of the BTP Subaccount
   
   
   
   


3. At this point, SAP Business Network was sending in right Assertion Attributes, SAML Assertion was going through at IAS and I could even see the application URL trying to get loaded on the browser. The only problem being- I was getting 'Unauthorized' error on page load 🥴
   
   
   
   • In the SAML Tracer, I could see the 2nd SAML Assertion request between IAS and BTP was failing.
   
   
   • Few attempts at trial and error, and the only thing that worked was adding "hc_login" as a query parameter for the ACS URL at index 1
   
   
   
   

Fixing these three issues, I (while acting as a Supplier user) was able to get redirected to the BTP application successfully.

 

Some neat tricks I learned in the process

1. SAML Attributes configured in the IAS Application for our BTP Subaccount were being passed on to the application even for the users getting authenticated via the IdP. For the applications to work, we needed some attributes from the IdP instead.Solution: I realized it later that while configuring, I had enabled "Use Identity Authentication User Store" in Identity Federation which meant that instead of forwarding attributes from IdP, IAS will send attributes from its own user store. Toggling this configuration off made sure that all the SAML attributes passed on from the IdP (Business Network) were getting passed on to the BTP Applications.


2. Our applications worked based on Access Control. For internal users, since we were managing them directly in IAS, we had assigned a group to the users. Using this group, the applications were able to assess if it was an internal user and authorize based on that. For users getting logged on using IdP (Business Network), a similar group assignment couldn't be done as the users are not present in IAS.Solution: Considering Business Network doesn't allow for custom attributes to be configured or sent to IAS, we needed a work-around to identify if a User was coming from IdP. IAS allows to configure Enriched Assertion Attributes at the IdP level. Note: this will only impact the attributes if the login is via the IdP, ie. your users logging in via IAS and their attributes won't be affected. Using the enrichment attribute, we assigned a static groups attribute with the value as group name. This group name would help to identify in the BTP Applications if the user is a supplier user or not. Again, I don't know if this is the best way to achieve this, but in our use case it appeared to work so we went with this approach. You can ignore the last enriched attribute (ANID), it is redundant unless you are using IAS User store.


3. In case you need to manipulate the NameID being sent to BTP Apps, you can do that too in the Enriched Assertion Attributes section. It came in handy for one of our requirements and it really helped us a lot.


4. Conditional Authentication: Since in our scenario we were using IAS User Store for Client's internal users and also an IdP for Supplier users, IAS needs to know how it needs to authenticate a user- Eg. For authenticating an internal user, should it use IdP or IAS User Store. This can be achieved using Conditional Authentication in the IAS Application that you created for your BTP Subaccount. Using the rules, we can control how IAS authenticates specific users based on say: email domain, IP range, or even user group. You can refer to muralidaran.shanmugham2's blog post to learn more about Conditional Authentication.
   Having used conditional authentication for our project, although it works out fine I still feel the conditions that can be configured are far too primitive and we could use more enhancements (like using regex patterns) and using complex conditions. In case someone has used it to make complex conditions work, do drop your use case and solutions in the comments.

 

EOF (almost) 🪫

Cloud Identity Service has a lot to offer certainly. The interface it provides makes it intuitive enough to be adopted without much hassle, so kudos to the product team. Given there are plenty of SAP applications that have started leveraging the Cloud Identity Services, be it Task Center, Work Zone, cloud solutions like SAP Ariba, Success Factors, interconnecting the applications and reusing data has never been easier. There have been some really interesting discussions on issues and use cases out there on SAP Community topic. This should be just the right start in case you run into any issues on this topic. In case you have any feedback or question on the content shared on this post, you can drop your comments down here. I'll be also glad to hear what your experience has been so far with Cloud Identity Services and if you have used Business Network as an IdP in the past (called Ariba Network previously) that will be just a cherry on top 🍒.