Fundamentals of Security in SAP BTP – Introduction Part 1

This blog series is mainly targeted at developers and administrators. If you have gone through the plethora of tutorials, documentation, and presentations on security topics in SAP BTP and still lack the confidence to implement security for your application, you have come to the right place.

In this blog series, we will learn:

  • How to protect an app in the SAP BTP, Cloud Foundry environment from unauthorized access
  • How to implement role-based features
  • How SAP identity providers and single sign-on work

For ease of reading, I have split this into multiple blogs:

  1. Fundamentals of Security in BTP: Introduction Part 1 
  2. Fundamentals of Security in BTP: Introduction Part 2
  3. Fundamentals of Security in BTP: OAuth Concept (optional) [To be published]
  4. Fundamentals of Security in BTP: Implement Authentication in a Node.js App [To be published]
  5. Fundamentals of Security in BTP: Implement Authorization in a Node.js App [To be published]

This is blog 1 of the series.

In my opinion, security in SAP BTP is a simple topic. All we need is a clear understanding of all the basic concepts.

Let’s be honest: most developers don’t design the application with security in mind from the start. We first try to prove that the use case is feasible, and only once that succeeds do we think about securing the application. This is one of the reasons people get on the back foot when it comes to implementing security.

In SAP BTP, it’s very easy to develop a full-stack business application using sophisticated frameworks like the SAP Cloud Application Programming Model, the SAP Cloud SDK and many other out-of-the-box cloud services. With a little effort spent on understanding the core concepts, you can put together the pieces of the security puzzle just as easily.

In this blog series, we will make it extremely simple. First, we will understand the basic concepts:

  • Identity Provider (IdP)
  • OAuth
  • Application Router
  • Authentication and Authorization Implementation etc.

To get hands-on experience, we will:

  1. First deploy an unsecured Hello World Node.js application in BTP Cloud Foundry.
  2. Then implement authentication and authorization step by step.
  3. Finally touch upon the identity provider used for single sign-on.

Note: This blog series is focused on the SAP BTP, Cloud Foundry environment. I may skip mentioning Cloud Foundry every time.

I will not cover the basic concepts of BTP, otherwise this blog would become very lengthy. You should have a basic idea of SAP BTP, the BTP Cockpit and basic Node.js skills to follow this series. Even if you are new to Node.js, you should still be able to follow along.

Here are a couple of links you may go through to refresh your knowledge:

Let’s start with the basic concepts.

Applications in SAP BTP do not store user credentials. Instead, an application redirects the user to an Identity Provider (IdP) for authentication and only consumes the result (a signed token or assertion issued by the IdP). This decouples authentication from the application and centralizes it: the application only needs to trust the IdP, and user management happens in one place.

The image below shows a very high-level architecture of a typical Identity Provider.

In SAP BTP, there are two options for the Identity Provider: SAP ID Service and SAP Cloud Identity Services – Identity Authentication (IAS).

SAP ID Service

SAP ID Service is the default identity provider in SAP BTP. It is a pre-configured, standard, public SAP IdP that is shared by all customers.

A few important points about SAP ID Service:

  • Trust to SAP ID Service is pre-configured in all BTP subaccounts.
  • SAP ID Service is operated and managed by SAP; you cannot administer its users yourself.
  • SAP ID Service manages the users of official SAP sites, including the SAP developer and partner community. It is where S-users, P-users and D-users are managed.

You can view the pre-configured SAP ID Service in the Trust Configuration of a BTP subaccount in the cockpit, as shown below.

SAP Cloud Identity Authentication service (IAS)

For many customers, business users are already maintained in a corporate identity provider. SAP recommends using SAP Cloud Identity Services – Identity Authentication Service (IAS) as a hub in front of those corporate IdPs.

We connect IAS to SAP BTP as a single custom identity provider, and then use IAS to integrate with the corporate identity providers. The subaccount therefore trusts only IAS, and the corporate IdP integration is maintained once, in IAS, instead of separately in every subaccount.

IAS is configured as a custom identity provider in the SAP BTP cockpit, in the Trust Configuration section of the subaccount, as shown below.

To learn more about establishing trust between SAP BTP and IAS, refer to the SAP Help documentation.

Why do we really need SAP Identity Authentication Service (IAS)?

Most customers already have a large on-premise or cloud landscape, and their business user data is already available in their corporate identity provider.

When these customers build applications on BTP, an important question comes up: “How can employees authenticate to these applications with the credentials they already know?”

In simple words, customers need single sign-on across their custom solutions on BTP, SAP S/4HANA Cloud, SAP SuccessFactors and other SAP solutions. The answer to this is SAP Identity Authentication Service.

As shown in the image above, IAS can either act as the IdP itself (authenticating users stored in IAS) or delegate authentication to a corporate identity provider. In both cases IAS acts as a central hub that provides single sign-on to all SAP cloud applications as well as BTP applications.

I hope you now have a basic idea of the Identity Provider. If you have any questions, let me know in the comments.

Next blog in the series:

  • Fundamentals of Security in BTP: Introduction Part 2