SAP PaPM Cloud: BTP Trust Configuration with SAP IAS using SAML Protocol

Note: There are many images in this blog post to guide you through the steps.

If an image is too small, double-click on it to zoom in.

Hi Everyone,

The title of this blog post already gives a hint that this is once again a technical post: it provides plain, step-by-step instructions for registering an Identity Provider in SAP Business Technology Platform (SAP BTP), which SAP Profitability and Performance Management Cloud (SAP PaPM Cloud) can later use for logging in to the application. Since this is a very technical topic, I will try my best to keep the steps as simple as possible. If you are looking for a more sophisticated setup, I suggest you read the SAP BTP trust configuration documentation and talk to SAP BTP experts, who can help you with your questions.

For those who are not familiar with this so-called ‘Trust Configuration’, here is a visual representation before we proceed with the steps:


SAP BTP: Trust Configuration & SAP PaPM: Identity Provider List

Now that we are all set, I will show you, as promised, how to create this Custom Identity Provider.

Before we proceed, please note that you will read a lot about IAS (SAP Identity Authentication Service). This is the service we will use to manage the users who will later be authorized to log in to SAP PaPM Cloud. Let me now show you how.

1) SAP IAS: Login to SAP IAS

As an administrator in SAP IAS, start by logging in to your profile.

If you are not familiar with the URL to use, contact your SAP IAS administrators, usually the IT team of your company.

https://<customerIASaccount>.accounts.ondemand.com/ui/protected/profilemanagement


SAP IAS: Profile Management Screen

2) SAP IAS: Downloading Metadata

Once you have successfully logged in, download the metadata that SAP BTP will use to establish the trust connection. In SAP IAS, adjust the URL to

https://<customerIASaccount>.accounts.ondemand.com/saml2/metadata?action=download

then press Enter (Return). A metadata file will be downloaded to your laptop’s default download directory.


SAP IAS: Download Metadata

3) SAP BTP: Upload the SAP IAS metadata

As mentioned in step 2, our goal is to establish trust between SAP IAS and SAP BTP. For this, we need to upload the downloaded metadata by going into your SAP BTP subaccount and following the steps below:

a) Go to SAP BTP Subaccount > Trust Configuration

b) Choose New Trust Configuration

c) Upload the metadata downloaded in Step 2

d) Provide a unique name

e) Provide a description

f) Choose Parse

g) Choose Save

Upon successful save, a new entry will appear in the ‘Custom Application Identity Providers’ section.


SAP BTP: Registering Custom Application Identity Provider

4) SAP BTP : Download XML Trust File from BTP

After step 3, we have established trust from SAP IAS to SAP BTP; now we have to do the same in the other direction, from SAP BTP to SAP IAS. This means we also need to download the metadata from our subaccount and upload it to SAP IAS. To do this, follow the steps below:

a) In your SAP BTP subaccount, go to Trust Configuration

b) Choose SAML Metadata

c) An XML metadata file will be downloaded to your default download folder.


SAP BTP: Download Metadata

5) SAP IAS: Log back in to SAP IAS and visit the Admin Screen

https://<customerIASaccount>.accounts.ondemand.com/admin


SAP IAS: Admin Screen

6) SAP IAS: Application Creation

a) Go to Applications

b) Choose Create

c) A popup window will appear; fill it in, starting with the Display name

d) Provide the SAP PaPM Cloud tenant’s URL as the home URL, for example: https://<tenant>.eu20.papm.cloud.sap/webpages/index.html

e) Choose SAP BTP Solution as the Type

f) Choose Save


SAP IAS: Application Creation Screen

7) SAP IAS: Application Configuration

a) Look for the application you created in Step 6 and update its configuration

b) Double-check that the URL listed is actually the SAP PaPM Cloud application URL

c) Choose Protocol

d) Change the Protocol to SAML 2.0, then go back to the previous screen

e) Choose SAML 2.0 Configuration

f) Upload the metadata from Step 4; this establishes the trust from the SAP BTP subaccount to SAP IAS.

g) Choose Assertion Attributes

h) Add a Group Attribute

i) Afterwards, change the Assertion Attribute value to ‘Groups’


SAP IAS: Application Configuration

8) SAP IAS: Creation of User Groups

A user group must be created and maintained with the specific users. Later on, the user group we are about to create is linked to SAP PaPM Cloud roles, to ensure that only specific users get access to specific applications. For now, let us create the group!

a) Go to Users and Authorization

b) Choose User Groups

c) Choose Create

d) Provide a group name. For PaPM Groups I suggest you create one group per PaPM Role

e) Provide a description

f) Choose Create


SAP IAS: Create Group Screen

9) SAP IAS: Assigning of Users to the Group

It is important to maintain this user group with the people who are to use the SAP PaPM Cloud applications. To add users, follow the steps below:

a) Choose ‘User Groups’

b) Search for the Group created from Step 8.

c) Open the Group

d) Add a user

e) Search the user to be added (optional)

f) Choose the user to be added

g) Save the configuration


SAP IAS: Add user to a group

Now we are fully done in SAP IAS. Every time a user is to be added, this user group should be maintained accordingly in SAP IAS.

10) SAP BTP: Link BTP Role to IAS Group

As I mentioned, the group we created in the previous steps needs to be linked to an SAP BTP subaccount role collection. To do this, go back to SAP BTP as an administrator and follow the steps below:

a) Go to Trust Configuration

b) Choose the Custom Application Identity Provider that is involved in the setup

c) Choose Role Collection Mappings

d) Choose New Role Collection Mapping

e) In the popup window, choose the BTP Role Collection that is meant to be assigned to the group of users.

f) The Attribute will always be ‘Groups’

g) The Attribute Value is the name of the group created in SAP IAS, in this case SAP_PAPM_ADMIN_ALL

Once fully mapped, choose Save, and you are done!


SAP BTP: Link BTP Role to IAS Group

You have just linked your SAP IAS user group with an SAP BTP role collection that includes the SAP PaPM Cloud role. The next time you need to manage users, you can do it in SAP IAS alone: the user will automatically be able to access SAP PaPM according to the role collection mapped to the SAP IAS group.
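To make the mapping of steps 7 and 10 concrete, here is an added Python example (not part of the original post and not SAP code) that reads the ‘Groups’ attribute from a constructed SAML assertion and applies role collection mappings the way the subaccount does: a user receives exactly the collections whose (attribute, value) pair appears in the assertion. SAP_PAPM_ADMIN_ALL is the group from the post; the role collection names, the second group and the sample user are assumptions.

```python
import xml.etree.ElementTree as ET

# Standard SAML 2.0 assertion namespace.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Role collection mappings as configured in step 10: (attribute, value) -> role collection.
# SAP_PAPM_ADMIN_ALL comes from the post; the other names are assumed for illustration.
ROLE_COLLECTION_MAPPINGS = {
    ("Groups", "SAP_PAPM_ADMIN_ALL"): "PaPM_Administrator",
    ("Groups", "SAP_PAPM_MODELER"): "PaPM_Modeler",
}

# Constructed fragment of the assertion IAS sends once the 'Groups' attribute
# of step 7 is configured; the user and the HR group are made up.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="Groups">
      <saml:AttributeValue>SAP_PAPM_ADMIN_ALL</saml:AttributeValue>
      <saml:AttributeValue>HR_Readers</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>user@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def assertion_attributes(xml_text):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        # A repeated Attribute element with the same Name is merged, not overwritten.
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs

def role_collections_for(attrs, mappings=ROLE_COLLECTION_MAPPINGS):
    """Grant the role collections whose (attribute, value) pair is present.
    The match is exact: a group renamed in IAS, or a user without the
    'Groups' attribute, gets no role collection at all."""
    granted = {rc for (name, value), rc in mappings.items()
               if value in attrs.get(name, [])}
    return sorted(granted)
```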

I hope this helps!!!

Thank you so much for reading through. Happy configuring in the cloud!