Configure a corporate user store for applications in the Neo environment so that users can authenticate with their corporate credentials, without needing a separate set of credentials for their cloud access.
The content in this section is only relevant for SAP BTP, Neo environment.
The content in this section is not relevant for China (Shanghai) region.
Identity Authentication can connect with the following corporate user stores:
- Microsoft Active Directory
- SAP NetWeaver AS JAVA, with the following variants:
  - SAP NetWeaver AS JAVA - UME
  - Multiple Active Directories connected to SAP NetWeaver AS JAVA - UME
  - SAP NetWeaver AS ABAP connected to SAP NetWeaver AS JAVA - UME
This scenario works with an SAP BTP application named proxy and provided by an SAP BTP subaccount named sci. The proxy application on SAP BTP uses the OAuth authentication mechanism when communicating with Identity Authentication.
The sci proxy application is not supported for China.
The connection between SAP BTP and the corporate user store is established through a Cloud Connector.
The Corporate User Store option is configured properly. A user tries to access a trusted application for the first time with the on-premise credentials, Login Name and Password entered correctly. This user is authenticated successfully against the corporate user store. With this initial successful authentication of the user, a partial user record is created in the user store for Identity Authentication. It is created with user details taken from the corporate user store. The cloud user store does not copy the user's credentials. For more details about what data is copied from the corporate user store, see User Records. With subsequent logins, the user is always authenticated against the corporate user store, and the user record is updated.
For the first logon with on-premise credentials, the user enters his or her Login Name and Password. For subsequent logons the user can use the Login Name, Email, or User ID together with the Password.
If the user has enabled the Remember me option, the following limitations are observed:
- when a user is authenticating with remember me cookie, his or her user record in Identity Authentication is not updated.
- if the user changes his or her password in the corporate network, the remember me cookie is not invalidated.
For more information, see Use the Remember Me Option.
The user in the corporate user store must have the
The tenant administrator needs to monitor and prevent the coexistence of a cloud and on-premise user with one and the same email address. The tenant administrator has to instruct the users to logon for the first time with their Login Name, not with the Email.
If a user with a user record in the cloud user store is deleted in the corporate user store, the user cannot authenticate using Identity Authentication. The user record for this user remains in the cloud user store, and the tenant administrator can delete it via the administration console for SAP Cloud Identity Services. For more information, see Delete Users.
For all users from the corporate user store, a second factor for authentication can be enabled for some applications, or cloud user groups can be assigned. For more details, see Configure Risk-Based Authentication for an Application and Assign Groups to a User.
In the scope of the Corporate User Store scenario, you can manage access to applications and their resources based on the groups available in the corporate user store.
The corporate user groups are sent to an application in the SAML 2.0 assertion. corporate_groups is the attribute that contains the groups that the user in the corporate user store is assigned to. For more details about how the groups are sent to the application in the SAML 2.0 assertion, see Configuring User Attributes from the Identity Directory.
If your application is deployed on SAP BTP, the corporate user store groups that are relevant for the application and contained in the corporate_groups attribute of the SAML 2.0 assertion can be mapped to assertion-based groups created in the SAP BTP cockpit. For more information, see the 4. (If Using an Identity Provider) Define the Group-to-Role Mapping section in Managing Roles.
You can also restrict access to applications based on membership in a corporate user group by setting different rules via risk-based authentication. For more information, see Configure Risk-Based Authentication for an Application.
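As an added example (not part of the SAP documentation and not SAP code), the following Python shows what a service provider does with the corporate_groups attribute once the SAML assertion has been received: it extracts the group values and maps them to application roles, granting nothing for groups that are absent from the mapping. The assertion fragments, the group names, and the GROUP_TO_ROLES mapping are constructed for illustration; whether your tenant sends plain group names or full distinguished names should be checked against a real assertion. Signature, audience and condition validation of the SAML Response are assumed to have been done by the SAML library before this code runs.

```python
"""Added example (not SAP's code): consume the corporate_groups SAML attribute
on the service-provider side and map it to application roles."""
import xml.etree.ElementTree as ET  # for untrusted input prefer defusedxml

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
GROUP_ATTRIBUTE = "corporate_groups"  # attribute name from the documentation

# Constructed assertion fragment (not a real tenant's output). Group values
# are assumed to be plain group names; check your tenant for the exact form.
ASSERTION = f"""<saml2:Assertion xmlns:saml2="{SAML_NS}" ID="_a1" Version="2.0">
  <saml2:Subject><saml2:NameID>jdoe</saml2:NameID></saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="{GROUP_ATTRIBUTE}">
      <saml2:AttributeValue>FinanceReaders</saml2:AttributeValue>
      <saml2:AttributeValue>AllEmployees</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="mail">
      <saml2:AttributeValue>jane.doe@example.com</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

# Same shape for a constructed user with no corporate group membership.
NO_GROUPS_ASSERTION = f"""<saml2:Assertion xmlns:saml2="{SAML_NS}" ID="_a2" Version="2.0">
  <saml2:Subject><saml2:NameID>guest</saml2:NameID></saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="mail">
      <saml2:AttributeValue>guest@example.com</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

# Hypothetical group-to-role mapping, the same idea as the assertion-based
# groups in the SAP BTP cockpit. Groups not listed here grant no role.
GROUP_TO_ROLES = {
    "FinanceReaders": {"ReportViewer"},
    "FinanceAdmins": {"ReportViewer", "ReportAdmin"},
}


def corporate_groups(assertion_xml):
    """Return the values of the corporate_groups attribute, in assertion order.

    The caller must already have validated the SAML Response (XML signature,
    Audience, NotBefore/NotOnOrAfter, InResponseTo); attributes taken from an
    unverified assertion are attacker-controlled.
    """
    root = ET.fromstring(assertion_xml)
    groups = []
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") != GROUP_ATTRIBUTE:
            continue
        for value in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
            if value.text and value.text.strip():
                groups.append(value.text.strip())
    return groups


def roles_for(groups, mapping=GROUP_TO_ROLES):
    """Union of the roles granted by the mapped groups; deny by default."""
    roles = set()
    for group in groups:
        roles |= mapping.get(group, set())
    return roles


def can_access(assertion_xml, required_role):
    """Authorization decision for one protected resource."""
    return required_role in roles_for(corporate_groups(assertion_xml))


if __name__ == "__main__":
    groups = corporate_groups(ASSERTION)
    print(groups, roles_for(groups), can_access(ASSERTION, "ReportAdmin"))
```

The mapping is keyed on the exact attribute value, so a group that is renamed in Active Directory silently stops granting its roles; treat that as the safe failure mode and keep the mapping small and reviewed.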
When a user has been successfully authenticated for the first time with the credentials from the corporate user store, a record for that user is created in Identity Authentication. That user record is created with details from the corporate user store. In this record, the user is created with the User Type employee. This User Type cannot be changed.
For more information about the attributes taken from the Active Directory and their mapping to the user store of Identity Authentication, see Configure SAP BTP When Connecting to an LDAP User Store in Configure SAP BTP.
To configure connection to a corporate user store, you have to make the following configurations in SAP BTP and in Identity Authentication.
For more details about how to configure these systems, see:
The configuration of SAP BTP depends on the type of the user store. You have two options: Microsoft Active Directory user store and SAP NetWeaver AS Java user store.
Microsoft Active Directory User Store
- Log on to SAP BTP cockpit with the cockpit administrator role. For more information, see Subaccounts.
- In the SAP BTP cockpit, choose Services in the navigation area > Identity Authentication Add-On > Enable in the detailed view of the service.
  This enables the extension service of Identity Authentication named proxy and provided by an SAP BTP subaccount named sci.
  If you don't see the Identity Authentication Add-On tile in the cockpit, you need to report an incident with the subject "Enable Corporate User Store Feature" on SAP Support Portal Home under the component BC-IAM-IDS. You have to provide your SAP BTP subaccount name and region.
- In your subaccount on SAP BTP, register an OAuth client for the subscribed proxy application provided by the sci subaccount.
The procedure is described in the documentation of SAP BTP in the link below.
Beware that for each flow the respective grant type must be selected. All other grant types can be deselected if they aren't required by the application.
Since Identity Authentication will create the subscription to the proxy application, the Prerequisites section in the respective document isn't relevant for the current scenario.
For the Authorization Grant field in the SAP BTP cockpit, choose Client Credentials from the dropdown, and for the Subscription field, choose sci/proxy.
For more information about how to register an OAuth client, see Register an OAuth Client.
- Install a Cloud Connector in your corporate network.
  For more information, see Installation.
- Connect the Cloud Connector with your SAP BTP account.
  - If you haven't used your Cloud Connector before, see Initial Configuration.
  - If you have used your Cloud Connector before, you can start the configuration from Set up Connection Parameters and HTTPS proxy.
- Connect SAP BTP with your corporate user store.
  You have to specify the SAP BTP settings. The Prerequisites section in the document describing the configuration is already configured for the proxy application, so proceed directly with the configuration steps. For more information, see Configure the User Store.
  The User Name field must be in the <service_user_name>@<domain> format. For the User Path and Group Path fields, specify the Microsoft Active Directory subtree that contains the users and groups, respectively. For example, if the tree has the following structure:
  The user and group paths should appear as in the table below:

  | Field | Value |
  |---|---|
  | User Path | ou=People,dc=example,dc=com |
  | Group Path | ou=People,dc=example,dc=com |
- Optional: Include additional attributes.
  You can add the employeeNumber, division, department, and organization attributes that are defined in the SCIM Enterprise User Schema Extension. Cloud Connector uses the SCIM protocol to transfer the data, so the Active Directory attributes are mapped first to the SCIM attributes. When the data is provisioned, the SCIM attributes are mapped to the user store attributes of Identity Authentication.
  - In your system, go to /sapcc-<version>/config_master/com.sap.core.connectivity.protocol.scim/
  - On that level, create a new idstorage.cfg file based on the idstorage_extended_schema.cfg file, which is provided as an example in that folder.
  - Edit the newly created file. For more details, see the information below.
    To add new user attributes you have to edit the whole file. This file overwrites the configurations you made in Configure the User Store. Be careful not to change the user attributes taken from Microsoft Active Directory.
    In this section, provide the same information as when you specified the SAP BTP settings in the previous step:

```json
{
  "LDAPServers": [
    {
      "Host": "<The host name of the LDAP server to be contacted>",
      "Port": "<The port where the LDAP service is running. If omitted, the default LDAP port is used: 389 for plain connections and 636 for SSL connections>"
    }
  ],
  "UserPath": "<LDAP subtree containing the users. Example: DC=users,DC=organisation,DC=location>",
  "GroupPath": "<LDAP subtree containing the groups. Example: DC=groups,DC=organisation,DC=location>",
  "ServiceUser": {
    "Name": "<The name of the user used to establish communication with the LDAP server. For Active Directory the user name must contain the domain suffix, i.e. <service_user_name>@<domain>>",
    "Password": "<Password of this user>"
  },
```
    If you want to use SSL, we recommend that you configure this section. Without SSL, the service user's password and all provisioned user data cross the network in clear text, so in practice UseSSL should be true with TrustKeystorePath pointing at the CA that issued the LDAP server's certificate:

```json
  "UseSSL": "<true or false. If true, the communication to LDAP goes over SSL>",
  "IdentityKeystorePath": "<File system path to the client identity keystore; must be set if the LDAP server requires client certificate authentication>",
  "IdentityKeystorePassword": "<The password of the client identity keystore>",
  "TrustKeystorePath": "<File system path to the trusted CAs keystore; must be set if UseSSL is true>",
  "TrustKeystorePassword": "<The password of the trusted CAs keystore>",
  "IsActiveDirectory": "<true (default if missing) or false. true indicates that the LDAP server is Active Directory>",
  "ExcludeUsersAttribute": {
    "AttributeName": "<Name of the user attribute used to exclude some users from the result depending on their type. The attribute is treated bitwise. For Active Directory this attribute is userAccountControl>",
    "AttributeMask": "<Bitwise mask as a decimal value. If any set bit of this mask matches the corresponding bit of the attribute value, the user is excluded from the result. Example mask for Active Directory: 67121154, the sum of ACCOUNTDISABLE (2), WORKSTATION_TRUST_ACCOUNT (4096), SERVER_TRUST_ACCOUNT (8192) and PARTIAL_SECRETS_ACCOUNT (67108864)>"
  },
```
    In this section, add the additional attributes employeeNumber, division, department, and organization, defined in the SCIM Enterprise User Schema Extension:

```json
{
  "SingularAttributes": [
    { "SCIMAttribute": "userName", "mappings": [ { "LDAPAttribute": { "name": "sAMAccountname" } } ] },
    { "SCIMAttribute": "name", "mappings": [
        { "SCIMSubAttribute": "givenName", "LDAPAttribute": { "name": "givenName" } },
        { "SCIMSubAttribute": "familyName", "LDAPAttribute": { "name": "sn" } },
        { "SCIMSubAttribute": "honorificPrefix", "LDAPAttribute": { "name": "personalTitle" } }
    ] },
    { "SCIMAttribute": "displayName", "mappings": [ { "LDAPAttribute": { "name": "displayName" } } ] },
    { "SCIMAttribute": "locale", "mappings": [ { "LDAPAttribute": { "name": "locale" } } ] },
    { "SCIMAttribute": "timeZone", "mappings": [ { "LDAPAttribute": { "name": "timezone" } } ] },
    { "SCIMAttribute": "employeeNumber", "mappings": [ { "LDAPAttribute": { "name": "<LDAP property containing the employee number>" } } ] },
    { "SCIMAttribute": "division", "mappings": [ { "LDAPAttribute": { "name": "<LDAP property containing the division>" } } ] },
    { "SCIMAttribute": "department", "mappings": [ { "LDAPAttribute": { "name": "<LDAP property containing the department>" } } ] },
    { "SCIMAttribute": "organization", "mappings": [ { "LDAPAttribute": { "name": "company" } } ] },
    { "SCIMAttribute": "costCenter", "mappings": [ { "LDAPAttribute": { "name": "<LDAP property containing the cost center>" } } ] }
  ],
  "MultiValuedAttributes": [
    { "SCIMAttribute": "emails", "values": [
        { "primary": "true", "mappings": [ { "SCIMSubAttribute": "value", "LDAPAttribute": { "name": "mail" } } ] }
    ] },
    { "SCIMAttribute": "phoneNumbers", "values": [
        { "type": "work", "primary": "true", "mappings": [ { "SCIMSubAttribute": "value", "LDAPAttribute": { "name": "telephoneNumber" } } ] },
        { "type": "fax", "mappings": [ { "SCIMSubAttribute": "value", "LDAPAttribute": { "name": "facsimileTelephoneNumber" } } ] },
        { "type": "cell", "mappings": [ { "SCIMSubAttribute": "value", "LDAPAttribute": { "name": "mobile" } } ] }
    ] },
    { "SCIMAttribute": "addresses", "values": [
        { "primary": "true", "mappings": [
            { "SCIMSubAttribute": "streetAddress", "LDAPAttribute": { "name": "streetAddress" } },
            { "SCIMSubAttribute": "locality", "LDAPAttribute": { "name": "l" } },
            { "SCIMSubAttribute": "region", "LDAPAttribute": { "name": "st" } },
            { "SCIMSubAttribute": "postalCode", "LDAPAttribute": { "name": "postalCode" } },
            { "SCIMSubAttribute": "country", "LDAPAttribute": { "name": "co" } }
        ] }
    ] }
  ]
}
```
  - Save your changes.
  - Restart Cloud Connector to apply the new attribute mapping from idstorage.cfg.
    This file overwrites the configurations you made in Configure the User Store.
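The following Python is an added example, not Cloud Connector's own code, showing what the file configured above does with directory data: it builds an idstorage.cfg-shaped configuration, checks the SSL settings, derives the AttributeMask from the userAccountControl flags named in the configuration notes, filters constructed directory entries with the bitwise ExcludeUsersAttribute rule, and applies the SingularAttributes and MultiValuedAttributes mappings to produce the SCIM representation that would be provisioned. The host name, paths, service user and the employeeID source attribute are placeholders; how Cloud Connector itself parses and evaluates the file is not reproduced here.

```python
"""Added example (not SAP's code): evaluate an idstorage.cfg-style mapping and
the ExcludeUsersAttribute bitwise filter against constructed LDAP entries."""
import json

# Active Directory userAccountControl flags named in the configuration notes.
UAC_FLAGS = {
    "ACCOUNTDISABLE": 2,
    "WORKSTATION_TRUST_ACCOUNT": 4096,
    "SERVER_TRUST_ACCOUNT": 8192,
    "PARTIAL_SECRETS_ACCOUNT": 67108864,
}


def exclude_mask(*flag_names):
    """Sum the selected flags into the decimal string AttributeMask expects."""
    return str(sum(UAC_FLAGS[name] for name in flag_names))


# Configuration in the shape of idstorage.cfg. Host, paths, service user and
# the employeeID attribute are placeholders, not a real deployment.
CONFIG = {
    "LDAPServers": [{"Host": "ldap.example.com", "Port": "636"}],
    "UserPath": "ou=People,dc=example,dc=com",
    "GroupPath": "ou=Groups,dc=example,dc=com",
    "ServiceUser": {"Name": "svc-ias@example.com", "Password": "<from-secret-store>"},
    "UseSSL": "true",
    "TrustKeystorePath": "/opt/sapcc/trust.jks",
    "TrustKeystorePassword": "<from-secret-store>",
    "IsActiveDirectory": "true",
    "ExcludeUsersAttribute": {
        "AttributeName": "userAccountControl",
        "AttributeMask": exclude_mask("ACCOUNTDISABLE", "WORKSTATION_TRUST_ACCOUNT",
                                      "SERVER_TRUST_ACCOUNT", "PARTIAL_SECRETS_ACCOUNT"),
    },
    "SingularAttributes": [
        {"SCIMAttribute": "userName", "mappings": [{"LDAPAttribute": {"name": "sAMAccountName"}}]},
        {"SCIMAttribute": "name", "mappings": [
            {"SCIMSubAttribute": "givenName", "LDAPAttribute": {"name": "givenName"}},
            {"SCIMSubAttribute": "familyName", "LDAPAttribute": {"name": "sn"}}]},
        {"SCIMAttribute": "employeeNumber", "mappings": [{"LDAPAttribute": {"name": "employeeID"}}]},
    ],
    "MultiValuedAttributes": [
        {"SCIMAttribute": "emails", "values": [{"primary": "true", "mappings": [
            {"SCIMSubAttribute": "value", "LDAPAttribute": {"name": "mail"}}]}]},
    ],
}


def check_config(cfg):
    """Problems a reviewer would flag before restarting Cloud Connector."""
    problems = []
    if cfg.get("UseSSL") != "true":
        problems.append("UseSSL is not true: service-user password and user data travel in clear text")
    elif not cfg.get("TrustKeystorePath"):
        problems.append("UseSSL is true but TrustKeystorePath is missing")
    if not cfg["ExcludeUsersAttribute"]["AttributeMask"].isdigit():
        problems.append("AttributeMask must be a decimal string")
    return problems


def is_excluded(entry, cfg):
    """Bitwise ExcludeUsersAttribute rule: any overlapping bit excludes the entry."""
    rule = cfg["ExcludeUsersAttribute"]
    value = int(entry.get(rule["AttributeName"], "0"))
    return (value & int(rule["AttributeMask"])) != 0


def to_scim(entry, cfg):
    """Map one LDAP entry to a SCIM user dict following the configured mappings."""
    user = {}
    for attr in cfg["SingularAttributes"]:
        for m in attr["mappings"]:
            val = entry.get(m["LDAPAttribute"]["name"])
            if val is None:
                continue
            if "SCIMSubAttribute" in m:
                user.setdefault(attr["SCIMAttribute"], {})[m["SCIMSubAttribute"]] = val
            else:
                user[attr["SCIMAttribute"]] = val
    for attr in cfg["MultiValuedAttributes"]:
        items = []
        for v in attr["values"]:
            item = {k: val for k, val in v.items() if k != "mappings"}  # keep primary/type
            for m in v["mappings"]:
                if entry.get(m["LDAPAttribute"]["name"]) is not None:
                    item[m["SCIMSubAttribute"]] = entry[m["LDAPAttribute"]["name"]]
            if any(m["SCIMSubAttribute"] in item for m in v["mappings"]):
                items.append(item)
        if items:
            user[attr["SCIMAttribute"]] = items
    return user


# Constructed sample entries (not real directory data); userAccountControl
# values are the usual AD bit combinations for each account kind.
ENTRIES = [
    {"sAMAccountName": "jdoe", "givenName": "Jane", "sn": "Doe", "mail": "jane.doe@example.com",
     "employeeID": "100042", "userAccountControl": "512"},       # NORMAL_ACCOUNT
    {"sAMAccountName": "old.user", "givenName": "Old", "sn": "User",
     "userAccountControl": "514"},                                # NORMAL_ACCOUNT | ACCOUNTDISABLE
    {"sAMAccountName": "DC01$", "userAccountControl": "532480"},  # SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION
]


def provision(entries=ENTRIES, cfg=CONFIG):
    """Return the SCIM users that would reach Identity Authentication."""
    return [to_scim(e, cfg) for e in entries if not is_excluded(e, cfg)]


if __name__ == "__main__":
    print(check_config(CONFIG))
    print(json.dumps(provision(), indent=2))
```

Only the normal, enabled account survives the filter: the disabled account and the domain controller's computer account are dropped by the mask, which is exactly why the mask should be left in place rather than relaxed to "make more users appear".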
- The following table shows the default mapping between the Active Directory user attributes and the SCIM attributes, and the existing mapping between the SCIM attributes and the attributes in the user store of Identity Authentication.
  Detailed Attribute Mapping Between Active Directory and SCIM, and Between SCIM and the User Store of Identity Authentication
  | Microsoft Active Directory Attribute | SCIM Attribute | Identity Authentication User Store Attribute |
  |---|---|---|
  | sAMAccountname | userName | loginName |
  | givenName | givenName | firstName |
  | sn | familyName | lastName |
  | personalTitle | honorificPrefix | title |
  | displayName | displayName | displayName |
  | locale | locale | language |
  | timezone | timeZone | timeZone |
  | employeeNumber | employeeNumber | personnelNumber |
  | division | division | division |
  | department | department | department |
  | costCenter | costCenter | costCenter |
  | company | organization | company |
  | mail | emails.value | |
  | telephoneNumber | phoneNumbers[work].value | telephone |
  | facsimileTelephoneNumber | phoneNumbers[fax].value | fax |
  | mobile | phoneNumbers[cell].value | mobile |
  | streetAddress | addresses.streetAddress | street |
  | l | addresses.locality | city |
  | st | addresses.region | state |
  | postalCode | addresses.postalCode | zip |
  | co | addresses.country | country |
  The attributes employeeNumber, division, department, and costCenter in the Microsoft Active Directory Attribute column are given as examples. They can differ according to the specific LDAP properties that contain these values.
  If the attribute language or country comes from the corporate user store in:
  - lowercase letters, the respective keys in the master data service must be updated to lowercase letters so that they are sent in this form to the service provider;
  - uppercase letters, the respective keys in the master data service must be updated to uppercase letters so that they are sent in this form to the service provider.
  By default, language and country are in uppercase letters in the master data service. For more information about how to update the master data service, see Change Master Data Texts REST API.
SAP NetWeaver AS Java User Store
Prerequisites:
- You have an SAP NetWeaver 7.2 or higher Application Server for Java system.
- You have SAP Single Sign-On (SAP SSO) 2.0 or higher installed in your system landscape.
- You have installed and deployed the federation software component archive (SCA) from SAP Single Sign-On (SSO) 2.0. For more information, see Downloading and Installing the Federation Software.
- Log on to SAP BTP cockpit with the cockpit administrator role. For more information, see Subaccounts.
- In the SAP BTP cockpit, choose Services in the navigation area > Identity Authentication Add-On > Enable in the detailed view of the service.
  This enables the extension service of Identity Authentication named proxy and provided by an SAP BTP subaccount named sci.
  If you don't see the Identity Authentication Add-On tile in the cockpit, you need to report an incident with the subject "Enable Corporate User Store Feature" on SAP Support Portal Home under the component BC-IAM-IDS. You have to provide your SAP BTP subaccount name and region.
- In your subaccount on SAP BTP, register an OAuth client for the subscribed proxy application provided by the sci subaccount.
  The procedure is described in the documentation of SAP BTP in the link below.
  Beware that for each flow the respective grant type must be selected. All other grant types can be deselected if they aren't required by the application.
  Since Identity Authentication will create the subscription to the proxy application, the Prerequisites section in the respective document isn't relevant for the current scenario.
  For the Authorization Grant field in the SAP BTP cockpit, choose Client Credentials from the dropdown, and for the Subscription field, choose sci/proxy.
  For more information about how to register an OAuth client, see Register an OAuth Client.
- Install a Cloud Connector in your corporate network.
  For more information, see Installation.
- Connect the Cloud Connector with your SAP BTP account.
  - If you haven't used your Cloud Connector before, see Initial Configuration.
  - If you have used your Cloud Connector before, you can start the configuration from Set up Connection Parameters and HTTPS proxy.
- Connect SAP BTP with your corporate user store.
  - In the configuration of Cloud Connector, configure the host mapping to the on-premise system. For more information, see Configure Access Control (HTTP). In the Limiting the Accessible Services for HTTP(S) section, make sure that the URL Path is /scim/v1 and that the Path and all Subpaths radio button is chosen for Access Policy.
  - Create a destination to the on-premise system. In the SAP BTP cockpit, choose Services in the navigation area > Identity Authentication Add-On > Configure Identity Authentication Add-On > New Destination.
    When configuring the destination to the on-premise system, make sure of the following:
    - The Name is SAPCloudIdentityUserStore.
    - The Type is HTTP.
    - The URL of the destination (host name and port) must coincide with the virtual host name and virtual port from the access control setup in Cloud Connector. The protocol of the URL must be HTTP. The URL should follow the pattern http://<Virtual host configured in Cloud Connector>:<virtual Port>/scim/v1/
      The http:// here addresses the virtual host behind the Cloud Connector tunnel, which is itself TLS-protected; whether Cloud Connector uses HTTP or HTTPS towards the actual on-premise system is set in the access control mapping, not in this destination.
    - The Proxy Type is OnPremise.
    - The Authentication is BasicAuthentication.
    For more information, see Using an SAP System as an On-Premise User Store. Since Identity Authentication has already deployed the proxy application, start from the 2. Configure the On-Premise System section in the documentation.
Configure Identity Authentication
- Sign in to the administration console for SAP Cloud Identity Services.
- Under Identity Providers, choose the Authentication Providers tile.
- Press the Create button on the left-hand panel to add a new source system to the list.
- Make the corresponding entries in the configuration for the target system you want to add:

  Source System

  | Configuration | Description |
  |---|---|
  | Display Name | (optional) The name of the configuration. |
  | Type | Select the Microsoft Active Directory type. |

  Configuration

  | Configuration | Description |
  |---|---|
  | Environment | Neo |
  | Data Center | Select your SAP BTP subaccount's region. |
  | Technical Name | The Technical Name must match your SAP BTP subaccount Technical Name. |
  | Client ID | The Client ID must match the ID registered on SAP BTP under the OAuth Settings tab for your subaccount. |
  | Client Secret | The Client Secret must match the Secret registered on SAP BTP under the OAuth Settings tab for your subaccount. |

- Save your configuration.
  If the operation is successful, you receive the message Source system <System ID name> created.
When the configuration is complete, the user can log in to the application with the on-premise credentials. The first logon requires Login Name and password. After successful authentication, a new user record is created in Identity Authentication with the User Type employee.