{"id":11366,"date":"2020-07-28T09:57:27","date_gmt":"2020-07-28T07:57:27","guid":{"rendered":"https:\/\/www.xiting.us\/?p=11366"},"modified":"2025-10-01T10:52:51","modified_gmt":"2025-10-01T08:52:51","slug":"sap-identity-authentication-service-overview","status":"publish","type":"post","link":"https:\/\/xiting.com\/en\/sap-identity-authentication-service-overview\/","title":{"rendered":"SAP Identity Authentication Service (IAS) | Overview and Integration Capabilities"},"content":{"rendered":"\n

Preventing unauthorized access is an important aspect of most enterprise applications, particularly with regard to hybrid SAP landscapes that utilize both on-premise and cloud tools. <\/p>\n\n\n\n

In these cases, a centralized authentication approach can streamline authorization management. After all, an organization may use multiple cloud services (SAP\u2019s cloud solutions are just a few of many), a fact which can result in numerous login requirements. Without putting proper single sign-on (SSO) techniques into place, this would cause a significant burden for everyone involved. <\/p>\n\n\n\n

One thing is clear: without proper identity access management (IAM) solutions in place, things could get messy very quickly.<\/p>\n\n\n\n

The purpose of IAM is to provide an array of security functions in the cloud environment that include authentication, authorization and provisioning (among others). It can thereby automate access rights management, and helps to make sure the correct people with the right privileges are accessing either the cloud or local resources.  <\/p>\n\n\n\n

This blog will focus on the topic of secure authentication, and in particular on the SAP Cloud Platform Identity Authentication Service (IAS), providing an overview of its core services, features and integration capabilities. <\/p>\n\n\n\n

AUTHENTICATION CHALLENGES IN A HYBRID SAP APPLICATION LANDSCAPE<\/h2>\n\n\n\n

Before we take a closer look at IAS, let\u2019s begin with some basics. Choosing the right authentication solution should be one of the top agenda items for organizations that want to provide secure access to cloud applications. <\/p>\n\n\n\n

User identities are the foundation of a stable and secure access control system. All access to data and resources is controlled through this system, so it\u2019s far from trivial. Rather, it should be seen as central to ensuring security in this permanently-exposed application landscape. <\/p>\n\n\n\n

This is best accomplished with an underlying platform, such as Azure from Microsoft or the SAP Cloud Platform (SCP). Both enable the centralization of user identities, facilitate a connection to existing user stores, and provide various options for integrating with on-premise resources such as access governance, identity management, and\/or provisioning functions.<\/p>\n\n\n\n

Most organizations operate a hybrid landscape, with lots of standard SAP applications as well as custom-developed software running both in the cloud and on-premise. <\/p>\n\n\n\n

In cases like these, you want to prevent your employees from having to constantly enter different User IDs and passwords to access various applications by providing simple but secure access via single sign-on. <\/p>\n\n\n\n

With frequent cloud use, technologies such as SAML, OpenID Connect\/OAuth, and SCIM become even more important when it comes to authenticating or managing identities. <\/p>\n\n\n\n

This offers added value from the perspective of IT security \u2014 especially concerning the possibilities for access management and access governance \u2014 because end-users cannot bypass the secure central authentication instance. Instead, they first need to get a valid SAML token to be able to access their cloud or on-premise applications.<\/p>\n\n\n\n

SAP CLOUD PLATFORM AND IDENTITY AUTHENTICATION<\/h2>\n\n\n\n

Some cloud applications don\u2019t even have standalone user management built-in, and no longer accept password-based authentication. Instead, these applications outsource their user-management and authentication processes to a central system for obtaining the security token required for access. This allows centralization, simplified user provisioning, and simplified administration.<\/p>\n\n\n\n

One example is the SAP Cloud Platform (SCP) itself, which does not provide a user database of its own. By default, every account is connected to the SAP ID Service (for initial access of admin staff performing tasks on the global and subaccount), which is known as the concept of the platform identity provider. <\/p>\n\n\n\n

For the integration, you can set up a trust relationship between your SCP subaccount and your SAP Identity Authentication tenant. As a result, when you deploy an application to SCP that has protected resources and requires SAML authentication, the user is redirected to the logon page of your SAP IAS to provide credentials. <\/p>\n\n\n\n

In this scenario, the SCP acts as a service provider, and SAP IAS service acts as the so-called application identity provider in this setup. The configurations made in the administration console do not affect the authentication for the cockpit, which is carried out via the standard SAP ID service.<\/p>\n\n\n\n

Within SCP, you can provide services and applications such as Java, HTML5, HANA XS, and many more. Organizations require appropriate permissions (roles) to restrict access to these services. As a consequence, the applications running on SCP must be able to understand various user attributes. It\u2019s important to define how the required user attributes, sent by the identity provider (so-called assertion attributes or claims), are mapped to the user attributes consumed by applications on SCP. <\/p>\n\n\n\n

Authentication is one piece of the puzzle. Once logged in, authorizations (or roles) determine what a user can do. So you need some degree of mapping that utilizes attributes both sides understand. As such, the authorization concept (a.k.a. SAML group to SCP role mapping) is very important and, in this case, can be an element of the SAML authentication process. <\/p>\n\n\n\n

Of course, cloud-exposed business applications are consumed not only by employees (end-users), but also by partners and customers that require access to specific applications. Thus, modern organizations increasingly face the challenge of managing secure access and authorizations in both cloud and on-premise systems \u2014 even in business-to-consumer (B2C) or business-to-business (B2B) scenarios. <\/p>\n\n\n\n

Furthermore, many organizations prefer using their already-established authentication systems and policies, which in turn are often cloud services as well (such as Microsoft Azure). They want to decide how to authenticate an identity at the IdP for a given application, as well as which conditions, risks, and\/or rules should be evaluated during the authentication process. And yes, as you may have guessed: even this is possible in conjunction with SAP Identity Authentication.<\/p>\n\n\n\n

Because of its incredible flexibility, and due to the fact that the SAP Cloud Platform Identity Authentication service is considered as the \u201cone integration point\u201d to all SAP cloud applications, there\u2019s good reason to take a closer look at this solution. <\/p>\n\n\n\n

OVERVIEW AND POSITIONING IN THE SAP CLOUD PORTFOLIO<\/h2>\n\n\n\n

SAP Cloud Platform Identity Authentication runs on top of the SAP Cloud Platform and can be seen as a cloud service for secure authentication. It was introduced in 2014 and, for quite a while, SAP positioned Identity Authentication as a strategic central service for authentication to SAP and non-SAP cloud applications supporting B2C, B2B, and B2E scenarios. It provides Web SSO based on SAML 2.0 and OpenID Connect.<\/p>\n\n\n\n

\"Ein<\/figure>\n\n\n\n

Even though SAP Cloud Platform Identity Authentication is offered as a stand-alone service supported for both the Neo and Cloud Foundry environments, it primarily operates in tight integration with SAP Cloud Platform. <\/p>\n\n\n\n

Additionally, it comes pre-integrated as part of many SAP cloud solutions, including SAP S\/4HANA Public Cloud, SAP SuccessFactors, SAP Cloud Portal, SAP Integrated Business Planning, SAP Hybris and SAP JAM (just to name a few). If you have one of these applications, you probably already have a tenant for IAS without knowing it. <\/p>\n\n\n\n

Plus, that list of pre-bundled SAP solutions will grow significantly in the upcoming months. This provides the advantage that SAP can provision ready-to-use applications that are pre-configured with IAS. Consequently, customers have one integration point for their SAP cloud applications, which also helps to reduce overall complexity and administrative efforts during the onboarding of future applications.  <\/p>\n\n\n\n

SAP Cloud Platform Identity Authentication service is a multi-tenant system where tenants share the hardware and software and use dedicated database instances for persistence. Features such as high availability, disaster recovery, and failover are based on the capabilities of the underlying SCP infrastructure. <\/p>\n\n\n\n

SAP provides one Identity Authentication tenant per customer, regardless of the number of contracts signed in which Identity Authentication is included or bundled. You can request a second tenant (for testing purposes) which is provided upon request for no additional cost.<\/p>\n\n\n\n

Identity Authentication is the central interface that implements flexible authentication scenarios for employees, customers and partners, and bundles access to connected SAP or non-SAP cloud or on-premise applications across almost any device. <\/p>\n\n\n\n

The solution offers the following key features:<\/strong><\/p>\n\n\n\n