SAP Cloud Platform Authentication: Identity Authentication Service

SAP Cloud Platform is an essential part of SAP’s digital strategy. It is the platform for our customers’ and partners’ transformation journey toward digital business models. This open platform as a service (PaaS) provides unique in-memory database and application services. It is the proven cloud platform that enables you to rapidly develop new applications or extend existing ones, all in the cloud.

User authentication is the method of determining whether someone is who they say they are. There are several ways of authenticating uses in the SAP Cloud Platform. In this particular scenario we will look at authentication using the SAP Cloud Platform Identity Authentication service.

SAP Cloud Platform Identity Authentication service is a cloud solution for identity lifecycle management for SAP Cloud Platform applications, and optionally for on premise applications. It provides services for authentication, single sign-on, and on premise integration as well as self-services such as registration or password reset for employees, customer partners, and consumers. For administrators, it provides features for user lifecycle management and application configuration.

For almost all applications a business runs, they have the need to verify (authenticate) who the user is of that application.  On the SAP Cloud Platform, one of the ways to do that is have the application use the SAP Cloud Platform Identity Authentication service as an Identity provider (IdP) to authenticate application users. 

In this setup, SAP Cloud Platform acts as a service provider, and SAP Cloud Platform Identity Authentication service acts as an identity provider (IdP). For the integration, you must set the trust on both sides. As a result of the trust setting, when you have deployed an application to SAP Cloud Platform that has protected resources and requires SAML authentication, the user is redirected to the logon page of SAP Cloud Platform Identity Authentication service to provide credentials.

Once setting SAP Cloud Platform Identity Authentication as a trusted IdP for SAP Cloud Platform, all the services in the SAP Cloud Platform are authenticated via it. For the integration you need to make configurations in the cockpit of SAP Cloud Platform and in the administration console for SAP Cloud Platform Identity Authentication service. The configuration made in the administration console usually does not affect the authentication for the cockpit, which is carried out via the SAP-defined tenant, SAP ID service, unless the cockpit access has been configured to use the service.

When developing application for the SAP Cloud platform it is up to the application developers to implement the authentication process in their application code by selecting the authentication method. For this solution the method would be Form/SAML2.

Having a standardized method of authentication means that you only have to do the system authentication configuration once. All application programs can use the same already developed APIs for implementing authentication. SAML is a standardized format designed to interoperate with any system independent how it is implemented.

Standardization also provides a common user experience. It includes the look and feel of the logon screens but also allows for SAML’s ability for users to securely access multiple applications with a single set of credentials entered only once.

Security is of utmost importance when it comes to enterprise applications especially in the cloud. The IdP is used to provide a single point of authentication. SAML is used to assert the identity to others. This means that applications do not have to keep identities, which in turn ensures that there are fewer places for identities to be breached or stolen.

Because the IdP is cloud based, the software is always kept up-to-date. Many companies do not have the time or people to make the necessary updates in a timely fashion. This just increases the possibility that hackers will exploit vulnerabilities in the system that have not been patched.

With SAP Cloud Platform Identity Authentication service, there are many benefits of using this as default IdP for SAP Cloud Platform:

• Authentication with user name and password - Users can log on to applications with their user name and password.
• Single sign-on to applications on SAP Cloud Platform - Users can access multiple cloud applications in the current session by authenticating just once in the identity authentication.
• Social sign-in to applications on SAP Cloud Platform - Users can link their identity authentication account with a social network account. That way users can be authenticated through a social identity provider.
• Customized branding - Administrators can configure branding styles for UI elements, e-mails, and error pages so that they comply with the company’s branding requirements.
• Customized privacy policy and terms of use management - Administrators can add customized terms of use and privacy policies, which users have to accept before registering. They are shown on the registration and upgrade forms.
• Customer security policy - Administrators can select a password policy from a list in accordance with the security requirements and the rules for resetting passwords.
• Dedicated customer tenant - Customers are provided with guaranteed availability and specific configuration of their tenants.
• User import functionality - Administrators can import new users into identity authentication or can update data for existing users.
• User export functionality - Administrators can download information about existing users in the current tenant.
• Detailed change logs - Administrators have access to information about the history of operations by tenant administrators.
• User Management - Administrators can manage the users in the tenant.
• Administrator Management - Administrators can add new administrators and edit administrator authorizations.
• User Groups - Administrators can create and delete user groups, and assign and unassign users.
• Corporate User Store - SAP Cloud Platform Identity Authentication service can be configured to use a corporate user store in addition to its own user store.
• Kerberos Authentication - Administrators configure Kerberos authentication to allow users to log on without a username and password when they are in the corporate network.
• Risk-Based Authentication - Administrators define rules for authentication in accordance with the risk
• Self-services - Users can use services to maintain or update their user profiles and to log on to applications.

SAP Cloud Platform offered many method of authentication to verify and validate the identities of application users so it is important to understand some of the types. The most common type of authentication between the user and cloud base application is FORM or SAML2.

Authentication Types

FORM or SAML2 - FORM authentication implemented over the Security Assertion Markup Language (SAML) 2.0 protocol. Authentication is delegated to SAP ID service or custom identity provider.

BASIC - HTTP BASIC authentication delegated to SAP ID service or an on premise SAP NetWeaver AS Java system. Web browsers prompt users to enter a user name and password. By default, SAP ID service is used.

CERT - Used for authentication only with client certificate.

BASICCERT - Used for authentication either with client certificate or with user name and password.

OAUTH - Authentication according to the OAuth 2.0 protocol with an OAuth access token.

SAP Cloud Platform is the extension platform for SAP. It enables developers to develop loosely coupled extension applications securely, thus implementing additional workflows or modules on top of the existing solution they already have.

SAP Cloud Platform supports application scenarios for consumers (B2C), for partners (B2B), and for employees (B2E). The solution provided in this blueprint is available for all three scenarios. All types of users will be asked to authenticate.

Reference Solution Diagram

The following graphical diagram of the solution illustrates a basic architectural pattern implementing authentication using the SAP Cloud Platform Identity Authentication service.

1. Employee opens the app and requests service access
2. Service request redirected to IDP for authentication
3. User challenged for credentials
4. The user provides credentials
5. SAP Cloud Platform Identity Authentication performs authentication against the identity authentication service and if valid issues a SAML assertion
6. The request return to the service on the cloud platform with the SAML assertion (Authentication is completed at this point)

Note: The on premise systems and the other cloud systems are depicted above for completeness of the overall landscape picture. In the case of authentication using the SAP Cloud Platform Identity Authentication service, the user identity has been established on the cloud platform. The next steps of authorization (determining what a user has access to) and single sign-on (accessing other system resources without authenticating again) will be covered in other blueprints. For more information, visit the SAP Cloud Platform authorization blueprint.

Solution Components

The following list describes the main components needed to implement this scenario and the role they play in the overall solution: 

User Network

End User - This is the person who is running the SAP Cloud Platform application.  They will be the entity being authenticated.

SAP Cloud Platform

SAP Cloud Platform Identity Authentication service – A cloud solution for secure authentication and single sign-on for SAP Cloud Platform applications, and for on premise applications.

Connectivity Service - The connectivity service allows SAP Cloud Platform applications to access securely remote services that run on the Internet or on premise

Generic SAP Cloud Platform service – To keep the blueprint simplified a generic icon is used since any SAP Cloud Platform Services requiring authentication will act the same way

This is an overview of the steps needed to implement this blueprint:

1. Get IdP (SAP Cloud Platform Identity Authentication service) metadata – this contain information about the IdP URL, certificate, etc.
2. Bind IdP to SP (SAP Cloud Platform) – this will configured the SAP Cloud Platform to use IdP for authentication
3. Get SP (SAP Cloud Platform) metadata – this contains information about the SP URL, certificate, etc.
4. Bind SP to IdP – this configuration will allow the SAP Cloud Platform to use IdP for authentication
5. Configured IdP SAML attributes – There are attributes that IdP should pass in the SAML token to help identify the identity of the user.
   1. “NameID” – This value help identify the user ID that the SAP Cloud Platform may use.
   2. Group – This value is recommended to help with identity federation during role assignment in SAP Cloud Platform.

This blueprint highlights important considerations companies need to analyze when implementing authentication for cloud platform applications. It only provide a high level overview of the process. It is recommended to review further information to help you implement your authentication design and develop applications using a cloud based IdP. The following resources are a starting point:

Click below for step by step videos detailing how to authenticate user credentials on the SAP Cloud Platform using the identity authentication service:

SAP HANA Academy - Identity Authentication Service

SAP Cloud Platform Identity Authentication service  - on line documentation includes an overview of the offering as well as details on how to implement and configure the service

Enabling Authentication for Java applications – On line documentation for how to do authentication in your Java applications.

Configuring SAML 2.0 Authentication for SAP HANA applications – On line documentation for how to do authentication in your SAP HANA applications.

Authentication for HTML5 applications – On line documentation for how to do authentication in your HTML5 applications.