
SAP Cloud Platform Authentication: Corporate Identity Provider

Authenticating user credentials on the SAP Cloud Platform using a Corporate Identity Provider accessible from the internet. 

This blueprint provides common information, guidance, and direction for implementing a Corporate Identity Provider as the Identity Provider for applications on the SAP Cloud Platform. It allows you to use a common source of identities for all your cloud-based applications, and it provides a standard, internationally adopted method for authentication using SAML assertions.


To learn how to implement this scenario in your landscape, view the HANA Academy videos in the Learn more section.


SAP Cloud Platform is an essential part of SAP’s digital strategy. It is the platform for our customers’ and partners’ transformation journey toward digital business models. This open platform as a service (PaaS) provides unique in-memory database and application services. It is the proven cloud platform that enables you to rapidly develop new applications or extend existing ones, all in the cloud.

User authentication is the method of determining whether someone is who they say they are. There are several ways of authenticating users in the SAP Cloud Platform. In this scenario we look at authentication using a Corporate Identity Provider.

Customers have already spent time and resources implementing identity providers that are accessible on the internet to support other endeavors for their enterprises. 

Technical Scenario

Almost every application a business runs needs to verify (authenticate) who its user is. On the SAP Cloud Platform, one way to do that is to have the application use a corporate identity provider available on the internet to authenticate application users.

Solution Description

In this setup, SAP Cloud Platform relies on an existing internet-facing identity provider (IdP) for user authentication. For the integration, you must set up the trust on both sides. As a result of the trust setting, when you have deployed an application to SAP Cloud Platform that has protected resources and requires SAML authentication, the user is redirected to the logon page of the application to provide credentials.

Once the Corporate Identity Provider is set as a trusted IdP for SAP Cloud Platform, all the services in the SAP Cloud Platform are authenticated via the Corporate Identity Provider. For the integration, you need to make configurations in the cockpit of SAP Cloud Platform. You will also need access to the administration capabilities of the Corporate Identity Provider. The configurations made in the SAP Cloud Platform administration console do not affect the authentication for the cockpit, which is carried out via the SAP-defined tenant, SAP ID service, but the cockpit access can be configured to use the Corporate Identity Provider if desired.

When developing applications for the SAP Cloud Platform, it is up to the application developers to implement the authentication process in their application code by selecting the authentication method. For this solution the method would be Form/SAML2.

Solution Benefits

Having a standardized method of authentication means that you only have to do the system authentication configuration once. All application programs can use the same already developed APIs for implementing authentication. SAML is a standardized format designed to interoperate with any system, independent of how it is implemented.

Standardization also provides a common user experience. This includes the look and feel of the logon screens, and SAML also lets users securely access multiple applications with a single set of credentials entered only once.

Security is of utmost importance when it comes to enterprise applications especially in the cloud. The IdP is used to provide a single point of authentication. SAML is used to assert the identity to others. This means that applications do not have to keep identities, which in turn ensures that there are fewer places for identities to be breached or stolen.

Since the Corporate Identity Provider has already been implemented by the customer there is a high probability that they have also established an SSO connection to their backend on premise systems.  This will save time when configuring the third method of the security process, Single Sign-on.

Background Information

SAP Cloud Platform offers many methods of authentication to verify and validate the identities of application users, so it is important to understand some of the types. The most common type of authentication between the user and a cloud-based application is FORM or SAML2.

Authentication Types

FORM or SAML2 - FORM authentication implemented over the Security Assertion Markup Language (SAML) 2.0 protocol. Authentication is delegated to SAP ID service or custom identity provider.

BASIC - HTTP BASIC authentication delegated to SAP ID service or an on premise SAP NetWeaver AS Java system. Web browsers prompt users to enter a user name and password. By default, SAP ID service is used.

CERT - Used for authentication only with client certificate.

BASICCERT - Used for authentication either with client certificate or with user name and password.

OAUTH - Authentication according to the OAuth 2.0 protocol with an OAuth access token.

Solution Diagram

SAP Cloud Platform is the extension platform for SAP. It enables developers to develop loosely coupled extension applications securely, thus implementing additional workflows or modules on top of the existing solution they already have.

SAP Cloud Platform supports application scenarios for consumers (B2C), for partners (B2B), and for employees (B2E). The solution provided in this blueprint is available for all three scenarios. All types of users will be asked to authenticate. 

Reference Solution Diagram

The following graphical diagram of the solution illustrates a basic architectural pattern implementing authentication using a Corporate Identity Provider.  

  1. Employee opens the app and requests service access
  2. Service request redirected to IdP for authentication
  3. User challenged for credentials
  4. The user provides credentials
  5. The Corporate Identity Provider authenticates against the corporate user store and issues a valid SAML assertion
  6. The request returns to the service on the cloud platform with the SAML assertion (authentication is completed at this point)

Note: The on premise systems and the other cloud systems are depicted above for completeness of the overall landscape picture. In the case of authentication using a Corporate Identity Provider, the user identity has been established on the cloud platform.  The next steps of authorization (determining what a user has access to) and single sign-on (accessing other system resources without authenticating again) will be covered in other blueprints. For more information, visit the SAP Cloud Platform authorization blueprint.

Solution Components 

The following list describes the main components needed to implement this scenario and the role they play in the overall solution.

User Network

End User – This is the person who is running the SAP Cloud Platform application.  They will be the entity being authenticated.

Corporate Identity Provider – An internet facing identity provider for authenticating users that the customer is already using or has set up new for use with SAP Cloud Platform applications. It may be used by other systems for authentication also.

SAP Cloud Platform

Connectivity Service – The connectivity service allows SAP Cloud Platform applications to access securely remote services that run on the Internet or on premise.

Generic SAP Cloud Platform service – To keep the blueprint simplified a generic icon is used since any SAP Cloud Platform Services requiring authentication will act the same way.

High Level Implementation Process

This is an overview of the steps needed to implement this blueprint:

  1. Get IdP (Corporate Identity Provider) metadata – this contains information about the IdP URL, certificate, etc.
  2. Bind IdP to SP (SAP Cloud Platform) – this will configure the SAP Cloud Platform to use the IdP for authentication
  3. Get SP (SAP Cloud Platform) metadata – this contains information about the SP URL, certificate, etc.
  4. Bind SP to IdP – this configuration will allow the SAP Cloud Platform to use the IdP for authentication
  5. Configure IdP SAML attributes – There are attributes that the IdP should pass in the SAML token to help establish the identity of the user.
    1. “NameID” – This value helps identify the user ID that the SAP Cloud Platform may use.
    2. Group – This value is recommended to help with identity federation during role assignment in SAP Cloud Platform.

Learn more

This blueprint highlights important considerations companies need to analyze when implementing authentication for cloud platform applications. It only provides a high level overview of the process. It is recommended to review further information to help you implement your authentication design and develop applications using a cloud-based IdP. The following resources are a starting point:

Click below for step by step videos detailing how to authenticate user credentials on the SAP Cloud Platform using a corporate identity provider accessible from the internet:

SAP HANA Academy - Corporate Identity Provider

Corporate Identity Providers - online documentation on how to implement and configure the SAP Cloud Platform to use a corporate identity provider

Enabling Authentication for Java applications – On line documentation for how to do authentication in your Java applications.

Configuring SAML 2.0 Authentication for SAP HANA applications – On line documentation for how to do authentication in your SAP HANA applications.

Authentication for HTML5 applications – On line documentation for how to do authentication in your HTML5 applications.
