(Example images are taken from a trial account)
In this blog I will explain how SAP BTP role collections can be managed by SAP Cloud Identity Services. Multiple services and applications can be deployed on SAP BTP and administered in the BTP Cockpit, and these services may use different role collections. Most of the time, these services are deployed in different subaccounts. We can manage users and roles individually for every subaccount. However, by establishing a trust between the identity service and the BTP subaccounts, we can manage all users and roles from one identity service. In this blog, we will create a role collection mapping so that BTP role collections are managed via SAP Cloud Identity Services. As a result, we will be able to manage different role collections from only one identity provider.
If you have an identity provider, you can configure it as a custom identity provider for a BTP subaccount. It can then be used as the source of users and role collections. There are some prerequisites for creating role collection mappings.
Here is the SAP Help document on configuring trust between your subaccount and the SAP IAS tenant:
Configure Trust Between SAP BTP and IAS
NOTE: For the role collection mapping to take effect, the user must log on to your application through the custom identity provider.
Before creating a role collection mapping, you must ensure that the role collection exists in your subaccount under “Role Collections”. Navigate to <Your Subaccount> -> Security -> Role Collections
You can use the default role collections that are defined for the standard BTP applications. You can also create a new custom role collection by clicking the Create button at the top right.
SAP BTP Role Collections
Before starting to configure the role collection mapping, we must ensure that we send the necessary attributes to the application. In SAP Cloud Identity Services, navigate to Applications & Resources -> <Your Application> -> Single Sign-On -> Assertion Attributes
Application Page on SAP Cloud Identity Services
In the assertion attributes, you must have a Groups attribute. This attribute carries the group names that will be sent to the application and matched against BTP role collections.
Assertion Attributes of an Application on SAP Cloud Identity Services
Then we should create a group for the BTP role collection that we will be mapping. Navigate to Users & Authorizations -> Groups. Create a new group, or, if you already have one, add the members who should receive this BTP role collection.
Groups and its Users on SAP Cloud Identity Services
Now we are ready to create the role collection mapping. Go to your BTP subaccount, navigate to <Your Subaccount> -> Security -> Trust Configuration, and click on the custom identity provider that you established at the beginning.
SAP BTP Trust Configurations
Click on New Role Collection Mapping and choose your BTP role collection (1). You can also choose a custom role collection. For “Attribute”, enter the name that you defined in IAS as the Groups attribute (2); in this case, we can leave it as “Groups”. In the “Value” field, enter the name of the IAS group that corresponds to this BTP role collection (3). Then save it.
SAP BTP Role Collection Mapping
You can see your mapping under Role Collections.
SAP BTP Role Collections Mapped with IAS Groups
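To make the three mapping fields concrete, here is an added example (not from this blog or from SAP) that parses a constructed SAML AttributeStatement like the one IAS sends and resolves which role collections the constructed mappings would grant. It assumes that BTP compares both the attribute name and the value as exact, case-sensitive strings, which is why the two near-miss mappings below grant nothing.

```python
"""Added example: simulate BTP role collection mapping against the Groups attribute.
The assertion and the mappings below are constructed sample data."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample of the AttributeStatement that IAS puts into the SAML assertion.
SAMPLE_ATTRIBUTE_STATEMENT = """
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="first_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="Groups">
    <saml:AttributeValue>BTP_Subaccount_Admins</saml:AttributeValue>
    <saml:AttributeValue>BTP_Viewers</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""

# Constructed sample mappings, mirroring the three fields of the BTP
# "New Role Collection Mapping" dialog: role collection (1), attribute (2), value (3).
SAMPLE_MAPPINGS = [
    {"role_collection": "Subaccount Administrator", "attribute": "Groups", "value": "BTP_Subaccount_Admins"},
    {"role_collection": "Subaccount Viewer", "attribute": "Groups", "value": "BTP_Viewers"},
    {"role_collection": "Custom_Reporting", "attribute": "Groups", "value": "btp_viewers"},  # value case differs
    {"role_collection": "Cloud Connector Administrator", "attribute": "groups", "value": "BTP_Viewers"},  # attribute name differs
]


def extract_attributes(attribute_statement_xml: str) -> dict:
    """Return {attribute name: [values]} from a SAML AttributeStatement element."""
    root = ET.fromstring(attribute_statement_xml.strip())
    attrs = {}
    for attr in root.findall("saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values
    return attrs


def resolve_role_collections(attrs: dict, mappings: list) -> list:
    """Return the sorted role collections whose mapping matches an asserted value.
    Assumption: the comparison is an exact, case-sensitive string match on both the
    attribute name and the value, so a mismatch in either grants nothing."""
    granted = set()
    for m in mappings:
        if m["value"] in attrs.get(m["attribute"], []):
            granted.add(m["role_collection"])
    return sorted(granted)


if __name__ == "__main__":
    asserted = extract_attributes(SAMPLE_ATTRIBUTE_STATEMENT)
    print(resolve_role_collections(asserted, SAMPLE_MAPPINGS))
```

Running it grants only the two role collections whose attribute name and value match exactly; if a user unexpectedly lacks a role collection, comparing the asserted Groups values with the mapping's Value field this way is the first check to make.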
One last thing:
Please be aware that your IAS user must also exist in your SAP BTP subaccount. You can read more about creating users on BTP here:
I hope this blog helps you manage your BTP roles from your identity provider!
Thank you so much for reading my first blog!