map-user-attributes-from-a-corporate-identity-provider-for-business-users-bbb4a8a.md

File metadata and controls

529 lines (322 loc) · 12.3 KB

Map User Attributes from a Corporate Identity Provider for Business Users

When you enable trust with a tenant of SAP Cloud Identity Services, you get an OpenID Connect (OIDC) application in SAP Cloud Identity Services to represent your subaccount, in the context of business users. When SAP Cloud Identity Services authenticates users using a corporate identity provider, map the user attributes provided by the corporate identity provider to the attributes required by your applications.

The name of the application in the administration console of SAP Cloud Identity Services that represents your subaccount has the prefix SAP BTP subaccount or XSUAA_ and the display name of your subaccount.

If your subaccount is named My Subaccount, the resulting application in SAP Cloud Identity Services is SAP BTP subaccount My Subaccount or XSUAA_My Subaccount.

There are several options to customize attribute mappings in SAP Cloud Identity Services, depending on whether identity federation is enabled or disabled.

For more information about identity federation, see Configure Identity Federation.

  • When identity federation is disabled, SAP Cloud Identity Services always propagates all the attributes received from the corporate identity provider to all the applications, on a 1:1 basis. You have the following options:

    • Configure the corporate identity provider to directly send the attributes.

    • If needed, use enriched token claims (when the corporate identity provider is connected with OIDC) or enriched assertion attributes (when it is connected with SAML) to map the attributes sent by the corporate identity provider to the attribute names SAP BTP needs.

      Enriched token claims or enriched assertion attributes add additional attributes, either based on the corporate identity provider attributes (for example, by renaming them) or on static values.

  • When identity federation is enabled, SAP Cloud Identity Services doesn't automatically propagate any attributes from the corporate identity provider to the application. This option requires mappings in the SAP Cloud Identity Services application, for each attribute that is needed by the application.

    Configure the mappings under Attributes in the SAP Cloud Identity Services application that represents your subaccount.

    SAP BTP expects the attributes in the following table. The default trust configuration creates these rows in the SAP Cloud Identity Services tenant, each sourced from the Identity Directory.

    | Self-Defined Attributes (claim name sent to SAP BTP) | Identity Directory (source value) |
    |---|---|
    | email | Email |
    | email_verified | Email Verified |
    | family_name | Last Name |
    | given_name | First Name |
    | groups | Groups |
    | user_uuid | Global user ID |

    If the corporate identity provider sends a user attribute under another name, keep the attribute name SAP BTP expects, set its source to the corporate identity provider, and set the value to the name the corporate identity provider uses. The attribute name is the claim name that reaches SAP BTP, so a row with a different name (for example last_name) is sent as an extra claim and does not fill family_name.

    Example:

    If your corporate identity provider sends users' last names as the sn attribute, set the source of the family_name attribute to the corporate identity provider with the value sn.

    Customized Last Name Attribute Configuration in SAP Cloud Identity Services

    | Attribute Name | Source | Attribute Value |
    |---|---|---|
    | email | Identity Directory | Email |
    | email_verified | Identity Directory | Email Verified |
    | family_name | Corporate Identity Provider | sn (example) |
    | given_name | Identity Directory | First Name |
    | groups | Identity Directory | Groups |
    | mail | Identity Directory | Email |
    | user_uuid | Identity Directory | Global User ID |

    For more information, see User Attributes in the documentation of SAP Cloud Identity Services.
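To make the two modes concrete, here is a small model of the claim assembly this section describes. It is an added illustration for this page, not SAP code: the source names, the AttributeMapping rows, the corporate assertion (with LDAP-style names such as sn and memberOf), the Identity Directory record and the helper names are all constructed for the example. With identity federation disabled, the corporate attributes pass through 1:1 and the mapping rows play the role of enriched claims; with it enabled, only the mapping rows produce claims. It also shows why the attribute name of a row matters: a row named last_name yields a last_name claim, not the family_name claim SAP BTP reads.

```python
"""Model of how the ID-token claims for the subaccount application are assembled
from a corporate IdP assertion, an Identity Directory record and attribute rows.
Illustration written for this page; not SAP code. All data is constructed."""
from dataclasses import dataclass

# Claims SAP BTP expects in the ID token (attribute table above).
EXPECTED_CLAIMS = ("email", "email_verified", "family_name",
                   "given_name", "groups", "user_uuid")

IDENTITY_DIRECTORY = "Identity Directory"
CORPORATE_IDP = "Corporate Identity Provider"
STATIC = "Static"  # assumed name for a constant-valued row


@dataclass(frozen=True)
class AttributeMapping:
    """One row of an attribute configuration."""
    name: str    # claim name as it appears in the token
    source: str  # IDENTITY_DIRECTORY, CORPORATE_IDP or STATIC
    value: str   # directory field, corporate attribute name, or literal


# Default rows of the application that represents the subaccount.
DEFAULT_MAPPINGS = (
    AttributeMapping("email", IDENTITY_DIRECTORY, "Email"),
    AttributeMapping("email_verified", IDENTITY_DIRECTORY, "Email Verified"),
    AttributeMapping("family_name", IDENTITY_DIRECTORY, "Last Name"),
    AttributeMapping("given_name", IDENTITY_DIRECTORY, "First Name"),
    AttributeMapping("groups", IDENTITY_DIRECTORY, "Groups"),
    AttributeMapping("user_uuid", IDENTITY_DIRECTORY, "Global user ID"),
)

# Constructed assertion from an LDAP-backed corporate IdP (attribute names assumed).
CORPORATE_ASSERTION = {
    "mail": "jane.doe@example.com",
    "sn": "Doe",
    "givenName": "Jane",
    "memberOf": ["btp-admins", "finance"],
}

# Constructed Identity Directory record for the same user.
DIRECTORY_RECORD = {
    "Email": "jane.doe@example.com",
    "Email Verified": True,
    "Last Name": "Doe",
    "First Name": "Jane",
    "Groups": ["btp-admins"],
    "Global user ID": "0f7c6a2e-0000-4000-8000-example0000",
}


def with_mapping(mappings, replacement):
    """Copy of `mappings` with the row of the same name replaced, or appended."""
    rows = [m for m in mappings if m.name != replacement.name]
    rows.append(replacement)
    return tuple(rows)


def build_claims(corporate_attrs, mappings, federation_enabled, directory_record=None):
    """Assemble the claim set the application receives.

    Federation disabled: every corporate attribute passes through 1:1 and the
    rows act as enriched claims that add or rename on top of that.
    Federation enabled: nothing passes through; only the rows produce claims.
    """
    claims = {}
    if not federation_enabled:
        claims.update(corporate_attrs)
    for m in mappings:
        if m.source == CORPORATE_IDP:
            if m.value in corporate_attrs:
                claims[m.name] = corporate_attrs[m.value]
        elif m.source == IDENTITY_DIRECTORY:
            if directory_record is not None and m.value in directory_record:
                claims[m.name] = directory_record[m.value]
        elif m.source == STATIC:
            claims[m.name] = m.value
        else:
            raise ValueError(f"unknown attribute source: {m.source!r}")
    return claims


def missing_expected_claims(claims):
    """Names from EXPECTED_CLAIMS that the token would not carry."""
    return [name for name in EXPECTED_CLAIMS if name not in claims]


if __name__ == "__main__":
    # The page's example: the corporate IdP sends the last name as `sn`.
    custom = with_mapping(DEFAULT_MAPPINGS,
                          AttributeMapping("family_name", CORPORATE_IDP, "sn"))
    token = build_claims(CORPORATE_ASSERTION, custom, federation_enabled=True,
                         directory_record=DIRECTORY_RECORD)
    print(token, missing_expected_claims(token))
```

Run it with different row sets to see the effect of each mode: with federation disabled and no enrichment the token carries sn and memberOf but none of the names SAP BTP reads; with federation enabled and a user who is not in the Identity Directory, the default rows produce no claims at all, which is the case to check first when business users authenticate but arrive without attributes.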

The subject name identifier attribute is used by SAP BTP to uniquely identify the application user.

For more information, see Configure the Subject Name Identifier Sent to the Application in the documentation of SAP Cloud Identity Services.

In the default configuration, the attributes provided in the ID token issued by SAP Cloud Identity Services are described in the following table.

Default Attributes of SAP Cloud Identity Services Tokens

| User Attribute of SAP Cloud Identity Services | Token Claim (Assertion Attribute) | Description |
|---|---|---|
| mail | email | E-mail address of the subject. By default, this value is used for the subject name identifier. See the table Default Configurations of the Subaccount in SAP Cloud Identity Services following this table. |
| mailVerified | email_verified | Indicates whether the subject has confirmed their e-mail address. Your identity provider might require users to verify their e-mail address. |
| lastName | family_name | Last name of the subject. |
| firstName | given_name | First name of the subject. |
| companyGroups | groups | Any groups the subject is assigned to in the identity provider. |
| userUuid | user_uuid | An identifier for a user that is unique across technology layers such as user interface, APIs, and security tokens, as well as across products and lines of business contributing to a business process in the Intelligent Enterprise. Business applications can use this identifier to correlate information about the user. While not necessary for platform users, the attribute doesn't hinder such users either. |

Note:

SAP Authorization and Trust Management service supports global user identifiers. When SAP Cloud Identity Services sends a global user identifier, it's included in the SAP Authorization and Trust Management service tokens, which means that you can use it in scenarios where you need to use global user identifiers.

For more information, see Global User ID in Integration Scenarios.

In the application of SAP Cloud Identity Services that represents the subaccount, the configuration sets the defaults shown in the following table.

Default Configurations of the Subaccount in SAP Cloud Identity Services

| Configuration | Description |
|---|---|
| Subject name identifier | The attribute the SAP Authorization and Trust Management service uses to identify the authenticated user. Default value: E-Mail. Because this value is the key under which SAP BTP knows the user, the chosen attribute must be unique and stable per user: if the corporate identity provider lets an e-mail address be changed or reassigned, the user's identity in the subaccount changes with it. For more information, see Configure the Subject Name Identifier Sent to the Application in the documentation of SAP Cloud Identity Services. |
| List of allowed redirect URIs | The URIs to which SAP Cloud Identity Services may redirect the browser after authenticating a user for the application that represents your subaccount (the redirect_uri of the OIDC flow). Default value: https://<subdomain>.authentication.<landscape>/login/callback/<origin>. For example: https://mysubdomain.authentication.us10.hana.ondemand.com/login/callback/sap.custom. Keep these entries exact: every URI on the list is a place the authorization code can be delivered to. For more information, see OpenID Connect Application Configurations in the documentation of SAP Cloud Identity Services. |
| Post logout redirect URIs | The URIs to which SAP Cloud Identity Services is allowed to direct users after logging out. Default value: https://<subdomain>.authentication.<landscape>/*, that is, any path on the authentication host of your subaccount. For example: https://mysubdomain.authentication.us10.hana.ondemand.com/*. For more information, see OpenID Connect Application Configurations in the documentation of SAP Cloud Identity Services. |
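The two lists above are allow lists, and the difference between them is how an entry is matched. The following check is an added illustration for this page, not SAP code, and the page does not describe how SAP Cloud Identity Services itself performs the comparison: it assumes the usual OIDC rule that a login redirect_uri must match an allow-list entry exactly (scheme, host, port, path and query), and it treats a trailing "/*" in a post-logout entry as a path prefix on the same host and port. The subdomain and landscape values are the ones the table uses as its example; the function and constant names are the example's own.

```python
"""Allow-list checks for the redirect URI lists of the subaccount application.
Illustration written for this page; not SAP code. Matching rules are assumed."""
from urllib.parse import urlsplit

# Defaults for a subaccount "mysubdomain" on the us10 landscape (table above).
ALLOWED_REDIRECT_URIS = (
    "https://mysubdomain.authentication.us10.hana.ondemand.com/login/callback/sap.custom",
)
POST_LOGOUT_REDIRECT_URIS = (
    "https://mysubdomain.authentication.us10.hana.ondemand.com/*",
)


def _parse(uri):
    """Return (host, port, path, query) for an https URI, or None when the URI
    is not https, has no host, carries a fragment, or has a non-numeric port."""
    try:
        p = urlsplit(uri)
        port = p.port  # raises ValueError on a port such as ":abc"
    except ValueError:
        return None
    if p.scheme.lower() != "https" or not p.hostname or p.fragment:
        return None
    # p.hostname is already lower-cased; the default port is made explicit so
    # "https://host/" and "https://host:443/" compare equal.
    return (p.hostname, port or 443, p.path or "/", p.query)


def is_allowed_redirect_uri(uri, allow_list=ALLOWED_REDIRECT_URIS):
    """Exact match only: no wildcards, no prefix matching, no path normalisation,
    so ".../sap.custom/../x", a changed query string or a look-alike host
    ("...ondemand.com.attacker.example") are all rejected."""
    candidate = _parse(uri)
    if candidate is None:
        return False
    return any(_parse(entry) == candidate for entry in allow_list)


def is_allowed_post_logout_uri(uri, allow_list=POST_LOGOUT_REDIRECT_URIS):
    """Entries ending in "/*" match any path under that prefix on the same host
    and port; other entries require an exact match."""
    candidate = _parse(uri)
    if candidate is None:
        return False
    host, port, path, _query = candidate
    for entry in allow_list:
        if entry.endswith("/*"):
            base = _parse(entry[:-1])  # keep the trailing "/" as the prefix
            if base is not None and (host, port) == base[:2] and path.startswith(base[2]):
                return True
        elif _parse(entry) == candidate:
            return True
    return False


if __name__ == "__main__":
    host = "https://mysubdomain.authentication.us10.hana.ondemand.com"
    print(is_allowed_redirect_uri(host + "/login/callback/sap.custom"))
    print(is_allowed_redirect_uri(host + ".attacker.example/login/callback/sap.custom"))
    print(is_allowed_post_logout_uri(host + "/logout/done"))
```

The userinfo trick ("https://mysubdomain...ondemand.com@attacker.example/...") is handled by the parser rather than by string comparison: urlsplit reports attacker.example as the hostname, so the candidate never equals the allow-list entry.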

Related Information

Establish Trust and Federation Between SAP Authorization and Trust Management Service and SAP Cloud Identity Services