When you enable trust with a tenant of SAP Cloud Identity Services, you get an OpenID Connect (OIDC) application in SAP Cloud Identity Services to represent SAP BTP, in the context of platform users. When you authenticate users using a corporate identity provider, map the user attributes provided by the corporate identity provider to the attributes required by SAP BTP. The following information explains which attributes SAP BTP needs for which purpose, and how you can map those attributes.
- Ensure that your corporate identity provider allows local users from SAP Cloud Identity Services. If local users are not allowed, you must enrich the attributes coming from the corporate identity provider. For more information, see Enrich Assertion Attributes Coming from Corporate IdP.
The application in the administration console of SAP Cloud Identity Services that represents SAP BTP in the context of platform users is named SAP Business Technology Platform.
For more information, see OpenID Connect in the documentation of SAP Cloud Identity Services.
There are several options to customize attribute mappings in SAP Cloud Identity Services, depending on whether identity federation is enabled or disabled. For more information about identity federation, see Configure Identity Federation.
- When identity federation is disabled, SAP Cloud Identity Services always propagates all the attributes received from the corporate identity provider to all the applications, on a 1:1 basis. You have the following options:
  - Configure the corporate identity provider to directly send the attributes (see the table below).
  - If needed, use enriched token claims or enriched assertion attributes (depending on whether the corporate identity provider is connected with OIDC or SAML, respectively) to map the attributes sent by the corporate identity provider to the attribute names needed by SAP BTP. Enriched token claims or enriched assertion attributes add attributes, either derived from the corporate identity provider attributes (for example, by renaming them) or set to static values.
- When identity federation is enabled, SAP Cloud Identity Services doesn't automatically propagate any attributes from the corporate identity provider to the application. This option requires a mapping in the SAP Cloud Identity Services application for each attribute that the application needs. Use the attributes of the SAP Cloud Identity Services application that represents SAP BTP. You can add attribute sources or disable the default application attributes. You can also add self-defined attributes for mapping to role collections.
For example, if so many groups are added to your token that you run into size limits, you can disable the standard groups configuration and add a regular expression that includes only the groups that begin with BTP. To do so, add to the groups attribute a source of type Expression with the value ${companyGroups:regex[BTP.*]}. To check which groups SAP Cloud Identity Services actually sends, use the troubleshooting logs for OpenID Connect. For more information, see Logging OpenID Connect Tokens in the documentation for SAP Cloud Identity Services.
Ensure that you enter the attribute names exactly as your corporate identity provider provides them.
Default Configuration of Application Attributes in SAP Cloud Identity Services

Attribute Name | Source | Attribute Value
---|---|---
email | Identity Directory | Email
 | Corporate Identity Provider | email
groups | Identity Directory | Groups
mail | Identity Directory | Email
 | Corporate Identity Provider | email
uuid | Identity Provider | User ID
If the corporate identity provider sends the e-mail address, first name, or last name under attribute names other than mail, first_name, or last_name, replace those attribute values with the names the corporate identity provider actually uses.
If your corporate identity provider sends users' last names as the sn attribute, add the corporate identity provider as a source to the last_name attribute with the value sn. For more information, see User Attributes in the documentation of SAP Cloud Identity Services.
The following table provides the information needed for mapping the attributes.
The subject name identifier attribute is used by SAP BTP to uniquely identify the user in Neo subaccounts. In the Cloud Foundry environment, the email address is used as the user identifier for the global account, directory, and multi-environment subaccount.
For more information, see Configure the Subject Name Identifier Sent to the Application in the documentation of SAP Cloud Identity Services.
Attribute Mapping in SAP Cloud Identity Services Tokens

User Attribute Expected by SAP BTP | Purpose
---|---
Subject Name Identifier | User identifier for Neo subaccounts. Default value: User ID
mail | E-mail address of the user. The e-mail addresses of all the users in the SAP Cloud Identity Services tenant must be unique. For more information, see the prerequisites for establishing trust and federation of custom identity providers for platform users.
first_name | First name of the user.
last_name | Last name of the user.
groups | Any groups the subject is assigned to in the identity provider.
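The following is an added example, written for this page and not SAP code, that models the propagation behaviour described in the two identity federation options above, the groups Expression source with a regex filter, the sn to last_name mapping, and the check that the attributes in the table are present and that e-mail addresses are unique. It does not call the SAP Cloud Identity Services API. The corporate IdP claims are constructed sample data; the source tuple format, first-source-wins resolution, and full-match regex semantics are assumptions of this model, not documented SAP behaviour.

```python
import re
from typing import Any, Dict, List, Tuple

# Attributes SAP BTP expects in the token, per the mapping table on this page.
BTP_REQUIRED = ("mail", "first_name", "last_name", "groups")

# Constructed sample claims as a corporate IdP might send them (not real data).
CORP_IDP_CLAIMS: List[Dict[str, Any]] = [
    {"sub": "u1", "email": "alice@example.com", "givenName": "Alice", "sn": "Adams",
     "companyGroups": ["BTP_Admin", "HR_All", "BTP_Dev"]},
    {"sub": "u2", "email": "bob@example.com", "givenName": "Bob", "sn": "Brown",
     "companyGroups": ["Finance", "BTP_Viewer"]},
]

# Assumed source encoding: ("idp", attr) | ("static", value) | ("expr", "${attr:regex[pat]}")
Source = Tuple[str, str]
_EXPR = re.compile(r"^\$\{(\w+)(?::regex\[(.+)\])?\}$")


def resolve_source(source: Source, corp: Dict[str, Any]) -> Any:
    """Resolve one attribute source against the corporate IdP claims.
    The regex filter keeps list members that fully match the pattern
    (full-match semantics are an assumption of this model)."""
    kind, value = source
    if kind == "idp":
        return corp.get(value)
    if kind == "static":
        return value
    if kind == "expr":
        m = _EXPR.match(value)
        if not m:
            raise ValueError(f"unsupported expression: {value}")
        attr, pattern = m.group(1), m.group(2)
        vals = corp.get(attr)
        if vals is None or pattern is None:
            return vals
        if isinstance(vals, str):
            vals = [vals]
        return [v for v in vals if re.fullmatch(pattern, v)]
    raise ValueError(f"unknown source kind: {kind}")


def build_token(corp: Dict[str, Any], mappings: Dict[str, List[Source]],
                federation_enabled: bool) -> Dict[str, Any]:
    """Federation disabled: start from a 1:1 copy of every corporate attribute,
    then add enrichments. Federation enabled: start empty, so only explicitly
    mapped application attributes reach SAP BTP."""
    token: Dict[str, Any] = {} if federation_enabled else dict(corp)
    for name, sources in mappings.items():
        for src in sources:
            val = resolve_source(src, corp)
            if val is not None:
                token[name] = val  # first source yielding a value wins (assumption)
                break
    return token


def check_btp_claims(tokens: List[Dict[str, Any]]) -> List[str]:
    """Report tokens missing a required attribute, and e-mail addresses that
    are not unique across the tenant (a prerequisite stated on this page)."""
    problems: List[str] = []
    seen = set()
    for i, t in enumerate(tokens):
        label = t.get("mail") or f"token#{i}"
        missing = [a for a in BTP_REQUIRED if a not in t]
        if missing:
            problems.append(f"{label}: missing {', '.join(missing)}")
        mail = t.get("mail")
        if mail is not None:
            if mail.lower() in seen:
                problems.append(f"{label}: duplicate e-mail address")
            seen.add(mail.lower())
    return problems


# Mappings for the SAP BTP application: rename corporate names and filter groups.
BTP_MAPPINGS: Dict[str, List[Source]] = {
    "mail": [("idp", "email")],
    "first_name": [("idp", "givenName")],
    "last_name": [("idp", "sn")],
    "groups": [("expr", "${companyGroups:regex[BTP.*]}")],
}

if __name__ == "__main__":
    raw = [build_token(c, {}, federation_enabled=False) for c in CORP_IDP_CLAIMS]
    print("1:1 pass-through, no mapping:", check_btp_claims(raw))
    mapped = [build_token(c, BTP_MAPPINGS, federation_enabled=True) for c in CORP_IDP_CLAIMS]
    print("mapped:", check_btp_claims(mapped), mapped[0]["groups"])
```

Run as a script, the first line shows that a plain 1:1 pass-through leaves SAP BTP without mail, first_name, last_name, and groups when the corporate IdP uses its own names; the second shows the mapped token with only the BTP groups, and an empty problem list.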
Related Information
Map User Attributes from a Corporate Identity Provider for Business Users