This document is intended to help you configure trust with an OpenID Connect (OIDC) corporate identity provider. In this scenario, Identity Authentication acts as a proxy to delegate the authentication to an OIDC-compliant corporate identity provider.
Identity Authentication can use OIDC-compliant identity providers as external authenticating authorities. The service acts as a proxy to delegate authentication to the external corporate identity provider. The requests for authentication sent by the relying party are forwarded to the corporate identity provider.
As an identity provider proxy, Identity Authentication acts as an OpenID identity provider to the relying party, and as a relying party to the corporate identity provider. Once a user is authenticated at the corporate identity provider, successive authentication requests from relying parties that use the same corporate identity provider aren't forwarded to it as long as the session at Identity Authentication is active. Identity Authentication issues JSON Web Tokens (JWTs) based on the user data received during the first authentication.
To use Identity Authentication as a proxy to delegate authentication to an external OpenID Connect corporate identity provider, configure trust with that corporate identity provider.
If you want to replace one corporate identity provider with another, for example move from a SAML identity provider to an OpenID Connect one, it's helpful to know which applications use the corporate identity provider. To see the applications that have established trust with a specific corporate identity provider, sign in to the administration console and go to Identity Providers > Corporate Identity Providers > identity provider from the list > Trusting Applications.
To configure trust with the corporate identity provider, follow the procedures below:
Configure Identity Authentication as an application at the corporate identity provider side.
- You have registered Identity Authentication as an application at the corporate identity provider.
- You have created a client secret.
  Use the client credentials of the application's registration for Client ID and Client Secret. Use the corporate identity provider tenant as Issuer. You can retrieve this information by calling the discovery endpoint of the corporate identity provider:
  https://<OpenID-Connect-IdP>/.well-known/openid-configuration
- (For the authorization code flow) You have configured the callback endpoint of the Identity Authentication tenant as Redirect URI:
  https://<Cloud Identity Services domain>/oauth2/callback
  The domain part has the following pattern: <tenant ID>.accounts.ondemand.com or <tenant ID>.accounts.cloud.sap. If you have configured a custom domain, the domain has the pattern <your custom domain>. The tenant ID is an ID generated automatically by the system. The first administrator created for the tenant receives an activation email with a URL in it. This URL contains the tenant ID. For more information about your tenants, see View Assigned Tenants and Admins.
  Use the OIDC Callback URL button to copy the callback URL of the Identity Authentication tenant.
The information retrieved from the .well-known/openid-configuration endpoint can contain:

| Attribute | Notes |
|---|---|
| | Required. Must be a valid URI. |
| | Required. Must be a valid URI. |
| | Required. Must be a valid URI. |
| | Required. Must be a valid URI. |
| | Optional. If present, it must be a valid URI. |
| | Optional. |
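As an added example (not SAP's code), the following Python check inspects a discovery document before its issuer is entered as Discovery URL: it builds the well-known URL from the issuer, requires the endpoint fields to be valid https URIs, confirms the issuer matches the URL the document was fetched from, and flags an identity provider whose advertised code challenge methods lack S256. The field names are taken from the OpenID Connect Discovery specification, not from the table above, and the sample document is constructed.

```python
import json
from urllib.parse import urlsplit

# Field names per the OpenID Connect Discovery specification (assumption, not the page's table).
REQUIRED_URIS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
OPTIONAL_URIS = ("userinfo_endpoint", "end_session_endpoint")

# Constructed sample document, as a corporate identity provider might publish it.
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://idp.example.com",
  "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
  "token_endpoint": "https://idp.example.com/oauth2/token",
  "jwks_uri": "https://idp.example.com/oauth2/keys",
  "userinfo_endpoint": "http://idp.example.com/userinfo",
  "code_challenge_methods_supported": ["plain"]
}""")


def discovery_url(issuer: str) -> str:
    """Where the discovery document lives for a given issuer."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def is_https_uri(value) -> bool:
    # Only absolute https URIs are acceptable for OIDC endpoints.
    if not isinstance(value, str):
        return False
    parts = urlsplit(value)
    return parts.scheme == "https" and bool(parts.netloc)


def validate_discovery(doc: dict, expected_issuer: str) -> list[str]:
    """Return a list of problems; an empty list means the document is usable."""
    problems = []
    for key in REQUIRED_URIS:
        if key not in doc:
            problems.append(f"{key}: missing")
        elif not is_https_uri(doc[key]):
            problems.append(f"{key}: not a valid https URI")
    for key in OPTIONAL_URIS:
        if key in doc and not is_https_uri(doc[key]):
            problems.append(f"{key}: present but not a valid https URI")
    # Discovery requires the issuer in the document to match the URL it was fetched from.
    if doc.get("issuer", "").rstrip("/") != expected_issuer.rstrip("/"):
        problems.append("issuer: does not match the discovery URL")
    # Identity Authentication supports only S256 for PKCE; warn if the IdP advertises otherwise.
    methods = doc.get("code_challenge_methods_supported")
    if methods is not None and "S256" not in methods:
        problems.append("code_challenge_methods_supported: S256 not offered")
    return problems
```

Running `validate_discovery(SAMPLE_DISCOVERY, "https://idp.example.com")` reports the plain-http userinfo endpoint and the missing S256 method; a document that passes with no problems is ready to be used for the Discovery URL field.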
Configure the corporate identity provider in the administration console for SAP Cloud Identity Services.
- You are assigned the Manage Corporate Identity Providers role. For more information about how to assign administrator roles, see Edit Administrator Authorizations.
- You have registered Identity Authentication as an application at the corporate identity provider.
- Sign in to the administration console for SAP Cloud Identity Services.
- Under Identity Providers, choose the Corporate Identity Providers tile.
- Select the corporate identity provider that you want to configure.
- Under Provider Configuration, enter the following information for the corporate identity provider:

| Provider Configuration | Notes |
|---|---|
| Discovery URL | Required. Issuer or metadata URL of the corporate identity provider. |
| Name | Required. Unique URI-based name of the corporate identity provider. The issuer is used by default. |
| Metadata Refresh Interval | Optional. Refreshes the OpenID Connect metadata of the corporate identity provider automatically if it's older than the selected interval and there are logons that forward the request to the corporate identity provider. Choose from: 24 hours (default choice) or 12 hours. |
- Under Client Authentication, enter the following information for the corporate identity provider:

| Client Authentication | Notes |
|---|---|
| Client Authentication Method | Optional. Choose from: Client secret in body (default choice), Client secret in authorization header, or Private key JWT. If possible, choose Private key JWT. This choice also allows automatic credential rotation. |
| Client ID | Required. The Client ID of the application on the corporate identity provider side. |
| Client Secret | Required when Client Authentication Method is Client secret in body or Client secret in authorization header. The Client Secret of the application on the corporate identity provider side. |
| Enable PKCE (S256) | Optional. Disabled by default. If enabled, Identity Authentication runs the authorization code flow enhanced with PKCE against the corporate identity provider. The authorization code flow with PKCE is recommended. Only the code challenge method S256 is supported. |
- Optional: Populate the OpenID Connect issuer and endpoints under the Endpoints section.
  The Endpoints section is read-only.
- Optional: Add additional scopes if needed.
  You can have up to 20 scopes. The openid scope is added by default. Each scope can have a length of up to 99 characters. If you're using Microsoft Entra ID as the corporate identity provider, the recommended claims are:
  - openid
  - profile
- Optional: Choose the Validate button to check the configuration.
  An authorization code flow is run against the corporate identity provider. The configuration is validated in a new tab that provides additional information about the authorization code, the token with all its claims and scopes, and the token verification.
  When SAP Cloud Identity Services works with an OIDC corporate identity provider, we expect a response time within 10 seconds. The response time can be a problem for on-premise identity providers, which don't have defined service level agreements like cloud-based identity providers. To use this configuration, you must ensure that the corporate identity provider can respond within this timeframe. When the corporate identity provider doesn't respond quickly enough, SAP Cloud Identity Services presents the following error message:
  OpenID provider cannot process the request because the configuration is incorrect. Please contact your system administrator.
- Save your configuration.
  Once the identity provider has been updated, the system displays the message Identity provider <name of identity provider> updated.
- Select the configured identity provider as the authenticating identity provider for the application. For more information, see Choose Default Identity Provider for an Application.
- (Optional) Configure the Subject Name Identifier Sent to the OpenID Connect Corporate IdP.
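The Client Authentication Method and Enable PKCE (S256) settings in the procedure above determine what Identity Authentication sends to the corporate identity provider's authorization and token endpoints. This added Python example (not SAP's code) shows the S256 code challenge and verifier that PKCE adds, and the difference between Client secret in body and Client secret in authorization header in the token request; Private key JWT is omitted because it needs an asymmetric signing key. Endpoint, client ID, secret and code values are constructed placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import quote, urlencode


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(code_verifier)) without padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple[str, str]:
    """Fresh (code_verifier, code_challenge); the verifier never leaves the client until token time."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, s256_challenge(verifier)


def authorization_params(client_id, redirect_uri, scopes, code_challenge=None) -> dict:
    """Query parameters for the authorization request; PKCE adds the challenge and method."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": " ".join(scopes),
              "state": secrets.token_urlsafe(16)}
    if code_challenge is not None:
        params["code_challenge"] = code_challenge
        params["code_challenge_method"] = "S256"   # the only method Identity Authentication supports
    return params


def token_request(method, token_endpoint, client_id, client_secret, code,
                  redirect_uri, code_verifier=None):
    """Return (url, headers, body); the client secret goes in the body or in the header."""
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if code_verifier is not None:
        form["code_verifier"] = code_verifier   # lets the IdP recompute and compare the S256 challenge
    if method == "client_secret_post":          # "Client secret in body"
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    elif method == "client_secret_basic":       # "Client secret in authorization header"
        creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}".encode("ascii")
        headers["Authorization"] = "Basic " + base64.b64encode(creds).decode("ascii")
    else:
        raise ValueError(f"unsupported client authentication method: {method}")
    return token_endpoint, headers, urlencode(form)
```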
Related Information
Edit Administrator Authorizations
Microsoft identity platform application authentication certificate credentials