openid-connect-oidc-authentication-084c6fb.md

File metadata and controls

201 lines (112 loc) · 7.3 KB

OpenID Connect (OIDC) Authentication

Protect your applications on SAP BTP, Neo environment with OpenID Connect (OIDC) authentication method using an Identity Authentication tenant as an OpenID Connect provider.

With the OpenID Connect authentication method, the Identity Authentication tenant or SAP ID service is used as an OpenID Connect provider. Your application's users will authenticate using the credentials defined and verified by the Identity Authentication tenant (by default, this is a user name/e-mail address and password pair but you can configure your tenant to use others).

By default, SAP ID Service is used. You can change it to an Identity Authentication tenant, and back to SAP ID Service at any time.

Note:

We support the Authorization Code flow of the OpenID Connect protocol. For more information about this scenario with Identity Authentication service, see (Identity Authentication documentation) Using the Authorization Code Flow.

General information about OpenID Connect supported by Identity Authentication service: (Identity Authentication documentation) OpenID Connect.

  1. In the SAP BTP cockpit, navigate to your subaccount. See Navigate in the Cockpit ↗️.

  2. Navigate to Security > Trust > OpenID Connect Authentication.

  3. Click Select OpenID Connect Provider.

  4. In the list of Identity Authentication tenants that appears, choose the tenant that you want to use as OpenID Connect provider.

    The required application configuration for OpenID Connect is automatically created on the tenant side. It has the following name:

    SAP BTP Neo OIDC Application - <subaccount>

    If you want to choose another OpenID Connect provider or switch back to SAP ID service, choose Delete OpenID Connect Provider.

    Note:

    This will also delete the created application configuration on the Identity Authentication tenant.

  5. If required for your OIDC scenario, configure further the created OpenID Connect (OIDC) application on the Identity Authentication tenant side. For example, you may need to configure user attributes/groups or risk-based authentication.

    Group assignments are configured as OIDC application attributes (see (Identity Authentication documentation) Tenant OpenID Connect Configurations). Refer to the table below for more information:

    | Scenario | Group Types | Attribute Name | Attribute Source | Attribute Value |
    |---|---|---|---|---|
    | IAS tenant as a proxy for a third-party identity provider | Default Groups: assigned to all users coming from this corporate identity provider. | `default_groups` | Expression | The group name (String). |
    | IAS tenant as a proxy for a third-party identity provider | Dynamic Groups: assigned only to users matching a given condition. | `dynamic_groups` | Expression | `<tbt>condition</tbt>dynamic group name` (format described below) |
    | IAS tenant user base. As a prerequisite, you have created the required tenant users and groups using the Administration Console. See Managing Users and Managing Groups. | - | `groups` | Identity Directory | Groups (choose the option from the dropdown) |

    For dynamic groups, the `<tbt>` and `</tbt>` parts delimit the condition that specifies which users the group is applied to. For more information about the format of the condition, see the Identity Federation section of Configuring Attributes Based on Flexible Parameters. In the final part of the attribute value, after the closing `</tbt>`, place the dynamic group name.

    For example:

    `<tbt>${corporateIdP.uid:regex[^P.*$]}</tbt>AllPUsers`

    This expression assigns the dynamic group AllPUsers to all users whose user IDs start with P. Users whose user ID does not match the condition receive no dynamic group from this attribute (they still receive any default groups).

    Note:

    Make sure you create the same groups in the SAP BTP cockpit, and assign them to the required roles. See Managing Roles. A group that is sent by the Identity Authentication tenant but does not exist in the cockpit grants no roles to the user.

  6. In your application code, declare the OIDC authentication method in the web.xml. See Declarative Authentication.

  7. (Optional) If required, change the authentication configuration (authentication stack). See Authentication Configuration.
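The following is an added example, not code from SAP or from this page, that models how the group attributes in step 5 behave for the proxy scenario: every user from the corporate identity provider gets the `default_groups` value, a `dynamic_groups` value of the form `<tbt>condition</tbt>GroupName` is applied only to users whose attribute matches the regex, and the resulting groups are then mapped to BTP roles via the cockpit group-to-role table. Assumptions: the sample users, their attribute names (`uid`, `mail`) and the cockpit mapping are constructed for the example; only the `${corporateIdP.<attribute>:regex[<pattern>]}` condition form shown above is parsed, not the full flexible-parameter grammar; and regex matching uses Python `re.search` semantics, which may differ in detail from what Identity Authentication applies.

```python
import re

# Constructed sample users, as the IAS proxy would receive them from a corporate
# identity provider. The attribute names "uid" and "mail" are assumptions.
SAMPLE_USERS = [
    {"uid": "P000123", "mail": "alice@example.com"},
    {"uid": "P000456", "mail": "bob@example.com"},
    {"uid": "D000789", "mail": "carol@example.com"},
]

# Shape of a dynamic_groups value from the table: <tbt>condition</tbt>GroupName
TBT_RE = re.compile(r"^<tbt>(.*)</tbt>(.+)$", re.DOTALL)
# Only the condition form shown on the page is modelled (assumption):
#   ${corporateIdP.<attribute>:regex[<pattern>]}
COND_RE = re.compile(r"^\$\{corporateIdP\.(\w+):regex\[(.*)\]\}$")


def parse_dynamic_group(value):
    """Split '<tbt>condition</tbt>GroupName' into (attribute, pattern, group).

    Raises ValueError for anything that is not a well-formed value, so a typo
    in the attribute name or regex is caught before it silently assigns the
    group to nobody (or to everybody)."""
    m = TBT_RE.match(value.strip())
    if not m:
        raise ValueError(f"not a dynamic_groups value: {value!r}")
    condition, group = m.group(1).strip(), m.group(2).strip()
    c = COND_RE.match(condition)
    if not c:
        raise ValueError(f"unsupported condition: {condition!r}")
    attribute, pattern = c.group(1), c.group(2)
    try:
        re.compile(pattern)  # surface a broken regex now, not at login time
    except re.error as exc:
        raise ValueError(f"bad regex in condition: {pattern!r}") from exc
    return attribute, pattern, group


def is_valid_dynamic_group(value):
    """True if parse_dynamic_group() accepts the value."""
    try:
        parse_dynamic_group(value)
        return True
    except ValueError:
        return False


def user_matches(user, attribute, pattern):
    """Apply the regex to one user attribute; a missing attribute never matches.

    re.search is used because the page's pattern anchors itself (^...$); the
    exact match semantics IAS applies are an assumption of this example."""
    v = user.get(attribute)
    return v is not None and re.search(pattern, v) is not None


def assign_groups(users, default_groups, dynamic_group_values):
    """Return {uid: set of groups} as the proxy scenario would emit them:
    every user gets the default groups, plus each dynamic group whose
    condition matches that user."""
    rules = [parse_dynamic_group(v) for v in dynamic_group_values]
    result = {}
    for user in users:
        groups = set(default_groups)
        for attribute, pattern, group in rules:
            if user_matches(user, attribute, pattern):
                groups.add(group)
        result[user["uid"]] = groups
    return result


def effective_roles(groups, cockpit_group_roles):
    """Map a user's groups to BTP roles via the cockpit group->roles table.

    A group sent by the tenant but never created in the cockpit grants
    nothing; it is returned in `missing` so the gap is visible."""
    roles, missing = set(), set()
    for g in groups:
        if g in cockpit_group_roles:
            roles.update(cockpit_group_roles[g])
        else:
            missing.add(g)
    return roles, missing


if __name__ == "__main__":
    DEFAULT_GROUPS = ["CorpUsers"]  # value of the default_groups attribute
    DYNAMIC = ["<tbt>${corporateIdP.uid:regex[^P.*$]}</tbt>AllPUsers"]
    # Constructed cockpit configuration: AllPUsers was deliberately not created.
    COCKPIT = {"CorpUsers": {"Viewer"}}

    for uid, groups in assign_groups(SAMPLE_USERS, DEFAULT_GROUPS, DYNAMIC).items():
        roles, missing = effective_roles(groups, COCKPIT)
        print(f"{uid}: groups={sorted(groups)} roles={sorted(roles)} "
              f"not_in_cockpit={sorted(missing)}")
```

Running the block shows the two P-users receiving AllPUsers in addition to the default group, the D-user receiving only the default group, and AllPUsers reported as not present in the cockpit, which is the situation the note after the table warns about: the group arrives in the token but grants no role until it is created and assigned in the SAP BTP cockpit.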

Related Information

(Identity Authentication documentation) OpenID Connect

(Identity Authentication documentation) Using the Authorization Code Flow

(Identity Authentication documentation) Tenant OpenID Connect Configurations

(OpenID specification) OpenID Connect Core 1.0