The Trust Management API for the Neo environment lets you export the trust configuration of one subaccount and import it into the same or another subaccount. Importing overwrites the existing trust configuration of the target subaccount.
A trust configuration consists of the local service provider settings and application identity providers (IdPs).
For more information about the trust configuration, see Application Identity Provider.
Prerequisites
This platform API is protected with OAuth client credentials.
- Create an OAuth client for the platform API with the required scopes readTrustSettings and manageTrustSettings. For exporting the trust configuration, you need only readTrustSettings. For importing it, you need both readTrustSettings and manageTrustSettings.
- Get an access token with the above scopes.
For more information, see Using Platform APIs.
API URL
https://api.<cloud platform host>/trust/v2/accounts/<subaccount>
For the cloud platform host, see Regions and Hosts Available for the Neo Environment.
API Reference
See Trust Management API Reference.
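The export-then-import round trip described above, as an added example (not SAP's code). It assumes the platform-API token endpoint is https://api.<host>/oauth2/apitoken/v1?grant_type=client_credentials with HTTP Basic client authentication, that export is a GET and import a PUT on /trust/v2/accounts/<subaccount>, and that the host, subaccount names and client credentials are illustrative; confirm the verbs against the Trust Management API Reference before use. The HTTP transport is injectable so the flow can be exercised against a fake transport without network access.

```python
"""Copy a Neo trust configuration between subaccounts via the platform API.

Added example; assumptions (token endpoint, GET export, PUT import) are
noted in the lead-in and must be checked against the API reference.
"""
import base64
import json
import urllib.request
from urllib.error import HTTPError


def urllib_transport(method, url, headers, body=None):
    """Real HTTP transport: returns (status, response body bytes)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.getcode(), resp.read()
    except HTTPError as err:
        return err.code, err.read()


class TrustApiClient:
    def __init__(self, host, transport=urllib_transport):
        self.base = f"https://api.{host}"          # host from Regions and Hosts table
        self.transport = transport

    def get_token(self, client_id, client_secret):
        # Client credentials grant (assumed endpoint). The scopes come from
        # the OAuth client's configuration: readTrustSettings for export,
        # plus manageTrustSettings for import.
        cred = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        status, body = self.transport(
            "POST",
            f"{self.base}/oauth2/apitoken/v1?grant_type=client_credentials",
            {"Authorization": f"Basic {cred}"},
        )
        if status != 200:
            raise RuntimeError(f"token request failed: {status} {body[:200]!r}")
        return json.loads(body)["access_token"]

    def _check(self, status, body, action):
        if status == 429:
            # 100 requests per minute per subaccount; back off and retry later.
            raise RuntimeError(f"rate limited during {action}; retry later")
        if status not in (200, 201, 204):
            raise RuntimeError(f"{action} failed: {status} {body[:200]!r}")

    def export_trust(self, subaccount, token):
        status, body = self.transport(
            "GET",
            f"{self.base}/trust/v2/accounts/{subaccount}",
            {"Authorization": f"Bearer {token}", "Accept": "application/json"},
        )
        self._check(status, body, "export")
        return json.loads(body)

    def import_trust(self, subaccount, token, config):
        # Overwrites the target subaccount's existing trust configuration.
        status, body = self.transport(
            "PUT",                                  # assumed import verb
            f"{self.base}/trust/v2/accounts/{subaccount}",
            {"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
            json.dumps(config).encode(),
        )
        self._check(status, body, "import")
        return status


def copy_trust_config(host, client_id, client_secret, source, target,
                      transport=urllib_transport):
    """Export the trust configuration of `source` and import it into `target`.

    Returns the configuration that was copied, so the caller can archive it.
    """
    client = TrustApiClient(host, transport)
    token = client.get_token(client_id, client_secret)
    config = client.export_trust(source, token)
    client.import_trust(target, token, config)
    return config


if __name__ == "__main__":
    # Illustrative values; replace with your region host, OAuth client and subaccounts.
    cfg = copy_trust_config("hana.ondemand.com", "<client-id>", "<client-secret>",
                            "<source-subaccount>", "<target-subaccount>")
    print(json.dumps(cfg, indent=2))
```

Because the exported document carries the local service provider's private signingKey, the returned configuration should be treated as a secret: do not log it, and when copying to a different subaccount decide deliberately whether both subaccounts should share the same service-provider key.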
Use Cases
| Use Case | Description | Corresponding Trust Settings |
|---|---|---|
| Fully featured application identity providers | For delegating the authentication and authorization of your applications to a third-party identity provider. For more information, see Authorization and Trust Management in the Neo Environment. | Local Service Provider: Configuration Type: Custom. Application Identity Providers: at least one fully featured (not only for IdP-initiated SSO and not only for OAuth 2.0 SAML Bearer Flow). |
| Configuration with application identity providers only for IdP-initiated single sign-on (SSO) or only for OAuth 2.0 SAML Bearer Flow | This allows more fine-grained and secure control over which IdPs are allowed during login. Only for IdP-initiated SSO: the identity provider can be used only for IdP-initiated single sign-on scenarios; applications deployed on SAP BTP cannot use it for user authentication from their login pages, and only users coming from links to the application on the IdP side can authenticate. Only for OAuth 2.0 SAML Bearer Flow: the IdP is used only to validate SAML assertions received via the OAuth 2.0 SAML Bearer Flow. | Local Service Provider: Configuration Type: Default. Application Identity Providers: Only for IdP-initiated SSO: enabled, or Only for SAML Bearer Flow: enabled. |
| Principal propagation | Enables applications to propagate principal information to each other. Choose this use case if you want to enable application-to-application single sign-on. | Local Service Provider: Configuration Type: Default; Principal Propagation: enabled. Application Identity Providers: none. |
| Cross-subaccount principal propagation | Enables principal propagation between applications in different subaccounts. For more information, see Principal Propagation Between Neo Subaccounts. | Local Service Provider: Configuration Type: Default; Principal Propagation: enabled. Application Identity Providers: at least one identity provider with Only for IdP-initiated SSO: enabled. |
In the use cases with Configuration Type: Default, SAP ID Service will be used as the application identity provider. We recommend using this for testing purposes only.
Example 1: Configuration with Fully Featured Application Identity Providers
If you want to configure custom application identity providers for your subaccount, you need to create a custom local service provider configuration, specifying the signing key, certificate, and additional properties.
The application identity providers also need to have their basic settings, such as name, description, Single Sign-On URL and so on. You can also define additional user attributes and groups (default or assertion-based). For more information, see Configure Trust to the SAML Identity Provider.
{
  "configurationType": "Custom",
  "localServiceProvider": {
    "name": "ExampleSPName",
    "signingKey": "<private-key>",
    "signingCertificate": "<public-certificate>",
    "principalPropagationEnabled": "false",
    "forceAuthenticationEnabled": "false",
    "useCustomApplicationDomains": "true",
    "centralRedirectUrl": "<valid-url>",
    "defaultIdentityProviderName": "<idp-name>",
    "customDomainSloUrls": [
      { "customDomainSloUrl": "<valid-url>" }
    ]
  },
  "applicationIdentityProviders": {
    "identityProviders": [
      {
        "name": "ExampleIdP",
        "description": "<description>",
        "enabled": "true",
        "ssoUrl": "https://example.com",
        "ssoBinding": "HTTP-POST",
        "assertionConsumerService": "AssertionConsumerService",
        "sloUrl": "",
        "sloBinding": "HTTP-POST",
        "userIdSource": { "type": "Attribute", "value": "UserId" },
        "userIdPrefix": "Company",
        "userIdSuffix": "Ltd.",
        "signatureAlgorithm": "SHA-256",
        "signingCertificate": "<idp-certificate>",
        "assertionBasedAttributes": [
          { "assertionAttribute": "First Name", "principalAttribute": "firstName" }
        ],
        "defaultAttributes": [
          { "defaultAttribute": "Company", "value": "Company Ltd." }
        ],
        "assertionBasedGroups": [
          {
            "group": "Manager",
            "rules": [
              { "assertionAttribute": "Department", "operation": "equals", "value": "Team Manager" },
              { "assertionAttribute": "Manager", "operation": "regexp", "value": "[.*]" }
            ]
          },
          {
            "group": "Developers",
            "rules": [
              { "assertionAttribute": "Position", "operation": "regexp", "value": "[.*]" }
            ]
          }
        ],
        "defaultGroups": [
          { "group": "Developers" }
        ],
        "onlyForIdpInitiatedSSO": "false",
        "onlyForOAuthSAMLBearerFlow": "false"
      }
    ]
  }
}
Example 2: Configuration with Application Identity Providers Only for IdP-Initiated SSO or Only for OAuth 2.0 SAML Bearer Flow
{
  "configurationType": "Default",
  "applicationIdentityProviders": {
    "identityProviders": [
      {
        "name": "OnlyForIdPInitiatedSSO",
        "description": "Example Description",
        "enabled": "true",
        "ssoUrl": "https://www.example.com",
        "ssoBinding": "HTTP-POST",
        "assertionConsumerService": "AssertionConsumerService",
        "sloUrl": "",
        "sloBinding": "HTTP-POST",
        "userIdSource": { "type": "subject", "value": "" },
        "userIdPrefix": "",
        "userIdSuffix": "",
        "signatureAlgorithm": "SHA-1",
        "signingCertificate": "<idp-certificate>",
        "assertionBasedAttributes": [
          { "assertionAttribute": "attribute", "principalAttribute": "principalAttribute" }
        ],
        "defaultAttributes": [
          { "defaultAttribute": "defaultAttr", "value": "values" }
        ],
        "assertionBasedGroups": [
          {
            "group": "Developers",
            "rules": [
              { "assertionAttribute": "Position", "operation": "regexp", "value": "[.*]" }
            ]
          },
          {
            "group": "Users",
            "rules": [
              { "assertionAttribute": "Position", "operation": "regexp", "value": "[.*]" }
            ]
          }
        ],
        "defaultGroups": [
          { "group": "Developers23" }
        ],
        "onlyForIdpInitiatedSSO": "true",
        "onlyForOAuthSAMLBearerFlow": "false"
      }
    ]
  }
}
Note that this example sets signatureAlgorithm to SHA-1. SHA-1 signatures are deprecated; use SHA-256 for productive identity providers, as in the other examples on this page.
Example 3: Configuration for Principal Propagation
{
  "configurationType": "Default",
  "localServiceProvider": {
    "name": "ExampleSPName",
    "signingKey": "<private-key>",
    "signingCertificate": "<public-certificate>",
    "principalPropagationEnabled": "true",
    "forceAuthenticationEnabled": "false"
  },
  "applicationIdentityProviders": {
    "identityProviders": []
  }
}
Example 4: Configuration for Cross-Subaccount Principal Propagation
{
  "configurationType": "Default",
  "localServiceProvider": {
    "name": "ExampleSPName",
    "signingKey": "<private-key>",
    "signingCertificate": "<public-certificate>",
    "principalPropagationEnabled": "true",
    "forceAuthenticationEnabled": "false"
  },
  "applicationIdentityProviders": {
    "identityProviders": [
      {
        "name": "ExampleOnlyForIdPInitiatedSSO",
        "description": "Example description",
        "enabled": "true",
        "ssoUrl": "https://www.example.com",
        "ssoBinding": "HTTP-POST",
        "assertionConsumerService": "AssertionConsumerService",
        "sloUrl": "",
        "sloBinding": "HTTP-POST",
        "userIdSource": { "type": "Attribute", "value": "UserId" },
        "userIdPrefix": "Company",
        "userIdSuffix": "Ltd.",
        "signatureAlgorithm": "SHA-256",
        "signingCertificate": "<idp-certificate>",
        "assertionBasedAttributes": [
          { "assertionAttribute": "First Name", "principalAttribute": "firstName" }
        ],
        "defaultAttributes": [
          { "defaultAttribute": "Company", "value": "Company Ltd." }
        ],
        "assertionBasedGroups": [
          {
            "group": "Manager",
            "rules": [
              { "assertionAttribute": "Department", "operation": "equals", "value": "Team Manager" },
              { "assertionAttribute": "Manager", "operation": "regexp", "value": "[.*]" }
            ]
          },
          {
            "group": "Developers",
            "rules": [
              { "assertionAttribute": "Position", "operation": "regexp", "value": "[.*]" }
            ]
          }
        ],
        "defaultGroups": [
          { "group": "Developers" }
        ],
        "onlyForIdpInitiatedSSO": "true",
        "onlyForOAuthSAMLBearerFlow": "false"
      }
    ]
  }
}
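Because an import overwrites the target subaccount's trust configuration, it pays to check an exported document against the use-case table above before sending it. The following added example (not SAP's code) encodes those rules plus the checks a reviewer would apply to each identity provider: SHA-256 signatures, an https SSO URL, a signing certificate present, and assertion-based group rules whose regular expressions compile. It also redacts the service provider's private signingKey so an export can be kept in version control. Field names and the "true"/"false" string flags follow the examples on this page; the sample configuration is a constructed, trimmed version of Example 2.

```python
"""Pre-import checks for a Neo trust configuration document (added example).

Rules are derived from this page's use-case table and example documents;
flag values are the strings "true"/"false" exactly as the examples use them.
"""
import re
from copy import deepcopy


def is_fully_featured(idp):
    """An IdP restricted to IdP-initiated SSO or to the SAML Bearer flow
    cannot be used for interactive login from an application's login page."""
    return (idp.get("onlyForIdpInitiatedSSO") != "true"
            and idp.get("onlyForOAuthSAMLBearerFlow") != "true")


def check_trust_config(cfg):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    ctype = cfg.get("configurationType")
    sp = cfg.get("localServiceProvider") or {}
    idps = (cfg.get("applicationIdentityProviders") or {}).get("identityProviders") or []

    if ctype == "Custom":
        for field in ("signingKey", "signingCertificate"):
            if not sp.get(field):
                findings.append(f"Custom configuration requires localServiceProvider.{field}")
        if not any(is_fully_featured(i) for i in idps):
            findings.append("Custom configuration needs at least one fully featured application IdP")
    elif ctype == "Default":
        # SAP ID Service becomes the application IdP; the page recommends this for testing only.
        findings.append("Default configuration authenticates via SAP ID Service (recommended for testing only)")
        if sp.get("principalPropagationEnabled") == "true" and idps and not any(
                i.get("onlyForIdpInitiatedSSO") == "true" for i in idps):
            findings.append("Cross-subaccount principal propagation needs an IdP with onlyForIdpInitiatedSSO enabled")
    else:
        findings.append(f"unknown configurationType {ctype!r}")

    for idp in idps:
        name = idp.get("name", "<unnamed>")
        alg = idp.get("signatureAlgorithm")
        if alg != "SHA-256":
            findings.append(f"{name}: signatureAlgorithm {alg!r} is weak; use SHA-256")
        if not str(idp.get("ssoUrl", "")).startswith("https://"):
            findings.append(f"{name}: ssoUrl must use https")
        if not idp.get("signingCertificate"):
            findings.append(f"{name}: missing IdP signingCertificate, assertions could not be verified")
        for grp in idp.get("assertionBasedGroups") or []:
            for rule in grp.get("rules") or []:
                if rule.get("operation") == "regexp":
                    try:
                        re.compile(rule.get("value", ""))
                    except re.error as exc:
                        findings.append(f"{name}: group {grp.get('group')!r} has invalid regexp "
                                        f"{rule.get('value')!r}: {exc}")
    return findings


def redact_for_storage(cfg):
    """Copy of the document with the SP private signing key removed, for
    keeping exports in version control or tickets; the original is untouched."""
    out = deepcopy(cfg)
    sp = out.get("localServiceProvider")
    if sp and sp.get("signingKey"):
        sp["signingKey"] = "<redacted>"
    return out


# Constructed sample: a trimmed version of Example 2 on this page.
SAMPLE_DEFAULT_IDP_SSO_ONLY = {
    "configurationType": "Default",
    "applicationIdentityProviders": {"identityProviders": [{
        "name": "OnlyForIdPInitiatedSSO", "enabled": "true",
        "ssoUrl": "https://www.example.com", "ssoBinding": "HTTP-POST",
        "signatureAlgorithm": "SHA-1", "signingCertificate": "<idp-certificate>",
        "assertionBasedGroups": [{"group": "Developers", "rules": [
            {"assertionAttribute": "Position", "operation": "regexp", "value": "[.*]"}]}],
        "onlyForIdpInitiatedSSO": "true", "onlyForOAuthSAMLBearerFlow": "false"}]},
}

if __name__ == "__main__":
    for finding in check_trust_config(SAMPLE_DEFAULT_IDP_SSO_ONLY):
        print("-", finding)
```

Run it on the real export before calling the import endpoint, and only store the output of redact_for_storage outside the platform. Note that the regular expression "[.*]" used in the page's examples compiles, but as a character class it matches a single '.' or '*' character, not an arbitrary string; ".*" is what a match-anything rule looks like.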
Rate Limits
Rate limits restrict the number of requests against this REST API. Requests may be throttled (delayed) and, under very high load, denied.
The rate limit defined for the API is 100 requests per minute per subaccount. If this limit is fully exceeded, the service responds with '429 - Too Many Requests'.
Depending on the service health, this limit may be ignored or further reduced to keep the service operational.