This blog focuses on the integration of IBM Security Verify with SAP Cloud Identity Services in SAP BTP as a proxy.
Integrating SAP Cloud Identity Services (CIS) with IBM Security Verify represents a strategic move for organisations aiming to optimise their operations and bolster their cybersecurity measures. SAP CIS offers a comprehensive suite of integrated solutions tailored to streamline business processes and enhance operational efficiency. Conversely, IBM Security Verify provides best-in-class identity verification capabilities, safeguarding sensitive data and preventing unauthorised access.
The integration of these two platforms enables companies to capitalise on their respective strengths, creating a seamless and secure business environment. This powerful combination empowers organisations with greater operational control, enhanced regulatory compliance, and an improved user experience, ultimately fostering sustainable business growth in the digital era.
IBM Security Verify facilitates automated, cloud-based, and on-premises capabilities for administering identity governance, managing workforce and customer identity and access, and controlling privileged accounts. Its support for various authentication methods, including password-less, fingerprints, and one-time passcodes, ensures flexibility and robustness against unauthorised access.
On the other hand, SAP Cloud Identity Services serves as a comprehensive Identity and Access Management (IAM) solution crafted by SAP. It is designed to empower organisations in efficiently managing user identities, access controls, and application integrations across their IT landscape.
Integrating SAP CIS with IBM Security Verify offers organisations a powerful combination of security, efficiency, and scalability. This integration strengthens the organisation's security posture, streamlines identity management processes, and effectively mitigates cybersecurity risks.
The integration process involves collaboration between the organisation and SAP, with most of the effort undertaken by the organisation. Configuration updates are required in both SAP CIS and IBM Security Verify. This article covers authentication using a standard protocol supported by both IBM Security Verify and SAP CIS, namely SAML 2.0.
It's essential for organisations to ensure they have the necessary admin privileges or access rights for editing configurations in SAP CIS and IBM Security Verify before initiating the integration procedure. This collaborative effort between the organisation and SAP ultimately results in a seamlessly integrated and fortified security infrastructure, paving the way for enhanced operational efficiency and sustained business growth.
Reference Architecture
The diagram represents SAP Cloud Identity Services integrated with IBM Security Verify, through which various SAP BTP application(s), SAP SaaS solution(s) and on-premises application(s) can be accessed. It demonstrates user sign-in via IBM Security Verify, which allows password-less, biometric or multi-factor authentication (MFA) using mobile devices for fast application access and a pleasing user experience.
Prerequisites
- SAP Cloud Identity Services (for trial instance check this link)
- IBM Security Verify (for trial instance check this link)
- A smartphone with the IBM Security Verify app
Configurations and Settings in IBM Security Verify
Log in to IBM Security Verify as an administrator.
After login, the home screen is displayed as shown below.
Now on the left panel, click on “Applications” under “Applications”. On the right side of the screen, there is an “Add application” button. Click on it.
Fill in the necessary details under the “General” section as shown below and save them.
Before we go further, log in to your SAP BTP account; you will land in the SAP BTP Cockpit. As suggested below, navigate to the “Instances and Subscriptions” tab, which is under “Services”.
Upload the metadata file which you have recently saved on your device to the IBM Verify dashboard.
Configurations and Settings in SAP Cloud Identity Services
Now, get back to SAP BTP and navigate to “Instances and Subscriptions.”
Now, enable “Cloud Identity Services” if it is not already enabled. Once done, it will be accessible as below:
Once you click on “Cloud Identity Services”, you will be redirected to the SAP authentication login screen as shown below.
After successful login, you can see the home screen of Cloud Identity Services. Go to “Identity Providers” as highlighted below.
Click on “Corporate Identity Providers” and create a new identity provider.
Once the new identity provider is added successfully, click on the identity provider type and select “SAML 2.0 compliant” as shown below.
Go to the SAML configuration section and fill in the information as shown below.
Download the “Metadata” file from the IBM Security Verify dashboard: go to the “Sign on” section of the application and, on the right side of the screen, download the file from the given URL. Then browse to the file on your device and upload it in SAP Cloud Identity Services as highlighted below:
Click on the “Trusting application” section and add the SAP BTP trial sub-account.
Now, navigate back to the SAP BTP cockpit and establish the trust configuration, which is under the “Security” section, for the Cloud Identity application as shown in the screenshots below.
Select “Establish Trust”.
You will see the steps below once you click on “Establish Trust”. As a first step, choose the tenant and click on next.
After selecting a tenant, in the next step choose the domain for your SAP Cloud Identity Services application.
Click on the next button and configure the parameters as shown in the screenshot below.
Click on the next button and make a final review of the setup you have done while establishing the trust. Then click on the finish button and save the details.
Once done, you can see the new active trust configuration as shown below.
To provide access to the user, click on the “Users” section, which is inside the “Security” section on the left menu.
Click on the user and assign a role collection to the user as shown below.
You can select different roles and assign them to the user. Here we have added three roles to the user. After selecting all the roles, click on the “Assign role collection” button and save the details.
We have completed the configurations in IBM Security Verify and SAP Cloud Identity Services. Let’s test it now by opening the SAP Business Application Studio application as shown below.
How does it work? Let’s Check.
Log in to the SAP BTP Cockpit and navigate to “Instances and Subscriptions” under “Services” as highlighted below:
It will redirect to the SAP sign-in options screen. Here, select SAP Cloud Identity Services as the identity provider.
Once you select it, you will be redirected to the Verify sign-in options screen for authentication. Here you can select a different sign-in option for Verify or log in with IBMid/Cloud Directory.
Enter your IBMid to log in and click the continue button.
It will redirect you to the w3 authentication screen, where you can enter your w3 id and password.
Once you click on sign in, you will see the SAP Business Application Studio screen shown below.
Click on the “OK” button and you will be redirected to the SAP Business Application Studio home screen.
Conclusion
To summarise, combining IBM Security Verify with SAP Cloud Identity Services via SAML 2.0 provides a strong solution for organisations wishing to:
- Enhance security: By implementing multi-factor authentication and centralised user management, businesses may greatly minimise the risk of unauthorised access to vital data and applications.
- Improve the user experience: SAML 2.0 integration offers single sign-on, which allows users to access various applications with a single login, eliminating login fatigue and improving the overall user experience.
- Simplify identity management: Consolidating identity management across several platforms allows organisations to streamline administration operations and reduce the complexity of managing user access.
Overall, this integration enables organisations to achieve a balance between strong security and a user-friendly interface, building trust and confidence in this digital era.
More information:
IBM Security Verify
Blog for setting up Multi factor authentication using IBM Verify
Blog for setting up Password less MFA using IBM Verify
SAP BTP Trust and federation with identity providers
If you have any questions about SAP BTP, please refer to the SAP Community; for any questions about IBM Security Verify, refer to the IBM Security Verify Community.