ClaudeWave
Skill | 336 repo stars | updated today

sap-btp-cloud-identity-services

SAP Cloud Identity Services on SAP BTP manages identity and access across cloud and on-premise systems through four integrated components: Identity Authentication provides OIDC/SAML-based single sign-on and user management; Identity Provisioning synchronizes users and groups across systems; Identity Directory serves as the central user store with SCIM 2.0 API; and Authorization Management enforces policy-based access control. Use this skill when configuring federated authentication, setting up user provisioning jobs, writing authorization policies, or migrating applications from XSUAA to IAS-based security.

Install in Claude Code

git clone --depth 1 https://github.com/secondsky/sap-skills /tmp/sap-btp-cloud-identity-services && cp -r /tmp/sap-btp-cloud-identity-services/plugins/sap-btp-cloud-identity-services/skills/sap-btp-cloud-identity-services ~/.claude/skills/sap-btp-cloud-identity-services
Then open a new Claude Code session; the skill loads automatically.

SKILL.md

# SAP Cloud Identity Services

SAP Cloud Identity Services are a group of services on SAP BTP that manage identity and access across cloud and on-premise systems. They provide single sign-on, user provisioning, and policy-based authorization.

The services comprise:

- **Identity Authentication (IAS)** — cloud-based authentication, SSO (OIDC/SAML 2.0), corporate IdP federation, conditional authentication, and user store management. Acts as the identity provider for SAP BTP applications.
- **Identity Provisioning (IPS)** — identity lifecycle management as a service. Synchronizes users and groups between source and target systems (SAP and non-SAP) with full and delta read modes, real-time provisioning, and transformation support.
- **Identity Directory** — the central user store. Provides SCIM 2.0 REST API, custom schemas, and generates the Global User ID distributed by IPS to SAP cloud applications.
- **Authorization Management (AMS)** — policy-based authorization for BTP applications. Developers define policies in Data Control Language (DCL); administrators refine and assign them via the administration console.

## Related Skills

- **sap-btp-connectivity** — destination service and connection authentication mechanics (OAuth client credentials, principal propagation through Cloud Connector)
- **sap-cap-capire** — CAP application-level auth usage (role templates, @requires annotations, cds deploy with xs-security.json)
- **sap-btp-best-practices** — high-level security governance and production deployment patterns
- **sap-btp-cloud-platform** — BTP account setup, subaccount configuration, service instance creation

## When to Use This Skill

- Registering an OIDC or SAML 2.0 application in IAS
- Configuring corporate identity provider federation (IdP proxy)
- Establishing trust between a BTP subaccount and an IAS tenant
- Setting up Identity Provisioning source/target systems and jobs
- Writing or refining AMS authorization policies (DCL)
- Migrating from XSUAA to IAS-based authentication
- Troubleshooting token validation, audience, or issuer mismatch errors
- Configuring conditional authentication (risk-based, MFA)
- Integrating IAS with the SAP BTP Identity service (automatic OIDC app creation)

## Quick Reference

| Service | Purpose | Key Objects |
|---------|---------|-------------|
| IAS | Authentication & SSO | Applications (OIDC/SAML), IdPs, conditional auth, user store |
| IPS | User/group provisioning | Source systems, target systems, proxy systems, transformations, jobs |
| Identity Directory | User persistence | Users, groups, custom schemas, Global User ID |
| AMS | Policy-based authorization | Authorization policies, DCL rules, policy templates, restrictions |

## Identity Authentication (IAS)

IAS is the entry point for authentication in SAP BTP applications. It supports OIDC and SAML 2.0 protocols, acts as an identity provider or a proxy to corporate IdPs, and provides conditional authentication based on user attributes, email domain, user group, or IP range.

### Application Registration

Register applications in the IAS admin console under **Applications and Resources** > **Applications**. Each application defines:
- **Application Type** — OIDC or SAML 2.0
- **Trust Configuration** — SP metadata upload (SAML) or redirect URIs (OIDC)
- **Authentication** — method, conditional rules, IdP selection
- **User Attributes** — which attributes are sent in tokens/assertions

When using the **SAP BTP Identity service** (`xsuaa` replacement), the service instance automatically creates an OIDC application in IAS. No manual registration is needed.
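Added example, not part of the skill or of any SAP library: checking the claims of an IAS-issued OIDC token against the tenant URL and the application's OIDC client ID, which is where the issuer and audience mismatches listed under troubleshooting surface. The tenant URL, client ID and token contents are constructed sample values; signature verification against the tenant's JWKS is assumed to have succeeded first and is not shown.

```python
import base64
import json
import time

class TokenValidationError(Exception):
    """A claim does not match the trust configured for this application."""

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_sample_token(claims: dict) -> str:
    """Constructed token for this demo only: the signature segment is a placeholder.
    Real IAS tokens are RS256-signed and must be verified against the tenant JWKS."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return ".".join([header, _b64url(json.dumps(claims).encode()), "placeholder-signature"])

def decode_claims(token: str) -> dict:
    """Return the payload claims; this does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenValidationError("not a compact JWS: expected header.payload.signature")
    return json.loads(_unb64url(parts[1]))

def check_claims(claims: dict, tenant_url: str, client_id: str, now=None) -> str:
    """Check iss, aud, exp and nbf against the configured trust; return the subject.
    Call this only after signature verification succeeded."""
    now = time.time() if now is None else now
    # iss must equal the IAS tenant URL exactly (scheme and host, no trailing slash).
    # A trust that still points at another tenant, or at XSUAA, fails here first.
    if claims.get("iss") != tenant_url:
        raise TokenValidationError(f"issuer mismatch: {claims.get('iss')!r} != {tenant_url!r}")
    # aud is a string or a list; the OIDC client ID of this application must be in it.
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if client_id not in aud:
        raise TokenValidationError(f"audience mismatch: {aud} lacks client {client_id!r}")
    if "exp" not in claims or now >= claims["exp"]:
        raise TokenValidationError("token expired or missing exp")
    if now < claims.get("nbf", 0):
        raise TokenValidationError("token not yet valid (nbf in the future)")
    return claims["sub"]
```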

### Corporate IdP Federation

IAS can act as a proxy: end users authenticate at a corporate IdP (Azure AD, Okta, etc.), and IAS bridges the token for SAP applications. Configure under **Applications and Resources** > **Corporate Identity Providers**.

For details, see `references/identity-authentication.md`.

## Identity Provisioning (IPS)

IPS synchronizes users and groups between systems. It supports source, target, and proxy system types with configurable transformations and scheduling.

### Key Concepts

- **Source systems** — read users/groups from (e.g., SAP SuccessFactors, Azure AD, SAP S/4HANA Cloud)
- **Target systems** — write users/groups to (e.g., IAS tenant, SAP BTP XSUAA, SAP Analytics Cloud)
- **Proxy systems** — hybrid scenarios where IPS reads from one system and writes through another
- **Transformations** — JSON-based attribute mappings between source and target schemas
- **Jobs** — scheduled or on-demand provisioning runs (full or delta read)
- **Real-time provisioning** — immediate entity propagation from source to target
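Added example, not the IPS engine or any SAP code: a simplified Python model of how a transformation's `sourcePath`/`targetPath` mappings rewrite a source user into the target schema, including the `optional` flag for attributes the source may lack. The sample user and mapping are constructed; the mapping keys follow the shape of IPS transformation JSON as an assumption, and the path handling covers only dotted keys and integer indexes.

```python
import re

# Constructed sample input, not tenant data: a SCIM-style source user and a mapping in the
# sourcePath/targetPath/constant/optional shape that IPS transformation JSON uses.
SOURCE_USER = {"userName": "jdoe", "emails": [{"value": "jane.doe@example.com"}], "active": True}
MAPPING = {"user": {"mappings": [
    {"constant": "urn:ietf:params:scim:schemas:core:2.0:User", "targetPath": "$.schemas[0]"},
    {"sourcePath": "$.userName", "targetPath": "$.userName"},
    {"sourcePath": "$.emails[0].value", "targetPath": "$.emails[0].value"},
    {"sourcePath": "$.phoneNumbers[0].value", "targetPath": "$.phoneNumbers[0].value", "optional": True},
    {"sourcePath": "$.active", "targetPath": "$.active"},
]}}
_STEP = re.compile(r"\.([A-Za-z_][A-Za-z0-9_]*)|\[(\d+)\]")

def parse_path(path):
    """'$.emails[0].value' -> ['emails', 0, 'value']: dotted keys and integer indexes."""
    if not path.startswith("$"):
        raise ValueError(f"path must start with '$': {path}")
    return [int(idx) if idx else key for key, idx in _STEP.findall(path[1:])]

def get_path(obj, keys):
    # Walk the path; None means the attribute is absent from the source record.
    for k in keys:
        try:
            obj = obj[k]
        except (KeyError, IndexError, TypeError):
            return None
    return obj

def _put(container, k, value):
    if isinstance(k, int):  # grow the list so that index k exists
        container.extend([None] * (k + 1 - len(container)))
    container[k] = value

def set_path(obj, keys, value):
    # Create intermediate dicts/lists on demand: a list when the next step is an index.
    for k, nxt in zip(keys, keys[1:]):
        child = get_path(obj, [k])
        if child is None:
            child = [] if isinstance(nxt, int) else {}
            _put(obj, k, child)
        obj = child
    _put(obj, keys[-1], value)

def transform(source, mapping):
    """Build the target record; a missing source attribute fails the entity unless optional."""
    target = {}
    for m in mapping["user"]["mappings"]:
        value = m["constant"] if "constant" in m else get_path(source, parse_path(m["sourcePath"]))
        if value is None:
            if m.get("optional"):
                continue  # absent optional attribute: simply not written to the target
            raise ValueError(f"required source attribute missing: {m.get('sourcePath')}")
        set_path(target, parse_path(m["targetPath"]), value)
    return target
```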

For details, see `references/identity-provisioning.md`.

## Authorization Management (AMS)

AMS enables policy-based, instance-level authorization for BTP applications. Developers define authorization policies in **Data Control Language (DCL)** — an SQL-like language — and deploy them with the application. Administrators refine policies in the IAS admin console.

### Policy Lifecycle

1. **Developer** defines policies in DCL and deploys with the application
2. **Base policies** appear in the IAS admin console under **Authorization Policies**
3. **Administrator** creates custom policies (copies of base) with refined restrictions
4. **Administrator** assigns policies to users via groups

### DCL Example

```sql
DEFINE POLICY SalesOrderAccess
  AS (SELECT FROM SalesOrder
      WHERE buyer = CONTEXT('userIdentityLogonName')
      OR region = CONTEXT('userAttributes.region'));
```

For details, see `references/authorization-management.md`.

## XSUAA to IAS Migration

SAP is migrating BTP authentication from XSUAA (SAP Authorization and Trust Management Service) to Cloud Identity Services. The recommended posture:

- **New BTP applications**: Use the **Identity service** (BTP service) + IAS. The Identity service automates OIDC application creation in IAS.
- **Existing XSUAA applications**: Coexistence is