[FEATURE] Managing SAP Cloud Identity (IAS) via Terraform

[lechnerc77]

What area do you want to see improved?

other

Is your feature request related to a problem? Please describe.

Currently the Terraform Provider supports all resources and configurations exposed via the BTP CLI.
In order to enable an end2end flow especially from the perspective auf security setup and IAS perspective it would be great to have a dedicated provider for the SAP IAS i.e. its configuration.

Describe the solution you would like

A dedicated provider for IAS configuration exists and can be combined with the existing providers like the one for SAP BTP to enable end2end provisioning flows.

Describe alternatives you have considered

Usage of APIs for IAS, which is a workaround but breaks the IaC/Terraform flow

Additional context

n/a

[github-actions]

Thanks for the feature request. We evaluate it and update the issue accordingly.

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[CHERIANS]

SAP Cloud Identity Service API's https://api.sap.com/package/SCPIdentityServices/rest

[lechnerc77]

Example for a scenario that we heard from customers is the combination of Microsoft Entra ID and IAS to secure their system landscape. The setup procedure they follow is described in the Microsoft documentation: https://learn.microsoft.com/en-us/entra/fundamentals/scenario-azure-first-sap-identity-integration. This configuration should be rolled out in a stable and repeatable manner.

According to the customer feedback the configuration is done leveraging a two stage approach for IAS. The setup reflects the organizational structure of the customers. Consequently, the configuration might differ per legal entity and/or org unit.

[lechnerc77]

To the supporters of this request @olfolfolf, @Kaefermade, @jumu75, @BerndReichel, @sebastianesch, @ChristianAicher, @SeanKilleen, and @rothandreas: Would be great if you could add the scenarios you would like to see the provider in your setup and challenges you are currently facing because you are not having this provider.

[jumu75]

Hi @lechnerc77,

we are a company with a lot of Auxiliary workers which have no Active Directory account and they should leverage the IAS for external Authentication to use SAP BTP applications.
The manager and supervisors of newly employed Auxiliary workers should use a tool like e.g. Microsoft Forms to input all necessary account information like surname, last name, login, privat E-Mail address.
With this information we want to use Terraform to automatically create IAS User for authentication.

It would be great if such a solution could be possible.

Thanks in
Best regards
Jürgen

[rothandreas]

Hi @lechnerc77,
Focus for me would be the IAS Tasks to be done to finalize the Setup of a new Subaccount. Means Config of IAS Applications - nothing else.
Benefit: One Tool (Terraform) who could handle End to End Setup of an Subaccount (Avoiding using Cli´s were possible)

A Provider who would be capable of setting the following Values:

1. IAS Application Name/Settings
2. Set Values in Subject Name Identifier
3. Apply Function to Subject Name Identifier
4. Conditional Authentication -> "Default Authenticating Identity Provider"

Would be good enough for us
Andreas

[SeanKilleen]

@lechnerc77 I'll do my best to give a quick summary, happy to go deeper.

We provide two subaccounts to our customers for the 05-Deliver and 06-Consume scenarios in which they consume our application from the marketplace. We allow customers to bring whatever IdP is supported by CIS. Automating as much of that setup as possible would be great. My goal is to be able to add the requisite information to a terraform config for an incoming client and have the 05 and 06 environment be provisioned according to their needs.

[lechnerc77]

@SeanKilleen @rothandreas @jumu75 Thanks a lot for your fast responses and the sceanrios!

[sebastianesch]

Hi @lechnerc77,

I would like to extend the scenario from Andreas and also additionally configure the Attributes sent to the Application and create Authorization Policies for Applications / create Groups in Cloud Identity Service.

This would allow to automate the complete Subaccount / Application onboarding process.

Kind regards,
Sebastian

[ChristianAicher]

Hi Christian, more or less same as Andreas Roth with a little extension: 1. IAS Application Name/Settings 2. Set Values in Subject Name Identifier 3. Apply Function to Subject Name Identifier 4. Conditional Authentication -> "Default Authenticating Identity Provider" 5. Single Sign-On -> Attributes 6. Configure Requests to Corporate Identity Providers -> Configure Issuer Name -> Suffix Later may be housekeeping tasks: * cleanup of unused applications * certificate lifecycle management for custom domain certificates * enforce Multi-Factor Authentication for Administrators? * renewal of password of technical useres (IAS and Destination Subaccount) Best regards, Christian Christian Aicher Platform Operations | IT +49 6181 59 15825 | ***@***.******@***.***> Evonik Industries AG Visitors: Clara-Immerwahr-Str. 3 | 63457 Hanau- Wolfgang | Germany Postal: Rodenbacher Chaussee 4 | 63457 Hanau-Wolfgang | Germany www.evonik.com<https://www.evonik.com/> LinkedIn<https://www.linkedin.com/company/evonik> | Twitter<https://twitter.com/evonik> | Instagram<https://www.instagram.com/evonikofficial> | Facebook<https://www.facebook.com/evonik> Supervisory Board: Bernd Tönjes, Chairman Executive Board: Christian Kullmann, Chairman | Dr. Harald Schwager, Deputy Chairman | Maike Schuh | Thomas Wessel Registered Office: Essen | Register Court: Local Court Essen | Commercial Registry B 19474

…

________________________________ Von: Christian Lechner ***@***.***> Gesendet: Dienstag, 23. April 2024 08:02 An: SAP/terraform-provider-btp ***@***.***> Cc: Aicher, Christian ***@***.***>; Mention ***@***.***> Betreff: Re: [SAP/terraform-provider-btp] [FEATURE] Managing IAS via Terraform (Issue #749) [ EXTERNAL MAIL - Don't open unknown links or attachments<https://evonik.com/phishing> ] To the supporters of this request @olfolfolf<https://github.com/olfolfolf>, @Kaefermade<https://github.com/Kaefermade>, @jumu75<https://github.com/jumu75>, @BerndReichel<https://github.com/BerndReichel>, @sebastianesch<https://github.com/sebastianesch>, @ChristianAicher<https://github.com/ChristianAicher>, @SeanKilleen<https://github.com/SeanKilleen>, and @rothandreas<https://github.com/rothandreas>: Would be great if you could add the scenarios you would like to see the provider in your setup and challenges you are currently facing because you are not having this provider. — Reply to this email directly, view it on GitHub<#749 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/BHES5355I3IK4MLDWL7TRVLY6X2RDAVCNFSM6AAAAABFBCEYEKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDANZRGQ3TENJUGE>. You are receiving this because you were mentioned.Message ID: ***@***.***>