1. Connect Identity Provisioning with IAG

2. Create Proxy System for Cloud Foundry In the IPS

3. Create an instance for Cloud Foundry in the IAG

4. Run the repository synch job to sync user data and provision access requests.

1.Connect Identity Provisioning with IAG

The following step is applicable for an Identity Provisioning bundle tenant was created or updated on the SAP Cloud Identity (SCI) platform for use with SAP Cloud Identity Access Governance.

The URL for Identity Provisioning is as follows:

https://UNIQUEID.accounts.ondemand.com/ips

1. Login to the IAS > User & Authorizations > Administrators > Add System user and provide the Access Proxy System API access. Note down the Client ID and Secret ( Once Secret is generated, you cannot retrieve or change it.)

2. Login to the IAG BTP Subaccount and create a destination with the name IPS_PROXY as shown in the table below.

3. Enter the Properties listed in the table below for the destination. All properties must be entered. Some properties must be added as Additional Properties. Copy the names of all properties as displayed. Property names and values are case sensitive.

4. Check the Use default JDK truststore checkbox.

5. Save your entries.You can test the destination in the BTP Cockpit. However, the URL does not point to a valid API for Identity Provisioning, and shows green status, but HTTP 301 or similar.

2.Create Proxy System for Cloud Foundry In the IPS

Need to create a proxy system to enable Cloud Foundry to connect with the IAG Subaccount. Before create a proxy system, please create the Service Key in the SAP BTP Subaccount.

2.1) How to create a service key in the SAP BTP Subaccount?

Login to the BTP Subaccount and make sure your id is added as Org Manager in the Org Managers of the BTP Subaccount.

Go to space and Click Create Space and assign Space Developer and Space Manager Role to you. If space is already created make sure you are assigned with Space Developer and Space Manager role.

Space Creation

Go to Instances and Subscriptions >Instances > Create

Service Key Creation

Please note down the apiurl, url, Client Id, Secret from the service key once it created.

2.2)Create a Proxy System

1. Open your Identity Provisioning Launchpad.

2. Copy the external system ID and use it to set up the Cloud Foundry instance in the Systems app.

3. Add a proxy system for Cloud Foundry and choose Save. The Type should be SAP BTP XS Advanced UAA.

   Type	SAP HANA XS Advanced UAA Server
   System Name	XSUAA
   Destination Name
   Description	XSUAA test system

4. Enter the Properties as shown in below table

   Type=HTTP Authentication=BasicAuthentication ProxyType=Internet URL=<<apiurl_FROM_STEP_2.1_ABOVE>> OAuth2TokenServiceURL=<<URL_FROM_STEP_2.1_ABOVE>>+/oauth/token User=<<CLIENT_ID_FROM_STEP_2.1_ABOVE>> Password=<< SECRET_FROM_STEP 2.1_ABOVE>> xsuaa.origin=Enter the location of your identity provider. To do this: Open your SAP BTP cockpit. Go to your Cloud Foundry global account and choose your subaccount. From the left-side navigation, choose Trust Configuration. Copy/paste the Origin Key value. xsuaa.origin.filter.enabled=true scim.support.patch.operation=true xsuaa.patch.response.with.resource=false

3.Create an instance for Cloud Foundry in the IAG

1. Log into the SAP Cloud Identity Access Governance launchpad and open the Application app.

2. Create a system for Cloud Foundry. For System Type, select Cloud Foundry.

3. Enter the external system ID mentioned in step 2.2 in the section Create Proxy system and Save.

4.Run the repository synch job to sync user data and provision access requests.

In the SAP Cloud Identity Access Governance launchpad, open the Job Scheduler app. In the Job Category dropdown list, schedule the following jobs:

• Repository Sync to synchronize the relevant data from Cloud Foundry to the access request service.

  In the System Type dropdown list, select Cloud Foundry.

  In the System dropdown list, select the configured Cloud Foundry System.