[FEATURE] Managing IAS via Terraform #749
Comments
lechnerc77
added
enhancement
|
Thanks for the feature request. We evaluate it and update the issue accordingly. Community NoteVoting for Prioritization
Volunteering to Work on This Issue
|
|
SAP Cloud Identity Service API's https://api.sap.com/package/SCPIdentityServices/rest |
|
Example for a scenario that we heard from customers is the combination of Microsoft Entra ID and IAS to secure their system landscape. The setup procedure they follow is described in the Microsoft documentation: https://learn.microsoft.com/en-us/entra/fundamentals/scenario-azure-first-sap-identity-integration. This configuration should be rolled out in a stable and repeatable manner. According to the customer feedback the configuration is done leveraging a two stage approach for IAS. The setup reflects the organizational structure of the customers. Consequently, the configuration might differ per legal entity and/or org unit. |
|
To the supporters of this request @olfolfolf, @Kaefermade, @jumu75, @BerndReichel, @sebastianesch, @ChristianAicher, @SeanKilleen, and @rothandreas: Would be great if you could add the scenarios you would like to see the provider in your setup and challenges you are currently facing because you are not having this provider. |
|
Hi @lechnerc77, we are a company with a lot of Auxiliary workers which have no Active Directory account and they should leverage the IAS for external Authentication to use SAP BTP applications. It would be great if such a solution could be possible. Thanks in |
|
Hi @lechnerc77, A Provider who would be capable of setting the following Values:
Would be good enough for us |
|
@lechnerc77 I'll do my best to give a quick summary, happy to go deeper. We provide two subaccounts to our customers for the 05-Deliver and 06-Consume scenarios in which they consume our application from the marketplace. We allow customers to bring whatever IdP is supported by CIS. Automating as much of that setup as possible would be great. My goal is to be able to add the requisite information to a terraform config for an incoming client and have the 05 and 06 environment be provisioned according to their needs. |
|
@SeanKilleen @rothandreas @jumu75 Thanks a lot for your fast responses and the sceanrios! |
|
Hi @lechnerc77, I would like to extend the scenario from Andreas and also additionally configure the Attributes sent to the Application and create Authorization Policies for Applications / create Groups in Cloud Identity Service. This would allow to automate the complete Subaccount / Application onboarding process. Kind regards, |
|
Hi Christian,
more or less same as Andreas Roth with a little extension:
1.
IAS Application Name/Settings
2.
Set Values in Subject Name Identifier
3.
Apply Function to Subject Name Identifier
4.
Conditional Authentication -> "Default Authenticating Identity Provider"
5.
Single Sign-On -> Attributes
6.
Configure Requests to Corporate Identity Providers -> Configure Issuer Name -> Suffix
Later may be housekeeping tasks:
*
cleanup of unused applications
*
certificate lifecycle management for custom domain certificates
*
enforce Multi-Factor Authentication for Administrators?
*
renewal of password of technical useres (IAS and Destination Subaccount)
Best regards,
Christian
Christian Aicher
Platform Operations | IT
+49 6181 59 15825 | ***@***.******@***.***>
Evonik Industries AG
Visitors: Clara-Immerwahr-Str. 3 | 63457 Hanau- Wolfgang | Germany
Postal: Rodenbacher Chaussee 4 | 63457 Hanau-Wolfgang | Germany
www.evonik.com<https://www.evonik.com/>
LinkedIn<https://www.linkedin.com/company/evonik> | Twitter<https://twitter.com/evonik> | Instagram<https://www.instagram.com/evonikofficial> | Facebook<https://www.facebook.com/evonik>
Supervisory Board: Bernd Tönjes, Chairman
Executive Board: Christian Kullmann, Chairman | Dr. Harald Schwager, Deputy Chairman | Maike Schuh | Thomas Wessel
Registered Office: Essen | Register Court: Local Court Essen | Commercial Registry B 19474
…________________________________
Von: Christian Lechner ***@***.***>
Gesendet: Dienstag, 23. April 2024 08:02
An: SAP/terraform-provider-btp ***@***.***>
Cc: Aicher, Christian ***@***.***>; Mention ***@***.***>
Betreff: Re: [SAP/terraform-provider-btp] [FEATURE] Managing IAS via Terraform (Issue #749)
[ EXTERNAL MAIL - Don't open unknown links or attachments<https://evonik.com/phishing> ]
To the supporters of this request @olfolfolf<https://github.com/olfolfolf>, @Kaefermade<https://github.com/Kaefermade>, @jumu75<https://github.com/jumu75>, @BerndReichel<https://github.com/BerndReichel>, @sebastianesch<https://github.com/sebastianesch>, @ChristianAicher<https://github.com/ChristianAicher>, @SeanKilleen<https://github.com/SeanKilleen>, and @rothandreas<https://github.com/rothandreas>: Would be great if you could add the scenarios you would like to see the provider in your setup and challenges you are currently facing because you are not having this provider.
—
Reply to this email directly, view it on GitHub<#749 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/BHES5355I3IK4MLDWL7TRVLY6X2RDAVCNFSM6AAAAABFBCEYEKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDANZRGQ3TENJUGE>.
You are receiving this because you were mentioned.Message ID: ***@***.***>
|
What area do you want to see improved?
other
Is your feature request related to a problem? Please describe.
Currently the Terraform Provider supports all resources and configurations exposed via the BTP CLI.
In order to enable an end2end flow especially from the perspective auf security setup and IAS perspective it would be great to have a dedicated provider for the SAP IAS i.e. its configuration.
Describe the solution you would like
A dedicated provider for IAS configuration exists and can be combined with the existing providers like the one for SAP BTP to enable end2end provisioning flows.
Describe alternatives you have considered
Usage of APIs for IAS, which is a workaround but breaks the IaC/Terraform flow
Additional context
n/a
The text was updated successfully, but these errors were encountered: