Feedback for "Setting Up Authentication" #19

Closed
ncktz-cbs opened this issue Mar 7, 2023 · 16 comments

@ncktz-cbs

https://help.sap.com/docs/btp/best-practices/setting-up-authentication

According to slide 20 of the SAP S/4HANA Cloud 3-system landscape - Onboarding Guide, SAP recommends connecting the non-productive IAS to the non-productive S/4HANA Cloud environments and the productive IAS to the productive S/4HANA Cloud environment and CALM.

Unfortunately, we cannot find any clear recommendation for the IAS setup for BTP. Do you recommend the same setup here (non-productive IAS for non-productive subaccounts, productive IAS for productive accounts)? Even for dev or test environments, we work with ‘productive’ identities. For this reason and from our point of view, these subaccounts should be connected to a productive IAS or at least the productive Azure AD. According to our experience, the non-productive AD is usually just used for internal testing purposes and never connected to any enterprise applications.

If this is SAP’s recommendation, this also means that the configuration effort for groups and group assignments doubles compared to the setup of just using the productive IAS for all subaccounts that we usually see. Or is there any transport mechanism for delta changes planned from one IAS to another that could reduce these efforts? Alternatively, the groups could be assigned in AD, but as per our understanding, SAP’s strategic recommendation is to assign the groups in the IAS and not in AD. Is this correct?

@annawenger20
Contributor

Thanks a lot for the feedback. Our colleague @ValAta will look into this.

@annawenger20 annawenger20 added the ua-review Under review by the UA team. label Mar 8, 2023
@ncktz-cbs
Author

Hi Anna,

any updates on this topic?
As we are currently discussing how to use the provided IAS tenants in our BTP introduction project, it would be great if an official SAP recommendation could be added to the best practice guide as soon as possible.

Thanks a lot,
Nico

@ValAta ValAta removed their assignment Mar 20, 2023
@ValAta

ValAta commented Mar 20, 2023

Hi @ncktz-cbs,
Sorry for the delay. I forwarded this question to the dev team. I'll update you ASAP.
BR,
Valentin

@annawenger20 annawenger20 added the follow-up-with/dev Clarification with development needed. label Mar 20, 2023
@ValAta ValAta added the in-discussion This item is being discussed internally label Mar 21, 2023
@ValAta

ValAta commented Mar 22, 2023

Hi Nico,
Thank you for your patience. Unlike the recommendation for the setup Identity Authentication - S/4HANA Cloud, there is no recommendation for the Identity Authentication - SAP BTP setup. So these trust settings: test subaccount - test or productive tenant, and productive subaccount - test or productive tenant should be fine.
BR,
Valentin

@ncktz-cbs
Author

Hi Valentin,

during the DSAG technology days, we had various discussions with SAP colleagues. They also see the sense of a more granular recommendation for the future IAS setup: this includes not only the landscape but also topics such as when user provisioning is required.
One of them will reach out to you and explain our expectations in more detail, so you could work out these recommendations internally. Please feel free to keep us in the loop if you require any feedback loops.

Thanks a lot
Nico

@ValAta

ValAta commented Mar 24, 2023

Hi Nico,
That will be very helpful.
BR,
Valentin

@ValAta ValAta closed this as completed Mar 24, 2023
@ncktz-cbs
Author

Hi Valentin,

Can you please reopen this ticket until the described discussion is completed and IAS-specific best practices have been added to the best practice guide?

Thanks a lot
Nico

@ValAta ValAta reopened this Mar 24, 2023
@ValAta

ValAta commented Mar 24, 2023

Hi Nico,
I misunderstood you. I thought that your colleague was going to reach me through the mail.
I reopened the issue again.
BR,
Valentin

@ValAta ValAta added the needs-more-info We need more info from the contributor to proceed label Mar 24, 2023
@ValAta

ValAta commented Apr 24, 2023

Hi Nico,
I hope you are doing well. Do you have any information about the feedback from the DSAG community? No one has contacted me so far.
Thanks in advance!
Best regards,
Valentin

@ncktz-cbs
Author

Hi Valentin,

feel free to reach out to your colleague Regine Schimmer. So far, we are still waiting for any suggestions from SAP.

Best regards
Nico

@je-hal

je-hal commented Jun 12, 2023

@ValAta : This issue has been open for 96 days - do you have any update? Thanks!

@ValAta

ValAta commented Jun 12, 2023

Hi @je-hal,
I got in touch with the colleagues. They expect to receive a statement from the DSAG BTP / Security workgroup members within a week. After they study the statement, they'll reach me to figure out how to implement it in the documentation.
BR,
Valentin

@ValAta ValAta added the follow-up-with/pm Clarification with product management needed. label Jun 12, 2023
@ValAta

ValAta commented Jul 10, 2023

Hi Nico,
Thanks for the feedback document from the DSAG community. These are the action items that we are taking on:

  • Publish the Integration Guide on Open Doc
  • Preview with the integrated feedback by the end of July
  • Official release – end August

Best regards,
Valentin

@ValAta

ValAta commented Aug 21, 2023

Hi @ncktz-cbs,
Just a quick update - you can now provide feedback for the System Integration Guide for SAP Cloud Identity Services on GitHub.
BR,
Valentin

@ncktz-cbs
Author

Thanks, Valentin! As communicated directly to your colleagues, I think it's a great first step in the right direction. Looking forward to additional updates to the best practice guide that address the remaining open points.

@annawenger20 annawenger20 added type/content-gaps Something essential is missing in the documentation. contribution Valuable Contribution labels Nov 27, 2023
@annawenger20
Contributor

Hi @ncktz-cbs
I'll close this issue as we've added a recommendation for SAP Cloud Identity Services as well as a link to the respective onboarding guide. Thanks a lot for your valuable contribution.
Anna
