XSUAA Provider
Overview of XSUAA
The SAP BTP XSUAA service (Extended Service for User Authentication and Authorization) is an OAuth 2.0 authorization server that lets you manage user authorizations and trust to identity providers. Identity providers are the user base for applications.
Key capabilities of XSUAA include:
- Integration with identity providers like Azure AD, Okta, Ping Identity to support single sign-on
- Issuing OAuth 2.0 access tokens for authentication and authorization
- User management features like creating and managing users, groups, role collections
- Fine-grained authorization by assigning roles and scopes
By configuring Salesforce and the BTP XSUAA service to use the same identity provider (like Azure AD), seamless SSO can be achieved from Salesforce to SAP backends via validate OAuth tokens.
Question:
If we have connected Salesforce to an Identity Provider (Azure AD, Ping Identity, Okta) why do we need to configure another identity provider (XSUAA)?
Answer:
To enable the Salesforce users to authenticate to the SAP ERP backend server without managing passwords, usage of the SAP Cloud Connector Principal Propagation is required. In order to use Principal Propagation, Salesforce will need to authenticate using OAuth bearer tokens issued by BTP XSUAA. Configuration of the XSUAA identity provider that relays authentication to the same authentication provider Salesforce is configured for SSO, allows for seamless authentication to BTP and in turn the back-end SAP system.