SAP BTP Security & Identity Management

1. Home /
2. Trainings /
3. SAP BTP /
4. SAP BTP Security & Identity Management

Master SAP BTP security in this 2-day hands-on training. Learn to configure Identity Authentication Service (IAS), implement fine-grained authorization with XSUAA, set up principal propagation across landscapes, and apply security best practices for production SAP BTP applications.

Training Details

Duration	2 days (16 hours)
Level	Advanced
Delivery	In-person, Live online, Hybrid

Who Is This For?

• Security engineers managing SAP BTP application security
• Developers implementing authentication and authorization
• Architects designing identity and access management strategies
• Administrators configuring SSO and identity federation
• Teams preparing for production security audits

Learning Outcomes

After completing this training, you’ll be able to:

• Configure SAP Identity Authentication Service (IAS) tenants
• Implement XSUAA-based authorization with scopes and role collections
• Set up SSO with SAML 2.0 and OpenID Connect
• Configure principal propagation for on-premise connectivity
• Apply security best practices for BTP applications
• Audit and monitor security events

Detailed Agenda

Day 1: Identity and Authentication

Module 1: SAP BTP Security Architecture

• Trust configuration in BTP subaccounts
• Identity providers and trust relationships
• Authentication flow overview
• Security services landscape on BTP
• Hands-on: Configure trust between BTP and IAS

Module 2: Identity Authentication Service (IAS)

• IAS tenant setup and administration
• User management and group assignments
• Social and corporate identity provider integration
• Multi-factor authentication (MFA)
• Hands-on: Set up IAS with corporate IdP federation

Module 3: Single Sign-On

• SAML 2.0 configuration and assertions
• OpenID Connect (OIDC) integration
• Token exchange and federation
• Session management and logout
• Hands-on: Configure SAML SSO for BTP applications

Module 4: Identity Provisioning Service (IPS)

• User provisioning and deprovisioning
• Source and target system configuration
• Transformation mappings
• Provisioning job scheduling
• Hands-on: Set up identity provisioning between systems

Day 2: Authorization, Propagation, and Best Practices

Module 5: XSUAA Authorization

• xs-security.json configuration
• Scopes, attributes, and role templates
• Role collections and user assignments
• Instance-based authorization patterns
• Hands-on: Implement role-based access control in an application

Module 6: Token Management

• JWT token structure and validation
• Token exchange flows (user, client credentials, SAML bearer)
• Token caching and refresh strategies
• Service-to-service authentication
• Hands-on: Implement token exchange between services

Module 7: Principal Propagation

• Cloud Connector principal propagation setup
• On-premise system trust configuration
• X.509 certificate-based propagation
• End-to-end identity flow
• Hands-on: Configure principal propagation to on-premise SAP

Module 8: Security Operations and Best Practices

• Security audit logging
• SAP Cloud Identity Services monitoring
• Vulnerability assessment and compliance
• Security hardening checklist
• Hands-on: Set up security monitoring and audit trails

Prerequisites

• SAP BTP development experience (Cloud Foundry or Kyma)
• Understanding of OAuth 2.0 and token-based authentication
• Basic knowledge of SAML 2.0 and identity federation
• Familiarity with X.509 certificates and TLS

Delivery Formats

Format	Description
In-Person	On-site at your company’s location, hands-on with direct interaction
Live Online	Interactive virtual sessions with screen sharing and real-time labs
Hybrid	Combination of on-site and remote sessions, flexible scheduling

All formats include hands-on labs, course materials, and post-training support.