3 Setup trust with SAP Cloud Identity Tenant

Choose which SAP Cloud Identity Tenant to be used. All business users will later authenticate against
this tenant. You need access as an administrator for application to this tenant for the following.

1. Login into the chosen SAP Cloud Identity Tenant.

2. At the SAP Cloud Identity Administration Console go to Application & Resources à Tenant Settings,
choose SAML 2.0 Configuration and click on “Download Metadata File” to download the SAP Cloud
Identity Tenant metadata

3. Go to Applications, choose Add to Add Custom Application (SCP Account), choose a name, for
example SAP Cloud for Real Estate, and click Save
 4. Go to SAML 2.0 Configuration for the newly created application, click on Browse next to the input
field for Metadata File and upload the SCP Account Identity Provider metadata downloaded previously
in Section 2 “Setup Local Service Provider Details in SAP Cloud Platform (SCP) Account”, step 11. Verify
that the Name matches the Local Provider Name from Section 2 and click Save.
5. Go to Name ID Attribute for the just created application and choose Login Name as Name ID
Attribute. Click Save.

The oAuth2-based communication between SCP and S/4 HANA Cloud Edition requires that the Logon
Alias of all involved users in your SAP Cloud Identity Tenant equals the Logon Alias of the corresponding
business users in the S/4 HANA Cloud Edition system.

6. If you are using the SAP Cloud Identity Tenant with a Corporate Identity Provider, go to Identity
Provider for the created application and choose the correct identity provider. Click Save.
7. Login into the SCP Cockpit

8. In the SCP Account overview navigate to Security àTrust

9. Select the Application Identity Provider tab and click on Add Trusted Identity Provider.
10. Upload the SAP Cloud Identity Tenant metadata from step 2 of this section.

11. Click Save.