Credential Management
This section explains how to configure and manage credentials required for integrating ReleaseOwl with SAP Cloud Platform Integration (CPI). Credential management ensures secure communication between ReleaseOwl and SAP systems using both system-level and user-level authentication mechanisms.
CPI (Cloud Platform Integration)
The CPI domain manages credentials required for securing integration scenarios and internal SAP communications. It supports:
System-to-system authentication (Service Keys)
User-based authentication (Web Authentication)
Service Keys (System-to-System Authentication)
Service Keys are used for automated, system-level authentication. They allow ReleaseOwl to communicate securely with SAP Integration Suite without any user interaction.
ReleaseOwl requires a Process Integration Runtime (PIR) instance in SAP BTP to manage and deploy CPI artifacts. Two PIR service plans are required:
API Plan – for programmatic API access
IFLOW Plan – for managing and testing iFlows
1. API Plan – for programmatic API access
Purpose: This instance enables programmatic access via APIs for integration, automation, and artifact management tasks.
Steps:
Log in to your SAP BTP Cockpit.
Navigate to your Global Account > Subaccount.
Go to Instances and Subscriptions from the left menu.

Click on Create.
In the "New Instance or Subscription" wizard:
Service: SAP Process Integration Runtime
Plan: api
Runtime Environment: Cloud Foundry
Space: Select your development space (e.g., dev)
Instance Name: Choose a name like CPI_API_Instance
Click Next, then Create.

Note: The api plan provides programmatic access to the SAP Process Integration Runtime, allowing you to connect via APIs for integration tasks.
Assign Required Roles
In the Parameters step, assign the following roles to allow artifact management:
Role | Description
MessagePayloadsRead | Read message payloads in the integration runtime.
MonitoringDataRead | View monitoring data for integration flows.
TraceConfigurationEdit | Edit tracing configurations.
TraceConfigurationRead | View current tracing configuration.
WorkspaceArtifactsDeploy | Deploy artifacts from workspace to runtime.
WorkspacePackagesConfigure | Configure packages, parameters, and dependencies.
WorkspacePackagesRead | Read-only access to integration packages.
WorkspacePackagesEdit | Modify and configure integration packages.

Create Service Key (for api plan)
After instance creation:
Go to Instances and Subscriptions.
Expand your newly created api instance.
Click Create Service Key.
Enter a name (e.g., cpi-api-key) and leave parameters blank.
Click Create.

Click View Credentials to retrieve:
Client ID
Client Secret
Token URL

Register SAP CPI (API Access) Credential in ReleaseOwl
Credential registration enables secure communication between ReleaseOwl and SAP CPI environments.
✅ Steps:
Log in to the ReleaseOwl Platform.
Go to Administration > Credential Manager.

Click Register Credential.
Fill in the details:
Credential Name: Any identifiable name for the credential.
Authentication Type: Select OAuth2
Client ID: Provide the details from the above created API service key.
Client Secret: Provide the details from the above created API service key.
Token URL: Provide the details from the above created API service key.
Click Save.
The credential will now appear in your list and can be used in pipelines and deployments.

2. IFLOW Plan – for managing and testing iFlows
This is used for managing and testing integration artifacts (iFlows).
✅ Steps:
Go to your SAP BTP Cockpit.
Select your subaccount that hosts SAP CPI.
Go to Services > Service Marketplace.
Select SAP Process Integration Runtime → Click Create.
Fill in the following:
Service: SAP Process Integration Runtime
Plan: IFLOW
Runtime Environment: Cloud Foundry
Space: Provide the appropriate space (e.g., dev)
Instance Name: (e.g., CPI_IFLOW_Instance)

Click Next and then Create.

Create Service Key (for IFLOW plan)
The IFlow plan service key is required to execute test cases from ReleaseOwl.
Navigate to Instances and Subscriptions.
Locate the IFLOW instance.
Click Actions > Create Service Key.
Enter a name for the key (e.g., cpi-iflow-key) → Click Create.

Click on the service key name to view the key details.
You will need these values when setting up ReleaseOwl credentials.

Register SAP CPI Credential (Iflow) in ReleaseOwl
This step allows ReleaseOwl to securely interact with CPI for artifact deployment and management via the IFLOW plan.
Steps:
Navigate to Credential Manager from the Administration menu in the ReleaseOwl Platform.
Click Register Credential.
Set the Credential Type to SAP Cloud Environment.
Fill in the following details:
Credential Name: Enter a meaningful name (e.g., CPI IFLOW Credential)
Authentication Type: Select OAuth2
Client ID: Provide the details from the above created IFLOW service key.
Client Secret: Provide the details from the above created IFLOW service key.
Token URL: Provide the details from the above created IFLOW service key.
Click Save.
The new credential will now appear in the List of Credentials and can be used in Release Pipelines for IFLOW deployments.
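A pre-registration check for the two service keys created above, as an added example (not ReleaseOwl or SAP code). It assumes the key is saved as JSON with an "oauth" object holding clientid, clientsecret and tokenurl; the sample keys and host names are constructed.

```python
import json
from urllib.parse import urlsplit

# Constructed sample keys (not real). The {"oauth": {...}} layout and the
# field names clientid / clientsecret / tokenurl are assumptions.
API_KEY = json.dumps({"oauth": {
    "clientid": "sb-api-0001", "clientsecret": "constructed-secret-A",
    "tokenurl": "https://tenant.authentication.example.com/oauth/token"}})
IFLOW_KEY = json.dumps({"oauth": {
    "clientid": "sb-iflow-0002", "clientsecret": "constructed-secret-B",
    "tokenurl": "https://tenant.authentication.example.com/oauth/token"}})

FIELDS = {"clientid": "Client ID", "clientsecret": "Client Secret",
          "tokenurl": "Token URL"}

def extract_credential(key_text):
    """Return the three values ReleaseOwl asks for, or raise ValueError."""
    oauth = json.loads(key_text).get("oauth", {})
    missing = [label for name, label in FIELDS.items() if not oauth.get(name)]
    if missing:
        raise ValueError("service key is missing: " + ", ".join(missing))
    url = urlsplit(oauth["tokenurl"])
    if url.scheme != "https" or not url.hostname:
        raise ValueError("Token URL must be an absolute https:// URL")
    if url.username or url.password or url.query or url.fragment:
        raise ValueError("Token URL must not carry userinfo, query or fragment")
    return {label: oauth[name] for name, label in FIELDS.items()}

def redact(credential):
    """Copy that is safe to paste into a ticket or log."""
    return {**credential, "Client Secret": "<redacted>"}

def check_pair(api_text, iflow_text):
    """The API and IFLOW plans each need their own key: flag a key pasted twice."""
    api, iflow = extract_credential(api_text), extract_credential(iflow_text)
    problems = []
    if api["Client ID"] == iflow["Client ID"]:
        problems.append("same Client ID registered for both plans")
    if api["Client Secret"] == iflow["Client Secret"]:
        problems.append("same Client Secret registered for both plans")
    return problems

if __name__ == "__main__":
    print(redact(extract_credential(API_KEY)))
    print(check_pair(API_KEY, IFLOW_KEY) or "API and IFLOW keys are distinct")
```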

Web Authentication
Web Authentication is used for interactive and user-based access to SAP services and applications.
1. SAP Cloud Identity Services – Identity Authentication (IAS)
It acts as the Identity Provider (IdP) for SAP Integration Suite and is used to authenticate users accessing the platform. It provides browser-based authentication and Single Sign-On (SSO) using the OpenID Connect (OIDC) protocol.
SAP Cloud Identity Service: Create IAS Instance
Navigate to Instances & Subscriptions in your SAP BTP subaccount.
Click on the Create button.
In the Service field, select Cloud Identity Services.
In the Plan field, choose Default under Subscriptions, then click Next.
Click Create to provision the instance.

Activate Administrator Account
An activation email will be sent to the registered email address.
Open the email and click Activate Account.
Set your password and click on Continue.

Register SAP Cloud Identity Service Credential in ReleaseOwl
Log in to ReleaseOwl.
Go to Administration → Credential Manager.
Click on Register Credential.

Enter the following information:
Credential Type: SAP IS Web Authentication
User Name: Cloud Identity Service Username
Password: Cloud Identity Service Password

Idp Metadata URL: To obtain the IdP Metadata URL, follow these steps:
Log in to SAP Cloud Identity Services.
Go to Applications & Resources.
Select Tenant Settings.

Open the OpenID Connect Configuration section.
Click on Show Discovery Endpoint.
You will be redirected to a new page.
Copy the URL from the browser address bar — this is your IdP Metadata URL.

Paste the copied URL into the IdP Metadata URL field in ReleaseOwl.
Click Save.

2. SAP Passport
It enables secure authentication and establishes trusted communication between SAP internal systems and SAP Integration Suite. It ensures system-to-system trust and protects data exchanged across integrated SAP landscapes.
Steps to Create SAP Passport
Go to SAP for Me.
Navigate to the SAP Passport page (reference link: SAP Passport).
Enter your S-User password when prompted.
Click Apply for SAP Passport.

Enter your SAP Passport password in the box, then click the Apply button. Your SAP Passport will be created.

After successful creation, click Download the SAP Passport.
The passport will be downloaded in .pfx format to your system.

Register SAP Passport Credential in ReleaseOwl
Go to Credential Manager in ReleaseOwl.
Click Register Credential.

Fill in the following details:
Credential Type: SAP Passport
Password: Enter the SAP Passport Password you provided during the apply process
Certificate: Upload your downloaded SAP Passport (.pfx)
Note: You must keep using the PFX if the server requires client certificate authentication.
Save the credential.

3. Ping Identity
Ping Identity enables secure authentication and establishes trusted communication between applications and identity providers using industry-standard protocols such as OAuth 2.0 and OpenID Connect (OIDC). It ensures secure user and system authentication, supports single sign-on (SSO), and protects access to applications by issuing tokens that contain verified user identity and authorization claims.
Prerequisites
Before configuring the integration, ensure that the following prerequisites are completed:
Subscribe to Cloud Identity Services: Ensure that the Cloud Identity Services subscription is active in your SAP BTP subaccount.
Establish Trust Configuration: To establish trust between the subaccount and the Identity Provider:
Navigate to the Security section in your SAP BTP subaccount.
Select Trust Configuration.
Click on Establish Trust.

Select the Tenant
Choose the subscribed tenant from the list.
Click Next to create the trust configuration.

Assign Roles
After the trust configuration is created, open the configuration.
Click Edit.

Configure Role Attributes
In the same Trust Configuration screen, scroll to Attribute Mappings.
Click the "+" button to add a new mapping.
Define mappings like this:
Role Collection | Attribute | Operator | Value
PI_Integration_Developer | email | equals | Email ID of the service user
PI_Administrator | email | equals | Email ID of the service user
Integration_Provisioner | email | equals | Email ID of the service user

Create Application in PingOne
Create your Ping Identity account using the provided URL and log in to PingOne.
From the left-hand menu, navigate to Applications. In the Applications section, click on the + (Add Application) button.

Enter a name of your choice for the application and select the application type based on your requirement, such as SAML Application or OIDC Web App. For this setup, select OIDC Web App and click Save.

Toggle the application ON and navigate to the Attribute Mappings tab.

Click on Add Mapping. For the PingOne attribute, select Email Address, then click Save.

Configure Identity Provider in SAP Cloud Identity Services
Follow the steps below to configure an Identity Provider using Ping Identity (OIDC) in SAP Cloud Identity Services (IAS).
Log in to SAP Cloud Identity Services.
Navigate to Applications & Resources.
Open the SAP BTP application associated with your tenant.

Configure Conditional Authentication
Go to the Trust section.
Navigate to Conditional Authentication.

In the Default Authenticating Identity Provider field, select Ping OIDC.
Click Save to apply the configuration.

Create a Corporate Identity Provider
Navigate to Identity Providers and select Corporate Identity Providers.

Click on the + Create button.

Enter a name of your choice and select the Identity Provider Type as OpenID Connect compliant.
Click Create to complete the setup.

Open the newly created Identity Provider.
Go to the Trust section.
Select OpenID Connect Configuration.

To configure the Discovery URL:
Log in to Ping Identity and open the application you created earlier.
Navigate to the Overview section.
Copy the OIDC Discovery Endpoint.

Paste the copied endpoint into the Discovery URL field in OpenID Connect Configuration.

Configure authentication details:
Under Client Authentication, select Client Secret in Authorization Header.

Log in to Ping Identity and open the application you created earlier.
Navigate to the Configuration section.
Copy the Client ID and Client Secret.

Paste the Client ID and Client Secret obtained from the Ping Identity application.

Click the Load button. Once the configuration details are loaded successfully, the Validate button will be enabled.

Copy the OIDC Callback URL. Then navigate to the application you created and open it. Go to the Configuration section and click Edit.


Paste the OIDC Callback URL into the Redirect URL field, and then click Save to apply the changes.

Validate the Configuration
Click on the Validate button.

If the configuration is correct, validation will succeed and you will see the confirmation screen (as shown in the image below)
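A check for the discovery document behind the IdP Metadata URL and the Discovery URL used above, as an added example (not ReleaseOwl, SAP or Ping Identity code). The tenant URL and document are constructed, and it assumes that "Client Secret in Authorization Header" corresponds to the OIDC method client_secret_basic.

```python
import json

WELL_KNOWN = "/.well-known/openid-configuration"

# Constructed discovery document for a made-up tenant (not real IAS or PingOne output).
SAMPLE_URL = "https://tenant.idp.example.com/.well-known/openid-configuration"
SAMPLE_DOC = json.dumps({
    "issuer": "https://tenant.idp.example.com",
    "authorization_endpoint": "https://tenant.idp.example.com/oauth2/authorize",
    "token_endpoint": "https://tenant.idp.example.com/oauth2/token",
    "jwks_uri": "https://tenant.idp.example.com/oauth2/certs",
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
})

def check_discovery(discovery_url, document_text, auth_method="client_secret_basic"):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    if not discovery_url.startswith("https://"):
        problems.append("discovery URL is not https")
    doc = json.loads(document_text)
    if discovery_url.endswith(WELL_KNOWN):
        # OpenID Connect Discovery 1.0: the issuer in the document must be
        # identical to the URL it was fetched from, minus the well-known suffix.
        expected = discovery_url[: -len(WELL_KNOWN)]
        if doc.get("issuer") != expected:
            problems.append(f"issuer {doc.get('issuer')!r} does not match {expected!r}")
    else:
        problems.append("discovery URL does not end with " + WELL_KNOWN)
    for field in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not str(doc.get(field, "")).startswith("https://"):
            problems.append(f"{field} is missing or not https")
    # Assumption: "Client Secret in Authorization Header" means client_secret_basic,
    # which is also the default when the metadata field is absent.
    methods = doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    if auth_method not in methods:
        problems.append(f"{auth_method} not offered by the token endpoint")
    return problems

if __name__ == "__main__":
    print(check_discovery(SAMPLE_URL, SAMPLE_DOC) or "discovery document passed")
```

An issuer mismatch means the document was not published by the tenant whose URL was copied, so the URL should be re-copied from the provider's console before it is saved.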

Configure Identity Provider using Ping Identity (SAML) in SAP Cloud Identity Services
Follow the steps below to configure Ping Identity as a SAML Identity Provider in SAP Cloud Identity Services.
Log in to SAP Cloud Identity Services
Log in to SAP Cloud Identity Services.
Navigate to Applications & Resources.
Open the SAP BTP application associated with your tenant.

Configure Conditional Authentication
Go to the Trust section.
Navigate to Conditional Authentication.

In the Default Authenticating Identity Provider field, select Oping Saml.
Click Save to apply the configuration.

Download Metadata from SAP Cloud Identity Services
Navigate to Applications & Resources.
Select Tenant Settings.

Go to Authentication.
Navigate to Single Sign-On.
Click Download Metadata File.
This metadata file will be used to configure the application in Ping Identity.

Create Application in Ping Identity
Log in to Ping Identity.
From the left-hand menu, navigate to Applications.

Click the + (Add Application) button.
Enter a Name for the application.
Select Application Type based on your requirement.
For this setup: Select SAML Application
Click Configure

Configure SAML Settings in Ping Identity
During SAML configuration, choose one of the following options.
Option 1: Import Metadata File
Select Import Metadata.
Click Select File.
Upload the metadata file downloaded from SAP Cloud Identity Services.

Click Save.

Option 2: Import Metadata from URL
In SAP Cloud Identity Services, navigate to:
Authentication
Single Sign-On
Open OpenID Connect Configuration.
Click Show Discovery Endpoint.
Copy the metadata URL.


Paste the URL into the Import from URL field in Ping Identity.

Toggle the application ON and navigate to the Attribute Mappings tab.

Click on Add Mapping. For the PingOne attribute, select Email Address, then click Save.

Create a Corporate Identity Provider
Navigate to Identity Providers and select Corporate Identity Providers.

Click on the + Create button.

Enter a name of your choice and select the Identity Provider Type as SAML 2.0 compliant.
Click Create to complete the setup.

Go to the Trust section.
Select SAML 2.0 Configuration.

Upload Metadata from Ping Identity
Log in to Ping Identity.
Navigate to the Application Overview section.
Scroll down and Download the Metadata file.

Upload Metadata File
In SAP Cloud Identity Services, click the Browse button.
Select the downloaded metadata file.
Upload the file.

Configure Metadata URL
In Ping Identity, copy the IdP Metadata URL.

Paste the URL into the Metadata URL field in SAP Cloud Identity Services.

Click Save to complete the configuration.
