search

Integration Environment Registration

To register the SAP Integration Environment, you must first register the CPI credential. Follow the link arrow-up-rightand complete the credential setup.

hashtag
CPI Environment Registration

Purpose :Enable communication with the CPI Environments.

  1. Navigate to Environments from the Administration menu.

  2. Select CPI environment and click on register CPI environment.

  3. Provide the following details:

Field

Description

Name

Enter a unique name for the SAP CPI Environment.

Auth Type

Select the authentication type: Basic Auth or OAuth2.

API URL

Provide the API URL for connecting to the SAP CPI Environment.

Enable Test Automation (Optional)

Toggle to enable or disable test automation capabilities.

IFLOW OAuth Credential

Select the OAuth credentials used for IFLOW authentication.

IFLOW URL

Enter the IFLOW URL from the service key.

SSO URL

Provide the Single Sign-On (SSO) URL for authentication. Note: The setup process is outlined in the section below.

IDP Auth Email Address / Group Name

The group name or email address configured in the 'Value' section under User Groups or Attribute Mappings should also match the corresponding group or email configuration in the IDP Auth Email Address/Group Name within the ReleaseOwl CPI environment registration page.

Integration Advisor

Enable Integration Advisor to provide the Host URL.

Host URL

The host URL is the base address of your SAP Integration Suite instance. (Example: https://<subdomain>.integrationsuite-<region>.cfapps.<domain>.hana.ondemand.com)

Enable Git (Optional)

Enable this option to integrate Git with the environment.

Git Credential

Select the credential for accessing the Git repository.

Repository URL

Provide the Git repository URL.

Branch

Specify the branch to be used for the integration.

Environment Type

Select the environment type (e.g., Dev, QA, Prod).

Web Authentication

There are three authentication types available for CPI Web Authentication in ReleaseOwl:

  1. None – No authentication is required.

  2. Custom Identity Provider (Custom IdP) – Authentication is performed using a customer-configured Identity Provider.

  3. SAP Cloud Identity Provider – Authentication is performed using SAP Cloud Identity Services (IAS).

  4. SAP Passport – Authentication is performed using browser-based SAP Passport certificates.

hashtag
Custom Identity Provider (IDP) Setup and Configuration

A Custom IDP (Identity Provider) must be configured to allow secure authentication and authorization for users who interact with the Integration Suite (CPI) instance through ReleaseOwl.

Use Case: This is particularly useful for executing test cases, simulation testing and updating value mappings as part of the pipeline.

hashtag
Steps to Configure a Custom Identity Provider (IDP)

A Custom Identity Provider (IDP) is required for deploying certain artifact types—such as Value Mapping, REST, SOAP, and OData APIs—as well as for executing test cases associated with these artifacts via ReleaseOwl.

  1. Download SAP BTP SAML Metadata

  • Navigate to the Security section of your SAP BTP Subaccount.

  • Go to Trust Configuration.

  • Click Download SAML Metadata to download the BTP metadata file.

  1. Extract the SAP BTP SSO URL

  • Open the downloaded SAML metadata XML file in a text editor (e.g., Notepad++, VS Code, or a browser).

  • Search for the <AssertionConsumerService> tag.

  • In this tag, locate the Location attribute. The value of this attribute is your SAP BTP SSO URL.

  • Copy the extracted SSO URL.

  • Paste it into the SSO URL field in the SAP CPI Environment.

  • For the IDP Auth Email Address/Group Name field, enter the exact value that your Identity Provider sends in the SAML/OIDC assertion for the user.

  • This value must match the group name or email address defined in the Value field of the User Groups or Attribute Mappings configuration in your IDP. ReleaseOwl (or SAP BTP) uses this returned attribute value to validate user authorization.

  • Refer to the Assign Role Collections section to ensure that the mapped group/attribute is correctly linked to the required role collections.

  • After entering all the required details, click Save. Once saved, a Test button will appear. Use this button to verify whether the provided credentials and configuration are correct. Click Test to validate the connection.

  • Upon successful validation, a Download option will be available to download the tenant-specific metadata and the SAP CPI environment descriptor file.

  1. Create Trust Configuration in SAP BTP

  • Return to Trust Configuration in the SAP BTP Cockpit.

  • Click New Trust Configuration and select New SAML Trust Configuration.

  • Upload the ReleaseOwl CPI Environment metadata XML file.

  • Uncheck the option "Available for User Logon" to prevent this IDP from appearing on the SAP login screen.

  • Click Save.

hashtag
4. Assign Role Collections (Choose One of the Methods Below)

  1. Navigate to Security → Role Collections.

  2. Click on the Create button.

  3. Enter a name for the role collection and create it.

  1. Search for the newly created role collection name.

  2. Click on the role collection name.

  1. Click on the Edit button.

Production Environment Role Collection

  1. Add the following roles to ensure proper access and deployment capabilities:

  • WorkspaceArtifactsDeploy

  • WorkspacePackagesConfigure

  • WorkspacePackagesRead

  • WorkspacePackagesEdit

  1. Click Save after adding the roles.

Non-Production Environment Role Collection

Similarly, create a role collection for the non-production environment to enable monitoring, tracing, and deployment activities.

  1. Navigate to Security → Role Collections.

  2. Click on the Create button.

  3. Enter a name for the non-production role collection.

  4. Search for the created role collection and open it.

  5. Click on the Edit button.

Assign the following roles:

  • MessagePayloadsRead

  • MonitoringDataRead

  • TraceConfigurationEdit

  • TraceConfigurationRead

  • WorkspaceArtifactsDeploy

  • WorkspacePackagesConfigure

  • WorkspacePackagesRead

  • WorkspacePackagesEdit

  1. Click Save to complete the setup.

Steps to Configure User Groups

  1. Navigate to Security → Role Collections.

  2. Select the required Role Collection (e.g., Production or Non-Production).

  3. Open the User Groups tab.

  4. Click on the “+” button to add a new user group.

Field
Description

Identity Provider

Select the configured Identity Provider (e.g., Custom IDP).

Name

Enter an appropriate user group name.

hashtag
Role Collection Assignment Methods

You can assign role collections using one of the following methods:

Method 1: Assign Role Collections using User Groups

  1. Open the newly created Custom Identity Provider (IDP) for Applications and click Edit.

  2. Navigate to the User Groups section.

  3. Click the “+” button to add a new mapping.

  4. Configure the mappings as required.

  1. Go to the User Groups section and Click the "+" button to add a new mapping.

  2. Create a custom role collection with the following roles for assignment in non-production/ production environments:

Field
Description

Role Collection

Choose the role collection that was created earlier. ( Like production, non-production)

User Group Name

Enter the name that was created earlier.

Method 2: Assign Role Collections using Attribute Mapping (Email-Based)

  1. In the same Trust Configuration screen, scroll to Attribute Mappings.

  2. Click the "+" button to add a new mapping.

  3. Define mappings like this:

Role Collection
Attribute
Operator
Value

  • Enter the role collection that was created earlier.

emailAddress

equals

The email ID of the service user

circle-info

Note : If you want to use the Integration Advisor, you must assign the following roles to the user:

  • iadv-content-administrator

  • iadv-content-read

  • iadv-content-developer

  1. The group name or email address configured in the 'Value' section under User Groups or Attribute Mappings should match the corresponding group or email configuration in the IDP Auth Email Address/Group Name on the ReleaseOwl CPI Environment registration page.

hashtag
SAP Cloud Identity Provider

ReleaseOwl seamlessly integrates with SAP Cloud Identity Services to support secure authentication and identity management across deployment pipelines. To register the SAP Cloud Identity environment, you must first register the Cloud Identity credential. Follow the linkarrow-up-right and complete the credential setup.

hashtag
Trust Configuration in SAP BTP

  1. Go to Trust Configuration in your SAP BTP subaccount.

  2. Click on Establish Trust.

hashtag
Configure Trust

  1. Select your Cloud Identity Service tenant → click Next.

  1. Select your Cloud Identity Service domain → click Next.

  1. Under Configuration Parameters:

    • Set Origin Key = sap.custom

    • Click Next and then Finish.

hashtag
OpenID Connect Settings

  1. A new trust configuration will be created using the origin key sap.custom with the OpenID Connect (OIDC) protocol.

  1. In the Parameters section, enable Available for User Logon.

  1. Navigate to Attribute Mappings and fill in the required mappings:

Related Role

Attribute Name

Value

Operator

  • Trail-content-adminstrator

  • PI_Integration_Developer

  • PI_Administrator

email

Your Cloud Identity Service email

equals

  1. Click Save to update the configuration.

hashtag
Access Applications

  1. Log in to your Cloud Identity Service tenant.

  2. Navigate to Applications & Resources → Applications.

  1. A new bundled application will be automatically created and associated with the trust configuration and linked to the corresponding SAP BTP subaccount.

hashtag
Configure Single Sign-On

  1. Open the newly created application.

  2. Go to Single Sign-On → Subject Name Identifier.

  1. Configure as follows:

  • Source (Primary): Identity Directory

  • Attribute (Primary): Email

  • Source (Fallback): Identity Directory

  • Attribute (Fallback): Email

  1. Click on the Save button.

hashtag
Configure Conditional Authentication

  1. Go to TrustConditional Authentication.

  1. Set Default Identity Provider = Identity Authentication.

hashtag
Environment Registration

  1. Go to the SAP CPI Environment and click on the Register SAP CPI Environment.

  1. Web Authentication: Select SAP Cloud Identity Provider.

  2. Credential: Choose the SAP Cloud Identity Credential that you registered earlier.

  3. Click on the Create button.

hashtag
SAP Passport

ReleaseOwl seamlessly integrates with SAP Passport to enable secure certificate-based authentication for SAP CPI environments. To register the SAP Passport–based authentication, you must first generate your SAP Passport and register it as a credential in ReleaseOwl. Follow the linkarrow-up-right and complete the credential setup.

hashtag
Environment Registration

  1. Go to the SAP CPI Environment and click on the Register SAP CPI Environment.

  2. Click on Register SAP CPI Environment.

  1. Under Web Authentication, select SAP Passport.

  2. Under Credential, select the SAP Passport Credential you created earlier.

  3. Click on the Create button to complete the configuration.

hashtag
Adding Environments to Project

circle-info

Note : On clicking Permissions in the above screen, one can know the actions that the user role can perform each for the available features such as Transport Management, Change Management, Pipelines, Release Management.

PreviousCredential ManagementNextCPI Governance Rules

Last updated