The blog How to Connect Your Cloud Applications with Your Corporate User Store showed how to connect cloud applications with your Microsoft Active Directory corporate user store. This blog shows how to use your existing NW Identity Management as a user store for accessing your cloud applications in HCP. With the existing NW Identity Management you do not need another user store in the cloud; you just plug your existing user store into the SAP Identity Service.
- You have an SAP HANA Cloud Platform account.
- You have requested your SAP Cloud Identity service tenant (SCI).
- You have requested this feature from an SAP Cloud Identity service operator by creating a ticket on SAP Support Portal under the component BC-IAM-IDS.
- Note: On SAP HANA Cloud Platform, your consumer account should be subscribed to a proxy application provided by an SCI account.
- NW AS JAVA system 720 and above with IDMFEDERATION<release>.sca installed.
Configure NW AS JAVA identity management:
1. The on-premise system is an AS Java with a deployed SCA from SAP Single Sign-On (SSO) 2.0. To configure the on-premise AS Java system, open Identity Management in your NetWeaver Java system and create a scimuser with the SCIM_READONLY role assigned.
2. Create a few users for accessing the cloud applications, without any roles assigned.
Configure SAP Cloud Identity Service:
1. If you have the SAP Cloud Identity service tenant, activate it first, then open the admin console [https://<scitenanthost>/admin]. Click the tenant settings tile –> go to Tenant SAML 2.0 configuration –> download the metadata file and keep it, because it is required to configure the custom IDP in the consumer account [HCP tenant].
2. Now activate the corporate user store in your SCI tenant, because it is disabled by default. Go to the URL [https://<scitenanthost>/admin/#togglz] and activate the corporate user store based on your requirement [productive or testing]. This provides the option to configure the proxy application.
Note: The configuration for test mode in the SAP Cloud Identity Administration Console will not be available for customers (when you use the togglz option).
3. Trust enablement [SCI to consumer account]: Go to the admin console for the SCI tenant –> click the applications tile –> create an application using the + button –> click SAML 2.0 configuration –> import the metadata file [go to the cockpit of the HCP account –> trust –> local service provider –> download the metadata file and use it in the SCI tenant].
4. Select the applications tile –> select the created application –> NameID attribute –> define how you want to authenticate: with the profile ID, display name, login name or email.
5. Go back to the tenant settings tile. You can now see the corporate user store option in the list. Click corporate user store –> define it as in the screenshot below.
Configure SAP HANA Cloud Platform (consumer):
1. Go to the subscriptions tab in the cockpit, select the subscribed proxy Java application and add the destination as below:
2. Configure the custom IDP for your consumer account. Go to cockpit –> trust –> select local service provider –> click the Edit button –> set the configuration type to custom and save. Now switch to trusted identity provider –> click trusted identity provider and import the metadata file that was downloaded from the SCI tenant for trust enablement [consumer to SCI tenant, step 1; refer to Configure SAP Cloud Identity Service].
3. Install the SAP HANA Cloud connector inside your corporate network. Follow the prerequisites and the procedure in Installing the Cloud Connector. Note: Make sure you have installed the right JVM and that it is referenced by the JAVA_HOME variable. Connect the Cloud connector with your SAP HANA Cloud Platform account. Follow the instructions described in Initial Configuration as you enter your consumer account data. Once the Cloud connector is ready, add your NW AS JAVA system to it in the access control tab.
4. Go to OAuth –> Clients and register a client for your consumer account.
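Both trust steps above import a SAML 2.0 metadata file: the SCI tenant file goes into the HCP trusted identity provider, and the HCP local service provider file goes into the SCI application. The following Python check for such a file before import is an added example, not part of the original blog or of any SAP tooling. The function name inspect_metadata, the host name and the certificate bytes are constructed for illustration, and a single EntityDescriptor root element is assumed.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def inspect_metadata(xml_text, expected_role):
    """expected_role: "IDP" for the SCI tenant file, "SP" for the HCP account file."""
    if "<!DOCTYPE" in xml_text:
        raise ValueError("metadata with a DTD is refused")  # no entity expansion
    root = ET.fromstring(xml_text)  # assumption: one EntityDescriptor as root
    report = {"entity_id": root.get("entityID"), "endpoints": [],
              "fingerprints": [], "problems": []}
    if not report["entity_id"]:
        report["problems"].append("missing entityID")
    role = root.find(f"md:{expected_role}SSODescriptor", NS)
    if role is None:  # e.g. the SP file offered where the IdP file belongs
        report["problems"].append(f"no {expected_role}SSODescriptor in this file")
        return report
    # Every SSO, ACS and logout endpoint should be reached over TLS.
    report["endpoints"] = [e.get("Location") for e in role.iter() if e.get("Location")]
    for url in report["endpoints"]:
        if not url.lower().startswith("https://"):
            report["problems"].append(f"non-HTTPS endpoint: {url}")
    # SHA-256 of each signing certificate, to compare with the issuing system.
    for kd in role.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            for cert in kd.findall(".//ds:X509Certificate", NS):
                der = base64.b64decode("".join((cert.text or "").split()))
                report["fingerprints"].append(hashlib.sha256(der).hexdigest())
    if not report["fingerprints"]:
        report["problems"].append("no signing certificate")
    return report

# Constructed sample: host name and "certificate" bytes are placeholders.
FAKE_DER = b"constructed placeholder, not a real certificate"
SAMPLE_IDP = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://sci.example.invalid">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(FAKE_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Location="http://sci.example.invalid/saml2/idp/sso"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

print(inspect_metadata(SAMPLE_IDP, "IDP")["problems"])
```

An empty problems list together with a fingerprint that matches the one shown by the system that issued the file is the condition for importing it.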
Validating that the cloud application works with NW AS JAVA corporate user store users:
1. Open the SCI tenant https://<scitenanthost>/ with any of the users available in NW Identity Management and check that authentication works [for the first authentication use the user name; from then on you can use the email ID]. Note: Make sure that this user does not exist in the user store of SAP Cloud Identity service.
2. Now go to cockpit –> subscriptions –> open any of the applications, for example one of the subscribed HTML5 applications, and try to log in with any of the users available in NW Identity Management.