This post is a step-by-step guide on how to configure Active Directory Federation Services (AD FS) 2.0 with SAP HANA Cloud Platform (HCP).
The following steps are required to enable AD FS as a SAML Identity Provider for an HCP account:
Note: When adding the metadata of the Identity Provider or Service Provider, you need to select SHA-1 as the Signature Algorithm (Secure hash algorithm).
We need to get the AD FS 2.0 federation metadata, which is accessible at the following URL:
https://<ADFS2.0 Server Host>/FederationMetadata/2007-06/FederationMetadata.xml
(In some cases you need to be on the ADFS 2.0 server host itself to access the federation metadata.)
This page lists the content of the XML file.
Download the file (Ctrl + S or File -> Save) as XML.
Open it from https://account.hana.ondemand.com/, then
4. Here we upload the Federation Metadata by clicking Browse and navigating to the FederationMetadata.xml file on our host (as downloaded in Step 1).
Once we select the file, it automatically fills in all required fields.
5. Then go to the Groups tab at the top, where we add a default group that will be assigned to each and every user (we use this to make sure AD FS users can access the applications).
As the predefined HCP group “Everyone” holds the basic permissions needed for the applications we would like to access, we assign it as the default group for users authenticated via AD FS:
6. Click Add Default Group to add a default group.
7. From the dropdown, select the default group “Everyone”.
8. Press Save in the bottom right corner to finally save the Trusted Identity Provider.
The “Add Relying Party Trust” wizard will guide you through the process:
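Before uploading the metadata from Step 1, it is worth checking what HCP will read from it. The following parser is an added example, not code from the original post; it reads a constructed, abbreviated FederationMetadata.xml (placeholder host and certificate text) and reports the entityID, the SingleSignOnService endpoints and the signing-certificate thumbprint, flagging an endpoint that is not served over HTTPS or a missing signing certificate.

```python
# Added example (not from the original post): inspect an AD FS 2.0 FederationMetadata.xml
# before uploading it to HCP, reporting the values the upload form fills in from it.
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed, heavily abbreviated sample: the host and the certificate text
# are placeholders, a real file also carries the metadata's own XML signature.
SAMPLE_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>TUlJQ3BsYWNlaG9sZGVy</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.test/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

def thumbprint(b64_cert):
    """SHA-1 over the DER bytes: the thumbprint the AD FS certificate dialog shows."""
    return hashlib.sha1(base64.b64decode(b64_cert)).hexdigest()

def inspect_metadata(xml_text):
    """Return entityID, SSO endpoints, signing thumbprints and a list of findings."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: not identity provider metadata")
    sso = {e.get("Binding").rsplit(":", 1)[-1]: e.get("Location")
           for e in idp.findall("md:SingleSignOnService", NS)}
    certs = [c.text.strip() for c in
             idp.findall("md:KeyDescriptor[@use='signing']//ds:X509Certificate", NS)]
    findings = []
    if any(not loc.startswith("https://") for loc in sso.values()):
        findings.append("SSO endpoint is not served over HTTPS")
    if not certs:
        findings.append("no signing certificate: assertions cannot be verified")
    return {"entity_id": root.get("entityID"), "sso": sso,
            "signing_thumbprints": [thumbprint(c) for c in certs],
            "findings": findings}
```

Compare the reported thumbprint with the signing certificate shown in the HCP Trusted Identity Provider form after the upload; they must match.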
Begin with the Start button and on the second screen (Select Data Source),
4. On the next dialog, “Specify Display Name”, enter the name of the Relying Party Trust (it is only the name shown in the list), then Next.
5. On Choose Issuance Authorization Rules, select Permit all users to access this relying party, then Next -> Next -> Close.
When the “Add Relying Party Trust” wizard closes, the “Edit Claim Rules” wizard opens.
If it does not, right-click the Relying Party Trust -> Edit Claim Rules to start it.
To define the rule type in the “Add Transform Claim Rule” wizard, select Send LDAP Attributes as Claims from the Claim rule template dropdown, then Next.
Then, to specify the rule:
To change the Secure hash algorithm, right-click the Relying Party Trust -> Properties and then:
Now you should be able to log in using your AD FS users.