Murali Shanmugham

Setting up Authentication for Cloud Portal using Cloud Identity – I

The SAP Cloud Identity (SCI) is a cloud service for identity lifecycle management for SAP Cloud applications and on-premise applications. It provides services for authentication, single sign-on, and on-premise integration as well as self-services such as registration or password reset for employees, customer partners, and consumers.


In this blog, I am going to describe my journey on configuring SCI and how to enable authentication of applications and services in the cloud. I am going to keep it very simple for everyone to understand. I have a scenario where a company needs to host a Cloud Portal for all their vendor related communication. Vendors might need to access this Portal and transact with this company. In the HANA Cloud Platform (HCP), Cloud Portal is one of the services which offers this capability to host an enterprise grade portal providing access to various applications hosted in HCP. When a company exposes such a portal with all their applications, they obviously need to secure it. SAP Cloud Identity (SCI) is another service in HCP which offers authentication/Single Sign-On and User Management services. Hence, I am going to use these two services throughout this blog series and show how we can configure them for different scenarios.

Setting up Authentication for Cloud Portal using Cloud Identity

Part 1 – Setting up SCI as IdP for a vendor facing Cloud Portal

Part 2 – Using Social Identity Providers to access Cloud Portal

Part 3 – Setup Self-registration form

Part 4 – Manage Cloud Portal Catalogs and roles

Part 5 – Mapping of groups between SCI and Cloud Portal

Part 6 – Setup 2FA for Cloud Portal access



Prerequisites

  1. You have a subscription for SAP Cloud Identity (SCI)
  2. You have a subscription for Cloud Portal services in HANA Cloud Platform
  3. You have admin rights in both the services to make the configuration

Setup your user in Cloud Identity

In my scenario, I am dealing with external vendors. These vendors do not exist in my on-premise user store. Hence, I need to load these users into SCI (using the import functionality), and SCI is going to be the user store for all vendors. As an admin, I can then manage all these users via the administration console in SCI.

For now, I am going to create a user called Bill Maher in SCI. Log in to SCI as an Administrator and click on “User Management”.


Click on the Add User button to add a new user.


Bill will receive an email asking him to activate his account for Cloud Identity.


The moment he clicks the link in the email, he is asked to provide a password and activate his account.


This completes the setup of one vendor in SCI. Obviously, if there are hundreds of vendors, we would need to use the Import option within SCI to load all the vendors directly rather than manually registering each of them one by one.

As an SCI admin, I can check that the user has been successfully created in SCI and has been assigned a User ID – P000032.


Configure Trust in HANA Cloud Platform

In this step, we are going to configure HCP as a service provider and use SCI as an identity provider. When a user tries to access a service or application in HCP, they will be challenged with the login screen from SCI. Navigate to the Trust menu and notice that the configuration type is “Default”. Change this to Custom and click on “Generate Key Pair”.


Change the value of Principal propagation to “Enabled” and click on “Save”.

Navigate to the “Trusted Identity Provider” tab and add the Cloud Identity Tenant which would be provisioned and assigned to your HCP account.


Under Applications, you will now see a new entry for your HCP account which has been automatically created.


Feel free to explore the values which have been populated for SAML 2.0 properties. This completes setting up SCI as the IdP for this HCP account. It is important to note that the entire HCP account is registered as a service provider in SCI. Hence, if you turn on any settings like two-factor authentication for this application in SCI, it will apply to all the services and Applications in HCP.

Creation of Cloud Portal

From the HCP Cockpit, I have enabled the Portal service.


When I launch the Cloud Portal Service, I will be challenged with a login screen from SCI as I am accessing a service in HCP after setup of the trust.


After providing my login credentials, I noticed that I still couldn’t get to the Administration page of Cloud Portal.


The reason is that SCI authenticated me with the User ID stored in SCI, “P000029”, and propagated that user to HCP.


From the site settings, publish the app to get the full site URL.


In the next blog, Part 2 – Using Social Identity Providers to access Cloud Portal, we shall see how to set up and use social identity providers like Facebook and LinkedIn to authenticate a user.

14 Comments
      Former Member

      Nice Blog

      Guy Soffer

      Great blog series!!

      Former Member

      Good article.

      Former Member

      How to link the SCI tenant to the HCP in your case pmdemo?

      Thanks

      Murali Shanmugham
      Blog Post Author

      Hi Anshul,

      Can you check this documentation. You would need to manually import the metadata file. If you have issues, please raise a discussion in the Forum. Thanks.

      Cheers,

      Murali

      Former Member

      Hello Murali,

Is there a trial subscription for SAP Cloud Identity Authentication that I could use for a demo? I am setting up a demo SAP Cloud Portal site which requires user registration. I am using a trial SAP Cloud Platform account.

      Thanks

      Costa

      Murali Shanmugham
      Blog Post Author

      Hi Costa,


Unfortunately, there is no trial offered for SAP Cloud Identity Authentication 🙁

      Former Member

If you are a customer of SAP Cloud Identity and HCP, trust configuration is very easy; you just need to click a button as described here: https://help.hana.ondemand.com/help/frameset.htm?d3df5b457d0c43fca117da0dc14e2f0d.html. The trust will be set up and a new application will be created.

      Please find the basic onboarding steps here

      http://scn.sap.com/docs/DOC-69941

      You can use the manual trust configuration, too.

      Test User


      Public / Anonymous Access to HCP-FLP


How can I enable public (Anonymous or for Everyone) access to my Apps on HCP-Portal Fiori Service without having the need to login via SAP ID.

      https://flpportal-s0011161711trial.dispatcher.hanatrial.ondemand.com/sites?siteId=e531c5e5-9fb6-4428-9893-1cc15c159091#Shell-home

When I try to access the above launchpad, it asks for a SAP ID, which I want to avoid so that users have seamless access to apps hosted on this launchpad.

      Amit Agrawal

I think it's not possible if you are using a Trial account. Trial account comes with SAP IDP and identity provider and there is no way you could change that.
      However, if you have a productive account with subscription for SAP IDP then you can go set you SAP IDP tenant to allow anyone to access the Fiori launchpad.
      Then you would also have option of using your own Identity provider wherein you could bypass authentication.

      Former Member

      Hello Murali, your post is very useful.

My question is, can I get admin accounts which can add and modify only their dependent users? E.g., in your case, one vendor account (admin) has some sub-vendor accounts (real users).

      Michael Healy

      Is it possible to have a dynamic sync from the Azure Active directory to the IAS so the users can be managed when they are updated from AD?

      KUMARAN PARTHIBAN

      Hi Michael,

      You need to purchase "SAP Identity Provisioning Service" or IPS to sync accounts dynamically between AAD and IAS.


      Ransome Mathias

      Hi Murali,

Really fantastic blog. Thank you for sharing knowledge. I have a question for you.
Let's say there are 2 vendors, P000031 and P000032. When the vendor P000031 logs in to the app, he would want to see only information relevant to his account (or orders or products etc.). How would the app know which vendor has logged in? Can you please provide some insight on how we can model a solution to show only the data specific to the logged-in user (vendor)? Thank you for your advice.

      PS: if there are experts who want to take the question please feel free

      Cheers,

      Ransome