The SAP Cloud Identity (SCI) is a cloud service for identity lifecycle management for SAP Cloud applications and on-premise applications. It provides services for authentication, single sign-on, and on-premise integration as well as self-services such as registration or password reset for employees, customer partners, and consumers.

                             

In this blog, I am going to describe my journey on configuring SCI and how to enable authentication of applications and services in the cloud. I am going to keep it very simple for everyone to understand. I have a scenario where a company needs to host a Cloud Portal for all their vendor related communication. Vendors might need to access this Portal and transact with this company. In the HANA Cloud Platform (HCP), Cloud Portal is one of the services which offers this capability to host an enterprise grade portal providing access to various applications hosted in HCP. When a company exposes such a portal with all their applications, they obviously need to secure it. SAP Cloud Identity (SCI) is another service in HCP which offers authentication/Single Sign-On and User Management services. Hence, I am going to use these two services throughout this blog series and show how we can configure them for different scenarios.

Setting up Authentication for Cloud Portal using Cloud Identity

Part 1 – Setting up SCI as IdP for a vendor facing Cloud Portal

Part 2 – Using Social Identity Providers to access Cloud Portal

Part 3 – Setup Self-registration form

Part 4 – Manage Cloud Portal Catalogs and roles

Part 5 – Mapping of groups between SCI and Cloud Portal

Part 6 – Setup 2FA for Cloud Portal access



Prerequisites

  1. You have a subscription for SAP Cloud Identity (SCI)
  2. You have a subscription for Cloud Portal services in HANA Cloud Platform
  3. You have admin rights in both the services to make the configuration

Setup your user in Cloud Identity

In my scenario, I am dealing with external vendors. These vendors do not exist in my on-premise user store.Hence, I need to load these users into SCI (using import functionality) and this is going to be the user store for all vendors. As an admin, I can then manage all these users via administration console in SCI.

For now, I am going to create a user called Bill Maher in SCI. Login into SCI as an Administrator and click on “User Management”

    

                               

Click on the Add User button to add a new user.

                               

Bill will receive an email requesting to activate his account for Cloud Identity

                        

The moment, he clicks on the link in my email, it will request him to provide a password and activate his account.

                        

This completes the setup of one vendor in SCI. Obviously, if there are 100’s of vendors, we would need to use the Import option within SCI to load all the vendors directly rather than manually registering each of them one by one.

As an SCI admin, I can check that the user has been successfully created in SCI and has been assigned a User ID – P000032

                        

Configure Trust in HANA Cloud Platform

In this step, we are going to configure HCP as a service Provider and use SCI as an Identity Provider. When a user tries to access a service or application in HCP, they will be challenged with the login screen from SCI. Navigate to the Trust menu and notice that the configuration type is “Default”. Change this to Custom and click on the “Generate Key Pair”

                             

Change the value of Principal propagation to “Enabled” and click on “Save”.

Navigate to the “Trusted Identity Provider” tab and add the Cloud Identity Tenant which would be provisioned and assigned to your HCP account.

                        

                        

In my example, I have an SCI tenant called pmdemo which has been linked to my HCP account.

                        

Click on the “SAP Cloud Identity Admin Console” to explore what has happened in the background

                        

Under Applications, you will now see a new entry for your HCP account which has been automatically created.

                        

Feel free to explore the values which have been populated for SAML 2.0 properties. This completes setting up SCI as the IdP for this HCP account. It is important to note that the entire HCP account is registered as a service provider in SCI. Hence, if you turn on any settings like two-factor authentication for this application in SCI, it will apply to all the services and Applications in HCP.

Creation of Cloud Portal

From the HCP Cockpit, I have enabled the Portal service.

                  

I have assigned TENANT_ADMIN role to my user ID in order to create a new site

                          

When I launch the Cloud Portal Service, I will be challenged with a login screen from SCI as I am accessing a service in HCP after setup of the trust.

              

After providing my login credentials, I noticed that I still couldn’t get to the Administration page of Cloud Portal.

                   

The reason being, SCI has authenticated me using my User ID stored in SCI – “P000029” and propagated this user to HCP.

               

Hence, I had to add P000029 with TENANT_ADMIN role. After adding the role and refreshing the screen, I can then see the Cloud Portal Administration.

I created a simple Portal (based on Fiori Launchpad) which has only one tile. There are lot of good articles which shows you how to create beautiful portal sites.  Ensure that you have created at least a catalog/group which contains a sample application/tile. Assign everyone role to the catalog/group.

              

From the site settings, publish the app to get the full site URL

              

Now I am going to launch this portal as a Bill Maher (the external vendor). I will be challenged with a login screen from SCI.

Note: Clear the cache before launching the site

              

I have been successfully authenticated and would be able to see the Cloud Portal as a vendor (User ID – P000032)

              

In the next blog Part 2 – Using Social Identity Providers to access Cloud Portal, we shall see how to setup and use Social identity providers like facebook, LinkedIn to authenticate a user.

To report this post you need to login first.

8 Comments

You must be Logged on to comment or reply to a post.

  1. Test User

     

    Public / Anonymous Access to HCP-FLP

     

    How can I enable public (Anonymous or for Everyone ) access to my Apps on HCP-Portal Fiori Service without having the need to login via SAP ID .

    https://flpportal-s0011161711trial.dispatcher.hanatrial.ondemand.com/sites?siteId=e531c5e5-9fb6-4428-9893-1cc15c159091#Shell-home

    when I try to access the above launchpad, it asks for a SAP Id which I want to avoid and have users seamless access to apps hosted on this launchpad.

    (0) 
    1. Amit Agrawal

      I think it’s not possible if you are using Trail account. Trial account comes with SAP IDP and identity provider and there is no way you could change that.
      However, if you have a productive account with subscription for SAP IDP then you can go set you SAP IDP tenant to allow anyone to access the Fiori launchpad.
      Then you would also have option of using your own Identity provider wherein you could bypass authentication.

      (0) 

Leave a Reply