Setting up Authentication for Cloud Portal using Cloud Identity – I
The SAP Cloud Identity (SCI) is a cloud service for identity lifecycle management for SAP Cloud applications and on-premise applications. It provides services for authentication, single sign-on, and on-premise integration as well as self-services such as registration or password reset for employees, customer partners, and consumers.
In this blog, I am going to describe my journey on configuring SCI and how to enable authentication of applications and services in the cloud. I am going to keep it very simple for everyone to understand. I have a scenario where a company needs to host a Cloud Portal for all their vendor related communication. Vendors might need to access this Portal and transact with this company. In the HANA Cloud Platform (HCP), Cloud Portal is one of the services which offers this capability to host an enterprise grade portal providing access to various applications hosted in HCP. When a company exposes such a portal with all their applications, they obviously need to secure it. SAP Cloud Identity (SCI) is another service in HCP which offers authentication/Single Sign-On and User Management services. Hence, I am going to use these two services throughout this blog series and show how we can configure them for different scenarios.
Setting up Authentication for Cloud Portal using Cloud Identity
- Part 1 – Setting up SCI as IdP for a vendor facing Cloud Portal
- Part 2 – Using Social Identity Providers to access Cloud Portal
- Part 3 – Setup Self-registration form
- Part 4 – Manage Cloud Portal Catalogs and roles
Prerequisites
- You have a subscription for SAP Cloud Identity (SCI)
- You have a subscription for Cloud Portal services in HANA Cloud Platform
- You have admin rights in both the services to make the configuration
Setup your user in Cloud Identity
In my scenario, I am dealing with external vendors. These vendors do not exist in my on-premise user store. Hence, I need to load these users into SCI (using the import functionality), and SCI is going to be the user store for all vendors. As an admin, I can then manage all these users via the administration console in SCI.
For now, I am going to create a user called Bill Maher in SCI. Log in to SCI as an administrator and click on “User Management”.
Click on the Add User button to add a new user.
Bill will receive an email requesting him to activate his account for Cloud Identity.
The moment he clicks on the link in the email, he is asked to provide a password and activate his account.
This completes the setup of one vendor in SCI. Obviously, if there are hundreds of vendors, we would need to use the Import option within SCI to load all the vendors directly rather than manually registering each of them one by one.
As an SCI admin, I can check that the user has been successfully created in SCI and has been assigned a User ID – P000032.
Configure Trust in HANA Cloud Platform
In this step, we are going to configure HCP as a service provider and use SCI as an identity provider. When a user tries to access a service or application in HCP, they will be challenged with the login screen from SCI. Navigate to the Trust menu and notice that the configuration type is “Default”. Change this to Custom and click on “Generate Key Pair”.
Change the value of Principal propagation to “Enabled” and click on “Save”.
Navigate to the “Trusted Identity Provider” tab and add the Cloud Identity Tenant which would be provisioned and assigned to your HCP account.
Under Applications, you will now see a new entry for your HCP account which has been automatically created.
Feel free to explore the values which have been populated for SAML 2.0 properties. This completes setting up SCI as the IdP for this HCP account. It is important to note that the entire HCP account is registered as a service provider in SCI. Hence, if you turn on any settings like two-factor authentication for this application in SCI, it will apply to all the services and Applications in HCP.
Creation of Cloud Portal
From the HCP Cockpit, I have enabled the Portal service.
When I launch the Cloud Portal Service, I will be challenged with a login screen from SCI as I am accessing a service in HCP after setup of the trust.
After providing my login credentials, I noticed that I still couldn’t get to the Administration page of Cloud Portal.
The reason is that SCI authenticated me using my User ID stored in SCI – “P000029” – and propagated this user to HCP, so the Portal authorizations have to be assigned to that User ID.
From the site settings, publish the app to get the full site URL.
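As an added illustration (my own sketch, not code from the blog or from SAP), the following Python shows the checks a SAML 2.0 service provider such as HCP applies to an assertion from the trusted IdP before accepting the propagated principal, and why the identity that reaches the application is the SCI User ID (the P-number from the user record above) rather than the e-mail or display name. The entity IDs and the assertion are constructed placeholders, and XML signature verification with the certificate exchanged in the Trust step is assumed to have happened before this code runs.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed placeholders: the SCI tenant's entity ID (trusted IdP) and the
# HCP account's entity ID (this service provider). Real values come from the
# metadata exchanged in the Trust configuration.
TRUSTED_IDP = "https://SCI-TENANT-PLACEHOLDER.accounts.ondemand.com"
SP_ENTITY_ID = "https://hana.ondemand.com/HCP-ACCOUNT-PLACEHOLDER"

# Constructed sample assertion for the vendor user created above. The subject
# is the SCI User ID (P-number), not the e-mail: that is what gets propagated.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_c1" Version="2.0"
    IssueInstant="2016-01-01T00:00:00Z">
  <saml:Issuer>{TRUSTED_IDP}</saml:Issuer>
  <saml:Subject><saml:NameID>P000032</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2016-01-01T00:00:00Z" NotOnOrAfter="2099-01-01T00:00:00Z">
    <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>bill.maher@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def consume_assertion(xml_text, now=None):
    """Return (principal, attributes) for an acceptable assertion, else raise ValueError.

    Assumes the enclosing SAML Response's XML signature was already verified
    against the IdP certificate; an unsigned assertion must never reach here.
    """
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != TRUSTED_IDP:  # only the configured IdP may assert identities
        raise ValueError(f"untrusted issuer {issuer!r}")
    cond = root.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion missing Conditions or outside its validity window")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:  # reject assertions issued for another SP
        raise ValueError("assertion not addressed to this service provider")
    principal = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not principal:
        raise ValueError("assertion has no NameID")
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return principal, attrs  # authorizations (e.g. Portal admin role) key on principal
```

Because the principal is the P-number, the Portal role assignment and any vendor-specific data filtering in an application must be keyed on that ID, not on the e-mail attribute.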
In the next blog, Part 2 – Using Social Identity Providers to access Cloud Portal, we shall see how to set up and use social identity providers like Facebook and LinkedIn to authenticate a user.
Nice Blog
Great blog series!!
Good article.
How to link the SCI tenant to the HCP in your case pmdemo?
Thanks
Hi Anshul,
Can you check this documentation? You would need to manually import the metadata file. If you have issues, please raise a discussion in the Forum. Thanks.
Cheers,
Murali
Hello Murali,
Is there a trial subscription for SAP Cloud Identity Authentication that I could use for a demo? I am setting up a demo SAP Cloud Portal site which requires user registration. I am using a trial SAP Cloud Platform account.
Thanks
Costa
Hi Costa,
Unfortunately, there is no trial offered for SAP Cloud Identity Authentication.
If you are a customer of SAP Cloud Identity and HCP, trust configuration is very easy; you just need to click a button as described here: https://help.hana.ondemand.com/help/frameset.htm?d3df5b457d0c43fca117da0dc14e2f0d.html The trust will be set up and a new application will be created.
Please find the basic onboarding steps here
http://scn.sap.com/docs/DOC-69941
You can use the manual trust configuration, too.
Public / Anonymous Access to HCP-FLP
How can I enable public (anonymous, or for everyone) access to my apps on the HCP Portal Fiori service without the need to log in via SAP ID?
https://flpportal-s0011161711trial.dispatcher.hanatrial.ondemand.com/sites?siteId=e531c5e5-9fb6-4428-9893-1cc15c159091#Shell-home
When I try to access the above launchpad, it asks for an SAP ID, which I want to avoid, so that users have seamless access to the apps hosted on this launchpad.
I think it's not possible if you are using a trial account. A trial account comes with SAP IDP as the identity provider and there is no way you could change that.
However, if you have a productive account with a subscription for SAP IDP, then you can set your SAP IDP tenant to allow anyone to access the Fiori launchpad.
Then you would also have the option of using your own identity provider wherein you could bypass authentication.
Hello Murali, your post is very useful.
My question is, can I get admin accounts which can add and modify only their dependent users? E.g., in your case, one vendor account (admin) has some sub-vendor accounts (real users).
Is it possible to have a dynamic sync from Azure Active Directory to the IAS so the users can be managed when they are updated from AD?
Hi Michael,
You need to purchase "SAP Identity Provisioning Service" or IPS to sync accounts dynamically between AAD and IAS.
Hi Murali,
Really fantastic blog. Thank you for sharing knowledge. I have question for you.
Let's say there are 2 vendors, P000031 and P000032. When the vendor P000031 logs in to the app, he would want to see only information relevant to his account (orders, products, etc.). How would the app know which vendor has logged in? Can you please provide some insight on how we can model a solution to show the data specific to the logged-in user (vendor)? Thank you for your advice.
PS: if there are experts who want to take the question please feel free
Cheers,
Ransome