HCP Mobile Development & Operations (HCPms) with LDAP/SCIM Authentication
For the past few days, I have been exploring LDAP authentication (Microsoft Active Directory as an on-premise user store) for our mobile applications with HCPms, alias Mobile Application and Development. HCP provides an option known as System for Cross-domain Identity Management (SCIM) to achieve this.
The HCP documentation led to multiple options and was quite confusing; my thanks to Martin Grasshoff, who jumped in to get this working.
Some quick points and prerequisites:
- No neo code deployments are necessary in HCPms for this requirement
- A connectivity test of the SCIM destination is not necessary
- HCPms access and Cloud Connector access
- Working experience with Cloud Connector setup
- Active Directory host details along with user name, password, user path and group path. You can refer to the SAP HANA Cloud Platform documentation for details.
The steps covered below are:
1. Configure Cloud Connector with Cloud User Settings
2. Create SCIM Destination in HCP
3. Configure Account Security in HCPms
4. Create Application ID in HCPms
5. Testing Registration and Read operation
1. Configure Cloud Connector with Cloud User Settings
Note: Before proceeding with this step, ensure the Cloud Connector virtual host and ports are working, as this document does not explain the Cloud Connector setup process.
a. Log in to the Cloud Connector Admin Portal, click Settings at the top right and select Cloud User Store.
b. Save the settings and close the window.
2. Create SCIM Destination in HCP
Log in to HANA Cloud Platform, navigate to Connectivity -> Destinations, create a new destination and add the following details:
Note: These are the standard details for Microsoft Active Directory, and there is no need to ping the service.
You can refer to the SAP HANA Cloud Platform documentation if you need more details.
3. Configure Account Security in HCPms
Log in to HCP and navigate to Services -> Mobile -> Development and Operations -> Go to Service. Once the HCPms page is launched, click Settings in the toggle menu and then Account Settings.
In this window you will see Basic Authentication, which allows you to configure the SCIM destination.
There are multiple options:
- Default Identity Provider: This works with the S-User ID from SAP Cloud Identity and requires the same users to be created in the Gateway systems.
- HCP SCIM: This is used as the default authentication mechanism for all of the applications created in HCPms.
- Mobile Service SCIM: This is used when we opt for multiple authentication mechanisms, for example when some applications require X.509, SAML or Basic Authentication. In such scenarios the application's back-end settings allow us to override the standard process and define the required mechanism.
In this blog, we are testing the second approach, HCP SCIM.
Configure the following settings as shown below:
Note: The URL is standard for MS Active Directory; leave the Username and Password fields blank.
Save the settings.
4. Create Application ID in HCPms
Follow the standard Application ID creation process, but ensure you use the virtual host and port number of the Cloud Connector and ping the service. You may refer to the screens below for reference.
Click the Back End tab and enter the details as below:
Select Basic Authentication as the SSO Mechanism and leave the Username and Password blank.
Ping the Application ID and ensure it is working.
5. Testing Registration and Read operation
Important Note: Before you test, ensure your Active Directory and Gateway user name and password are identical; only then may you continue to test as below.
Open the Postman client, enter the following details and set the Authorization:
Click Send; the registration should succeed with a 201 Created response, as shown above. Now copy the X-SMP-APPCID header and perform a GET operation as shown below.
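The same two calls as a script, added here as an example that is not part of the original post and not HCPms' own code. It assumes (the post does not state them) that the onboarding endpoint is `https://<host>/odata/applications/latest/<app id>/Connections`, that the registration body is JSON, and that the read is a GET on the `Connections('<appcid>')` entity; host, application ID and credentials are placeholders. The Basic credentials are the Active Directory ones, which the post requires to match the Gateway ones, and they travel on every request, so only ever send them over HTTPS; the returned X-SMP-APPCID identifies the registration and should be handled like a session token.

```python
"""Registration (POST) and read (GET) against HCPms, mirroring the Postman
steps. Endpoint layout and JSON body are assumptions, not taken from the post."""
import base64
import json
import urllib.request


def basic_auth_header(username: str, password: str) -> str:
    """Value of the Authorization header Postman builds from user/password.
    These must be the Active Directory credentials (identical to the Gateway
    credentials, as the post's note requires)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def registration_request(host, app_id, username, password, device_type="iPhone"):
    """POST .../Connections registers the device; HCPms answers 201 Created
    with an X-SMP-APPCID header (assumed URL layout, placeholder host/app id)."""
    url = f"https://{host}/odata/applications/latest/{app_id}/Connections"
    body = json.dumps({"DeviceType": device_type}).encode("utf-8")
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Authorization", basic_auth_header(username, password))
    req.add_header("Content-Type", "application/json")
    return req


def read_request(host, app_id, appcid, username, password):
    """GET the connection entity back, presenting the X-SMP-APPCID obtained
    at registration together with the same Basic credentials."""
    url = f"https://{host}/odata/applications/latest/{app_id}/Connections('{appcid}')"
    req = urllib.request.Request(url, method="GET")
    req.add_header("Authorization", basic_auth_header(username, password))
    req.add_header("X-SMP-APPCID", appcid)
    return req


def register_and_read(host, app_id, username, password, opener=urllib.request.urlopen):
    """Run both calls and return (appcid, parsed read response).
    `opener` is injectable so the flow can be exercised without network access."""
    with opener(registration_request(host, app_id, username, password)) as resp:
        if resp.status != 201:
            raise RuntimeError(f"registration failed: HTTP {resp.status}")
        appcid = resp.headers.get("X-SMP-APPCID")
        if not appcid:
            raise RuntimeError("201 Created but no X-SMP-APPCID header in response")
    with opener(read_request(host, app_id, appcid, username, password)) as resp:
        if resp.status != 200:
            raise RuntimeError(f"read failed: HTTP {resp.status}")
        return appcid, json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Placeholder values; replace with your HCPms host, application ID and AD user.
    appcid, entity = register_and_read(
        "hcpms.example.invalid", "com.example.app", "jdoe", "Secret1"
    )
    print("registered as", appcid)
    print(json.dumps(entity, indent=2))
```

A failed lookup of the user against Active Directory surfaces as an HTTP error on the POST (urllib raises `HTTPError` for 4xx/5xx before the status check runs), which is the quickest way to tell an HCPms account-security problem apart from a Gateway back-end problem: the first call only involves the SCIM destination, the second also exercises the application's back end.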
This completes the configuration. Hope this helps.
Great write-up, thanks for sharing!
Hi Nagesh, Thanks for posting on this topic. Someone asked me the setup of this scenario last week and this post will be helpful.
I am glad it helped.
Thanks for your sharing. It's really helpful to our project.
After all these steps, how are we going to use it to call the back-end service (.../sap/opu/odata/xxx) on mobile devices? I still get a connection data error after finishing the steps above on my iPhone.
Please raise your question in the forum so that it will help the community find the answers. Please share any screenshots and error details in the query.
Please post your question in the forum and also include the error message details and any screenshot of the error. I hope you have got this working in the RESTClient for testing.
Even after 6 years this blog is helpful. A few of the naming conventions and UI tiles have changed in the SAP Mobile Services cockpit.
I have a question: in the same way as above, can we achieve this setup with SAP IAS (Identity Authentication Services)? What do we need to define as the URL for SAP IAS, as IAS is the cloud-based SAP IdP and we don't need to configure anything in the Cloud Connector; only the destination needs to be defined.
I am not sure what URL pattern to use for SAP IAS as the IdP for application authentication in SAP CPMS.
Could you please help me with this.
Thanks and Regards