Over the past few days I have been exploring LDAP authentication (Microsoft Active Directory as an on-premise user store) for our mobile applications with HCPms, alias Mobile Application and Development. HCP provides an option known as System for Cross-domain Identity Management (SCIM) to achieve this.
The HCP documentation led to multiple options and was quite confusing; my thanks to Martin Grasshoff, who jumped in to get this working.
Some quick points and pre-requisites:
- No Neo code deployments are necessary in HCPms for this requirement
- A connectivity test of the SCIM destination is not necessary
- HCPms access and Cloud Connector access
- Working experience with Cloud Connector setup
- Active Directory host details along with user name, password, user path and group path. You can refer to the SAP HANA Cloud Platform documentation for these.
The steps covered in this blog are:
- Configure Cloud Connector with Cloud User Settings
- Create SCIM Destination in HCP
- Configure Account Security in HCPms
- Create Application ID in HCPms
- Testing Registration and Read operation
1. Configure Cloud Connector with Cloud User Settings
Note: Before proceeding with this step, ensure the Cloud Connector virtual host and ports are working, as this document does not explain the Cloud Connector setup process.
a. Log in to the Cloud Connector Admin Portal, click Settings at the top right and select Cloud User Store
b. Save the settings and close the window
2. Create SCIM Destination in HCP
Log in to HANA Cloud Platform, navigate to Connectivity -> Destinations, create a new destination and add the following details:
Note: These are the standard details for Microsoft Active Directory, and there is no need to ping the service.
You can refer to the SAP HANA Cloud Platform documentation if you need more information.
3. Configure Account Security in HCPms
Log in to HCP, navigate to Services -> Mobile -> Development and Operations -> Go to Service. Once the HCPms page is launched, click Settings in the toggle menu, then click Account Settings.
In this window you will see Basic Authentication, which allows you to configure the SCIM destination.
There are multiple options:
- Default Identity Provider: This works with the S-User ID from SAP Cloud Identity and requires the same users to be created in the Gateway systems
- HCP SCIM: This is used as the default authentication mechanism for all applications created in HCPms.
- Mobile Service SCIM: This is used when we opt for multiple authentication mechanisms, e.g. some applications may require X.509, SAML or Basic Authentication. In such scenarios the application's back-end configuration allows us to override the standard process and define the required one.
In this blog we are testing the second approach, HCP SCIM.
Configure the following settings as shown below:
Note: The URL is standard for MS Active Directory; leave the Username and Password fields blank.
Save the settings.
4. Create Application ID in HCPms
Follow the standard Application ID creation process, but ensure you use the virtual host and port number of the Cloud Connector and ping the service. You may refer to the screens below for reference.
Click on the Back End tab and enter the details as below:
Select Basic Authentication as the SSO mechanism and leave the Username and Password blank.
Ping the Application ID and ensure it is working.
5. Testing Registration and Read operation
Important note: Before you test, ensure your Active Directory and Gateway username and password are identical; only then may you continue with the test below.
Open the Postman client, enter the following details and set the Authorization (Basic Authentication):
Click Send and you should be registered successfully with a 201 Created response, as shown above. Now copy the X-SMP-APPCID and perform a GET operation as shown below.
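The same two calls that step 5 makes from Postman, as an added example in Python's standard library (this is not code from the blog or from SAP). The host, Application ID and user below are placeholders; the registration path (`/odata/applications/latest/<AppID>/Connections`) and the JSON body are assumed from the SMP/HCPms REST onboarding API and should be checked against your HCPms version. Because the flow uses Basic Authentication, the Active Directory password travels in the Authorization header, so the helper refuses any non-HTTPS URL before building a request.

```python
import base64
import json
import urllib.request
from urllib.parse import urlparse

# Placeholders (constructed for this example, not values from the blog):
# substitute your own HCPms host, Application ID and Active Directory user.
HCPMS_BASE_URL = "https://hcpms-placeholder.example.com"
APP_ID = "com.example.placeholder.app"


def basic_auth_header(username: str, password: str) -> str:
    """HTTP Basic value, i.e. base64("user:password"). This is exactly what
    Postman's Authorization tab sends, so the AD password is protected only
    by TLS between the client and HCPms."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def _require_https(base_url: str) -> None:
    # Refuse to ship Basic credentials over a cleartext URL.
    if urlparse(base_url).scheme != "https":
        raise ValueError(f"refusing to send Basic credentials over non-TLS URL: {base_url}")


def build_registration_request(base_url, app_id, username, password, device_type="Android"):
    """POST .../odata/applications/latest/<app_id>/Connections, the onboarding
    call from step 5 (path and JSON body assumed, see lead-in)."""
    _require_https(base_url)
    url = f"{base_url.rstrip('/')}/odata/applications/latest/{app_id}/Connections"
    body = json.dumps({"DeviceType": device_type}).encode("utf-8")
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Authorization", basic_auth_header(username, password))
    req.add_header("Content-Type", "application/json")
    req.add_header("Accept", "application/json")
    return req


def extract_appcid(headers) -> str:
    """Pull X-SMP-APPCID out of the 201 Created response, case-insensitively."""
    for name, value in headers.items():
        if name.lower() == "x-smp-appcid":
            return value
    raise KeyError("X-SMP-APPCID missing: the registration did not succeed")


def build_read_request(base_url, app_id, appcid, username, password, path="/"):
    """GET through the application proxy, presenting the registration id."""
    _require_https(base_url)
    url = f"{base_url.rstrip('/')}/{app_id}{path}"
    req = urllib.request.Request(url, method="GET")
    req.add_header("Authorization", basic_auth_header(username, password))
    req.add_header("X-SMP-APPCID", appcid)
    return req


def register_and_read(base_url, app_id, username, password, opener=urllib.request.urlopen):
    """Run both steps against a live HCPms; `opener` can be swapped for a stub."""
    with opener(build_registration_request(base_url, app_id, username, password)) as resp:
        if resp.status != 201:
            raise RuntimeError(f"registration failed with HTTP {resp.status}")
        appcid = extract_appcid(resp.headers)
    with opener(build_read_request(base_url, app_id, appcid, username, password)) as resp:
        return appcid, resp.status


if __name__ == "__main__":
    # Offline demonstration: build the two requests and show what would be sent
    # (nothing is transmitted; the Authorization value is not printed).
    reg = build_registration_request(HCPMS_BASE_URL, APP_ID, "jdoe", "Secret123")
    print(reg.get_method(), reg.full_url, reg.data.decode())
    read = build_read_request(HCPMS_BASE_URL, APP_ID, "<appcid-from-201-response>", "jdoe", "Secret123")
    print(read.get_method(), read.full_url, [k for k, _ in read.header_items()])
```

Run `register_and_read(HCPMS_BASE_URL, APP_ID, user, password)` with real values to reproduce the Postman flow end to end; the returned tuple is the X-SMP-APPCID and the HTTP status of the follow-up GET. If registration returns anything other than 201, check first that the AD and Gateway credentials really are identical, as the note above requires.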
This completes the configuration. I hope this helps.