How to verify that the correct username is granted roles to access Mobile Services Admin cockpit
To set up access to the Mobile Service for Development and Operations cockpit from an SAP Cloud Platform account, please refer to the product documentation on “Setting Up Customer Accounts”.
When the SAP Cloud Platform account is switched from the default SAP IdP to a custom identity provider, access to the Mobile Service for Development and Operations cockpit can result in a 403 error. The 403 error indicates that the authenticated user has not been granted the roles required to access the cockpit.
Typically, following the steps outlined in “Setting Up Customer Accounts” resolves the issue. Sometimes, however, the root cause is that the username to which the roles were granted does not match the username the IdP authenticated in the SAML assertion. To see exactly which values the IdP returns to the Cloud Platform, use the “SAML tracer” add-on in Firefox or the equivalent “SAML Chrome Panel” extension in Chrome to inspect the SAML Response in the network traffic, read the authenticated username from the assertion, and confirm that the same value is used when granting the required roles.
After installing the plugin, launch SAML tracer in Firefox or open the developer tools in Chrome (press F12) before accessing the Mobile Services Cockpit.
Now navigate to the Mobile Services Cockpit URL. The SAML trace will contain the decoded SAML request sent from the Mobile Services Cockpit to the IdP. When you are redirected to the IdP login page, enter valid user credentials to authenticate to the IdP. Upon successful authentication you are redirected back to the Mobile Services Cockpit; at this point the SAML tracer will have captured the SAMLResponse posted from the IdP to the SAP Cloud Platform.
You can now examine the SAMLResponse to verify:
- the authentication status reported by the IdP
- the intended recipient/audience of the response
- the username in the NameID field. If the IdP is configured to include other user details such as email address, first name or last name, they are added as AssertionAttributes in the SAMLResponse; if you have configured one of those attributes as the source of the authenticated username in the trusted IdP configuration of your Cloud Platform account, verify the value of that attribute instead.
Make sure that the username specified in the response matches the value you used to grant the required roles as described in “Setting Up Customer Accounts”.
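The manual check above can be automated against the base64-encoded SAMLResponse form value copied from the tracer. The following is an added example, not part of the original post or of any SAP tooling; the embedded response, its NameID `P000123`, audience `example-account` and attribute names `mail`/`first_name` are all constructed sample values.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample, base64-encoded like the SAMLResponse form field that
# SAML tracer captures in the POST to the Cloud Platform (not a real IdP response).
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Subject><saml:NameID>P000123</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>example-account</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="first_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def parse_saml_response(b64_response):
    """Decode a base64 SAMLResponse and extract status, audience, NameID and attributes."""
    root = ET.fromstring(base64.b64decode(b64_response))
    status = root.find("samlp:Status/samlp:StatusCode", NS).get("Value")
    name_id = root.findtext(".//saml:Subject/saml:NameID", namespaces=NS)
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    attributes = {}
    for attr in root.findall(".//saml:Attribute", NS):
        attributes[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {"status": status, "name_id": name_id, "audiences": audiences, "attributes": attributes}


def check_role_assignment(b64_response, granted_username, source_attribute=None):
    """Compare the asserted username (NameID, or the attribute mapped to the username
    in the trusted IdP configuration) with the name the roles were granted to."""
    parsed = parse_saml_response(b64_response)
    if not parsed["status"].endswith(":Success"):
        return False, "IdP reported status %s" % parsed["status"]
    if source_attribute:
        asserted = parsed["attributes"].get(source_attribute, [None])[0]
    else:
        asserted = parsed["name_id"]
    if asserted != granted_username:
        return False, "IdP asserted %r but roles were granted to %r" % (asserted, granted_username)
    return True, "asserted username matches the role assignment"
```

The comparison is exact, so a case or domain-suffix difference between the asserted value and the granted name shows up as a mismatch, which is precisely the 403 scenario described above.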
Thanks for the detailed explanation; it's really helpful. Please explain how you see the email address, firstname, lastname attributes in the SAML response, as I couldn't find them from the browser tool.
As I mentioned in the blog, if the IdP is configured to include other user details such as email address, firstname, lastname etc., they will be added as AssertionAttributes in the SAMLResponse.