“SAP Cloud Platform, mobile service for app and device management” is the new name for SAP Mobile Secure – this is the Mobile Device Management, Mobile Application Management solution on the cloud.
“SAP Cloud Platform Identity Authentication” is the new name for SAP Cloud Identity – this is an identity lifecycle management solution for SAP Cloud Platform. i.e it provides services for authentication, SSO etc. For example, if I am using an application or service on SAP Cloud Platform I could authenticate against SAP Cloud Platform Identity Authentication or to a corporate user store like LDAP or SAP NW through SAP Cloud Platform Identity Authentication.
It doesn’t mean that it is mandatory to use SAP Cloud Platform Identity Authentication, SAP Cloud Platform supports SAML 2.0 Identity Providers. So, if you are already using a SAML 2.0 IDP you could use it with SAP Cloud Platform.
SAP Cloud Platform mobile service for app and device management with SAP Cloud Platform Identity Authentication
Service for app and device management automatically identifies that Cloud Platform is configured with SAP Cloud Platform Identity Authentication. So, when an admin/user try to access app & device management admin console or mobile place it will be automatically redirected to the Identity Authentication login page as given below.
Note: https://pmdemo.accounts.ondemand.com is the Cloud Platform Identity Authentication page being redirected to. There are requests from customers to customize this URL but it is not possible right now, the product team might consider this in the future.
As an app & device management administrator, the first step is to give users with right roles. You could do it by going to “Configure app & device management” page as given below. Note that the User ID to be assigned depends on the Name ID Attribute configured on Identity Authentication.
In my case the Name ID attribute is User ID. So I assigned roles to P000042 in the above step.
When you are successfully logged into the admin console you might be missing some attributes like first name, last name and email.
In order to pass these attributes from Identity Authentication you need to define assertion attributes. To do that, from Cloud Platform cockpit > Security > Trust > Application Identity Provider > click on tenant URL. Then add the attributes as given below.
In the above process there is a one more step you need to do – you have to set SAML Assertion Attributes values in Identity Authentication Application as well. If you want to pass more values such as company or department to Cloud Platform you have to add it in Identity Authentication as well as in Cloud Platform.
So, to skip the additional step you can add a single attribute with value star as given below. In this case you need to add attributes only in Identity Authentication.
Note: if you are adding * instead of attribute values make sure that the SAML Assertion Attributes of your Identity Authentication Application are correct. In the case of app and device management it is expecting firstname, lastname, email as attributes. But the default value in Identity Authentication Application is first_name, last_name, mail it has to be edited as given below to work. You also have to make sure that the below step do not affect other applications on Cloud Platform. Ex. Web IDE might be expecting first_name instead of firstname.
Once you are able to see these values you can get started with User Enrollment.
If the values didn’t appear after the changes, logout and login.
Note: When you are missing the above configuration you might not be able to access the MDM admin console under Devices menu.
SAP Cloud Platform Customer Success Team