Introduction

If a cloud platform account is setup to use Identity AuthenticationService (IAS) tenant account for SAML authentication and you desire to perform user role management in the IAS tenant, then both IAS tenant as well as the Cloud Platform account need to be configured to allow mobile service cockpit access for the users created in IAS tenant.  The following assumes that the Cloud Platform account has been configured to trust the IAS tenant account as a trusted IdP.

Identity Authentication Service Account Configuration

The following describes the step by step process to manage Mobile Services Administrator group membership for users in IAS tenant:

1. Create a group in IAS tenant for “Administrators” of Cloud Platform mobile services.
2. Assign group membership to the desired users
   • Navigate to “User Management” and click on the user to assign the group to. Then click on the “Assign Groups” button at the bottom of the screen.
   • Select the desired group from the list of available groups and click on save.
3. Configure the application to include the group membership in the SAML assertion generated by the IAS tenant during user authentication.
   1. Select the application that represents the Cloud Platform account of choice and Click on “Assertion Attributes”
   2. Then click on “Add” and select “Groups” from the drop down list and save.

Cloud Platform Account Configuration

Now, the Cloud Platform account needs to be configured to map the IAS_CPms_Admin group to a group that is granted the desired roles. Following are the steps to accomplish that.

1. Navigate to the “Authorization Management” screen in Cloud Platform cockpit. Go to the “Groups” tab and click on “New Group”. Create a new group called “MobileServiceAdmin”
2. Navigate to Trust Management screen, click on “Application Identity Provider” tab and click on the trusted IdP setting that represents the IAS tenant account.
3. Click on “Groups” tab and click on “Add Assertion-Based Group” and select the “MobileServiceAdmin” group from the drop down and fill the rest as shown so that the user is a member of the group “MobileServiceAdmin” if the value of SAML assertion attribute “groups” is equal to “IAS_CPms_Admin”.
4. Navigate to “Development & Operations” under mobile service
5. click on “Configure Development & Operations”.
6. Click on “Roles”. Select the “Administrator” role and click on “Assign”. Select the group “MobileServiceAdmin” from the drop down list.
7. Now, navigate to “Configure development & Operations Cockpit” (refer to the screen in step 5) and click on “Roles”. Create a new role “MobileServicesCockpitAdministrator” and assign it to the group “MobileServiceAdmin”.
8. Click on “Destinations & Permissions”. Edit the application permissions and select the role “MobileServicesCockpitAdministrator” and save.

The above steps allow the user “p000010” (and any other p* user in the IAS tenant account that is a member of  “IAS_CPms_Admin” group in IAS account) to access the mobile services cockpit.