Trust Configuration between SAP Cloud Platform Neo Account and SAP IoT Application Enablement
This blog is outdated. Please use the official documentation.
If you want to use the SAP WebIDE to access data from SAP IoT Application Enablement and you either have not configured the destinations yet, or have configured them but see no data and only receive 500 – Internal Server errors, check whether the trust between your SAP Cloud Platform Neo account and SAP IoT Application Enablement is already configured.
Creating the trust takes three steps.
I. Trust configuration in subaccount
- Open the SAP Cloud Platform cockpit: https://account.hana.ondemand.com/cockpit
- Select the global account and subaccount for which you want to set up the trust.
- In the navigation area on the left side expand Security and click on Trust.
- Within the Local Service Provider tab, click Edit and change the Configuration Type to Custom.
- Download the SCI tenant metadata using the following link:
You can find the SCI tenant name in your "Welcome to SAP IoT Application Enablement!" mail.
- Go back to your Cloud Platform Cockpit and switch to the tab Application Identity Provider.
- Click Add Trusted Identity Provider.
- Click on Browse… and select the downloaded metadata file.
- Switch to the tab Attributes and Add Assertion-Based Attribute.
- Insert Groups in both text boxes.
- Click Save.
- Go back to the Local Service Provider tab and click Get Metadata.
II. Trust configuration in SCI tenant
- Open the administration console of your SCI tenant using the following link:
- In the navigation area on the left side expand Applications & Resources and click on Applications.
- Click on +Add, enter the name of your Cloud Platform Neo account and click Save.
- Select your new application on the left and then SAML 2.0 Configuration on the right.
- Click on Browse… and select the metadata you downloaded in step 12 of the first part.
- Now go to Name ID Attribute and select E-Mail. Save your changes.
- Go to Assertion Attributes and +Add Groups. The value in the text box should be Groups. Furthermore, change the value of E-Mail to mail.
III. Trust configuration in the XSA admin UI
- Open the XSA admin UI.
You can find the SAAS tenant name in your "Welcome to SAP IoT Application Enablement!" mail.
- Click the + button at the lower left side of the page to add a new identity provider.
- Copy the XML code you downloaded in step 12 of the first section and paste it inside the field Metadata on the right side of the page.
- Click on Parse.
- Switch to the Role Collections tab and create two new entries:
- <SAAS-TENANT>-userdamin Groups equals <SAAS-TENANT>-userdamin
- <SAAS-TENANT>-thingsuperuser Groups equals <SAAS-TENANT>-thingsuperuser
Once the trust is configured, you can create the destinations in SAP Cloud Platform to access the data and use SAP WebIDE. The destination configuration can be found in the official SAP Application Enablement documentation.
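To check that a login actually carries what the three parts above set up (an e-mail Name ID, and a Groups attribute whose value matches a role collection mapping), the following added example, which is not part of the original blog or of any SAP tooling, inspects a decoded, unencrypted SAML assertion saved from a browser SAML trace. The sample assertion, the tenant name mytenant and the function name check_assertion are constructed for illustration; the script does not verify the signature, so use it only on traces from your own login.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not captured from a real tenant).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID>jane.doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Groups">
      <saml:AttributeValue>mytenant-thingsuperuser</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text, expected_groups):
    """Return a list of problems; an empty list means the assertion fits the setup.

    expected_groups: the group names entered on the Role Collections tab
    (the right-hand side of each "Groups equals ..." entry).
    """
    root = ET.fromstring(xml_text)
    problems = []

    # Part II: Name ID Attribute was set to E-Mail.
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("no NameID in Subject")
    elif "@" not in name_id.text:
        problems.append("NameID is not an e-mail address")

    # Parts I and II: assertion attribute "Groups" (the name is case-sensitive).
    groups = {
        (value.text or "").strip()
        for attr in root.findall(".//saml:Attribute", NS)
        if attr.get("Name") == "Groups"
        for value in attr.findall("saml:AttributeValue", NS)
    }
    if not groups:
        problems.append("no 'Groups' attribute in assertion")
    elif not groups & set(expected_groups):
        # Part III: no value matches a role collection mapping.
        problems.append("Groups present but none maps to a role collection")
    return problems


if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION, {"mytenant-thingsuperuser"}) or "assertion fits the trust setup")
```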