Using multiple Identity Providers for a Portal site in SAP Cloud Platform
A common requirement when building applications on SAP Cloud Platform is to give access to user groups that are maintained in different Identity Providers across your organization. You are probably aware of how to set up trust with an Identity Provider in SAP Cloud Platform. Once the trust is configured, whenever a user tries to access an application deployed in that account, they are redirected to the login screen of the configured Identity Provider. The same applies to Portal sites configured in the SAP Cloud Platform account.
In this blog, I am going to show how you can set up trust with multiple Identity Providers and dynamically select the Identity Provider that authenticates the user when accessing a Portal site on SAP Cloud Platform.
Below is the solution diagram, which shows how the components connect to each other in the landscape. If you would like to create your own solution diagrams, please follow the instructions in this wiki.
The account which I am using for the demonstration here is “af2dae200”. I have already posted a blog “Setting up Authentication for Cloud Portal using Cloud Identity” where I explain in detail all the steps required to set up trust between an SAP Cloud Platform account and an Identity Provider. I have followed the same steps and configured the trust for this Cloud Platform account.
I have two Cloud Platform Identity Authentication tenants, which I am going to use as my Identity Providers. Any SAML 2.0-based Identity Provider can be used when configuring the trust.
The first one has the name “ias01” and I have configured a new application for account “af2dae200”. I have also used the “Branding and Layout” tab to provide a logo in the login page. To keep things simple, I have uploaded a picture of a flower.
Similarly, I have used another Identity Authentication tenant “hcpta” and configured a new application for account “af2dae200”. For the login page, I have uploaded a picture of a meerkat to differentiate from the other Identity Provider.
In the Cloud Platform account, I have both Identity Providers configured, and the one named “ias01” is set as the default.
I have created a Portal site in this account and published it.
When I access the Portal site with the URL below, it picks the default Identity Provider configured for the Cloud Platform account and shows its login screen. Note that the Identity Provider named “ias01” appears in the URL, and I see the picture of the flower that I configured for this Identity Provider.
If I want to force this Portal site to authenticate against the second Identity Provider, I need to add a URL parameter called saml2idp, as shown below. Its value is the name of the Identity Provider as configured in the subaccount's trust settings (here “hcpta”). The parameter only chooses among the Identity Providers already configured as trusted in the account; it cannot introduce a new one, because the platform only accepts SAML assertions from Identity Providers it has a trust configuration for. You can find this documented in the section “Using an IdP Different from the Default” of SAP Help.
As you can see, the login screen now comes from the second Identity Provider. You can try this out by clicking on the URLs above. With this approach, you can reuse apps and Portal sites within a single Cloud Platform account when providing access to multiple groups maintained across different Identity Providers, without copying individual apps or sites into separate subaccounts and configuring trust settings in each of them.
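As an added example (not code from the original post), here is a small Python helper that builds the Portal site URL with the saml2idp parameter for a given user population and refuses any Identity Provider name that is not in the subaccount's trust list. The IdP names reuse the two tenants above; the site URL, the e-mail domains and their mapping to Identity Providers are constructed assumptions for this example, not values from the post.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Identity Providers configured as trusted in the subaccount. The two
# names mirror the tenants used in the post; "ias01" is the default.
TRUSTED_IDPS = frozenset({"ias01", "hcpta"})
DEFAULT_IDP = "ias01"

# Hypothetical routing rule: which trusted IdP holds the users of a given
# e-mail domain. The domains are constructed for this example.
DOMAIN_TO_IDP = {
    "corp.example": "ias01",      # employees
    "partner.example": "hcpta",   # external partners
}

# Constructed Portal site URL (a real one carries the subaccount in the host).
SITE_URL = "https://portal.example/sites?siteId=demo"


def select_idp(email: str) -> str:
    """Pick the IdP for a user from the e-mail domain, falling back to the default."""
    domain = email.rsplit("@", 1)[-1].strip().lower()
    return DOMAIN_TO_IDP.get(domain, DEFAULT_IDP)


def site_url_for_idp(site_url: str, idp_name: str) -> str:
    """Return site_url with saml2idp set to idp_name.

    Any existing saml2idp value is replaced, and the name is checked against
    the trust list first: a value that is not a configured trust would not
    be accepted by the platform anyway, and the check keeps a caller that
    derives the name from user input from emitting an unexpected value.
    """
    if idp_name not in TRUSTED_IDPS:
        raise ValueError(f"{idp_name!r} is not a trusted identity provider")
    parts = urlsplit(site_url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "saml2idp"]
    query.append(("saml2idp", idp_name))
    return urlunsplit(parts._replace(query=urlencode(query)))


def idp_selected_by(url: str) -> str:
    """Report which IdP a URL will send the user to (the default when absent).

    A URL with more than one saml2idp value is ambiguous and is rejected, as
    is a value that is not in the trust list.
    """
    values = [v for k, v in parse_qsl(urlsplit(url).query) if k == "saml2idp"]
    if not values:
        return DEFAULT_IDP
    if len(values) > 1:
        raise ValueError("ambiguous URL: saml2idp given more than once")
    if values[0] not in TRUSTED_IDPS:
        raise ValueError(f"{values[0]!r} is not a trusted identity provider")
    return values[0]


def login_url_for(email: str, site_url: str = SITE_URL) -> str:
    """Landing-page logic: send a user to the site via the IdP for their domain."""
    return site_url_for_idp(site_url, select_idp(email))


if __name__ == "__main__":
    for user in ("alice@corp.example", "bob@partner.example", "eve@unknown.example"):
        url = login_url_for(user)
        print(f"{user:22} -> {idp_selected_by(url):6} {url}")
```

The helper is meant for a landing page or link generator that hands each population its own entry URL; the trust-list check is what matters from a security standpoint, since the parameter value ends up in a URL that users can edit.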
Thanks, Murali, for the simple explanation. Will be used quite often I expect, as many customers don't like adding 'externals' to their IdP.
Thanks. I had to verify this myself as someone raised a message that this feature wasn't working 🙂
Great stuff, Murali - thanks for sharing.
A question - is there a configuration option to add auto-failover between IdPs*? I can see a use for this where users normally authenticate using on-premise AD, for instance, that could fail over to SAP Cloud IdP if on-premise systems/connectivity is down.
*HINT: This should REALLY be on SAP's backlog for a future release 😉
When a user signs in using the IdP, it is validating the user's password directly against the on-premise AD. So, what exactly is your question? Maybe you can provide more details.
Thanks, I haven't heard of such an auto-failover option. I will check if this is being planned.
I am also searching for the same. Thank you so much. Very useful info.
Glad it was helpful
Are you able to confirm SCP Mobile Service also supports multiple IdPs via the saml2idp parameter when launching mobile applications?
I don't think that would be a good approach. Can you please explain your use case? Would you have different sets of users accessing the same mobile app but need to authenticate them differently?
We're exploring the option of having different IdPs for internal users vs. external contractors using the same mobile app hosted on SCPms. We could use the same IdP for both sets of users, but there are some license implications, so we're just trying to cover all possible options and validate the pros/cons of each.
Have you come across similar requirements at other clients and if so what would be the recommended approach?
I believe you should be able to use Conditional Authentication in Identity Authentication service to direct the user to the respective IdP (configured as corporate Identity provider) based on their email address.
Hi Murali Shanmugham,
Do you know if there is a URL parameter we can use to ‘force’ the Identity Authentication (IAS) tenant to use a particular Corporate Identity Provider that is configured in IAS, when using Conditional Authentication?
It is very annoying and confusing for our users to be prompted with an additional login screen once every 3 months to ask them to enter their email address for Conditional Authentication to then know which Corporate Identity Provider in IAS to use. We use integrated Windows authentication in our company so internal users get a 100% seamless SSO experience with our SAP Cloud applications, but when we turn on Conditional Authentication they are presented periodically with a confusing SAP logon screen to enter their email address.
In our scenario we have SAP Cloud UI5/Fiori Launchpad/Portal apps which are used by internal employees or external B2B partners. We have one SAP Cloud Identity Authentication Tenant as the IdP for the SubAccount where the above apps are all running. In that Identity Authentication Tenant we have 2 Corporate Identity Providers (ADFS) that point to different domains/user stores, one containing employees, one containing external B2B users.
We want to avoid the annoying periodic SAP logon screen generated by Conditional Authentication by giving internal users a URL which includes a parameter to instruct IAS to use the Corporate Identity Provider which contains employees and give our external B2B users a URL which includes a parameter to instruct IAS to use the Corporate Identity Provider which contains the external B2B users.
Basically we want to do the same as you have outlined in this blog at the SubAccount level with multiple IdPs, but at the Identity Authentication Tenant level instead.
Is this possible? I could not find anything in the SAP Help documentation.
Note that we don't want 2 Identity Authentication Tenants per SubAccount, and note that we cannot use IP range filtering in Conditional Authentication (which won't prompt the user to enter their email) because our apps are worldwide (we are a global company) and it would be just about impossible to accurately set all the IP range rules.
It is not clear to me how you could request a second SAP Cloud Platform Identity Authentication Tenant. Can you comment on that? Thanks.
Please reach out to the SAP Account Executive. You can request an additional tenant for test purposes free of cost.
We need expert suggestion here.
We have one UI5 app already running in an SAP Cloud Platform NEO subaccount. It is used by S-Users, using the default SAP local application Identity Provider (SAP ID Service).
Now we want to run another UI5 application in the same SCP subaccount, but we want to use a custom Identity Provider for the new application.
Is it possible to keep the old application running in the same SCP subaccount with the SAP local application Identity Provider, and the new application with the custom Identity Provider?
Will it be possible to keep both Default and Custom IdP in same SCP Subaccount?
If possible, can anyone please suggest the path forward. Thanks in advance!
This is what the blog covers. Using saml2idp parameter to pick any of the configured IdPs in the subaccount.
We have Integration services running in our sub-account and it uses the SAP ID Service for authentication. We now want to start using the SCP Mobile and Portal services where we want to authenticate against the backend MS ADFS.
How would we set this up within the same sub-account?
I don't think this is possible. Once you change the settings to a custom IdP, you will no longer be able to use the SAP ID service.
Thank you Murali. So looks like we'll need to whip up a new sub-account for the Mobile Services.