A common requirement when building applications on SAP Cloud Platform is to give access to user groups that are maintained in different Identity Providers within your organization. You are probably familiar with setting up trust with your Identity Provider in SAP Cloud Platform. After the trust is configured, whenever a user tries to access an application deployed in this account, they are challenged with the login screen of the configured Identity Provider. The same applies to Portal sites configured within the SAP Cloud Platform account.
In this blog, I am going to show how you can setup trust with multiple identity providers and dynamically select the Identity Provider to authenticate the user when accessing a Portal site on SAP Cloud Platform.
Below is the Solution Diagram which shows how the components connect to each other in the landscape. If you would like to create your own Solution Diagrams, please follow the instructions in this wiki.
The account which I am using for the demonstration here is “af2dae200”. I have already posted a blog “Setting up Authentication for Cloud Portal using Cloud Identity” where I have explained in detail all the steps required to setup trust between SAP Cloud Platform account and an Identity Provider. I have followed the same steps and configured the trust for this Cloud Platform account.
I have two Cloud Platform Identity Authentication tenants, which I am going to use as my Identity Providers. You could use any SAML 2.0-based Identity Provider when configuring the trust.
The first one has the name “ias01” and I have configured a new application for account “af2dae200”. I have also used the “Branding and Layout” tab to provide a logo in the login page. To keep things simple, I have uploaded a picture of a flower.
Similarly, I have used another Identity Authentication tenant “hcpta” and configured a new application for account “af2dae200”. For the login page, I have uploaded a picture of a meerkat to differentiate from the other Identity Provider.
In the Cloud Platform account, I have both the identity providers configured and the one with the name “ias01” is set as default.
I have created a Portal site in this account and published it.
When I try to access the Portal site with the below URL, it picks the default Identity Provider configured for the Cloud Platform account and shows its login screen. Note that it has picked the Identity Provider with the name “ias01”, which shows up in the URL, and I get to see the picture of a flower which I have configured for this Identity Provider.
If I want to force this Portal site to authenticate against the second Identity Provider, I need to use a URL parameter called saml2idp, as shown below. You can find this documented in the section “Using an IdP Different from the Default” of SAP Help.
As you can see, this now provides a different login screen coming from the second Identity Provider. You can try this out by clicking on the above URLs. Using this approach, you should be able to reuse apps/portal sites within a Cloud Platform account when providing access to multiple groups maintained across different identity providers. You do not need to copy individual apps/sites into separate sub-accounts and configure the trust settings in each of them.
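As an added example (not part of the original post or of SAP's own tooling), the helpers below build per-Identity-Provider entry links for the Portal site using the saml2idp parameter from the post, and check which trusted IdP an existing link will authenticate against. The parameter name and the IdP names “ias01” and “hcpta” come from the post; the site URL is a constructed placeholder, and the allow-list is assumed to mirror the trust configuration of the account.

```python
"""Build and check Portal site links that pin the Identity Provider via saml2idp.

The parameter name and the IdP names come from the post; SITE_URL is a
constructed placeholder and TRUSTED_IDPS is assumed to mirror the account's
trust configuration (default IdP first).
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Names of the Identity Providers trusted by the account; the first is the default.
TRUSTED_IDPS = ("ias01", "hcpta")
DEFAULT_IDP = TRUSTED_IDPS[0]

# Constructed placeholder for the published Portal site URL (not a real host).
SITE_URL = "https://flpportal-af2dae200.example.invalid/sites"


def build_idp_link(site_url: str, idp_name: str) -> str:
    """Return site_url with saml2idp set to idp_name, keeping other query parameters.

    Raises ValueError for a name that is not in the account's trust list, so a
    typo or an untrusted IdP name never ends up in a link handed to users.
    """
    if idp_name not in TRUSTED_IDPS:
        raise ValueError(f"unknown identity provider: {idp_name!r}")
    parts = urlsplit(site_url)
    # Drop any saml2idp already present so the link carries exactly one value.
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "saml2idp"]
    query.append(("saml2idp", idp_name))
    return urlunsplit(parts._replace(query=urlencode(query)))


def idp_for_link(url: str) -> str:
    """Return the IdP a link authenticates against.

    Without saml2idp the account default applies. A value naming an untrusted
    IdP, or a duplicated parameter, raises ValueError; that is the case worth
    flagging when reviewing links that point users at the site.
    """
    values = [v for k, v in parse_qsl(urlsplit(url).query) if k == "saml2idp"]
    if not values:
        return DEFAULT_IDP
    if len(values) > 1 or values[0] not in TRUSTED_IDPS:
        raise ValueError(f"unexpected saml2idp value(s): {values}")
    return values[0]


if __name__ == "__main__":
    for name in TRUSTED_IDPS:
        link = build_idp_link(SITE_URL, name)
        print(name, "->", link, "->", idp_for_link(link))
```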