
A common requirement when building applications on SAP Cloud Platform is to give access to user groups that are maintained in different Identity Providers within your organization. You are probably familiar with setting up trust with your Identity Provider in SAP Cloud Platform. Once that trust is configured, whenever a user tries to access an application deployed in the account, they are challenged with the login screen of the configured Identity Provider. The same applies to Portal sites configured in the SAP Cloud Platform account.

In this blog, I am going to show how you can set up trust with multiple Identity Providers and dynamically select which Identity Provider authenticates the user when accessing a Portal site on SAP Cloud Platform.

Below is the Solution Diagram, which shows how the components in the landscape connect to each other. If you would like to create your own Solution Diagrams, please follow the instructions in this wiki.


The account I am using for this demonstration is “af2dae200”. I have already posted a blog, “Setting up Authentication for Cloud Portal using Cloud Identity”, which explains in detail all the steps required to set up trust between an SAP Cloud Platform account and an Identity Provider. I have followed the same steps and configured the trust for this Cloud Platform account.

I have two Cloud Platform Identity Authentication tenants, which I am going to use as my Identity Providers. You could use any SAML2-based Identity Provider when configuring the trust.

The first one is named “ias01”, and in it I have configured a new application for account “af2dae200”. I have also used the “Branding and Layout” tab to provide a logo for the login page. To keep things simple, I have uploaded a picture of a flower.

Similarly, in the second Identity Authentication tenant, “hcpta”, I have configured a new application for account “af2dae200”. For its login page I have uploaded a picture of a meerkat, to tell it apart from the other Identity Provider.

In the Cloud Platform account, both Identity Providers are configured, and the one named “ias01” is set as the default.

I have created a Portal site in this account and published it.

When I access the Portal site with the URL below, it picks the default Identity Provider configured for the Cloud Platform account and shows its login screen. Note that it has picked the Identity Provider named “ias01”, which shows up in the URL, and I see the picture of the flower that I configured for this Identity Provider.

URL: https://flpnwc-af2dae200.dispatcher.hana.ondemand.com/sites/ess

If I want to force this Portal site to authenticate against the second Identity Provider, I need to use a URL parameter called saml2idp, as shown below. This is documented in the section “Using an IdP Different from the Default” of SAP Help.

URL: https://flpnwc-af2dae200.dispatcher.hana.ondemand.com/sites/ess?saml2idp=hcpta.accounts.ondemand.com

As you can see, this now shows a different login screen, coming from the second Identity Provider. You can try this out by clicking the URLs above. Using this approach, you can reuse apps and Portal sites within a single Cloud Platform account when providing access to multiple groups maintained across different Identity Providers. You do not need to copy individual apps or sites into separate sub-accounts and configure the trust settings in each of them.
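The following is an added example and not code from the original post or from SAP: it shows how an application could build the Portal site URL with the saml2idp parameter for a given user group, while only ever linking to Identity Providers that are actually configured in the subaccount's trust settings. The site URL and the value "hcpta.accounts.ondemand.com" are taken from the post; the host "ias01.accounts.ondemand.com", the group-to-IdP mapping and the "#home" fragment are assumptions made up for the example.

```python
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Identity Providers for which trust is configured in the subaccount.
# "hcpta.accounts.ondemand.com" is the value shown in the blog; the host for
# the "ias01" tenant is an assumption for this example.
TRUSTED_IDPS = {
    "ias01": "ias01.accounts.ondemand.com",   # subaccount default IdP
    "hcpta": "hcpta.accounts.ondemand.com",
}
DEFAULT_IDP = TRUSTED_IDPS["ias01"]

# Constructed mapping from user group to the IdP that holds that group.
GROUP_TO_IDP = {
    "employees": "ias01",
    "partners": "hcpta",
}

SITE_URL = "https://flpnwc-af2dae200.dispatcher.hana.ondemand.com/sites/ess"


def idp_login_url(site_url: str, idp_host: str) -> str:
    """Return site_url with saml2idp=idp_host.

    Any existing saml2idp parameter is replaced, other query parameters and
    the fragment are preserved, and only a trusted IdP host is accepted, so a
    caller cannot be tricked into linking to an IdP the subaccount does not
    trust.
    """
    if idp_host not in TRUSTED_IDPS.values():
        raise ValueError(f"{idp_host!r} is not a trusted IdP for this subaccount")
    parts = urlsplit(site_url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "saml2idp"]
    query.append(("saml2idp", idp_host))
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(query), parts.fragment))


def login_url_for_group(site_url: str, group: str) -> str:
    """Pick the IdP that holds `group` and build the matching login URL.

    Groups without a mapping fall back to the subaccount default IdP, which
    is also what the platform uses when saml2idp is absent.
    """
    idp_name = GROUP_TO_IDP.get(group)
    idp_host = TRUSTED_IDPS[idp_name] if idp_name else DEFAULT_IDP
    return idp_login_url(site_url, idp_host)


def selected_idp(url: str) -> Optional[str]:
    """Return the IdP host named by saml2idp in `url`, or None when the
    subaccount default IdP would be used."""
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    return params.get("saml2idp")


if __name__ == "__main__":
    for group in ("employees", "partners", "contractors"):
        url = login_url_for_group(SITE_URL, group)
        print(f"{group:12s} -> {url}  (IdP: {selected_idp(url)})")
```

The allowlist check is the part worth keeping in any real deployment: the saml2idp value ends up in links you hand to users, so it should only ever be one of the hosts you have deliberately configured trust for.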



5 Comments


  1. Mike Doyle

    Thanks Murali for the simple explanation. Will be used quite often I expect as many customers don’t like adding ‘externals’ to their IdP

  2. Gareth Ryan

    Great stuff, Murali – thanks for sharing.


    A question – is there a configuration option to add auto-failover between IdPs*? I can see a use for this where users normally authenticate using on-premise AD, for instance, that could fail over to SAP Cloud IdP if on-premise systems/connectivity is down.

    G.

    *HINT: This should REALLY be on SAP’s backlog for a future release 😉

    1. Midhun VP

      When a user signs in using the IdP, it is validating the user’s password directly against the on-premise AD. So, what exactly is your question? Maybe you can provide more details.


