
How to Guide – Easy group/role mapping between SCP and AD-FS


There are quite a few blog articles that explain how to use AD-FS as an identity provider for SAP Cloud Platform.

A great example of this is the blog article by my colleague Michael Van Cutsem.

The topic I want to cover here is how you can re-use the groups/roles that are defined in AD-FS to map users to groups inside SCP.

Basic example

The basic case is also covered quite frequently already. If you have, for example, an SCP group for MANAGERS and one for EMPLOYEES, you can create a claim rule in AD-FS that returns whether a user is an EMPLOYEE or a MANAGER as a SAML 2.0 attribute.

This has the disadvantage that each time you want to rework the group structure, you need to modify the claim rule inside AD-FS. Since AD-FS is most likely managed by a different team within your organisation, this is often not a quick change.

Fetch all groups in one attribute

A more generic way is to fetch all groups/roles that a user is a member of from AD-FS in one go. The filtering can then be performed on the SCP side.

The claim rule to get this information is:

Assertion-based groups with Regular Expressions

Once this claim rule is configured, you can implement the required groups and filters on the SCP side.

To do this, go to your SCP subaccount, then to Trust -> your AD-FS IdP.

Now select the Groups tab and go to Assertion-Based Groups to set up the required group mappings using regular expressions.
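The two steps above (pass every AD-FS group in one multi-valued attribute, then filter with regular expressions on the SCP side) are easier to reason about with a small simulation. The following is an added example, not code from the original post and not SAP's implementation of assertion-based groups: it parses a constructed SAML 2.0 assertion in which AD-FS has issued all group memberships as a multi-valued attribute, and evaluates cockpit-style rules of the form (SCP group, attribute name, regular expression). Assumptions: the groups are issued under the standard Microsoft role claim type URI, the CONTOSO domain and all group names are invented, and a rule is treated as satisfied when at least one attribute value matches the expression in full. Confirm the real matching semantics against the platform documentation and test with an assertion captured from your own AD-FS before relying on a pattern. The example also shows the mistake the comment below hints at: with 20 groups in the attribute, a pattern that starts with `.*` to skip the domain prefix can match more groups than intended.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample assertion (not captured from a real AD-FS). One Attribute
# with several AttributeValue children is what AD-FS issues when a claim rule
# passes all group memberships in one go. Domain, groups and issuer are invented.
SAML_ASSERTION = r"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2018-01-01T00:00:00Z">
  <saml:Issuer>http://adfs.contoso.example/adfs/services/trust</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
      <saml:AttributeValue>CONTOSO\Domain Users</saml:AttributeValue>
      <saml:AttributeValue>CONTOSO\SCP_MANAGERS</saml:AttributeValue>
      <saml:AttributeValue>CONTOSO\SCP_EMPLOYEES</saml:AttributeValue>
      <saml:AttributeValue>CONTOSO\NOT_SCP_ADMINS</saml:AttributeValue>
      <saml:AttributeValue>CONTOSO\VPN Users</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname">
      <saml:AttributeValue>CONTOSO\jdoe</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
ACCOUNT_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"

# Rules in the shape of the cockpit form: (SCP group, attribute, regex).
# Each expression names the domain prefix explicitly, so a group such as
# NOT_SCP_ADMINS cannot satisfy the ADMINS rule.
STRICT_RULES = [
    ("MANAGERS", ROLE_CLAIM, r"CONTOSO\\SCP_MANAGERS"),
    ("EMPLOYEES", ROLE_CLAIM, r"CONTOSO\\SCP_(MANAGERS|EMPLOYEES)"),
    ("ADMINS", ROLE_CLAIM, r"CONTOSO\\SCP_ADMINS"),
    # A rule may use another attribute: every CONTOSO account gets a base group.
    ("CONTOSO_USERS", ACCOUNT_CLAIM, r"CONTOSO\\.*"),
]

# The tempting shortcut: a leading ".*" to ignore the domain part. The ADMINS
# rule then also matches "CONTOSO\NOT_SCP_ADMINS" and grants admin rights by accident.
LOOSE_RULES = [
    ("MANAGERS", ROLE_CLAIM, r".*SCP_MANAGERS"),
    ("EMPLOYEES", ROLE_CLAIM, r".*SCP_(MANAGERS|EMPLOYEES)"),
    ("ADMINS", ROLE_CLAIM, r".*SCP_ADMINS"),
]


def attribute_values(assertion_xml: str) -> dict[str, list[str]]:
    """Return every attribute of the AttributeStatement as name -> list of values."""
    root = ET.fromstring(assertion_xml)
    values: dict[str, list[str]] = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = attr.get("Name", "")
        for value in attr.findall("saml:AttributeValue", SAML_NS):
            values.setdefault(name, []).append((value.text or "").strip())
    return values


def map_groups(assertion_xml: str, rules) -> set[str]:
    """Grant an SCP group when any value of the rule's attribute matches the
    rule's regular expression in full (full-value matching is an assumption of
    this example; verify it against the platform before relying on it)."""
    attrs = attribute_values(assertion_xml)
    granted: set[str] = set()
    for group, attribute, pattern in rules:
        regex = re.compile(pattern)
        if any(regex.fullmatch(v) for v in attrs.get(attribute, [])):
            granted.add(group)
    return granted


if __name__ == "__main__":
    print("strict rules:", sorted(map_groups(SAML_ASSERTION, STRICT_RULES)))
    print("loose rules :", sorted(map_groups(SAML_ASSERTION, LOOSE_RULES)))
```

With the strict rules the user lands in MANAGERS, EMPLOYEES and CONTOSO_USERS; with the loose rules the same assertion also yields ADMINS, purely because of the `.*` prefix. Keep the expressions as specific as the group names allow, and re-run a check like this whenever the AD-FS side starts issuing new groups.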

This technique might make maintaining your SCP groups a bit easier.

Diether De Coninck

SAP Senior Mobile/UX consultant


1 Comment


  1. Phil Cooley

    Thanks Diether De Coninck, appreciate that. The mapping rules though are cut off in your screenshot. Are you able to update with the mapping rule values you have there?

    Assuming it would be something like ….2008/06/identity/claims/role ?

    Would also be good to understand if you need to include the Windowsaccountname attribute in the overall set-up, and also a reference to where the Issuer value would be.

    In the past I’ve actually passed through the group claim but I’m not clear on what the settings should be when the user is assigned to 20 groups but we are only interested in one of them. From the documentation it looks like ‘/’ as well as ‘*’ can be used, but their use is not explained anywhere I have seen. Any more info on this would be great as well.

