Murali Shanmugham

Building Portal Sites on SAP Cloud Platform Cloud Foundry – Configuring Identity Provider and Authentication setup

In the previous blog post, I walked through the steps required to set up role collections and assign them manually to end users. In this blog post, I will focus on how to map groups of users from an Identity Provider to Role Collections. This involves setting up trust between the Identity Provider and the Portal site on the SAP Cloud Platform Cloud Foundry environment. It is essential when you plan to roll out your portal site to end users and need to assign the relevant apps to them based on their roles. For this blog, the Identity Provider I have used is the SAP Cloud Platform Identity Authentication service (IAS).

Below are the steps you need to follow to set up trust between the Identity Authentication service and your SAP Cloud Platform Cloud Foundry subaccount.

1) Download the SAML Metadata file from Identity Authentication service (IAS)

Navigate to your IAS tenant and, under “Applications & Resources”, open Tenant Settings to download the Metadata File.

2) Download the SAML Metadata file from SAP Cloud Platform subaccount

To obtain the metadata file, query the SAML metadata endpoint of the UAA (User Account and Authentication server) of your subaccount in a separate browser tab, using the URL below:

https://<tenant_name>.authentication.<region>.hana.ondemand.com/saml/metadata

tenant_name = the Subdomain value shown in the Overview menu of your subaccount

region = the API Endpoint of your subaccount with the “api.cf.” prefix removed (for example, api.cf.eu10.hana.ondemand.com gives the region eu10)

3) Create a new Trust Configuration in Cloud Foundry Subaccount

In your subaccount, create a new Trust Configuration.

Upload the IAS metadata file you downloaded in step 1 and provide a name for the configuration.

4) Create a new Application for the Subaccount in IAS

Navigate to the Applications menu in IAS and create a new application. Under “SAML 2.0 Configuration”, upload the SAML metadata file obtained from the Cloud Platform subaccount in step 2. Under “Subject Name Identifier”, ensure that the value is set to “E-Mail”.

Under “Assertion Attributes”, add “Groups” (case-sensitive). This attribute carries the user's IAS group names in the SAML assertion, and the Role Collection mapping in step 6 matches on the attribute name exactly as it is sent, so the spelling and capitalisation must be identical. This is explained further in SAP Help.

 

5) Create IAS Groups and map them to users

In IAS, I have created two groups: “CI_Portal” for admin users and “mysales” for business users. I have assigned these groups to the respective users in IAS as shown below.

6) Mapping of groups to Role Collections

Navigate to the “Trust Configuration” menu of the Cloud Foundry subaccount and select the custom IdP configuration for IAS. In the “Role Collection Mapping” menu, create new entries that map existing Role Collections to IAS groups (as shown below). Notice that no Role Collection is assigned manually to a user; manual assignment is still possible from the next menu on this screen, but with group mapping it is not needed.

Finally, disable the SAP ID Service (the default identity provider), since IAS will be the IdP going forward. Before you do so, confirm that a user in the IAS admin group can log on to the site through IAS: once the SAP ID Service is disabled, users who only have SAP ID credentials can no longer authenticate against the subaccount.
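Steps 2 and 3 exchange metadata blindly through the browser. The following script, added here as an example and not code from the original post or from SAP, derives the UAA metadata URL from the subdomain and API endpoint exactly as described in step 2 and then checks the service-provider metadata (signing certificate present, assertions required to be signed, an HTTPS HTTP-POST AssertionConsumerService on the same host) before it is uploaded to IAS in step 4. The URL pattern and the “remove api.cf” rule come from the post; how the region is cut out of the endpoint hostname is this example's reading of that rule, and the metadata document embedded below is a constructed minimal sample, not real UAA output.

```python
"""Derive the UAA SAML metadata URL of a Cloud Foundry subaccount and check the
service-provider (SP) metadata before uploading it to IAS.

Added example, not code from the original post or from SAP.  The URL pattern
and the "remove api.cf" rule come from the post; how the region is cut out of
the API endpoint hostname is this example's reading of that rule.  The metadata
document below is a constructed, minimal sample, not real UAA output.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def uaa_metadata_url(subdomain: str, api_endpoint: str) -> str:
    """https://<subdomain>.authentication.<region>.hana.ondemand.com/saml/metadata

    <region> is the API endpoint host with the 'api.cf.' prefix removed, i.e.
    api.cf.eu10.hana.ondemand.com -> eu10.  An endpoint of any other shape is
    rejected instead of guessed at.
    """
    host = urlparse(api_endpoint).hostname or api_endpoint
    if not host.startswith("api.cf."):
        raise ValueError(f"unexpected API endpoint host: {host}")
    region = host[len("api.cf."):].split(".")[0]
    if not region or not subdomain:
        raise ValueError("subdomain and region must be non-empty")
    return f"https://{subdomain}.authentication.{region}.hana.ondemand.com/saml/metadata"


def summarize_sp_metadata(xml_text: str) -> dict:
    """Pull out the fields worth eyeballing before the trust is established."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service-provider metadata")
    certs = []
    for kd in sp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' means signing and encryption
            certs += [c.text.strip()
                      for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
                      if c.text]
    return {
        "entity_id": root.get("entityID"),
        "want_assertions_signed": sp.get("WantAssertionsSigned", "false").lower() == "true",
        "signing_certs": certs,
        "acs": [(a.get("Binding"), a.get("Location"))
                for a in sp.findall("md:AssertionConsumerService", NS)],
        "name_id_formats": [n.text.strip() for n in sp.findall("md:NameIDFormat", NS) if n.text],
    }


def check_sp_metadata(summary: dict, metadata_url: str) -> list:
    """Return the problems found; an empty list means the metadata looks right."""
    expected_host = urlparse(metadata_url).hostname
    problems = []
    if not summary["signing_certs"]:
        problems.append("no signing certificate: IAS cannot verify signed requests")
    if not summary["want_assertions_signed"]:
        problems.append("WantAssertionsSigned is false")
    post_acs = [loc for binding, loc in summary["acs"] if binding == HTTP_POST]
    if not post_acs:
        problems.append("no HTTP-POST AssertionConsumerService")
    for loc in post_acs:
        u = urlparse(loc)
        if u.scheme != "https" or u.hostname != expected_host:
            problems.append(f"ACS {loc} is not https on {expected_host}")
    return problems


# Constructed sample of what the endpoint returns (shape only; the certificate is a placeholder).
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="mysub.authentication.eu10.hana.ondemand.com">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://mysub.authentication.eu10.hana.ondemand.com/saml/SSO"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    url = uaa_metadata_url("mysub", "https://api.cf.eu10.hana.ondemand.com")
    print("fetch:", url)  # in practice: requests.get(url).text instead of the sample
    summary = summarize_sp_metadata(SAMPLE_SP_METADATA)
    print("entityID:", summary["entity_id"])
    for line in check_sp_metadata(summary, url) or ["metadata OK"]:
        print(" -", line)
```

Run it against the real document by replacing SAMPLE_SP_METADATA with the response body of the metadata URL; the same checks apply to the IAS metadata from step 1 only in part, since that document carries an IDPSSODescriptor rather than an SPSSODescriptor.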

It is now time to test the Portal site. When I try to access it, I am now prompted with a login screen from IAS.

When I log in as a business user, my IAS group (mysales) is mapped to the Role Collection (Sales) during the authentication process and I get to see the Sales Order app.

If you turn on a SAML tracer extension in the browser, you can see the attribute values being passed from IAS to the Portal site. Notice that the attribute “Groups” is passed with the IAS group, which is then mapped to the role collection. Because the mapping is evaluated from the assertion at logon, a change to a user's IAS group membership takes effect the next time that user logs in.
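To make the mapping step concrete, the following script, added here as an example and not code from the original post or SAP's implementation, extracts the NameID and the attributes from a SAML assertion and applies a role collection mapping of the kind configured in step 6. It goes slightly beyond the post's single case: a user in both groups receives both role collections, and an attribute named “groups” instead of “Groups” yields nothing, which is the case-sensitivity warning from step 4. Signature, audience and validity-period checks are performed by the UAA before this point and are not modelled. The assertion is a constructed sample, and “Portal_Admin” is an assumed name for the admin role collection, which the post does not name.

```python
"""Model of the role-collection mapping applied to an IAS SAML assertion.

Added example, not part of the post and not SAP's implementation.  Only the
attribute-to-role-collection step is shown; signature, audience and
validity-period checks happen in the UAA before this point.  The assertion
is a constructed sample; "Portal_Admin" is an assumed role collection name
for the CI_Portal group (the post does not name it).
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2": SAML2}

# One row per mapping entry, as in the cockpit: attribute name, value, role collection.
ROLE_COLLECTION_MAPPING = [
    ("Groups", "mysales", "Sales"),
    ("Groups", "CI_Portal", "Portal_Admin"),  # assumed role collection name
]


def sample_assertion(email: str, groups: list) -> str:
    """Constructed sample assertion carrying a Groups attribute (not real IAS output)."""
    values = "".join(f"<saml2:AttributeValue>{escape(g)}</saml2:AttributeValue>" for g in groups)
    return f"""<saml2:Assertion xmlns:saml2="{SAML2}" ID="_example" Version="2.0">
  <saml2:Issuer>https://ias-tenant.example/</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">{escape(email)}</saml2:NameID>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="Groups">{values}</saml2:Attribute>
    <saml2:Attribute Name="first_name"><saml2:AttributeValue>Sales</saml2:AttributeValue></saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def extract_attributes(assertion_xml: str):
    """Return (NameID, {attribute name: [values]}) from an assertion."""
    root = ET.fromstring(assertion_xml)
    if root.tag != f"{{{SAML2}}}Assertion":
        raise ValueError("not a SAML 2.0 Assertion")
    name_id = root.findtext("saml2:Subject/saml2:NameID", namespaces=NS)
    attrs = {}
    for attr in root.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml2:AttributeValue", NS) if v.text]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return name_id, attrs


def map_role_collections(attrs: dict, mapping=ROLE_COLLECTION_MAPPING) -> set:
    """Grant a role collection for every mapping row whose attribute holds the value.

    Attribute name and value are compared exactly (case-sensitive), so a "groups"
    attribute never matches a "Groups" mapping entry.
    """
    return {rc for attr_name, expected, rc in mapping if expected in attrs.get(attr_name, [])}


if __name__ == "__main__":
    for email, groups in [("sales.user@example.com", ["mysales"]),
                          ("admin.user@example.com", ["mysales", "CI_Portal"])]:
        name_id, attrs = extract_attributes(sample_assertion(email, groups))
        print(name_id, "->", sorted(map_role_collections(attrs)))
```

Note that the value “Sales” in the first_name attribute grants nothing: mapping rows are scoped to the attribute name, which is why step 4 insists on the exact attribute “Groups”.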

If you would like to know more about configuring IAS as a proxy for authenticating users against Azure AD, you can refer to my blog post “Integrating Identity Authentication service & Azure Active Directory in SAP Cloud Platform – Proxy & Conditional Authentication scenarios – Part 3”.

For configuring trust directly between Azure AD and a Cloud Foundry subaccount, you can follow the blog post by Lucas Vaccaro, “How to integrate Azure AD with SAP Cloud Platform Cloud Foundry”.


      4 Comments
      Phil Cooley

      Thanks Murali Shanmugham for sharing the steps!

      Alejandro Sensejl

      Hi Murali,

      thanks for your blog series. Great read!

I am currently trying to figure out the authentication setup with the backend system.

Do I understand correctly that the setup described in this blog is specifically for login at the portal with credentials from the IdP? If so, how can I also log in with IdP credentials at the SAP backend to fetch data?

      Thanks for your help!!

      Best regards,

      Alej

      Prashant Patil

      Hi Murali Shanmugham

      Nice blog!

I have one query on User Groups in IAS.

Is there any possibility to add a default group in IAS which is assigned to all existing users, including newly registering users as well?

I have a specific role collection created in CF, and that role collection should be assigned to all users in my IAS.

       

      Please suggest any other approach if you have to achieve this.

       

      Thanks!

      Prashant.

      Prashant Patil

      Hi Murali,

I figured out the resolution for this: I set the Group Name in Default Attributes, and it works.

       

      Thanks.

      Prashant