Skip to Content
Technical Articles
Author's profile photo Phani Kumar Arava

KeyCloak Identity Provision and Authentication for SAP CloudFoundry – Part 2

In continuation of our previous blog post , we will be focusing on adding the attributes which are being used by SAP CloudFoundry. This will be helpful for you to focus on transferring the groups and their access rights into the applications, whether they are a Simple Ui5 App, or a REST/ODATA API or it could be a Fiori Launchpad with a set of UI5 Apps embedded in them

The following are the attributes that get transferred from SAML to your Application.

User Attribute Assertion Attribute
First Name first_name
Last Name last_name
E-Mail mail
Groups Groups

We will have to configure our keycloak instance to pass the same to SAP XSUAA which will transfer the same to our Application(s)

Lets go back to our Clients to the Realm we have created in the previous tutorial and to the client we have created in our previous section.

Please use the mappers tab, to map your SAML attributes.

The mappings are already created as you can see in the screenshot. I will go into detail on two types of attributes.

  • User Property Mapper -> email, firstName, lastName



  • Group Mapper -> groups


Now that SAML Attributes are mapped. Lets see how we can map the groups from KeyCloak -> Roles Assignment in SAP CF.

You can create the User Groups and assign the same to user.

Now mapping this roles in SAP Cloudfoundry..


Backt to my Trust Management and configuring the roles to SAML. User in portal_admin will be assigned the Role Collection of AGX_PORTAL_ADMIN and so on..


In the final post we will be discussing about some more features like enabling social logins like facebook / Google /Twitter for keycloak and impersonate user identities.

Assigned Tags

      1 Comment
      You must be Logged on to comment or reply to a post.
      Author's profile photo David Sooter
      David Sooter

      Hi Kumar,

      greate post. is there a part 3 comming?