SAP Cloud Platform Authentication – SAML Assertion & Principal Attribute Mappings
This blog builds on a series of blog posts published back in late 2018. When dealing with more than one user store (on-prem AD and Azure ADFS) to authenticate users in SAP Cloud Platform, make sure the SAML attribute mappings are done correctly for each identity provider. I will show a scenario of what happens with an incorrect mapping and how to fix it.
The architecture diagram depicts all the key elements involved in supporting multiple user stores for user authentication in the SAP Cloud Platform Portal service.
- Trust is established between SAP Cloud Platform (SCP) and IAS (Identity Authentication Service)
- An application in IAS is configured to connect to the corporate LDAP via Cloud Connector
- Trust is established between IAS and Microsoft Azure to support ADFS login
- Conditional authentication is set up in IAS to route authentication to the right user store based on the user's email address
Let's compare the SAML responses from corporate AD and Azure ADFS.
The Azure SAML response carries the attribute names as full claim schema URIs (for example http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname), whereas the on-prem AD response uses short attribute names, as depicted in the diagram above. A mapping that only references the short names therefore resolves nothing for an Azure user, and the first name and last name stay empty in the Cloud Portal. Maintain the attribute mappings in SAP Cloud Platform for both naming conventions so that the first name and last name of the logged-in user show up regardless of which identity provider issued the assertion.
Mapping is done under Security > Trust > Application Identity Provider > Select IAS tenant > Attributes. Each Cloud Platform principal attribute is mapped to the SAML assertion attribute that the identity provider actually issues; the assertion attribute name entered here must match the Name in the assertion exactly, including the full schema URI for Azure-issued attributes.
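The mapping logic described above, as an added illustration that is not SAP code: two constructed assertion fragments (short attribute names for the on-prem AD user, claim URIs for the Azure user) are parsed and resolved against an on-prem-only mapping and a combined mapping. The principal attribute names `firstname`, `lastname` and `email` are assumed for the example; real assertions must be signature-verified before any attribute is trusted.

```python
"""Resolve SAML assertion attributes from two IdPs onto principal attributes.

Added example, not SAP Cloud Platform code. The assertion fragments are
constructed samples; the attribute names follow the two conventions being
compared: short names (first_name, last_name) and Azure AD claim URIs.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: attributes as issued for an on-prem AD user (short names).
ONPREM_ASSERTION = """
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="first_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="last_name"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>jane.doe@corp.example</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Constructed sample: the same user from Azure AD, where attribute names are claim URIs.
AZURE_ASSERTION = """
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><saml:AttributeValue>jane.doe@corp.example</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Mapping maintained only for the on-prem store: incorrect once Azure users log in.
# Principal attribute names on the left are assumed for this example.
ONPREM_ONLY_MAPPING = {
    "firstname": ["first_name"],
    "lastname": ["last_name"],
    "email": ["mail"],
}

# Corrected mapping: each principal attribute accepts both naming conventions.
COMBINED_MAPPING = {
    "firstname": ["first_name", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"],
    "lastname": ["last_name", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"],
    "email": ["mail", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"],
}


def extract_attributes(assertion_xml):
    """Return {attribute Name: [values]} from the assertion's AttributeStatement.

    Only call this on an assertion whose XML signature has already been
    verified against the trusted IdP certificate; attributes from an
    unverified assertion are attacker-controlled.
    """
    root = ET.fromstring(assertion_xml.strip())
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values
    return attrs


def map_principal(attrs, mapping):
    """Resolve principal attributes from assertion attributes.

    Names are compared exactly (no case folding, no URI stripping), which is
    why a short-name-only mapping yields nothing for a claim-URI assertion.
    Returns (resolved, missing).
    """
    resolved, missing = {}, []
    for principal_attr, candidates in mapping.items():
        value = next((attrs[c][0] for c in candidates if attrs.get(c)), None)
        if value is None:
            missing.append(principal_attr)
        else:
            resolved[principal_attr] = value
    return resolved, missing


if __name__ == "__main__":
    for label, assertion in (("on-prem", ONPREM_ASSERTION), ("azure", AZURE_ASSERTION)):
        for map_label, mapping in (("on-prem-only", ONPREM_ONLY_MAPPING), ("combined", COMBINED_MAPPING)):
            resolved, missing = map_principal(extract_attributes(assertion), mapping)
            print(f"{label:8s} {map_label:13s} -> {resolved} missing={missing}")
```

Running the block shows the symptom from the post: the Azure assertion resolves to an empty principal under the on-prem-only mapping, while the combined mapping resolves first name, last name and email for both identity providers.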
When an Azure user logs in with the corrected mapping in place, the user's first name and last name are displayed under the user profile as shown below.