on 02-13-2017 8:17 PM
Hello SAP Cloud Identity Experts,
let me first describe the scenario I help to implement:
The users of a SAPUI5 based Hybrid App that is using the SAP HCP mobile service for development & operations (HCPms) should be authenticated using the also provisioned SAP Cloud Identity (SCI) tenant.
The SCI tenant is configured based on the documentation Corporate Identity Providers with the corporate Microsoft ADFS. Also the configuration for Integration with SAP HANA Cloud Platform was set up. But as soon as in the HCP Console -> Security -> Trust the Custom configuration is activated where the SCI tenant is the trusted Identity Provider, we can't log in to the HCPms console anymore. The login into an HTML5 application is possible. By activating the User API in this app I get this result for /services/userapi/currentUser:
{
"name":"firstname.lastname@test.com",
"displayName":"firstname.lastname@test.com"
}
So to get access back to the HCPms console I've tried adding firstname.lastname@test.com to the Administrator user group. Even after a logout or using the Incognito Window the error message is still "Access denied".
I currently think that it might be required to add in addition to the authentication with ADFS also to configure a Corporate User Store that provides additional information about the authenticated user like Group Assignment or the sAMAccountname. As the steps in the SAP documentation are very distributed it's great that there is this blog post which brings all the steps together: How to Connect Your Cloud Applications with Your Corporate User Store.
What do you think, would configuring the connection to the MS AD (LDAP) help?
Best regards
Gregor
Thanks to SAP support who pointed us to the standard documentation at:
We followed the procedure in step 5 and assigned our ADFS users to a newly created Role that was then assigned to the HanaMobileAdmin authorization. Also we were able to adjust the ADFS configuration to get the sAMAccountName instead of the E-Mail address.
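A small model of the two things that changed in this thread, added here as an illustration and not SAP's code or configuration: the user identifier the IdP sends as the SAML NameID (e-mail address versus sAMAccountName) and a group-to-role mapping onto the HanaMobileAdmin authorization. The assertion, the member list and the group/role table are constructed for the example.

```python
"""Illustrative check of how NameID format and group-to-role mapping affect access."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion fragment (not captured from a real tenant). The NameID is
# what the ADFS-backed SCI tenant sent at first: the e-mail address.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>firstname.lastname@test.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Groups">
      <saml:AttributeValue>HCPms-Admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical admin membership list keyed by sAMAccountName (assumption).
ADMIN_MEMBERS = {"flastname"}
# Hypothetical mapping from an IdP group attribute to a platform role (assumption).
GROUP_TO_ROLE = {"HCPms-Admins": "HanaMobileAdmin"}


def parse_assertion(xml_text):
    """Return (NameID, [group values]) from the assertion."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS).text
    path = "saml:AttributeStatement/saml:Attribute[@Name='Groups']/saml:AttributeValue"
    groups = [v.text for v in root.findall(path, NS)]
    return name_id, groups


def authorize_by_name_id(xml_text):
    """Check keyed on the NameID: breaks when the IdP changes the identifier format."""
    name_id, _ = parse_assertion(xml_text)
    return name_id in ADMIN_MEMBERS


def authorize_by_group_role(xml_text):
    """Check keyed on a group attribute mapped to a role: independent of NameID format."""
    _, groups = parse_assertion(xml_text)
    roles = {GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE}
    return "HanaMobileAdmin" in roles


def with_samaccountname(xml_text, sam):
    """Simulate the ADFS change that emits sAMAccountName instead of the e-mail as NameID."""
    root = ET.fromstring(xml_text)
    root.find("saml:Subject/saml:NameID", NS).text = sam
    return ET.tostring(root, encoding="unicode")
```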
Have you enabled Risk-Based authentication? I had an issue in the past where the Admin console was not included in the list of applications.
Jason