SAP Cloud Identity: Authentication using ADFS - LDAP connection required?

Feb 13, 2017 at 08:17 PM

Hello SAP Cloud Identity Experts,

let me first describe the scenario I help to implement:

The users of a SAPUI5 based Hybrid App that is using the SAP HCP mobile service for development & operations (HCPms) should be authenticated using the also provisioned SAP Cloud Identity (SCI) tenant.

The SCI tenant is configured based on the documentation Corporate Identity Providers with the corporate Microsoft ADFS. Also the configuration for Integration with SAP HANA Cloud Platform was set up. But as soon as, in the HCP Console -> Security -> Trust, the Custom configuration is activated where the SCI tenant is the trusted Identity Provider, we can't log in to the HCPms console anymore. The login into an HTML5 application is possible. By activating the User API in this app I get this result for /services/userapi/currentUser:

{
"name":"firstname.lastname@test.com",
"displayName":"firstname.lastname@test.com"
}

So to get access back to the HCPms console I've tried adding firstname.lastname@test.com to the Administrator user group. Even after a logout or using the Incognito Window the error message is still "Access denied".

I currently think that, in addition to the authentication with ADFS, it might also be required to configure a Corporate User Store that provides additional information about the authenticated user like Group Assignment or the sAMAccountName. As the steps in the SAP documentation are very distributed, it's great that there is this blog post which brings all the steps together: How to Connect Your Cloud Applications with Your Corporate User Store.

What do you think, would configuring the connection to the MS AD (LDAP) help?

Best regards
Gregor


2 Answers

Best Answer
Gregor Wolf
Mar 20, 2017 at 08:59 PM
0

Thanks to SAP support who pointed us to the standard documentation at:

Setting Up Customer Accounts

We followed the procedure in step 5 and assigned our ADFS users to a newly created Role that was then assigned to the HanaMobileAdmin authorization. Also we were able to adjust the ADFS configuration to get the sAMAccountName instead of the E-Mail address.

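As an added illustration (not part of either answer, nor SAP's or Microsoft's own code): the accepted answer hinges on which identifier the ADFS assertion carries as the subject, because a role assignment keyed on sAMAccountName cannot match a NameID that holds the e-mail address. The Python script below, using only the standard library, parses a constructed, unsigned SAML 2.0 response (the issuer URL, attribute names and values are made up for the example) and reports whether the NameID agrees with the sAMAccountName attribute. Signature validation is deliberately left out; this is a diagnostic for checking the identifier mapping before switching the trust configuration, not a service-provider implementation.

```python
# Added example: inspect which subject identifier an IdP such as ADFS puts into
# a SAML 2.0 assertion, so the value the service provider maps to users/roles can
# be checked before trust is switched over. Standard library only.
import xml.etree.ElementTree as ET
from typing import Optional

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed, unsigned sample response; issuer, names and values are invented.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">firstname.lastname@test.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="sAMAccountName">
        <saml:AttributeValue>flastname</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
        <saml:AttributeValue>HCP-Admins</saml:AttributeValue>
        <saml:AttributeValue>Mobile-Users</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_subject(response_xml: str) -> dict:
    """Return issuer, NameID, its Format and every attribute value of the assertion."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion element in response")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion carries no NameID")
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attributes[attr.get("Name")] = values
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS) or ""
    return {
        "issuer": issuer.strip(),
        "name_id": name_id.text.strip(),
        "name_id_format": name_id.get("Format", "unspecified"),
        "attributes": attributes,
    }


def identifier_mismatch(subject: dict, expected_attr: str = "sAMAccountName") -> Optional[str]:
    """Explain why a role assignment keyed on expected_attr would not match this subject.

    Returns None when the NameID already equals the expected attribute's value.
    """
    expected = subject["attributes"].get(expected_attr)
    if not expected:
        return f"assertion has no {expected_attr} attribute; NameID is {subject['name_id']!r}"
    if subject["name_id"] == expected[0]:
        return None
    return (f"NameID {subject['name_id']!r} (format {subject['name_id_format']}) "
            f"differs from {expected_attr}={expected[0]!r}; role assignments keyed on "
            f"{expected_attr} will not match this user")


if __name__ == "__main__":
    subj = parse_subject(SAMPLE_RESPONSE)
    print("Issuer:", subj["issuer"])
    print("NameID:", subj["name_id"], "format:", subj["name_id_format"])
    print(identifier_mismatch(subj) or "NameID matches sAMAccountName")
```

Run against the sample it reports that the NameID is the e-mail address while sAMAccountName is "flastname", which is exactly the state the question describes (the user API showing the e-mail as the name). After the ADFS claim rule is changed so the NameID carries sAMAccountName, the same check returns no mismatch.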
Jason Moors Mar 20, 2017 at 04:09 PM
0

Have you enabled Risk-Based authentication? I had an issue in the past where the Admin console was not included in the list of applications.

https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/enUS/bc52fbf3d59447bbb6aa22f80d8b6056.html#loiobc52fbf3d59447bbb6aa22f80d8b6056

Jason
