SAP Cloud Identity: Authentication using ADFS - LDAP connection required?

Hello SAP Cloud Identity Experts,

Let me first describe the scenario I am helping to implement:

The users of a SAPUI5 based Hybrid App that is using the SAP HCP mobile service for development & operations (HCPms) should be authenticated using the also provisioned SAP Cloud Identity (SCI) tenant.

The SCI tenant is configured based on the documentation Corporate Identity Providers with the corporate Microsoft ADFS. Also the configuration for Integration with SAP HANA Cloud Platform was set up. But as soon as, in the HCP Console -> Security -> Trust, the Custom configuration is activated where the SCI tenant is the trusted Identity Provider, we can't log in to the HCPms console anymore. The login into HTML5 applications is possible. By activating the User API in this app I get this result for /services/userapi/currentUser:


So to get access back to the HCPms console I've tried adding to the Administrator user group. Even after a logout or using the Incognito Window the error message is still "Access denied".

I currently think that, in addition to the authentication with ADFS, it might be required to also configure a Corporate User Store that provides additional information about the authenticated user, like Group Assignment or the sAMAccountName. As the steps in the SAP documentation are very distributed, it's great that there is this blog post which brings all the steps together: How to Connect Your Cloud Applications with Your Corporate User Store.

What do you think, would configuring the connection to the MS AD (LDAP) help?

Best regards


2 Answers

  • Best Answer
    Mar 20, 2017 at 08:59 PM

    Thanks to SAP support who pointed us to the standard documentation at:

    Setting Up Customer Accounts

    We followed the procedure in step 5 and assigned our ADFS users to a newly created Role that was then assigned to the HanaMobileAdmin authorization. Also we were able to adjust the ADFS configuration to get the samAccountName instead of the E-Mail address.

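The accepted answer only states that the ADFS configuration was adjusted so that the sAMAccountName, rather than the e-mail address, is sent to SAP Cloud Identity; it does not show how. The following is an added example, not the answerer's configuration, of one way to do that on the ADFS side: a PowerShell snippet that replaces the issuance transform rules of the relying party trust for the SCI tenant so that the SAML NameID is built from the Active Directory sAMAccountName. The relying party trust name "SAP Cloud Identity" is an assumed placeholder, and the SCI tenant must still be configured to read the user identifier from the NameID (or whichever attribute you choose to issue).

```powershell
# Added example (not from the original post): issue sAMAccountName as the SAML NameID
# for the relying party trust that represents the SAP Cloud Identity tenant.
# Run on the ADFS server as an ADFS administrator.

# Assumed display name of the relying party trust; replace with your own.
$rpName = 'SAP Cloud Identity'

# Claim rule language: take the authenticated Windows account name,
# look up sAMAccountName in Active Directory and issue it as NameID.
$rules = @'
@RuleName = "Issue sAMAccountName as NameID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"),
          query = ";sAMAccountName;{0}",
          param = c.Value);
'@

# Show the current rules first so the change can be reviewed and rolled back.
$before = (Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
Write-Host "Current issuance transform rules:`n$before"

# Apply the new rule set (this replaces, not appends, the existing transform rules).
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $rules

# Read back to confirm the change took effect.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

Because Set-AdfsRelyingPartyTrust overwrites the whole rule set, keep a copy of the previous rules (the $before value above) so the trust can be restored if sign-in to the HCP applications breaks after the change, and test with one ADFS user against the /services/userapi/currentUser endpoint before rolling it out.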

  • Former Member
    Mar 20, 2017 at 04:09 PM

    Have you enabled Risk-Based authentication? I had an issue in the past where the Admin console was not included in the list of applications.
