Skip to Content

SAP Identity Authentication: SSO from SCP Portal to On Premise


  • I've got a Cloud Platform Portal Website.
  • Currently you have to LogIn using an S-User.
  • If you open an On-Premise App, you have to login a second time, with your On-Premise Credentials.

My Goal is this: I want the Customers to be able to register themselfes, without having to use an S-User. Also that the Customer just has to Login ONCE, using the newly registered Credentials.

I've seen the "SAP Cloud Platform Identity Authentication" Service, but I'm not sure if this is 100% what I need.

Thank you!

Add a comment
10|10000 characters needed characters exceeded

Related questions

1 Answer

  • Posted on Oct 17, 2019 at 11:31 PM

    Hi Dominik Spitzl,

    There are some options here.

    But first, you need to understand how authentication works on SCP. In the context of SAML 2.0 authentication (which is what's supported by SCP), SAP Cloud Platform delegates the authentication process to what's called IdP (Identity Provider). Therefore, SCP doesn't have a user persistence store. SCP by default is pre-configured with an IdP called SAP ID Service. This service contains all SAP S-Users and P-Users - so this is the reason why you are authenticating with an S-User right now.

    1) You can switch the IdP to a corporate IdP service like Microsoft ADFS - which is an IdP solution that connects to your Microsoft AD system to perform the authentication.

    2) You can switch the IdP to SCP-IAS the same way and maintain the users in that system.

    3) You can switch the IdP to SCP-IAS the same way but make it connect to your Microsoft AD system (if you don't have ADFS installed). IAS will connect to your AD via SAP Cloud Connector - a system that is installed on-prem that establishes a secure tunnel between your corporate network and SCP services.

    4) You can keep the SAP ID Service as your IdP and maintain the users there.

    Regardless of the option you choose, you must configure the SSO between SCP and your backend system. That can be achieved by using SAP Cloud Connector (SCC). Since users from an AD or SAP ID service usually differ from the user in an ABAP system, you have to configure Principal Propagation to achieve SSO between the systems. SCC can be configured to retransmit the SAML token to your backend or you could make it issue an X.509 certificate that can be read by the ABAP system.

    Self-registration is an IdP feature. SAP ID Service already provides the means to achieve it, but you need to make the user a member of your account to allow access to your applications. IAS has its own means to make a custom self registration screen (and I suspect ADFS also has it). What you need to make sure is to setup the automatic group mapping (in order to automatically assign a role to the users). This can be done as a configuration on the IdP via Cloud Cockpit. You could map parts of the LDAP's attributes to an SCP group that has been assigned your application's role.

    Hope this information helps you to make your decision.

    Best regards,

    Add a comment
    10|10000 characters needed characters exceeded

Before answering

You should only submit an answer when you are proposing a solution to the poster's problem. If you want the poster to clarify the question or provide more information, please leave a comment instead, requesting additional details. When answering, please include specifics, such as step-by-step instructions, context for the solution, and links to useful resources. Also, please make sure that you answer complies with our Rules of Engagement.
You must be Logged in to submit an answer.

Up to 10 attachments (including images) can be used with a maximum of 1.0 MB each and 10.5 MB total.