cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SAP Identity Authentication: SSO from SCP Portal to On Premise

former_member604708
Explorer

on ‎10-17-2019 11:46 AM

0 Kudos

Hello!

  • I've got a Cloud Platform Portal Website.
  • Currently you have to LogIn using an S-User.
  • If you open an On-Premise App, you have to login a second time, with your On-Premise Credentials.

My Goal is this: I want the Customers to be able to register themselfes, without having to use an S-User. Also that the Customer just has to Login ONCE, using the newly registered Credentials.

I've seen the "SAP Cloud Platform Identity Authentication" Service, but I'm not sure if this is 100% what I need.

Thank you!

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (1)

Answers (1)

Ivan-Mirisola
Product and Topic Expert
Product and Topic Expert
‎10-18-2019 12:31 AM

Hi Dominik Spitzl,

There are some options here.

But first, you need to understand how authentication works on SCP. In the context of SAML 2.0 authentication (which is what's supported by SCP), SAP Cloud Platform delegates the authentication process to what's called IdP (Identity Provider). Therefore, SCP doesn't have a user persistence store. SCP by default is pre-configured with an IdP called SAP ID Service. This service contains all SAP S-Users and P-Users - so this is the reason why you are authenticating with an S-User right now.

1) You can switch the IdP to a corporate IdP service like Microsoft ADFS - which is an IdP solution that connects to your Microsoft AD system to perform the authentication.

2) You can switch the IdP to SCP-IAS the same way and maintain the users in that system.

3) You can switch the IdP to SCP-IAS the same way but make it connect to your Microsoft AD system (if you don't have ADFS installed). IAS will connect to your AD via SAP Cloud Connector - a system that is installed on-prem that establishes a secure tunnel between your corporate network and SCP services.

4) You can keep the SAP ID Service as your IdP and maintain the users there.

Regardless of the option you choose, you must configure the SSO between SCP and your backend system. That can be achieved by using SAP Cloud Connector (SCC). Since users from an AD or SAP ID service usually differ from the user in an ABAP system, you have to configure Principal Propagation to achieve SSO between the systems. SCC can be configured to retransmit the SAML token to your backend or you could make it issue an X.509 certificate that can be read by the ABAP system.

Self-registration is an IdP feature. SAP ID Service already provides the means to achieve it, but you need to make the user a member of your account to allow access to your applications. IAS has its own means to make a custom self registration screen (and I suspect ADFS also has it). What you need to make sure is to setup the automatic group mapping (in order to automatically assign a role to the users). This can be done as a configuration on the IdP via Cloud Cockpit. You could map parts of the LDAP's attributes to an SCP group that has been assigned your application's role.

Hope this information helps you to make your decision.

Best regards,
Ivan

Show replies
Show replies
Ask a Question