Skip to Content

SAP Cockpit SSO

Hello Experts,

I'm familiar with the SSO setup to allow application users to access SCP services via SSO.

We've configured SSO for our CPI developers using ADFS as the IDP.

However, in this case, we are still using SUser ID's to login to the SCP Cockpit.

How do I configure SSO for platform users logging into SAP Cloud Cockpit itself?

I found the following link: https://help.sap.com/viewer/6b94445c94ae495c83a19646e7c3fd56/2.0.04/en-US/eb89d22492ab48bea3f3ff9b79d599cb.html

1) Is this the right link? If not, can you please point me to the right documentation for Cockpit SSO.

2) The link seems to indicate that I must use SAP Identity Authentication Service for SSO to the Cockpit. Is that true? Is there a way to do this without using SAP's IDP?

Thanks for your help with this.

Add comment
10|10000 characters needed characters exceeded

3 Answers

  • Posted on Feb 14 at 03:17 AM

    Keep in mind that if you configure SSO for the cockpit, your Cloud Connector will not work as SAP has not migrated the Cloud connector so that the customer can use the IAS service (or any external IDP) to authenticate. It's a known issue. The current work around is to create an SAP ID (S-ID) and use it as the cloud connector ID but that puts control of the password and complexity and expiration in the hands of SAP instead of you controlling it yourself. (not a good solution long term)

    On another note, we only allow actual cockpit admins access to the cockpit. Average every day users don't need access to the cockpit. 99% will want or need access to the services which can be controlled by the Application IDP (or IAS).

    You can point the Platform Authentication to an external IDP by adding an IDP in the Security->Trust area. Get the cert from the IDP and paste it in and map the group and attributes and you are good. We decided to use the IAS as the go between between all cloud apps and the external IDP because we can control all the users into all the services (and other cloud applications like IBP, SAC, SuccessFactors, etc.) in IAS (including Test users) instead of having to create test users in the external IDP or corporate AD. IAS gives you local control where pointing directly to an external IDP moves that control to the IDP. And because IAS proxies SSO to the IDP, you can map attributes between the IAS and the Corporate IDP for SSO from the desktop to all SCP applications via IAS. You can then use the REST API development to connect all this to an external IdM system to provision users and access.

    All in a nice nutshell :-)

    Add comment
    10|10000 characters needed characters exceeded

  • Posted on Feb 13 at 11:15 PM

    Hi Harsh,

    If you are referring to the SAP Cloud Platform Cockpit, then the link is this:
    https://help.sap.com/viewer/65de2977205c403bbc107264b8eccf4b/Cloud/en-US/80edbe70b8f3478d8a59c21a91a47aa6.html

    However, it still requires the Identity Authentication Service (IAS), but you can configure IAS as a proxy to ADFS (meaning that the authentication requests will be forwarded to ADFS):
    https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/19f3eca47db643b6aad448b5dc1075ad.html

    Best Regards,
    Lucas

    Add comment
    10|10000 characters needed characters exceeded

  • Posted on Feb 14 at 08:14 AM

    Hi Harsh,

    follow documentation and advice given by Andrew Jennings and Lucas Vaccaro .

    But also be aware that there are more pitfalls than the Cloud Connector:

    The concept of a Platform Identity Provider is only available on the Neo side of the SCP. It is missing completely on the Cloud Foundry side.

    In case you decide to use an IAS as a Platform Identity Provider and dare to configure that IAS to proxy your central IDP, then you will run into trouble with several more services. E.g. Java deployments will be broken as well as the access to console client. So proxying your IDP (and therefore SSO) might not be possible at all.

    So the Platform Identity Provider concept is half-baked on the Neo side and not available at all on the Cloud Foundry side. Try carefully and don't expect too much.

    Cheers, Lutz

    Add comment
    10|10000 characters needed characters exceeded

    • Correct. Operations that use basic authentication (such as Cloud Connector and Neo console client) will only work with IAS users (P-user IDs). The platform won't perform basic authentication against third-party entities.