
Using customer Microsoft ADFS as Identity Provider for subaccount in SAP BTP Cloud Foundry?

nelis
Active Contributor
0 Kudos

Hi,

Has anyone configured Microsoft ADFS as an Identity Provider in Cloud Foundry for a subaccount? We have a Cloud Integration SF edition plan and I am trying to configure this to give external consultants access to the applications without having to use SAP-specific user IDs.

The documentation for the above is scarce, or maybe I just can't find it with all the name changes from SAP and changing of environments, feature sets etc., which is making learning all the more difficult.

I have got the basics working by doing it manually in the Trust Configuration and importing our ADFS server metadata file, configuring the Relying Party Trust etc. The issue I am seeing is that the user account information for First Name, Last Name and email address in BTP is being populated with "this default was not configured invalid". I want to know how to get this information specifically, or whether there is very specific documentation to make my life easier. I've tried mapping the attributes in the claim rules, but then this appears to break SAML.

If someone has this specific information or if they can point me in the right direction I would very much appreciate it.

Thank you kindly.

Regards, Nelis

Accepted Solutions (1)

istvanbokor
Advisor
0 Kudos

Hello,

Please check KBA 3014151 - "First Name, Last Name and E-mail are not correctly displayed in BTP Cockpit or populated in JWTs" for the resolution.

https://launchpad.support.sap.com/#/notes/3014151

Best regards,
István

nelis
Active Contributor
0 Kudos

Hi Istvan,

Thanks for the reply and information.

I have mapped the attributes in the note as in the screenshot below, yet the issue persists. I have also completely removed the Trust Configuration and added it again, and also deleted and re-added the user account, yet the issue persists.

Any idea why this is still not working? Note, we log in with our staff numbers, not email. There is a transformation rule to transform the incoming "Given Name" to the outgoing "Name ID". Authentication works fine; it is just that there is no way to identify the accounts unless a person knows our staff numbers, which is why I need this information.

Regards, Nelis

Answers (1)

nelis
Active Contributor

I'm marking Istvan's answer as correct.

For those who find this post please note that the Outgoing claim type attributes need to be very specific i.e. E-Mail-Addresses -> email, Surname -> family_name and Given-Name -> given_name as per note 3014151 and not as per my screenshot. There were other blogs here regarding ADFS in HCP that I read where this didn't seem to matter but obviously it does in current CF.
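An added diagnostic to go with the resolution above (example code, not from the thread, SAP or Microsoft): it parses the SAML assertion ADFS actually sends and reports whether the attributes arrive under the names the thread says BTP expects (email, given_name, family_name). The assertion is constructed; the long claim URIs are the standard ADFS default outgoing claim types, which is what you see when the outgoing claim type was left unchanged.

```python
import xml.etree.ElementTree as ET

# Attribute names SAP BTP expects in the SAML assertion (per the thread / KBA 3014151).
REQUIRED_ATTRIBUTES = {"email", "given_name", "family_name"}
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Default claim type URIs that ADFS emits when the outgoing claim type is left at its default.
ADFS_DEFAULT_EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
ADFS_DEFAULT_SURNAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"

# Constructed sample assertion (not captured from a real ADFS): two attributes still carry
# the ADFS default URIs, only given_name has been mapped to the name BTP expects.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_constructed">
  <saml:Subject><saml:NameID>10042</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{ADFS_DEFAULT_EMAIL}"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{ADFS_DEFAULT_SURNAME}"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="given_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# The same assertion after the outgoing claim types are corrected as the thread describes.
FIXED_ASSERTION = SAMPLE_ASSERTION.replace(ADFS_DEFAULT_EMAIL, "email").replace(ADFS_DEFAULT_SURNAME, "family_name")


def assertion_attributes(assertion_xml: str) -> dict:
    """Return {attribute Name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
    return attrs


def check_btp_attributes(assertion_xml: str) -> dict:
    """Compare the attribute names actually sent with the names BTP expects."""
    sent = set(assertion_attributes(assertion_xml))
    return {
        "present": sorted(sent & REQUIRED_ATTRIBUTES),
        "missing": sorted(REQUIRED_ATTRIBUTES - sent),
        # Anything else is most likely the right data sent under the wrong outgoing claim type.
        "unexpected": sorted(sent - REQUIRED_ATTRIBUTES),
    }


if __name__ == "__main__":
    for label, xml in (("before fix", SAMPLE_ASSERTION), ("after fix", FIXED_ASSERTION)):
        print(label, check_btp_attributes(xml))
```

To run it against your own setup, paste the decoded Assertion element from a browser SAML tracer into `SAMPLE_ASSERTION`; "missing" entries are the names to set as the Outgoing Claim Type in the ADFS claim rule.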