on 04-24-2017 3:58 PM
We managed to configure SAML in our SAP Cloud Platform SAPUI5/Fiori + HANA Setup and we even managed to assign a default custom role, however we are having difficulties in figuring out how to (a) read-out SAML attributes and (b) configure/define the mapping from certain SAML attribute values to multiple roles.
Setup
We have a SAP Cloud Platform (a.k.a. old name HCP) + HANA + a SAPUI5/Fiori Application that is built in the WebIDE of HCP. We successfully configured the SAML protocol together with the customer so far and the default login is working via the customer SAML protocol.
Users are already automatically generated in HANA, however every time a user logs in with his name a new user gets generated, which is weird as by convention only one user for one SAML user should get generated. This is however not a show-stopper for the solution.
A demo_role is assigned as configured:
The indexserver.ini contains the following entries:
The customer transfers multiple SAML attributes with which we should distinguish between 3 different roles. Currently it seems however that in HANA we can only configure one default role.
In HCP we configured the attributes under “Security>Trust”:
And under the tab “Groups” the assignment between actual category values and the different groups are defined (e.g. group A, B, C based on category X, Y, Z). There is however nowhere a mapping yet between the created groups and the roles on HANA side (role A, B, C) – we don’t know where and how to define this.
Questions
The problems we urgently should be able to solve:
We are using the productive HCP (paid version) with the HANA db version 1.00.112.05.1469552341
Can you help us with tips or with good blogs that show how to proceed?
Hi ..
Actually if you need to access any custom attributes apart from the logged-in user name and email .. You need to add them in the metadata file of your SAML configuration. So if you need the groups and roles from the cloud platform IDP you need to configure them in your metadata file .. Check out this blog which does this for a few attributes apart from the logged-in username .. Similarly you can add your roles information and access it in your XS app and assign the user accordingly to the mapped HANA role ..
https://blogs.saphana.com/2013/12/20/use-saml-to-enable-sso-for-your-xs-app/
Note : the blog is a little old so it might be using the old HANA, please map it with the new HANA changes ..
Thanks
Viplove
In the XS layer, you can use the code below to access SAML attributes:
var displayName = $.session.samlUserInfo.firstname + " " + $.session.samlUserInfo.lastname;
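The reply above shows how to read SAML attributes in XSJS; the question asks how to turn such an attribute (the customer's category X/Y/Z) into one of three HANA roles. The following is an added example, not code from the thread or from SAP. It keeps to ES5 syntax so it could be pasted into an XSJS service, where you would pass `$.session.samlUserInfo` to the functions; here a constructed object stands in for it so the logic can run outside HANA. The attribute name `category`, the role names `ROLE_A`/`ROLE_B`/`ROLE_C` and the sample users are assumptions for illustration. The mapping is an allow-list that fails closed: a missing or unknown category yields no role rather than a default one, and the decision record says why, so a misconfigured attribute shows up in the logs instead of silently granting or withholding access.

```javascript
// Added example (not from the original post or from SAP): map a SAML
// attribute to a HANA role. In XSJS, pass $.session.samlUserInfo; the
// objects below are constructed stand-ins. The attribute name "category"
// and the role names are assumptions.

// Allow-list: only these category values grant a role. Anything else is
// rejected instead of falling back to a default role (fail closed).
var CATEGORY_TO_ROLE = Object.freeze({
  X: "ROLE_A",
  Y: "ROLE_B",
  Z: "ROLE_C"
});

// Builds the display name from the firstname/lastname SAML attributes,
// tolerating a missing or empty last name.
function displayName(samlUserInfo) {
  var first = (samlUserInfo.firstname || "").trim();
  var last = (samlUserInfo.lastname || "").trim();
  return [first, last].filter(function (s) { return s !== ""; }).join(" ");
}

// Resolves the role for a user, or null when the category attribute is
// absent, not a string, or not on the allow-list. The value is trimmed and
// upper-cased before lookup, but only exact matches on known keys count.
function resolveRole(samlUserInfo, attributeName) {
  var name = attributeName || "category";
  var raw = samlUserInfo[name];
  if (typeof raw !== "string") {
    return null;
  }
  var key = raw.trim().toUpperCase();
  return Object.prototype.hasOwnProperty.call(CATEGORY_TO_ROLE, key)
    ? CATEGORY_TO_ROLE[key]
    : null;
}

// Produces the decision record an XSJS handler would act on (for example by
// calling a stored procedure that grants the role) and write to its log.
function buildAccessDecision(samlUserInfo) {
  var role = resolveRole(samlUserInfo);
  return {
    user: displayName(samlUserInfo),
    email: samlUserInfo.email || null,
    role: role,
    granted: role !== null,
    reason: role === null ? "category not mapped to any role" : "mapped"
  };
}

// Constructed sample users standing in for three IdP assertions.
var SAMPLE_USERS = [
  { firstname: "Ada", lastname: "Lovelace", email: "ada@example.com", category: "x" },
  { firstname: "Bob", lastname: "Builder", email: "bob@example.com", category: "Z" },
  { firstname: "Eve", lastname: "", email: "eve@example.com", category: "unknown" }
];

// Stand-alone run under Node; in XSJS `require` is undefined and this is skipped.
if (typeof require !== "undefined" && require.main === module) {
  SAMPLE_USERS.forEach(function (u) {
    console.log(JSON.stringify(buildAccessDecision(u)));
  });
}
```

The group definitions configured in the HCP "Groups" tab cover the IdP side; this function is the HANA-side counterpart that decides which role a category value maps to, and it is the place to keep the list short and explicit.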
Andreas,
did you find a solution for your query? We have the same requirement.
Thanks,
Gustavo