
SAP Cloud Platform + SAML Attributes + Role Mapping

Apr 24, 2017 at 02:58 PM



We managed to configure SAML in our SAP Cloud Platform SAPUI5/Fiori + HANA Setup and we even managed to assign a default custom role, however we are having difficulties in figuring out how to (a) read-out SAML attributes and (b) configure/define the mapping from certain SAML attribute values to multiple roles.


We have a SAP Cloud Platform (a.k.a. old name HCP) + HANA + a SAPUI5/Fiori Application that is built in the WebIDE of HCP. We successfully configured the SAML protocol together with the customer so far and the default login is working via the customer SAML protocol.

Users are already automatically generated in HANA, however every time a user logs in with his name a new user gets generated, which is weird, as by convention only one user for one SAML user should get generated. This is however not a show-stopper for the solution.

A demo_role is assigned as configured:

The indexserver.ini contains the following entries:

The customer transfers multiple SAML attributes with which we should distinguish between 3 different roles. Currently it seems however that in HANA we can only configure one default role.

In HCP we configured the attributes under “Security>Trust”:

And under the tab “Groups” the assignment between actual category values and the different groups are defined (e.g. group A, B, C based on category X, Y, Z). There is however nowhere a mapping yet between the created groups and the roles on HANA side (role A, B, C) – we don’t know where and how to define this.


The problems we urgently should be able to solve:

  • How do we need to perform the role setup in HCP/HANA so that we can assign the 3 different roles based on different category values?
  • How can we read out the attribute values from the session in XSJS or from the session?

We are using the productive HCP (paid version) with the HANA db version

Can you help us with tips or with good blogs that show how to proceed?


2 Answers

Gustavo Simil Aug 31, 2017 at 07:43 PM


Did you find a solution for your query? We have the same requirement.



Vikas Madaan Feb 13 at 09:07 AM

In the XS layer, you can use the code below to access SAML attributes:

var displayName = $.session.samlUserInfo.firstname + " " + $.session.samlUserInfo.lastname;
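
Added example, not part of the original thread and not SAP's own code: an application-level sketch that reads attributes from the object `$.session.samlUserInfo` defensively and maps category values to roles with deny-by-default. The attribute name `category`, the role names, the helper functions and the string-or-array value shape are assumptions made for illustration.

```javascript
// Assumptions (not from the thread): the attribute is named "category",
// values X/Y/Z map to application roles ROLE_A/B/C, and an attribute value
// may arrive either as a string or as an array of strings.
var CATEGORY_TO_ROLE = { X: "ROLE_A", Y: "ROLE_B", Z: "ROLE_C" };

// Return the named attribute as an array of trimmed, non-empty strings.
function attributeValues(samlUserInfo, name) {
    if (!samlUserInfo || !Object.prototype.hasOwnProperty.call(samlUserInfo, name)) {
        return [];
    }
    var raw = samlUserInfo[name];
    var list = Array.isArray(raw) ? raw : [raw];
    var out = [];
    for (var i = 0; i < list.length; i++) {
        if (typeof list[i] === "string" && list[i].trim() !== "") {
            out.push(list[i].trim());
        }
    }
    return out;
}

// Map category values to roles. Unknown values grant nothing (deny by default).
function rolesFor(samlUserInfo) {
    var roles = [];
    var values = attributeValues(samlUserInfo, "category");
    for (var i = 0; i < values.length; i++) {
        // hasOwnProperty keeps a value like "constructor" from matching inherited keys
        if (Object.prototype.hasOwnProperty.call(CATEGORY_TO_ROLE, values[i])) {
            var role = CATEGORY_TO_ROLE[values[i]];
            if (roles.indexOf(role) === -1) { roles.push(role); }
        }
    }
    return roles;
}

// Build a display name without emitting "undefined" when an attribute is absent.
function displayName(samlUserInfo) {
    var parts = attributeValues(samlUserInfo, "firstname")
        .concat(attributeValues(samlUserInfo, "lastname"));
    return parts.join(" ");
}

// Constructed sample input; in XSJS pass $.session.samlUserInfo instead.
var sample = { firstname: "Ada", lastname: "Example", category: ["X", "Z", "constructor"] };
```

This only decides what the XSJS code itself allows; it does not create or change role assignments on the HANA side.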
