
SAP Cloud Platform + SAML Attributes + Role Mapping

andreas_morf2
Explorer
0 Kudos

We managed to configure SAML in our SAP Cloud Platform SAPUI5/Fiori + HANA Setup and we even managed to assign a default custom role, however we are having difficulties in figuring out how to (a) read-out SAML attributes and (b) configure/define the mapping from certain SAML attribute values to multiple roles.

Setup

We have a SAP Cloud Platform (a.k.a. old name HCP) + HANA + a SAPUI5/Fiori Application that is built in the WebIDE of HCP. We successfully configured the SAML protocol together with the customer so far and the default login is working via the customer SAML protocol.

Users are already automatically generated in HANA, however every time a user logs in with his name a new user gets generated which is weird as by convention only one user for one SAML user should get generated. This is however not a show-stopper for the solution.

A demo_role is assigned as configured:

The indexserver.ini contains the following entries:

The customer transfers multiple SAML attributes with which we should distinguish between 3 different roles. Currently it seems however that in HANA we can only configure one default role.

In HCP we configured the attributes under “Security>Trust”:

And under the tab “Groups” the assignment between actual category values and the different groups are defined (e.g. group A, B, C based on category X, Y, Z). There is however nowhere a mapping yet between the created groups and the roles on HANA side (role A, B, C) – we don’t know where and how to define this.

Questions

The problems we urgently should be able to solve:

  • How do we need to perform the role setup in HCP/HANA so that we can assign the 3 different roles based on different category values?
  • How can we read out the attribute values from the session in XSJS or from the session?

We are using the productive HCP (paid version) with the HANA db version 1.00.112.05.1469552341

Can you help us with tips or with good blogs that show how to proceed?

Accepted Solutions (0)

Answers (3)

former_member340030
Contributor
0 Kudos

Hi ..

Actually if you need to access any custom attributes apart from logged in user name and email .. You need to add it in your metadata file of your saml configuration. So if you need the groups and roles from the cloud platform IDP you need to configure in your metadata file .. Check out this blog which did it for a few attributes apart from loggedinUsername .. Similarly you can add your roles information and access them in your xs app and assign the user accordingly to the mapped Hana role ..

https://blogs.saphana.com/2013/12/20/use-saml-to-enable-sso-for-your-xs-app/

Note : the blog is a little old so it might be using the old hana please map it with the new hana changes ..

Thanks

Viplove

vimadaan
Explorer
0 Kudos

in XS layer,

you can use below code to access SAML attributes:

// read first and last name from the SAML attributes of the current XS session
var displayName = $.session.samlUserInfo.firstname + " " + $.session.samlUserInfo.lastname;

WRoeckelein
Active Participant
0 Kudos

Hi Vikas,

but this does not help with roles and authorizations!

Regards,

Wolfgang Röckelein
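The snippet above shows how to read SAML attributes from `$.session.samlUserInfo`, and the reply points out that reading them does not by itself give you roles. The following is an added example, not code from this thread or from SAP, showing the missing step in plain JavaScript so it runs outside HANA: an allow-list that turns attribute values (category X, Y, Z from the question) into HANA role names (role A, B, C), and a display-name helper that tolerates a missing attribute. The attribute name `category`, the role names and the sample attribute object are assumptions standing in for what `$.session.samlUserInfo` would hold in a real XSJS service.

```javascript
// Added example (not from the original thread or from SAP): mapping SAML
// attribute values to HANA role names. In an XSJS service the attribute
// object would come from $.session.samlUserInfo; here a constructed object
// stands in for it. The attribute name "category" and the role names are
// assumptions for illustration.

// Allow-list: only these attribute values ever yield a role. Anything else
// (missing attribute, unexpected value, stray whitespace) maps to nothing,
// so an assertion with an unrecognised value cannot pick up a privileged role.
const CATEGORY_TO_ROLE = Object.freeze({
  X: "ROLE_A",
  Y: "ROLE_B",
  Z: "ROLE_C",
});

// Returns the sorted list of HANA role names a user should hold, given the
// SAML attribute object. A SAML attribute may be single- or multi-valued,
// so both a string and an array of strings are accepted.
function rolesForSamlUser(samlUserInfo, attributeName) {
  if (!samlUserInfo || typeof samlUserInfo !== "object") {
    return [];
  }
  const raw = samlUserInfo[attributeName];
  const values = Array.isArray(raw) ? raw : raw === undefined ? [] : [raw];
  const roles = new Set();
  for (const v of values) {
    // Exact-match lookup against the allow-list only; the attribute value
    // is never used as a role name directly or interpolated into SQL.
    const role = Object.prototype.hasOwnProperty.call(CATEGORY_TO_ROLE, v)
      ? CATEGORY_TO_ROLE[v]
      : undefined;
    if (role) {
      roles.add(role);
    }
  }
  return Array.from(roles).sort();
}

// Builds the display name the earlier answer derives from first/last name,
// without producing "undefined undefined" when an attribute is absent.
function displayNameFor(samlUserInfo) {
  const first = (samlUserInfo && samlUserInfo.firstname) || "";
  const last = (samlUserInfo && samlUserInfo.lastname) || "";
  return [first, last].filter(Boolean).join(" ");
}

// Constructed sample attributes, standing in for $.session.samlUserInfo.
const sampleSamlUserInfo = {
  firstname: "Andreas",
  lastname: "Example",
  category: ["X", "Z", "not-a-known-category"],
};

console.log(displayNameFor(sampleSamlUserInfo));
console.log(rolesForSamlUser(sampleSamlUserInfo, "category"));
```

In a real XSJS service the list returned by `rolesForSamlUser` would then be handed to a server-side procedure that grants exactly those roles to the session user; the point of the allow-list is that only role names defined in your own code can ever reach that grant, never a value copied out of the assertion.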

gustavo_simil
Explorer
0 Kudos

Andreas,

did you find a solution for your query? We have the same requirement.

Thanks,

Gustavo