
SAP Cloud Platform + SAML Attributes + Role Mapping

We managed to configure SAML in our SAP Cloud Platform SAPUI5/Fiori + HANA Setup and we even managed to assign a default custom role, however we are having difficulties in figuring out how to (a) read-out SAML attributes and (b) configure/define the mapping from certain SAML attribute values to multiple roles.


We have a SAP Cloud Platform (a.k.a. old name HCP) + HANA + a SAPUI5/Fiori Application that is built in the WebIDE of HCP. We successfully configured the SAML protocol together with the customer so far and the default login is working via the customer SAML protocol.

Users are already automatically generated in HANA, however every time a user logs in with his name a new user gets generated, which is weird as by convention only one user for one SAML user should get generated. This is however not a show-stopper for the solution.

A demo_role is assigned as configured:

The indexserver.ini contains the following entries:

The customer transfers multiple SAML attributes with which we should distinguish between 3 different roles. Currently it seems however that in HANA we can only configure one default role.

In HCP we configured the attributes under “Security>Trust”:

And under the tab “Groups” the assignment between actual category values and the different groups are defined (e.g. group A, B, C based on category X, Y, Z). There is however nowhere a mapping yet between the created groups and the roles on HANA side (role A, B, C) – we don’t know where and how to define this.


The problems we urgently should be able to solve:

  • How do we need to perform the role setup in HCP/HANA so that we can assign the 3 different roles based on different category values?
  • How can we read out the attribute values from the session in XSJS or from the session?

We are using the productive HCP (paid version) with the HANA db version

Can you help us with tips or with good blogs that show how to proceed?


3 Answers

  • Aug 31, 2017 at 07:43 PM


    Did you find a solution for your query? We have the same requirement.




  • Feb 13, 2018 at 09:07 AM

    In the XS layer,

    you can use the below code to access SAML attributes:

    var displayName = $.session.samlUserInfo.firstname + " " + $.session.samlUserInfo.lastname;

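Building on the `$.session.samlUserInfo` access shown in this answer, here is an added example (not code from the thread) of how an XSJS service could read a SAML attribute and derive the HANA roles the question asks about. The attribute name `category`, the role names and the shape of `samlUserInfo` (plain attribute-name to value object, a multi-valued attribute arriving as an array) are assumptions; unknown or missing values deliberately map to no role.

```javascript
// Added example: map a SAML attribute value to HANA roles, deny by default.
// Attribute name, category values and role names are constructed placeholders.

// Category value -> HANA role. Only listed values grant anything.
const CATEGORY_TO_ROLE = Object.freeze({
  X: "ROLE_A",
  Y: "ROLE_B",
  Z: "ROLE_C",
});

// samlUserInfo: attribute name -> value, as $.session.samlUserInfo is assumed
// to expose it. Returns the sorted list of roles the user is entitled to.
function rolesForSamlUser(samlUserInfo, attributeName, mapping) {
  if (!samlUserInfo || typeof samlUserInfo !== "object") {
    return []; // no SAML session information -> no role
  }
  const raw = samlUserInfo[attributeName];
  const values = Array.isArray(raw)
    ? raw
    : raw === undefined || raw === null ? [] : [raw];
  const roles = new Set();
  for (const v of values) {
    const key = String(v).trim();
    // hasOwnProperty: an attribute value such as "constructor" must not
    // match an inherited Object property and be treated as a role.
    if (Object.prototype.hasOwnProperty.call(mapping, key)) {
      roles.add(mapping[key]); // unknown category values are ignored
    }
  }
  return Array.from(roles).sort();
}

// XSJS entry point; only meaningful inside the XS engine where `$` exists.
function handleRequest() {
  const info = $.session.samlUserInfo;
  const displayName = info.firstname + " " + info.lastname;
  const roles = rolesForSamlUser(info, "category", CATEGORY_TO_ROLE);
  $.response.contentType = "application/json";
  $.response.setBody(JSON.stringify({ user: displayName, roles: roles }));
}
if (typeof $ !== "undefined" && $.session) {
  handleRequest();
}
```

The actual grant of the computed role to the HANA user is a separate step the thread does not show; this function only decides which roles the attribute value entitles the user to.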

  • Apr 23, 2018 at 07:32 AM

    Hi ..

    Actually, if you need to access any custom attributes apart from the logged-in user name and email .. you need to add it in the metadata file of your SAML configuration. So if you need the groups and roles from the cloud platform IdP you need to configure them in your metadata file .. Check out this blog which did it for a few attributes apart from loggedinUsername .. Similarly you can add your roles information and access it in your XS app and assign the user accordingly to the mapped HANA role ..

    Note : the blog is a little old so it might be using the old HANA; please map it to the new HANA changes ..


