How to Connect Your Cloud Applications with Your Corporate User Store?

Former Member

Hi. I want to connect my cloud applications with my corporate user store (Active Directory).

I've already tried this blog below:

https://blogs.sap.com/2015/07/02/how-to-connect-your-cloud-applications-with-your-corporate-user-sto...

I've done all the steps, but it isn't working for me.

Thank you!

Accepted Solutions (1)

Former Member

Hi,

Our issue is because of the new host us3 (Sterling).

Thank you!

Answers (1)

Ivan-Mirisola
Product and Topic Expert

Hi Arlei,

Check this blog post. The following might also help if you are still facing any issues:

The field “User ID Source” set to “Subject” in the IdP maintenance screen means SCP will try to retrieve the User ID from the Subject of the SAML v2.0 assertion during authentication. In order to have the authentication go through correctly, your IdP MUST provide an XML tag named “NameID” inside the “Subject” tag. This is the default behavior for Subject and cannot be changed or customized on SCP (as far as I know). If you do not use the Subject and NameID information in the SAML assertion, you may use the Custom Attribute Name, as long as your user's ID is contained within it (e.g. the email address). The rule is that NameID, or whatever attribute you use, identifies *uniquely* all users on SCP.

Another prerequisite most people forget is that you must have your IdP exposed on the internet. That is, your user base MUST have access to your IdP via the internet. It doesn't matter if you have Cloud Connector in place, because part of the communication will take place between the browser and the IdP anyway. In other words, SCP delegates the authentication to a 3rd-party system and only after it takes place does it check whether the principal is trusted or not. If your IdP isn't exposed, then your users will not be able to reach the authentication service (be it FORM authentication or SSO).

Try troubleshooting the issue using Firefox with an extension called SAML tracer. Once you have this extension, inspect the XML assertion during the authentication and check that the requirements above are met correctly.

Try using network tracing via the browser's Developer Tools to check whether all requests are being executed correctly and users actually have access to the resources. The console might also be used to inspect JavaScript errors if you are experiencing issues with FORM authentication using UI5 or another JS framework.

If everything else fails, try posting the error messages or other relevant information you find; otherwise it is too difficult for us to assist you.

Regards,
Ivan
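The two requirements in the answer above, a NameID inside the Subject (or, failing that, a named custom attribute) and uniqueness of that value across all users, can be checked mechanically against assertions captured with SAML tracer. The following is an added example, not code from the original thread or from SAP; the two assertions are constructed samples and `extract_user_id` / `duplicate_ids` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional

# SAML 2.0 assertion namespace; used for every lookup below.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the IdP fills Subject/NameID, which "User ID Source = Subject" needs.
ASSERTION_WITH_NAMEID = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed_1" Version="2.0">
  <saml:Subject><saml:NameID>P000123</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample: the IdP omits NameID, so only a custom attribute can identify the user.
ASSERTION_NO_NAMEID = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed_2" Version="2.0">
  <saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>john.roe@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_user_id(assertion_xml: str, user_id_source: str = "Subject",
                    custom_attribute: Optional[str] = None) -> Optional[str]:
    """Return the user ID the service provider would read from the assertion, or None.

    "Subject": the value must be <saml:Subject>/<saml:NameID>.  "Attribute": the value is
    the <saml:AttributeValue> of the <saml:Attribute> whose Name equals custom_attribute.
    Signature validation is out of scope here; real IdP input should also be parsed with a
    parser that rejects DTDs and external entities (e.g. defusedxml), not plain ElementTree.
    """
    root = ET.fromstring(assertion_xml)
    # The assertion may be the document root or nested inside a samlp:Response.
    assertion = root if root.tag == f"{{{NS['saml']}}}Assertion" else root.find(".//saml:Assertion", NS)
    if assertion is None:
        return None
    if user_id_source == "Subject":
        name_id = assertion.find("saml:Subject/saml:NameID", NS)
        text = (name_id.text or "").strip() if name_id is not None else ""
        return text or None
    if user_id_source == "Attribute" and custom_attribute:
        for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
            if attr.get("Name") == custom_attribute:
                value = attr.find("saml:AttributeValue", NS)
                text = (value.text or "").strip() if value is not None else ""
                return text or None
        return None
    raise ValueError("user_id_source must be 'Subject' or 'Attribute' with a custom_attribute")


def duplicate_ids(user_ids: List[Optional[str]]) -> List[str]:
    """IDs (case-insensitive) seen more than once; any hit means the attribute is not a unique key."""
    seen, dupes = set(), []
    for uid in user_ids:
        key = uid.lower() if uid is not None else None
        if key is not None and key in seen and key not in dupes:
            dupes.append(key)
        seen.add(key)
    return dupes
```

Run `extract_user_id` over each captured assertion with the same source setting as the IdP configuration, then feed the results to `duplicate_ids`; a `None` for the Subject setting reproduces the missing-NameID failure described above.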

Former Member

Hello Ivan,

Thanks for your answer, but that doesn't work for us. I want to control customer IDs + workers (Active Directory) by IdP.

Ivan-Mirisola
Product and Topic Expert

You mean you need to have a hybrid solution in which User IDs from your customers are maintained separately from your Workers that have access to applications via AD IdP?

In such case, there are still valid options:

  1. You could have your own proprietary user persistence store for applications targeted to customers whereas the other applications targeted to workers will use the IdP configured on your account. The customer apps would require you to disable the integrated authentication and then you control the authentication and authorization yourself.
  2. You could create two separate sub-accounts: one for customers and another for workers. Each sub-account would have its own configuration for IdP. Thus the IDs would not conflict.
  3. You could create user IDs on your IdP that would represent your customers. I know it could potentially violate the corporate policies, but think about integrating more than one LDAP server on your IdP. One for sure would be your corporate AD, whereas the other could be a license-free LDAP server where you would create your users. The IdP would present a page where you could select the domain the user wants to log on to.

Regards,
Ivan