Hello,
I need help understanding the authorization concept in HCP, especially using Fiori Launchpad Portal and HTML5 applications (and SAP Cloud Identity for SAML authentication).
In this post, I explain all my configuration. The problem is that nothing works as expected. I did a lot of tests: for some users the applications appear, for others they do not. But it doesn't match my configuration.
So let's start with SAP Cloud Identity. I created a group:

and I have assigned users to this role. I expect only users assigned to this role to see the tile for my custom application.
Now let's go to the HCP Cockpit. In the portal service, I went to configuration and created a role:

Then I went to authorization, and created a new group (which I want to map with my Cloud Identity group, but we'll see that later):

As you can see, the role I created is assigned to my group and there is a mapping with the identity provider.
Now let's go to the detail of this mapping. First of all, in the Cloud Identity administration, I specified that I want to send the attribute "groups" to my application:

Then in the cockpit, I mapped the group of my identity provider to my HCP cockpit group:

The SAP Cloud Identity and HCP cockpit configuration is finished. Now I just need to configure my Fiori Launchpad. There I created my application, and I created a catalog just for this application:

This catalog is available only for the role we created before in the cockpit:

Just to check my configuration, if I go to a group where I assigned my catalog, I can see that the tile is only available with my custom role:

Without the role I don't see the tile:

OK, this is everything I did, and it doesn't work... I guess that there is something with the mapping with my identity provider? The weird thing is that the app is available for some users, but it is not coherent with the configuration.
Thanks for your help...
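
One way to check the chain described in the post (identity provider group, then the "groups" assertion attribute, then the cockpit group) is to look at what a given user's SAML assertion actually carries and apply the mapping rule to it by hand. The following is an added example, not part of the original post and not SAP code: the assertion is constructed, the group names are placeholders, and the exact, case-sensitive "equals" rule is an assumed simplification of the cockpit's assertion-based group mapping.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not captured from a real tenant). Inspection only:
# nothing here verifies the signature, so never use this to make access decisions.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>P000001</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>EXAMPLE_IDP_GROUP</saml:AttributeValue>
      <saml:AttributeValue>OTHER_GROUP</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>user@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Hypothetical mapping rules: (assertion attribute, required value, platform group).
RULES = [("groups", "EXAMPLE_IDP_GROUP", "EXAMPLE_HCP_GROUP")]

def assertion_attributes(xml_text):
    """Return {attribute name: [values]} from every AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs

def mapped_groups(xml_text, rules=RULES):
    """Apply exact 'equals' rules; return the platform groups that match."""
    attrs = assertion_attributes(xml_text)
    return sorted({group for name, value, group in rules if value in attrs.get(name, [])})

def explain(xml_text, rules=RULES):
    """Say, per rule, why it matched or failed, to compare with what the user sees."""
    attrs = assertion_attributes(xml_text)
    report = []
    for name, value, group in rules:
        if name not in attrs:
            report.append(f"{group}: attribute '{name}' not in assertion")
        elif value not in attrs[name]:
            report.append(f"{group}: '{name}' sent {attrs[name]}, expected '{value}'")
        else:
            report.append(f"{group}: matched")
    return report
```

Running `explain()` on the assertion of a user who sees the tile and of one who does not shows whether the difference is already present in the attribute values the identity provider sends.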