1

HCP : HTML5 Applications, groups, roles, and Cloud Identity

Dec 02, 2016 at 11:45 AM


Hello,

I need help understanding the authorization concept in HCP, especially using Fiori Launchpad Portal and HTML5 applications (and SAP Cloud Identity for SAML authentication).

In this post, I explain all my configuration. The problem is that nothing works as expected. I did a lot of tests: for some users, applications appear; for others, it's not the case. But it doesn't match my configuration.

So let's start with SAP Cloud identity. I created a group :

and I have assigned users to this role. I expect only users assigned to this role to see the tile for my custom application.

Now let's go to HCP Cockpit. In portal service, I went to configuration and created a role :

Then I went to authorization, and created a new group (which I want to map with my Cloud Identity group, but we'll see that later) :

As you can see, the role I created is assigned to my group and there is a mapping with the identity provider.

Now let's go to the detail of this mapping. First of all, in the Cloud Identity administration, I specified that I want to send the attribute "groups" to my application :

Then in the cockpit, I mapped the group of my identity provider to my HCP cockpit group :

SAP cloud identity and HCP cockpit configuration is finished. Now I just need to configure my Fiori Launchpad. There I created my application, and I created a catalog just for this application :

This catalog is available only for the role we created before in the cockpit :

Just to check my configuration, if I go to a group where I assigned my catalog, I can see that the tile is only available with my custom role :

Without the role I don't see the tile :

Ok this is everything I did. And it doesn't work... I guess that there is something with the mapping with my identity provider ? The weird thing is that the app is available for some users, but it is not coherent with the configuration.

Thanks for your help...


3 Answers

Jeremy Good
Dec 06, 2016 at 01:44 PM
1

Good questions by Moya concerning landscape and also the UI5 version - helpful elements to attempt to recreate the situation (either by fellow community member or support ticket processing).

One thought concerning the inconsistent app showing for some users but not other users, have you looked at the possible OData authorizations? Perhaps an easy way to test would be to get the direct URL to the app itself and look for corresponding error messages on the screen or in the F12 developer tool traces (or equivalent for your browser). Perhaps the role / group for catalog and tile constraints are in fact set up correctly, and the app in question is the issue?

Thanks for your answer.

I work on a productive environment. I tried with SAPUI5 1.38 and the innovation version (which is right now 1.42).

I didn't manage authorization on the app itself, I tried that way but that is not my need because I just want to allow access to an entire application or not. If the user doesn't have the authorization to access an application, I want him to not see the corresponding tile.

When I look at the catalog, I can see what I should see with role "Prix par client" and that is exactly what I want.

I tried to debug, but I don't think that is a possibility. I don't have any error message, I just think that there is something that I don't understand in the way I try to do what I want.

For example, I'm not sure that my groups from cloud identity are correctly mapped to my groups in the HCP cockpit. I can't confirm this because I don't know how to get access to these groups with debug (I can get Name, email, ... from cloud identity but not groups).

I hope that if someone already did this, they could help me... But I don't think that there are a lot of people who have done this (because there is nothing on the web about that), and there is little chance that they will find my question, as this new SCN is a mess. Even for me it's hard to find my question...

1
Moya Watson
Dec 05, 2016 at 10:31 PM
0

Hi Louis-Arnaud -- just one quick question - I'm guessing from your screenshots that you have a productive instance of HCP instead of the free trial version? If that is the case, you are entitled to get support via reporting via the usual channels for productive users -- check out this link for more info:

http://bit.ly/saphcp_support

nevertheless, hope someone in the community here recognizes what is going on and can help

best

-m


Hello Moya, thank you for your answer.

Yes, I work on a productive instance. I didn't know I could ask a question to SAP support, as it is not an incident or a bug. I'll try to ask my question using this channel because I have no other response here...

Anyway, my opinion is that a public forum is more appropriate, as everyone can benefit from the discussion :)

1
Radostina Kasova
Dec 09, 2016 at 08:49 PM
0

Hi Louis-Arnaud,

The configurations seem fine. I just don't see the configuration of the assertion attributes, have you done this?

I am not sure if there is anything else on FLP, as I have not tried this out.

Best regards,

Radostina



Hi Radostina,

Yes I did it already... :(

Maybe the problem is in the groups assertion? As the user may have multiple groups, the equals assertion is not the right one? How is the groups attribute sent to HCP if there are many groups?

0
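An added example, not part of the thread and not SAP code: in SAML 2.0 a multi-valued attribute such as "groups" is carried as one `Attribute` element with several `AttributeValue` children, so a captured `SAMLResponse` from the browser's F12 network trace can be decoded to see exactly which group values the identity provider sends. The group names, the rule table and the per-value "equals" evaluation below are assumptions for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a user who is a member of two IdP groups.
SAMPLE_XML = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>user@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>EXAMPLE_PRICING_USERS</saml:AttributeValue>
      <saml:AttributeValue>example_other_group</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
# The HTTP-POST binding sends the response as plain base64 of the XML.
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()


def attribute_values(saml_b64, name):
    """Return every value of the named attribute, in document order.

    Inspection aid only: it does not verify the signature and returns an
    empty list when the assertion is encrypted (EncryptedAssertion).
    """
    root = ET.fromstring(base64.b64decode(saml_b64))
    values = []
    for attr in root.iter("{%s}Attribute" % NS["saml"]):
        if attr.get("Name") == name:  # attribute names are case-sensitive
            for v in attr.findall("saml:AttributeValue", NS):
                values.append((v.text or "").strip())
    return values


def matched_groups(idp_groups, rules):
    """Apply 'equals' rules {IdP value: platform group} to each value
    separately (assumed behaviour, shown to make the expectation explicit)."""
    return sorted({rules[g] for g in idp_groups if g in rules})


def near_misses(idp_groups, rules):
    """IdP values that fail 'equals' only because of letter case."""
    lowered = {k.lower() for k in rules}
    return [g for g in idp_groups if g not in rules and g.lower() in lowered]
```

If the decoded response contains no "groups" attribute at all, the identity provider is not sending it for that application and no mapping rule on the platform side can match.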