on 03-10-2016 1:56 PM
Hi,
On our productive HCP account, we've made a custom trust relation with our ADFS system.
This works great, and our users are now able to log on with their domain user ID into our HCP apps.
The problem is a bit with the administration.
Now that ADFS is the trusted IDP, we have authorization issues with:
- WebIDE
- HCPms cockpit
These two expect an S-user.
In our HCP, we've also defined a couple of S-users in the members section, as administrators and developers.
One of the ideas I had, was to define a secondary IdP (as you can see in the first screenshot) to Accounts.sap.com, so that I could navigate to the webide and HCPms cockpit with the addition of "?saml2idp=accounts.sap.com" to the url.
Unfortunately, I didn't get that to work because:
A) I don't know the exact settings for Accounts.sap.com
B) I'm not sure that this will work with our custom Trust provider.
Bear in mind that I know very little about SSO and IdPs, and most of the above setup was done by trial and error. I'm already very happy that I got the ADFS connection working for the end users.
Any suggestions how to get the WebIDE and HCPms cockpit working again?
Have you tried Permissions: Everyone in Subscriptions -> webide -> Application Permissions?
And for the cockpit, I think it should work. It basically sounds like an extension scenario with e.g. SFSF, where you have your "normal account" with the SAP ID service and another account with a custom IdP, which is SuccessFactors. Have you maybe tried that?
Regards
Mathias
Hi Mathias,
By granting WebIDE permissions to Everyone, it works, but it doesn't seem like the way to go...
Not everyone should have access to the WebIDE.
I had actually defined my ADFS user as a member, with developer role, so I assumed that after logging in with my ADFS user, I would be authenticated to HCP as developer.
But that doesn't seem to be the case...
As for the second part: please elaborate.
Well, Everyone was just for testing. Please check SAP HANA Cloud Platform.
There it says:
AccountDeveloper and AccountAdministrator require SAP IdP to be configured as identity provider. If you want to use the AccountDeveloper or AccountAdministrator role together with a custom IDP, create those roles as custom roles and assign the corresponding user manually.
As for the second part:
You can create as many subaccounts as you wish. I am no IdP specialist either, but for extension accounts it works like this.
You have an account with SAP ID, accountA, and a subaccount accountB with a custom IdP. If you don't need resources on accountA, just assign them to accountB.
Don't know if it helps, but maybe give it a try.
Regards
Mathias
Will give both options a try.
I guess that when the IdP returns the groups Developer, Administrator, Helpdesk, Notification, etc., it should work.
But then again, I don't know the first bit about IdPs.
The initial setup was just: use S-users and SAML in the backend translating the S-user to the SAP userid.
Try this, but instead of the P-ID for the SAP Cloud Identity user, assign the ADFS user to AccountDeveloper or AccountAdministrator.
The approach of having two accounts will work too: one for WebIDE (with SAP ID) and one with ADFS. For the custom IdP you need to do the role assignment as described above.
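A worked illustration of the rule quoted from the documentation above (AccountDeveloper and AccountAdministrator exist only for SAP ID users; with a custom IdP you create custom roles and assign users explicitly), of the group-to-role idea raised in the thread, and of why "Permissions: Everyone" is only fit for testing. This is an added example, not code from the thread or from SAP: the issuer URLs, group names, custom role names and S-user IDs are assumptions, and the SAML assertion is constructed and unsigned, so signature validation is assumed to have happened before this step.

```python
"""Role assignment for users arriving through a trusted SAML IdP.

Constructed example for this thread: the issuer names, group names, role
names and S-user IDs below are assumptions, not a real HCP configuration.
Signature validation of the assertion is assumed to have happened already.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Per the documentation quoted in the thread: these two roles exist only
# for users of the SAP ID service, never for a custom IdP.
SAP_ID_ONLY_ROLES = {"AccountDeveloper", "AccountAdministrator"}

# Roles that should open the WebIDE (assumed name for the custom role).
WEBIDE_ROLES = {"AccountDeveloper", "CustomDeveloper"}

# Trust configuration (assumed issuer strings and group names).
TRUST = {
    "https://accounts.sap.com": {"kind": "sap_id", "groups": {}},
    "http://adfs.example.com/adfs/services/trust": {
        "kind": "custom",
        # IdP group attribute value -> custom role created on the account.
        # Anything not listed here maps to nothing (least privilege).
        "groups": {"HCP-Developers": "CustomDeveloper",
                   "HCP-Admins": "CustomAdministrator"},
    },
}

# Members section for SAP ID users, keyed by S-/P-user (assumed IDs).
MEMBERS = {"S0001234567": {"AccountDeveloper"},
           "S0007654321": {"AccountAdministrator"}}


def build_assertion(issuer, name_id, groups):
    """Build a minimal, unsigned SAML 2.0 assertion (constructed test input)."""
    values = "".join(f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in groups)
    return (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
        '<saml:AttributeStatement><saml:Attribute Name="groups">'
        f"{values}</saml:Attribute></saml:AttributeStatement>"
        "</saml:Assertion>"
    )


def parse_assertion(xml_text):
    """Return (issuer, name_id, groups) from the assertion."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    groups = [v.text for v in root.findall(
        "saml:AttributeStatement/saml:Attribute[@Name='groups']/saml:AttributeValue",
        namespaces=NS)]
    return issuer, name_id, groups


def roles_for(xml_text):
    """Roles the platform grants to the subject of a trusted assertion."""
    issuer, name_id, groups = parse_assertion(xml_text)
    idp = TRUST.get(issuer)
    if idp is None:
        raise PermissionError(f"assertion from untrusted issuer {issuer!r}")
    if idp["kind"] == "sap_id":
        # SAP ID users: look up the S-/P-user in the members section.
        return set(MEMBERS.get(name_id, set()))
    # Custom IdP: only explicitly mapped groups become roles; the
    # SAP-ID-only roles cannot be reached from here at all.
    roles = {idp["groups"][g] for g in groups if g in idp["groups"]}
    assert not roles & SAP_ID_ONLY_ROLES
    return roles


def can_open_webide(roles, everyone=False):
    """Subscription permission check. everyone=True is the
    'Permissions: Everyone' workaround from the thread: any authenticated
    user gets in, which is why it is only fit for testing."""
    return everyone or bool(roles & WEBIDE_ROLES)


if __name__ == "__main__":
    ADFS = "http://adfs.example.com/adfs/services/trust"
    dev = build_assertion(ADFS, "CORP\\jdoe", ["Domain Users", "HCP-Developers"])
    guest = build_assertion(ADFS, "CORP\\guest", ["Domain Users"])
    print(roles_for(dev), can_open_webide(roles_for(dev)))      # {'CustomDeveloper'} True
    print(roles_for(guest), can_open_webide(roles_for(guest)))  # set() False
```

The point of the two branches in roles_for is the one the thread arrives at: an ADFS user never becomes AccountDeveloper, so either a custom role mapped from an IdP group (or assigned manually) grants WebIDE, or the user keeps an S-user on a separate SAP ID account for that purpose. The everyone flag shows what the quick fix actually did: every domain user who can authenticate at ADFS gets in.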