Custom IDP on HCP breaks my WebIDE

TomVanDoo
Active Contributor
0 Kudos

Hi,

On our productive HCP account, we've made a custom Trust relation with our ADFS system.

This works great, and our users are now able to log on with their domain user ID into our HCP apps.

The problem is a bit with the administration.

Now that ADFS is the trusted IDP, we have authorization issues with:

- WebIDE

- HCPms cockpit

These two expect an S-user.

In our HCP, we've also defined a couple of S-users in the members section, as administrators and developers.

One of the ideas I had was to define a secondary IdP (as you can see in the first screenshot) to Accounts.sap.com, so that I could navigate to the WebIDE and HCPms cockpit with the addition of "?saml2idp=accounts.sap.com" to the URL.

Unfortunately, I didn't get that to work because:

A) I don't know the exact settings for Accounts.sap.com

B) I'm not sure that this will work with our custom Trust provider.

Bear in mind that I know very little of SSO and IdP, and most of the above setup is done by trial and error. I'm already very happy that I got the ADFS connection working for the end-users.

Any suggestions on how to get the WebIDE and HCPms cockpit working again?

Accepted Solutions (1)

Former Member
0 Kudos

Have you tried Permissions "Everyone" in Subscriptions -> WebIDE -> Application Permissions?

And for the cockpit, I think it should work. It basically sounds like an extension scenario with e.g. SFSF: there you have your "normal account" with SAP ID service and another account with a custom IdP, which is SuccessFactors. Have you maybe tried that?

Regards

Mathias

TomVanDoo
Active Contributor
0 Kudos

Hi Mathias,

By granting WebIDE permissions to Everyone, it works, but it doesn't seem like the way to go...

Not everyone should have access to the WebIDE.

I had actually defined my ADFS user as a member, with developer role, so I assumed that after logging in with my ADFS user, I would be authenticated to HCP as developer.

But that doesn't seem to be the case...

As for the second part: please elaborate.

Former Member
0 Kudos

Well, Everyone was just for testing. Please check SAP HANA Cloud Platform.

There it says:

AccountDeveloper and AccountAdministrator require SAP IdP to be configured as identity provider. If you want to use the AccountDeveloper or AccountAdministrator role together with a custom IDP, create those roles as custom roles and assign the corresponding user manually.

As for the second part:

You can create as many subaccounts as you wish. I am no IdP specialist either, but for extension accounts it does work like this.

You have an account with SAP ID (accountA) and a subaccount (accountB) with a custom IdP. If you don't need resources on accountA, just assign them to accountB.

Don't know if it helps, but maybe give it a try.

Regards

Mathias

sascha_scholz
Explorer
0 Kudos

Hi Tom,

You can also create a different shared HTML5 role and assign it to the Web IDE permission.

Sascha

TomVanDoo
Active Contributor
0 Kudos

Will give both options a try.

I guess that when the IdP returns the groups Developer, Administrator, Helpdesk, Notification, etc., it should work.

But then again, I don't know the first bit about IdPs.

The initial setup was just: use S-users and SAML in the backend, translating the S-user to the SAP user ID.

Former Member
0 Kudos

SAP Cloud Identity Service

Try this, but instead of the P-ID for the SAP Cloud Identity user, assign the ADFS user to AccountDeveloper or AccountAdministrator.

The approach of having 2 accounts will work too: one for WebIDE (with SAP ID) and one with ADFS; for the custom IdP you need to do the role assignment as described above.
