Customer Relationship Management Blogs by SAP
Stay up-to-date on the latest developments and product news about intelligent customer experience and CRM technologies through blog posts from SAP experts.
Showing results for 
Search instead for 
Did you mean: 
On Wednesday 6th March we presented the latest Customer Data Cloud Webinar with the focus on how to use bring your own identity (BYOI). The presenters of the session were:

  • Ratul Shah – Senior Product Marketing Manager, SAP Customer Data Cloud

  • Ed Knight – Technical Architect, SAP Customer Data Cloud

  • Ibrahim Ga'al - Lead Technical Consultant, SAP Customer Data Cloud

In this webinar we described how you can bring your own identity provider to allow your users to connect to the Customer Data Cloud console via federated login. The link to the recording is here.

This blog post focuses on the steps required to connect my identity provider, SimpleSAML, with the Customer Data Cloud admin console. Customer Data Cloud uses its own technology to power access to it's admin console. What this means is that the configuration for enabling SAML on an end-user website and the admin console is virtually the same, so what was discussed in this webinar can be re-purposed to any SAML based login.

The end goal is to be able to login to the console without requiring a separate console password for my user.

SimpleSAML Identity Provider

SimpleSAML is a developer friendly tool for supporting multiple federation scenarios, including acting as both an IDP or an SP. This blog will not focus on the finer details of SimpleSAML, but we will reference some of the setup that is required as part of the integration. Full details of how to setup SimpleSAML as an IDP can be found here.

As part of the configuration, a simple username and password user database was created, with a single user, shown below:

The configuration contains the username (benjones) and the password (Password1), along with various user attributes including uid, email address, first name and last name. This is the user we will login to the admin console with.

Admin Console Configuration

Once you have your IDP ready to go, the next step is to start the configuration in the Customer Data Cloud console. All of the configuration is added in the Console SAML Login menu in the Admin section:

First, you must choose a domain by which the console will be accessed on. Customers who are accessing the admin console via SAML do not use the normal URL, but instead use a custom one based on the domain value entered. In this example, I used webinartest as the domain, meaning users would access the following URL to enter the console:

The domain value is a form of IDP discovery, which allows Customer Data Cloud to identity which identity provider should be used as part of the federated login.

Next we must complete all of the standard SAML field configuration, including Issuer, SSO URL, SLO URL, bindings, name format, certificate algorithm and x509 certificate.

Next we must provide attribute names for specific user details fields which are required for console users:

These map to the attribute names that we saw in the previous screenshot of the SimpleSAML user configuration.

Finally, we must decide how access will be managed. In this example I am assigning all users into the _admins group, which provides full access to the environment, but you can choose to have the IDP manage group assignment and create a mapping between the IDP groups and the Customer Data Cloud console permission groups:

Once the permissions mapping has been defined, this completes the configuration in the Customer Data Cloud console.

Configuring the SP in SimpleSAML

The final step before we can test the configuration, is to setup Customer Data Cloud as an SP in SimpleSAML, by exchanging an SP metadata file. This completes the trust loop between the two platforms.

In SimpleSAML, the SP metadata is written to a file, like below:

This includes the ACS URL, SLO URL and the nameID format.

Testing the integration

Now that the configuration is completed, we're ready to test the connection. If you remember, users accessing the console via SAML, must use the unique URL, which in our case is:

By opening this URL in an incognito browser (to avoid session clashes in my main browser) you can see that we are automatically redirected to the SimpleSAML login page as part of a SAML redirection flow:

Here I can enter the credentials (benjones/Password1) of the user and on successful login, the SAML flow continues and I'm logged into the console. If this was the first time I was logging in via SAML, I would be required to setup two factor authentication, as this is mandatory for all Customer Data Cloud admin console accounts.


This ends our blog post which discusses how we can bring our own identity provider to connect to the SAP Customer Data Cloud platform.

To learn more about Customer Data Cloud, please sign up for our next webinar on the 28th of May.