In this previous blog post, I walked through the steps required to setup role collections and assign them manually to end users. In this blog post, I will focus on how to map group of users from an Identity Provider with Role Collections. This would involve setup of trust between the Identity Provider and Portal site on SAP Cloud Platform Cloud Foundry environment. This is essential when you plan to rollout your portal site to end user and would have to assign the relevant apps to them based on their roles. For this blog, the Identity Provider which I have used is SAP Cloud Platform Identity Authentication service.

Below are the steps which you would need to follow to setup the trust between Identity Authentication service and SAP Cloud Platform Cloud Foundry

1) Download the SAML Metadata file from Identity Authentication service (IAS)

Navigate to IAS tenant and under “Applications & Resources”, access the Tenant Settings to download the Metadata File.

2) Download the SAML Metadata file from SAP Cloud Platform subaccount

To obtain the metadata file, we would need to query the SAML metadata endpoint of the UAA (User Account and Authentication Server) in a separate browser tab using the below URL

https://<tenant_name>.authentication.<region>.hana.ondemand.com/saml/metadata

Tenant_Name = subdomain value obtained from the Overview menu of your subaccount

Region = API Endpoint (Remove api.cf)

3) Create a new Trust Configuration in Cloud Foundry Subaccount

In your subaccount, create a new Trust Configuration.

Upload the Metadata file which you downloaded earlier and provide a name.

4) Create a new Application for the Subaccount in IAS

Navigate to the Application menu in IAS and create a new application. In the “SAML 2.0 Configuration” upload the SAML metadata file obtained from Cloud Platform subaccount. In the “Subject Name Identifier” ensure that you the value set as “E-Mail”

In the “Assertion Attributes”, ensure that you add “Groups” (case-sensitive). This is required to map Role Collections which is explained further in SAP Help.



 

5) Create IAS Groups and map them to users

In IAS, I have created two groups. “CI_Portal” for Admin users and “mysales” for business users. I have assigned these groups to respective users in IAS as shown below.

6) Mapping of groups to Role Collections

Navigate to the “Trust Configuration” menu in Cloud Foundry subaccount and select the custom IdP configuration for IAS. In the “Role Collection Mapping” menu, you can create new entries to map existing Role Collections to IAS Groups (As shown below). Notice that there is no manual assignment of Role Collection to users. It could also be done using the next menu in this screen.

Finally disable the SAP ID Service as we will be using IAS as the IdP going forward

Its now time to test the Portal site. When I try to access the Portal site, it will now prompt me with a login screen from IAS

When I login as a business user, my corresponding IAS group (mysales) gets mapped to the Role Collection (Sales) during the authentication process and I get to see the Sales Order app.

When you turn on the SAML trace plugin of the browser, you would be able to see the Attribute values which are being passed from IAS to the Portal site. Notice that the attribute "Groups" is being passed with the IAS Group which eventually gets mapped to the role collection.



If you would like to know more about configuring IAS as a proxy for authenticating users against Azure AD, you can refer to my blog post "Integrating Identity Authentication service & Azure Active Directory in SAP Cloud Platform – Proxy &..."

For configuring trust directly between Azure AD and Cloud Foundry subaccount, you can follow this blog post by lucasvaccaro "How to integrate Azure AD with SAP Cloud Platform Cloud Foundry"