
Is there a way to specify the IdP an application uses when hosted on the SAP BTP in Cloud Foundry?


Hi SAP Community,

We have a CAP application deployed in a cloud foundry subaccount on the SAP BTP. That subaccount has been configured to trust 3 identity providers so, when users go to the UI application URL, they get presented with the screen to choose which IdP to use.

Is there a way to specify which IdP the users should be directed to in the application code so that they don't see the IdP selection screen and just go straight to authenticating with the one we configure?

Thanks,

Johnnie.

Accepted Solutions (0)

Answers (5)

ravi_joseph
Active Contributor
0 Likes

sabaric No, we were not successful in achieving the functionality. Considering that this problem dates back a year, I suggest raising it with SAP to see whether anything new has been added.

Sab
Explorer

@Ravi Joseph - Yes, we have raised it with SAP and I shall also update this thread if we have any positive response back from SAP. Thanks for responding though!

ravi_joseph
Active Contributor
0 Likes

Thanks Ivan, I am looking to get this functionality working for a site created using BTP CF Launchpad service. Will there be a possibility to modify the Approuter config file for the standard launchpad service site?

former_member745303
Discoverer
0 Likes

Hi Ravi,

I'm also working on the same functionality. Were you able to find any solution for this?

Sab
Explorer
0 Likes

Hi Ravi, Kritika,

We have achieved this on Neo using saml2idp=IdP URL, but we're struggling with the same on CF as you guys.

By any chance, were you able to solve this? If so, can you share some insights?

Thanks

Sab

ravi_joseph
Active Contributor
0 Likes

ivan.mirisola Hi Ivan, is the SAML2IDP applicable for CF-based apps? We have been trying to access our Launchpad site using this parameter unsuccessfully.

https://xxx.launchpad.cfapps.xxxx.hana.ondemand.com/site/xxxx?saml2idp=sap.custom

Jo

Ivan-Mirisola
Product and Topic Expert

Hi Ravi Joseph,

No, for CF apps you should use AppRouter's configuration file to redirect to different IdPs.

This is described here:

https://answers.sap.com/answers/12910551/view.html

Best regards,
Ivan

0 Likes

Hi joachim.vanpraet,

Apologies for reaching out directly but I saw that you provided an answer to a similar question here: Using multiple trust IDP (identity providers) in sap cloud foundry node.js application | SAP Communi.... You show a property in the xs-app.json file called "identityProvider" however it isn't clear from the documentation where the value of this property comes from. Could you let me know where to find the correct value please?

I've asked the development team to test it out using the Name as configured in the subaccount trust settings but it would be very helpful if you could let me know your thoughts on the above in the meantime.

Thanks,

Johnnie

Ivan-Mirisola
Product and Topic Expert
0 Likes

Hi ,

Yes, there is. When you have two IdPs registered, one of them is set as default - whenever you enter your credentials and hit enter, it will be the IdP used.

If you wish to open an application on Neo directly specifying the IdP to be used on the URL, you could use this:

https://<app name>.hana.ondemand.com/index.jsp?saml2idp=<idp name>
or
https://<launchpad-instance>.cfapps.<btp-landscape>.hana.ondemand.com/portal.portal/site?saml2idp=#Shell-home

If you wish to open an application in CF, then you must use the AppRouter's configuration file, like so:

https://help.sap.com/viewer/8c8e1958338140699bd4811b37b82ece/Cloud/en-US/c4deff7776b14c4695af3d7ccde...

Here you may find a complete example:

https://answers.sap.com/answers/12910551/view.html

If you don't want to use any of the above mentioned approaches, you can also think about IdP Initiated SSO - where you first logon into your IdP's URL and it will present you a list of Service Providers - one of them being your Application deployed on BTP. When clicked, the application will open without requesting any additional authentication.

Best regards,
Ivan

0 Likes

Hi Ivan,

Thank you for the response - I've tried the solution you suggested; however, I still get redirected to the /login page. The URL I'm using has the form shown below, which has a few differences from the one you suggested:

https://<app name>.hana.ondemand.com/<app route>/index.html?saml2idp=<IdP name>

The application is hosted in the Cloud Foundry environment and is an HTML one - would any of this suggest your above solutions wouldn't work or do I need to continue trying different variations of the URL?

I'll look into IdP-initiated SSO but I think there would be a few challenges for using it in our scenario, although it's definitely worth looking into in case the alternatives don't work out.

Thanks again for your suggestions on this,

Johnnie.

Ivan-Mirisola
Product and Topic Expert
0 Likes

Hi hubbardj001,

Could you paste the URL again here as CODE instead of plain text? I cannot really review it in the way it is as the editor removes some of the special characters.

In addition to it, you are probably using an AppRouter application in front of it, correct?

If so, what is your xs-app.json configuration?

Best regards,
Ivan

0 Likes

Hi Ivan,

Ah right, apologies I didn't see the URL had been mangled - here it is as code as requested:

https://<app name>.eu10.hana.ondemand.com/<app route>/index.html?saml2idp=<idp name>

That's right, we're using an app router. I'll request the xs-app.json file from the development team and will share the relevant section shortly.

Thanks,

Johnnie.

Ivan-Mirisola
Product and Topic Expert
0 Likes

Hi hubbardj001,

Please see the answer here on how to setup different routes in your app router to select a particular IdP:

https://help.sap.com/viewer/8c8e1958338140699bd4811b37b82ece/Cloud/en-US/c4deff7776b14c4695af3d7ccde...

Best regards,
Ivan

0 Likes

Hi Ivan,

Thanks for the link, I've seen that page before and it certainly is helpful but it doesn't specify where to find the value of the identityProvider property - is it just the Name of the IdP as configured in the trust settings on the BTP subaccount?

Thanks,

Johnnie

Ivan-Mirisola
Product and Topic Expert

Hi ,

For the identityProvider property you should use the name entered on the "origin.key" field found in your Trust Configuration under your subaccount.

Best regards,
Ivan
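
Added example, not code from this thread or from SAP: a small Node.js check over an xs-app.json that reports routes whose "identityProvider" is missing, is not one of the subaccount's origin keys, or is ignored because the route has no authentication. The route definitions, destination names and the "partner-idp" key are constructed for illustration; "sap.custom" is the origin key quoted in the thread.

```javascript
// Constructed sample xs-app.json content (not from the thread).
// "sap.custom" is the origin key quoted in the thread; "partner-idp",
// the destinations and the route patterns are hypothetical.
const xsApp = {
  authenticationMethod: "route",
  routes: [
    { source: "^/staff/(.*)$", target: "$1", destination: "srv-api",
      authenticationType: "xsuaa", identityProvider: "sap.custom" },
    { source: "^/partner/(.*)$", target: "$1", destination: "srv-api",
      identityProvider: "partner-ipd" },   // misspelled origin key
    { source: "^/public/(.*)$", target: "$1", localDir: "public",
      authenticationType: "none", identityProvider: "sap.custom" },
    { source: "^/(.*)$", target: "$1", localDir: "webapp" } // nothing pinned
  ]
};

// Origin keys as copied from the subaccount Trust Configuration (assumed).
const trustedOriginKeys = ["sap.custom", "partner-idp"];

// Returns one finding per route whose IdP pinning needs attention.
function lintIdpPinning(config, originKeys) {
  const findings = [];
  for (const route of config.routes || []) {
    // With authenticationMethod "route", a route without an explicit
    // authenticationType is authenticated via xsuaa.
    const authType = config.authenticationMethod === "none"
      ? "none" : (route.authenticationType || "xsuaa");
    const idp = route.identityProvider;
    if (authType === "none") {
      // identityProvider is ignored on unauthenticated routes.
      if (idp) findings.push({ source: route.source, issue: "idp-ignored" });
    } else if (!idp) {
      // Falls back to the default identity provider / selection screen.
      findings.push({ source: route.source, issue: "not-pinned" });
    } else if (!originKeys.includes(idp)) {
      findings.push({ source: route.source, issue: "unknown-origin-key" });
    }
  }
  return findings;
}

console.log(lintIdpPinning(xsApp, trustedOriginKeys));
```
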

JaySchwendemann
Active Contributor
0 Likes
I know this is an old one but I'll try my luck: I know about the significance of BTP's Origin Key when wanting to use multiple trusts / IdPs. One could then direct a user via URL parameter to a specific trust / IdP. However, is there also some kind of fallback / default behaviour that specifically looks for "sap.custom", or is this just happening to be the pre-filled value and all documentation re-uses it for the sake of simplicity?