
Is there a way to specify the IdP an application uses when hosted on the SAP BTP in Cloud Foundry?


Hi SAP Community,

We have a CAP application deployed in a cloud foundry subaccount on the SAP BTP. That subaccount has been configured to trust 3 identity providers so, when users go to the UI application URL, they get presented with the screen to choose which IdP to use.

Is there a way to specify which IdP the users should be directed to in the application code so that they don't see the IdP selection screen and just go straight to authenticating with the one we configure?

Thanks,

Johnnie.

Ivan-Mirisola
Product and Topic Expert
0 Kudos

Hi ,

Yes, there is. When you have two IdPs registered, one of them is set as default - whenever you enter your credentials and hit enter, it will be the IdP used.

If you wish to open an application on Neo directly specifying the IdP to be used on the URL, you could use this:

https://<app name>.hana.ondemand.com/index.jsp?saml2idp=<idp name>
or
https://<launchpad-instance>.cfapps.<btp-landscape>.hana.ondemand.com/portal.portal/site?saml2idp=#Shell-home

If you wish to open an application in CF, then you must use the AppRouter's configuration file, like so:

https://help.sap.com/viewer/8c8e1958338140699bd4811b37b82ece/Cloud/en-US/c4deff7776b14c4695af3d7ccde...

Here you may find a complete example:

https://answers.sap.com/answers/12910551/view.html

If you don't want to use any of the above-mentioned approaches, you can also think about IdP-initiated SSO - where you first log on at your IdP's URL and it will present you a list of Service Providers - one of them being your Application deployed on BTP. When clicked, the application will open without requesting any additional authentication.

Best regards,
Ivan

0 Kudos

Hi Ivan,

Thank you for the response - I've tried the solution you suggested, however I still get redirected to the /login page. The URL I'm using has the form shown below, which has a few differences from the one you suggested:

https://<app name>.hana.ondemand.com/<app route>/index.html?saml2idp=<IdP name>

The application is hosted in the Cloud Foundry environment and is an HTML one - would any of this suggest your above solutions wouldn't work or do I need to continue trying different variations of the URL?

I'll look into IdP-initiated SSO but I think there would be a few challenges for using it in our scenario, although it's definitely worth looking into in case the alternatives don't work out.

Thanks again for your suggestions on this,

Johnnie.

Ivan-Mirisola
Product and Topic Expert
0 Kudos

Hi hubbardj001,

Could you paste the URL again here as CODE instead of plain text? I cannot really review it in the way it is as the editor removes some of the special characters.

In addition to it, you are probably using an AppRouter application in front of it, correct?

If so, what is your xs-app.json configuration?

Best regards,
Ivan

0 Kudos

Hi Ivan,

Ah right, apologies I didn't see the URL had been mangled - here it is as code as requested:

https://<app name>.eu10.hana.ondemand.com/<app route>/index.html?saml2idp=<idp name>

That's right, we're using an app router. I'll request the xs-app.json file from the development team and will share the relevant section shortly.

Thanks,

Johnnie.

Ivan-Mirisola
Product and Topic Expert
0 Kudos

Hi hubbardj001,

Please see the answer here on how to set up different routes in your app router to select a particular IdP:

https://help.sap.com/viewer/8c8e1958338140699bd4811b37b82ece/Cloud/en-US/c4deff7776b14c4695af3d7ccde...

Best regards,
Ivan

0 Kudos

Hi Ivan,

Thanks for the link, I've seen that page before and it certainly is helpful but it doesn't specify where to find the value of the identityProvider property - is it just the Name of the IdP as configured in the trust settings on the BTP subaccount?

Thanks,

Johnnie

Ivan-Mirisola
Product and Topic Expert

Hi ,

For the identityProvider property you should use the name entered on the "origin.key" field found in your Trust Configuration under your subaccount.

Best regards,
Ivan
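
The answer above maps the route-level identityProvider property to the trust configuration's origin key. As an added example (not part of the thread and not SAP's code), this Node.js check lints an xs-app.json for routes whose identityProvider is not a known origin key, for instance because the IdP's display name was used instead. The route sources, the destination name, the `corp-saml` and `Partner IdP` values and the `lintIdentityProviders` helper are assumptions made for illustration.

```javascript
// Constructed sample xs-app.json content (not taken from the thread).
const xsApp = {
  authenticationMethod: "route",
  routes: [
    { source: "^/admin/(.*)$", destination: "srv-api",
      authenticationType: "xsuaa", identityProvider: "corp-saml" },
    // Display name used instead of the origin key: should be flagged.
    { source: "^/partner/(.*)$", destination: "srv-api",
      authenticationType: "xsuaa", identityProvider: "Partner IdP" },
    // Unauthenticated route: the identityProvider entry is dead configuration.
    { source: "^/public/(.*)$", localDir: "public",
      authenticationType: "none", identityProvider: "corp-saml" },
    { source: "^/(.*)$", destination: "srv-api", authenticationType: "xsuaa" }
  ]
};

// Origin keys copied from the subaccount's Trust Configuration (assumed values).
const originKeys = ["sap.custom", "corp-saml"];

// Hypothetical helper: returns one finding per route that needs attention.
function lintIdentityProviders(config, knownOriginKeys) {
  const findings = [];
  (config.routes || []).forEach((route, index) => {
    const idp = route.identityProvider;
    const add = (level, message) =>
      findings.push({ index, source: route.source, level, message });
    if (idp === undefined) {
      add("info", "no identityProvider: route is not pinned to one IdP");
    } else if (route.authenticationType === "none") {
      add("warn", "route is unauthenticated, identityProvider has no effect");
    } else if (!knownOriginKeys.includes(idp)) {
      add("error", `"${idp}" is not a known origin key`);
    }
  });
  return findings;
}

const findings = lintIdentityProviders(xsApp, originKeys);
for (const f of findings) {
  console.log(`${f.level.toUpperCase()} routes[${f.index}] ${f.source}: ${f.message}`);
}
```

Running the check in a deployment pipeline catches a mistyped origin key before users land on the IdP selection screen again.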

JaySchwendemann
Active Contributor
0 Kudos
I know this is an old one but I'll try my luck: I know about the significance of BTP's Origin Key when wanting to use multiple trusts / IdPs. One could then direct a user via URL parameter to a specific trust / IdP. However, is there also some kind of fallback / default behaviour that specifically looks for "sap.custom" or is this just happening to be the pre-filled value and all documentation re-uses it for the sake of simplicity?