Keep in mind that if you configure SSO for the cockpit, your Cloud Connector will not work as SAP has not migrated the Cloud connector so that the customer can use the IAS service (or any external IDP) to authenticate. It's a known issue. The current work around is to create an SAP ID (S-ID) and use it as the cloud connector ID but that puts control of the password and complexity and expiration in the hands of SAP instead of you controlling it yourself. (not a good solution long term)
On another note, we only allow actual cockpit admins access to the cockpit. Average every day users don't need access to the cockpit. 99% will want or need access to the services which can be controlled by the Application IDP (or IAS).
You can point the Platform Authentication to an external IDP by adding an IDP in the Security->Trust area. Get the cert from the IDP and paste it in and map the group and attributes and you are good. We decided to use the IAS as the go between between all cloud apps and the external IDP because we can control all the users into all the services (and other cloud applications like IBP, SAC, SuccessFactors, etc.) in IAS (including Test users) instead of having to create test users in the external IDP or corporate AD. IAS gives you local control where pointing directly to an external IDP moves that control to the IDP. And because IAS proxies SSO to the IDP, you can map attributes between the IAS and the Corporate IDP for SSO from the desktop to all SCP applications via IAS. You can then use the REST API development to connect all this to an external IdM system to provision users and access.
All in a nice nutshell 🙂
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.