Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
Showing results for 
Search instead for 
Did you mean: 

How to Guide - Easy group/role mapping between SCP and AD-FS


There are quite a few blog articles that explain how to use AD-FS as an identity provider for Sap Cloud Platform.

A great example if this is the blog article by my colleague Michael Van Cutsem.

The topic I want to cover here is how you can re-use the groups/roles that are defined in AD-FS to map users to groups inside SCP.

Basic example

The basic case is also covered quite frequently already. If you have for example an SCP group for MANAGERS and one for EMPLOYEES, you can just create a claim rule in AD-FS that returns if a user is EMPLOYEE or MANAGER as a SAML2 attribute.

This has the disadvantage that each time you want to re-work the group structure you need to modify the claim rule inside AD-FS. Since AD-FS is most likely managed by a different team within your organisation, this is most often not a quick change.

Fetch all groups in one attribute

A more generic way to fetch all group/roles that a user is part of from AD-FS in one go. The filtering can then be performed on SCP side.

The claim rule to get this information is:

Assertion-based groups with Regular Expressions

Once this claim rule is configured, you can now implement the required groups and filters on SCP side.

For this go to your SCP sub-account, then go to Trust -> your AD-FS IDP.

Now select the Groups tab and go to assertion based groups to set up the required group mappings using regular expressions.

This technique might make your life in maintaining your SCP groups a bit easier.

Diether De Coninck

SAP Senior Mobile/UX consultant