Configure SSO for WEB IDE

0 Kudos

Hi everyone, I'm looking for documentation on how to set up SSO for WEB IDE. We do have SSO configured for HANA Studio already. Currently we are running our SAP in Azure. TIA!

fatviking
Member
0 Kudos

Hello Ali

You say that you have SSO in place for Studio - may I ask how you did this?

Thank you

Kristian

Accepted Solutions (0)

Answers (5)

Colt
Active Contributor

Hi, in your SCP Sub-account configure your Azure Active Directory as an application Identity Provider. This way, users accessing resources from SCP are authenticated via Azure (SAML). Authentication to Azure can be done using SSO or MFA based on Azure capabilities. You can also use SAP Identity Authentication as IdP and configure Cloud User Store and SPNEGO on IAS.

Authentication and dynamic group assignment and authorization control for SCP applications happen through SAML representing the vehicle containing the required attributes and group (claims) as part of the SAML assertion. In SAP Cloud Platform, the relevant information is the SAML group assignment for the user in question. Here you maintain the mapping of SAML groups to SCP roles. During the evaluation of access decisions to specific SCP services, the SAML group assignment and mapping of SAML groups to SAP Cloud Platform roles are combined and evaluated.

This way, in the end, you control access to WebIDE ultimately by assigning users to AD groups that you sync through AD Connect to Azure and use those as claims as part of your Azure enterprise application SAML configuration.

Resources:

#1: https://developers.sap.com/tutorials/abap-custom-ui-trust-settings.html

#2: https://www.xiting.us/sap-identity-authentication-service-overview/

#3: https://www.xiting.us/sap-ias-in-proxy-mode-and-its-coexistence-with-azure-active-directory/

#4: https://blogs.sap.com/2020/04/03/automated-security-group-role-assignment-between-sap-cloud-platform...
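
The group-to-role evaluation described in the answer above, as an added example that is not part of the original thread and not SAP's code: it reads the group claims from a decoded SAML assertion and combines them with a group-to-role mapping, which helps when checking why a user does or does not receive a Web IDE role. The attribute name `Groups`, the group names, the role names and the sample assertion are constructed assumptions, and the script does not validate the assertion's signature, so it is for inspecting an assertion captured during troubleshooting only.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a decoded assertion as the IdP might send it.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Groups">
      <saml:AttributeValue>SAP_WEBIDE_DEV</saml:AttributeValue>
      <saml:AttributeValue>HR_ALL</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical mapping of SAML groups to roles, as maintained on the SCP side.
GROUP_TO_ROLES = {
    "SAP_WEBIDE_DEV": {"WebIDE_Developer"},
    "SAP_WEBIDE_ADMIN": {"WebIDE_Developer", "WebIDE_Administrator"},
}

def groups_from_assertion(xml_text, attribute_name="Groups"):
    """Return the set of group values carried in the named attribute."""
    root = ET.fromstring(xml_text)
    groups = set()
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != attribute_name:
            continue
        for value in attr.iterfind("saml:AttributeValue", NS):
            if value.text and value.text.strip():
                groups.add(value.text.strip())
    return groups

def effective_roles(xml_text, mapping=GROUP_TO_ROLES, attribute_name="Groups"):
    """Combine the asserted groups with the mapping; also report unmapped groups."""
    groups = groups_from_assertion(xml_text, attribute_name)
    known = set(mapping)
    roles = set()
    for group in groups & known:  # exact, case-sensitive match
        roles |= mapping[group]
    return roles, groups - known

if __name__ == "__main__":
    roles, unmapped = effective_roles(SAMPLE_ASSERTION)
    print("roles:", sorted(roles))
    print("groups with no role mapping:", sorted(unmapped))
```

An empty role set with a non-empty unmapped set points at the mapping; an empty group set points at the claim configuration on the IdP side or at a different attribute name.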

asifarif_syniti
Explorer
0 Kudos

Hi Syed Ali,

Did you manage to find any resources? I'm currently doing something similar in setting up SAML authentication for my on-premise HANA2/XSA/Webide and really struggling with documentation and resources. There seems to be nothing out there.

There are tutorials showing how to set up SAML authentication & authorization between XSA and IdPs such as Azure, but there is nothing specific for WebIDE.

I have managed to access the WebIDE (role collection -> AD Groups) using SAML-based authentication, but it seems that building an HDB module is useless because you cannot grant any permissions/privileges (since you are logged in as AD user). The WebIDE user itself cannot access the container it has built and supposedly owns!

Asif.

0 Kudos

Hi SAP Experts, I find it hard to believe that no one has worked on Hana On Premise single sign-on configuration before or has knowledge about it. Carsten, can you raise this internally to other resources? This is a pretty straightforward request. All I'm looking for is documentation from SAP.

0 Kudos

From what I gather, there can be two main setups; SCP and HANA On Premise. I did see a lot of information regarding SCP setup but not for HANA on-premise. Thanks!

0 Kudos

Hi Carsten, take a look at this: capture.jpg

We have the "HANA On-Premise" setup. Hope this helps. Any ideas? Again, thanks for your help.

0 Kudos

Hi Carsten, thank you for the quick response. I need to verify about SCP setup. What are the options for non-SCP environment?

Colt
Active Contributor
0 Kudos

Web IDE is part of SAP Cloud Platform. What do you mean?