
SAP Secure Login Service for SAP GUI "Error - forbidden resource"

Sieds
Discoverer
0 Kudos

Hi all,

I'm getting a forbidden resource error message when trying to access the subscriber tab in SLS.

I've followed the setup from SAP Help, using Cloud Identity Services as a proxy to Azure, and I'm also a subaccount admin.

Someone familiar with this? Thanks in advance.

 

Sieds
Discoverer
0 Kudos

Well, I'll answer my own question for posterity's sake...

Answer from SAP:

Technically speaking, we need the group values like SecureLoginServiceAdministrator at the user token issued by SAP Cloud Identity Services - Identity Authentication (IAS). This works with the respective user group assignment at IAS while IAS is your IdP / user store.

As soon as you use IAS in "proxy-mode" with a different corporate IdP / user store connected, you can enable Identity Federation like you did to enhance the user data coming from your corporate IdP with the user group assignment managed at IAS.

If Identity Federation is off, the correct group assignment needs to be done at your corporate IdP and correctly transferred to IAS. Unfortunately, different IdP solutions handle this topic in different ways. Microsoft Azure Active Directory (AD) / Microsoft Entra ID, for example, requires a paid subscription to be able to send group names, as their default is to transfer the generated group ID.

To make this a little more customizable, especially for the Microsoft Entra ID case, we've something on our roadmap for this year:

https://roadmaps.sap.com/board?PRODUCT=AF740456A03F1EDDAA9212F748EDC3E2&range=CURRENT-LAST#;INNO=D59...
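
To tell which of the cases in SAP's answer applies, it helps to look at the group values actually carried in the token issued by IAS. The sketch below is an added example, not part of the original post or of SAP's reply; it assumes the token is an OIDC JWT and that group values arrive in a claim named `groups`, and the sample tokens and the GUID are constructed.

```python
import base64
import json
import re

# Assumptions (not from the post): the token is an OIDC JWT and the group
# values are carried in a claim named "groups".
GROUPS_CLAIM = "groups"
REQUIRED_GROUP = "SecureLoginServiceAdministrator"  # group name quoted in SAP's answer
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def jwt_claims(token: str) -> dict:
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose_groups(claims: dict, required: str = REQUIRED_GROUP) -> str:
    """Classify the groups claim: ok, missing, ids-only or wrong-names."""
    value = claims.get(GROUPS_CLAIM)
    if not value:
        return "missing"       # no group assignment reached the token
    groups = [value] if isinstance(value, str) else list(value)
    if required in groups:
        return "ok"            # group name present, as SAP's answer requires
    if all(GUID_RE.match(str(g)) for g in groups):
        return "ids-only"      # IdP sent generated group IDs instead of names
    return "wrong-names"       # names arrived, but not the required one


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token for offline demonstration."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.constructed-signature"


if __name__ == "__main__":
    guid = "11111111-2222-3333-4444-555555555555"  # constructed group object ID
    samples = {
        "group assigned in IAS": {"sub": "user", "groups": [REQUIRED_GROUP]},
        "IdP sends group IDs": {"sub": "user", "groups": [guid]},
        "no groups in token": {"sub": "user"},
    }
    for label, claims in samples.items():
        print(f"{label}: {diagnose_groups(jwt_claims(make_sample_token(claims)))}")
```

A result of `ids-only` or `missing` matches the situation described in the answer, where the group name never reaches the token and the subscriber tab stays forbidden.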