cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Using the SCP NEO Console Client with SAP Identity Authentication/ADFS Platform IdP?

BrendanFarthing
Participant

on ‎02-18-2018 7:13 PM

Hi,

We are using SAP Identity Authentication as our SCP SubAccount platform identity provider. That is then configured to use ADFS to our Active Directory user store. All of that works fine. We are using the NEO SCP platform.

My problem is... Since switching the platform identity provider on our SCP SubAccounts from accounts.sap.com to SAP Identity Authentication with ADFS I can no longer authenticate to the SubAccounts using the NEO Console Client. It will not accept either my SAP ID (which works fine if the platform IdP is accounts.sap.com) nor my AD ID (I guess it cannot do ADFS via the command line as that isn't really possible).

Does anyone know if there is a workaround for this? i.e. a way that I can still use the NEO Console Client, but with my SAP ID, although our platform IdP isn't accounts.sap.com? Or any other workaround?

I really need to continue to use the Console Client, but we also must keep our corporate ADFS as our platform IdP.

Thanks,

Brendan

Show replies
Show replies
LutzR
Active Contributor
‎04-12-2019 2:02 PM

Hi Brendan, we are facing the same issue. Do you have findings you could share?

Thanks! Lutz

Answer
View Entire Topic
former_member369619
Explorer
‎05-13-2019 2:28 PM
0 Kudos

Hi all,

As this is an old post I am assuming its been solved, but for anyone else here is how I fixed the issue:

  • Set the platform IDP to my new SCP Identity tenant
  • Ensure my user only has single factor authentication (fails with 2fa)
  • Ensure my user is an Admin on the Sub account

once the pre-reqs are done, you can then use the console client.

./neo.sh <command> --host <host> --account <subAccName> --user <username>

Note the following

<command>

This is the NEO command you want to run Console commands


<host>

This is the most important part and where I failed a few times. when you are using regular s-numbers you can run commands with hana.ondemand.com as the host, but for SCP Identity users you need to be specific to the region, in my case eu2.hana.ondemand.com


<subAccName>

This is the technical name for your sub-account, it does not change no matter the IDP you are using.

<username>

This is the SCP IDP user, in my case it was P00001.

Thanks and hope this helps

Show replies
Show replies
lucasvaccaro
Product and Topic Expert
Product and Topic Expert
‎05-14-2019 9:02 PM
0 Kudos

Hi Shaun,

the region is a common mistake indeed. But hana.ondemand.com is the eu1 region so both can be used in case the subaccount is in Europe - Rot. For other regions, even Europe - Frankfurt or Amsterdam, the specific host has to be used.

Best Regards,
Lucas

Ask a Question