Using the SCP NEO Console Client with SAP Identity Authentication/ADFS Platform IdP?

BrendanFarthing
Participant

Hi,

We are using SAP Identity Authentication as our SCP SubAccount platform identity provider. That is then configured to use ADFS to our Active Directory user store. All of that works fine. We are using the NEO SCP platform.

My problem is... Since switching the platform identity provider on our SCP SubAccounts from accounts.sap.com to SAP Identity Authentication with ADFS I can no longer authenticate to the SubAccounts using the NEO Console Client. It will not accept either my SAP ID (which works fine if the platform IdP is accounts.sap.com) nor my AD ID (I guess it cannot do ADFS via the command line as that isn't really possible).

Does anyone know if there is a workaround for this? i.e. a way that I can still use the NEO Console Client, but with my SAP ID, although our platform IdP isn't accounts.sap.com? Or any other workaround?

I really need to continue to use the Console Client, but we also must keep our corporate ADFS as our platform IdP.

Thanks,

Brendan

LutzR
Active Contributor

Hi Brendan, we are facing the same issue. Do you have findings you could share?

Thanks! Lutz

Accepted Solutions (0)

Answers (4)

BrendanFarthing
Participant

Hi Phil,

Thanks for your comments, unfortunately we found the NEO Console Client not working exactly as you describe, but I did find the answer. I think your scenario might have been working due to a coincidence though, e.g. if you had the same user as an admin of the SubAccount who is also loaded to the SAP Identity Authentication tenant with the same email address/password (which is not our scenario normally).

I found that as soon as we switch on SAP Identity Authentication (which links to ADFS/corporate AD) as the Platform IdP of the SubAccount, then the NEO Console Client can no longer reference an Admin user from the SubAccount. If I go back to "accounts.sap.com" as the Platform IdP then we can reference an Admin user from the SubAccount with the SAP S-user credentials. We need to use SAP Identity Authentication with ADFS/corporate AD as our Platform IdP so I have to leave that switched on. I also tried using a user from SAP Identity Authentication which was also set as an Admin in the SubAccount - but we always use the "Login ID" field of the user from SAP Identity Authentication as the username at SubAccount level - this was actually the problem. I'll explain more below.

I found a SAP Note that pointed out a finer piece of detail that solved my problem. The key thing is that you must use the internal P user ID from SAP Identity Authentication or the email address associated with that user. We were using the "Login ID" field normally as the user. Once I switched to using the "P" user it started working. It's important to ensure that the SubAccount admin user is also present in SAP Identity Authentication or it won't work when the Platform IdP is SAP Identity Authentication. And also important to note that it cannot just be a user that only resides in the backend corporate AD, it must be a local user in SAP Identity Authentication.

The SAP Note in question is 2501986 https://launchpad.support.sap.com/#/notes/0002501986

The key info in the SAP Note is:

"In case you are using an SAP Identity Authentication Service (IAS) tenant as Platform Identity Provider, you can only authenticate with users from the IAS tenant by entering its ID (PXXXXXX) or e-mail. Check SAP KBA 2752896 to identify which Platform Identity Provider is being used."

lutz.rottmann2,

Hopefully the above will work for you. Key points:

Assuming the SubAccount Platform IdP is a SAP Cloud Identity Authentication tenant:

1. Add your admin user to SAP Identity Authentication and set their password there. I suggest logging on with it once into SAP Identity Authentication to change the initial password.

2. Add that user as an Admin to the SubAccount which has the above Identity Authentication tenant as the IdP. When you add the user to the SubAccount, add it with its "P" ID, of course ensure that the "user base" is your Identity Authentication tenant when adding the user to the SubAccount.

3. Logon to the SubAccount using the NEO Console Client using the "P" ID (or email address) and password from SAP Identity Authentication and it should work.

Regards,

Brendan

LutzR
Active Contributor

Hi Brendan, thank you for this in depth report and your lightspeed reaction!

Now I have some more information to brood over. Note 2501986 is especially helpful because we are researching how to incorporate Multi Factor Authentication into our subaccount administration authentication. Unfortunately nothing seems to be as straight forward as expected.

Regards, Lutz

pjcools
Active Contributor

Thanks brendan.farthing3 - yes, I understand this now. In my case I am not using the IdP as the Platform IdP for the subaccount; I am only using the IdP for services within the subaccount (portal / OData prov etc), which is why I can login with my normal S user email and password. In your case yes - you definitely need to login via the SCIAS username and password and also need to provide that user with Administration rights. You may need to also create an AccountDeveloper role similar to requirements for UI theme designer security when authenticating via an ADFS.

Sounds like you are along the way though, nice!

Thanks & Regards

Phil

pjcools
Active Contributor

Hi lutz.rottmann2 and brendan.farthing3 (hope this is not too late)

The ADFS set up won't impact on logging into the SAP Cloud Platform NEO console. You don't use the ADFS login when performing commands in the Neo console - you use your email address for your S (or P) number and it must be an Administrator for the sub-account.

For example, I ran this command yesterday to create an SSL host even though an iDP is used for the subaccount.

neo create-ssl-host --account subaccount --user phil@bournedigital.com.au --host ap1.hana.ondemand.com --name sslhostname

The user I included in the above command is the email attached to the S number linked as an Administrator in the subaccount mentioned above. When entering this a Password will be requested. This password is the initial one you would use when logging into SAP Cloud Platform, in my case I enter this when running ap1.hana.ondemand.com.

So, in summary, the ADFS or SCI logins are NOT used for the Neo console at all.

Hope this helps! If so please mark as the Best Answer!

Kind Regards

Phil Cooley

LutzR
Active Contributor

Thanks Phil for your comment!

The constraints of using a Platform IDP seem to be quite confusing and the opposite of straight forward. I learn that we need to perform our own experiments and own risk assessment.

Cheers, Lutz


Hi all,

As this is an old post I am assuming it's been solved, but for anyone else here is how I fixed the issue:

  • Set the platform IDP to my new SCP Identity tenant
  • Ensure my user only has single factor authentication (fails with 2fa)
  • Ensure my user is an Admin on the Sub account

Once the pre-reqs are done, you can then use the console client.

./neo.sh <command> --host <host> --account <subAccName> --user <username>

Note the following

<command>

This is the NEO console command you want to run.


<host>

This is the most important part and where I failed a few times. When you are using regular s-numbers you can run commands with hana.ondemand.com as the host, but for SCP Identity users you need to be specific to the region, in my case eu2.hana.ondemand.com


<subAccName>

This is the technical name for your sub-account, it does not change no matter the IDP you are using.

<username>

This is the SCP IDP user, in my case it was P00001.

Thanks and hope this helps

lucasvaccaro
Product and Topic Expert

Hi Shaun,

the region is a common mistake indeed. But hana.ondemand.com is the eu1 region so both can be used in case the subaccount is in Europe - Rot. For other regions, even Europe - Frankfurt or Amsterdam, the specific host has to be used.

Best Regards,
Lucas
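The two pitfalls the thread settles on (the user must be the Identity Authentication "P" ID or e-mail rather than the Login ID, and the host must be the region-specific landscape host, with bare hana.ondemand.com valid only for eu1) can be checked before the console client is ever called. This wrapper is an added example, not code from the thread or from SAP; it assumes neo.sh is in the current directory and that the caller knows the subaccount's region.

```shell
#!/bin/sh
# Added example: fail-fast checks for the Neo console client pitfalls discussed
# in the thread. Assumes ./neo.sh exists; the region argument is an assumption
# (the caller must know where the subaccount lives).

# User must be the IAS P-number or an e-mail address, never the Login ID.
# Returns 0 when acceptable.
neo_user_ok() {
  case "$1" in
    P[0-9]*) return 0 ;;
    *@*.*)   return 0 ;;
    *)       return 1 ;;
  esac
}

# Host must be a landscape host of the subaccount's region. Bare
# hana.ondemand.com is accepted only for eu1 (Europe - Rot), as noted above.
neo_host_ok() {
  host="$1"; region="$2"
  case "$host" in
    hana.ondemand.com)   [ "$region" = "eu1" ] ;;
    *.hana.ondemand.com) [ "${host%.hana.ondemand.com}" = "$region" ] ;;
    *)                   return 1 ;;
  esac
}

# neo_cmd HOST REGION ACCOUNT USER COMMAND [extra args...]
# Prints the command line it would run; returns non-zero on a validation
# failure so a calling script stops before a confusing login error.
neo_cmd() {
  host="$1"; region="$2"; account="$3"; user="$4"; cmd="$5"
  shift 5
  neo_user_ok "$user" || {
    echo "user must be the IAS P-ID or e-mail, not the Login ID" >&2; return 2; }
  neo_host_ok "$host" "$region" || {
    echo "host must be the landscape host for region $region" >&2; return 3; }
  printf './neo.sh %s --host %s --account %s --user %s' "$cmd" "$host" "$account" "$user"
  for a in "$@"; do printf ' %s' "$a"; done
  printf '\n'
}
```

Replace the final printf with an actual invocation of ./neo.sh once the checks pass; the password prompt then behaves as described in the thread.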

Ivan-Mirisola
Product and Topic Expert

Hi Brendan,

How are you trying to login using the console client? What is the error message? Maybe you could post a screenshot of the error.

When you configure the authentication to a different IdP, it may be required to add additional roles to AD users to be able to access all of the cockpit features as well as the console client. So you may need to add the role "Administrator" to your AD email account via "Members". Once this is done you should use the IDs from ADFS (which is supposed to be an email address) to login via console client.

If this doesn't work at all and there is no fallback authentication, then I would suggest you open an incident on the SAP support system.

Regards,
Ivan