SAP ® Cloud Identity service Onboarding Kit for SAP HANA Cloud® Platform Customers and Partners Log OnTable of Contents Access to Your SAP HANA Cloud Platform Cock} Access to SAP Cloud Identity Servi Trust Configuration between SAP Cloud Identity and SAP HANA Cloud ACCOUMt .csnnnmnnnnnnnee 9 Adding Trust Configuration between SAP Cloud Identity and a sub account of your SAP HANA Cloud Account. Further Steps ssccnnnnnnnnnnnnnneiin 2[PaACCESS TO YOUR SAP HANA CLOUD PLATFORM COCKPIT ‘The Contact Person IT from your company has received an e-mail with link to your SAP HANA Cloud Platform hitps://account.hana.ondemand,com/. Each account is associated with a region, which represents the data center that is used by the account, so the links to the SAP HANA Cloud Platform Cockpit differ per region: Australla: hitos://account.ap1 hana.ondemand.com/cockpit Europe: https://account eu hana ondemand,com/cockpit US East: httos://account.us4,hana ondemand.com/cockpit US West: hitos://account.us2.hana.ondemand.com/cockoit The Contact Person IT from your company as specified in the Order Form for SAP Cloud Services that you have signed is the first account member of the SAP HANA Cloud Platform Cockpit. This user has s-User ID (this user has been registered beforehand). With the s-User ID and her or his password, she or he can log (on into https://account.hana.ondemand.com, You can request new user IDs at the SAP Service Marketplace: htip://service sap com/request-user and then ‘add them into the Members page of the SAP HANA Cloud Platform Cockpit. Members (All: 1) “Ladminisirator 1 Developer 0 Support User OApplicaton User Admin 0 Cloud Connector Acmin story httpsi/fhelp.hana.ondemand.com/help/frameset.htm?937¢3cef72bb101490cf767db0291070. htm! Users registered for the SAP HANA Cloud Platform Developer Trial (Register from here htlos//account.hana.ondemand.com/ or on scn.sap.com) can also be granted access to the cockpit, these are p-User IDs, and also partners with c-User IDs. ACCESS TO SAP CLOUD IDENTITY SERVICE ‘SAP Cloud Identity service does not use for authentication the users registered in the SAP Service Marketplace, but maintains an own user store for administrators and users as part of the service. ‘Anew user account for the same Contact Person IT has been created, but itis still not active. The user has received the following e-mail 3|Pagetome Activate Your Account for Administration Console lassi notification @sapnetworkmai.com 453 PM (2 mines apo) EZ rn nt an Senn tn AP Dear Sofia Stevens, ‘An account has been created for you. To activate your account for Administration Console, lick the link below. You will be taken to a page where you wil also set a password for your account ® If the link above is not displayed or does not work, copy and paste the link below to the ‘address bar of your browser. 1119FFBEC8AG072E3028D9C91B519979FE11D1B1A438564E31343003F ASE al iZ For more information, see SAP Cloud Identity service documentation. In case of any issues, create a ticket with BC-AVHDS component in SAP Support Portal Best regards, ‘Your SAP Cloud Identity Service Team ry avew. copying, oraatouton ots sy Bronoaes The user needs to click on the provided link in order to activate his or her administrator account for the SAP Cloud Identity tenant https://.accounts.ondemand,com. Then he or she needs to set an own password, and once finished with this step, the administrator can continue to the Administration console for ‘SAP Cloud Identity service as shown below: 4|PageSafi Activate Your Account ‘An account has been created for you with SAP Cloud Identity for use with Administration Console. The account information we already have for you is below. To begin using your account for Administration Console, set a password below. Tell Us About Yourself FirstName | Sofia LastName | Stevens Email | sofiastevensmail@gmail.com Set Password Password” nter Password” EY” cloud identity Account Successfully Activated > = EDT cious identity 5|Page‘#0 couse amnsaton Cane @ 10 1% 2, Toms of racy Ploy Ino ser port Users Documents Documents pete tae Seomumtcaaneteyar || copgreanamamest | | conga cae pay aera ‘ercnine | “Geleppis pces yeep ‘Seto & bi 0 * a 0 Socal Sgn-0n orga ety ime 2 1 sor Management For subsequent logons, the user needs to use his or her e-mail and password for login into the Administration console for SAP Cloud Identity service. accessible to the administrators under his /admin, e.g, https:// accounts, ondemand,com/admin 6|Page"tps://pariner accounts endemand cony/sai2/do/ssoPsp=oacaccountssap.%?| Log On E-Mail Password Administration Console Password EE cious sentry Adding other Administrators: If new SAP HANA Cloud Platform members are added into the Members page of the SAP HANA Cloud Platform Cockpit these members will not be added as administrators of SAP Cloud Identity service, as this is done only for the initial user. To add new administrators of SAP Cloud Identity service, the first SAP Cloud Identity service tenant administrator should access the Administration console and do the following steps: Choose the Administrators Tile: € > @ Ai B https//partner.accounts.ondemand.com/admin/ » Configure tenant stings 7|Page‘Add a new administrator user and configure the right authorizations: € > © Ai [Gi btp2//partner accounts ondemand,com/adimin/#/tsnantAdmine/=ystem/S67207b6e4b0/36c412050eb/ oP EL “« Ey (4? omen hanno once 3 sora sevens Administrators System Details @ SAP HANA Cloud Platform ® SAP HANA Cloud Platform & Sofia Stevens CONFIGURE SYSTEN AUTHENTICATION Conticate Coniston cenit or athentton Set Password CONFIGURE AUTHORIZATIONS Manage Corporate Identity Providers Manage Users Agborzatoneto manage. ego ard ion wars se woraoe Groupe 8|Page€ © © AB htipe//pariner accounts ondemand conv acimin/¢/tenantdmnn “a Ey oa Ari Cs aeons Adminstators e ‘Ad Administrator @ SAP HANA Cloud Platform User Details 2 Sota stevens suet rote eat “eat pewacrin@cempan.com “LastName Lasnamel ‘Manage Applications ‘Manage Corporate kdentty Providers Manage Users @ @ & ese @ The newly added administrator will receive an activation e-mail, as described above for the first administrator user. TRUST CONFIGURATION BETWEEN SAP CLOUD IDENTITY AND SAP HANA CLOUD ACCOUNT During the onboarding, your SAP Cloud Identity tenant has been created and you have to add it as a Trusted Identity Provider of your SAP HANA Cloud Platform Account. 9|PageGo to Trust section of your SAP HANA Cloud Platform Cockpit and choose Edit: {B. s#P cent Management vj} Parser Acourt Local See revicer | Tres enn Prost Manage Lees Provider Setngs oe Change the Default Configuration Type to Custom: Trust Management Gane ewonson Tie [Bema =) cpa Pcption| peat Se oc Sao Generate Key Pair and then Sav ‘Trust Management Manage Loca Provider Settings © torassanceta Comguaton Type ust ¥ i ‘Soneg cenncte:* Aathoretons Sener Pa - Pepa Propagation. cies ~ 10|Page€ 2 © Ai _B hitps//accounchanaordemandicom, Pent et ees Wm Europe v / SAP ently Management ¥ £2) Parner Account ‘Trust Management Manage Loss! Proviser Satins ©) toraasasesta Coniguaon Typ: Cus . ‘Soong Hey * KE GADANNKARIGEHOS eScStennaorewcsman CRoepbayevisecaaTveg anea conse: * miocemgeniag Aor WVTELIAGMUESRUGRED SeanegissorSNOUCESRS | Generate Key Par Pcp Propagation Disabled » Save | (Cancel Alert x Now you can proceed to configuring the trusted identity provider setings in the next tab. Go to Next Tab Trusted Identity Provider and choose “Add SAP Cloud Identity Tenant”: Trust Management Sees Local Service Provider | Trusted entity Provider « ‘Manage Local Provider Settings Drs | torassazcsta Trust Configuration Type: Local Provider Name: * hitps:/hana ondemand comia364¢ Authorizations [Page€ > © fA hrtps//accounthara ondemandcom/cockpité Rene im Europe vB SAP iden Management v / Parner Account v ‘Trust Management Local Serie Poncer | Tested Identity Provicer 2 ‘Manage TustRestonships ang Feceraton Settings »> ‘Aad Trusted Wentty Provider No Taste laetty Provcers ceined Choose your SAP Cloud Identity Tenant and then Sav ‘Add SAP Cloud lentty Tenant Select your SAP Cloud entity Tenant: © patmevenei 12|Page‘The tenant was added as your Default Trusted Identity Provider. ese | ween oui | mame ee Sowers en ‘You can edit the default rust configurations by clicking on the name of the SAP Cloud Identity tenant, You can access the Administration console for SAP Cloud Identity service from the link an the same line. Automatically the SAP HANA Cloud Platform Account is registered as an Application (Service Provider) in SAP Cloud Identity service. © ff |G heps//parneraccountsondemand.com/ac Privacy Policy Documents You can find it as the first Custom Application, representing your SAP HCP account. 13|Pagea EY Aspicatons ‘CUSTOM APPLICATION partner hts ana ondemand con/asS18cSta ‘SAP Cloud Identity spaccountssp.com Alication partner Ths appaton name appears on he logen and registration pages. Trust Aumereaton and Assess Srandng and Layout ‘SAML 2.0 Configuration Ceti ns ih sera ory ead mata wbnt Name ID Attribute Gagne as th ciety ees. The Assertion Attributes eg a at nt the alent he ed arin Defaut Atvioutes Certificate for API Authentication HTTP Basie Authentication ome URL net centaur You can start customizing the settings for this application — add Home URL, configure the User Access, Logo and Branding Style, Terms of Use among others. ‘Once you have deployed an application to SAP HANA Cloud Platform that has protected resources and requires SAML authentication, the user will be redirected to the SAP Cloud Identity Login page to provide credentials. Note: All SAP HANA Cloud Platform applications (JAVA and HTMLS) and SAP HANA Cloud Platform services in this HCP Account are going to use these Trust settings. as an HCP account acts as one Service Provider (one Application). For example, all SAP HCP applications in this account will show the same application logo, Privacy Policy, User Access — public (user registration allowed) or private. 14|PageLog On E-Mail Password Forget password? Remember me Register EY cloud identity If you need different settings for the different SAP HCP applications or SAP HCP services, you need to open separate sub accounts and add the SAP Cloud Identity tenant in the sub account. Find the necessary steps. in new next section: ADDING TRUST CONFIGURATION BETWEEN SAP CLOUD IDENTITY AND A SUB ACCOUNT OF YOUR SAP HANA CLOUD ACCOUNT 15|PageADDING TRUST CONFIGURATION BETWEEN SAP CLOUD IDENTITY AND A SUB ACCOUNT OF YOUR SAP HANA CLOUD ACCOUNT fm Europe ¥/ Bh SAP Henty Management ¥ EB) Pane Account ¥ ‘Account Detalls a 21 Dec 2015, 1506 14 ‘Manage Accounts 5 Mow account Ql Derlay Name Parmer Account New Account Display Name: [Partner Sub Account Assigned Quota: Lite 0 we | | Cancel Account Created ‘Account successfully created “The page will be reloaded for the account to appear in the Account lst 16|PageChoose the new account: fm exrope ¥ / 2 SAP oeany Management v EZ) Parner Account ‘Account Details ‘New Sup Account Yates econ Account Name: at648esta Parner Sub Account Go to Trust section in the Cockpit: © AB hups//accounthana.andemandcom cockpit Wm viene ¥/ B, SAP ner Management ¥-/ Parner Sv account ‘Trust Management manage Local Provider Stings 5 toratncteat ‘Trust Management ‘corepraon Ty eat . Local Ponte Nave * nips maa tear conan Sona kay * meyrsebaveprnaconce El Aaerbacconmpy gece ‘Shactseuprantpettacart ceooeaOSNONUES Seng Centexe * wyovTccamosmiager D Soncovowsoceniee, BD Se) cre! 17|Page1m cawpe + / Steet anapement © / Famer Sub rect “Trust Management ea Sei Prove | ated en Provider gr remnant sone ee ue anormal mmm ‘ie sea deryProviers cei Select your tenant and Save: ‘Add SAP Cloud lenty Tenant Select your SAP clous aenty Tenant: panei ‘The tenant was added and the new account is added as an application inside the Administration console SAP Cloud Identity racers€ > © iB htips//partneracounts ondemand.com/acmin/ ‘SAP Coud tent Adminstration Console 5 & fe Terms of Use Privacy Poicy Documents Documents Sete ates tr your | Crtige cso ems ot Corte cazon pay ‘oben eferyoracatans| poles ry opens "is aceescn mare opera een na agate pases ae Ua ae UR ott nae onsenonacamitess SAP Clous eentty ust Aumeneezon ane Acess sang na Layat SSAML.2.0 Centguraton Ebigraet see py hn aie Name 1 atrbute ‘estiaaceamt ene ean 0 esata ‘Assoron Atrivtes FURTHER STEPS You can acquaint with the capabilities of SAP Cloud Identity service in a Product Presentation and can start learning how to use them in the online documentation Enjoy your journey with SAP Cloud Identity service and SAP HANA Cloud Platform. 19|Page