Authentication
By assigning trusted Web Servers, you can set up a trusted relationship between the Application Server and one or more Web Servers. Only trusted Web Servers are allowed to create new user sessions and to specify a value for the client IP address. Open the IT Management Console and navigate to → to assign a trusted Web Server by adding its IP address to the list of trusted Web Servers.
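The trust rule described above, as an added illustration in Python (not Angles for SAP code): a claimed client IP and a session request are honoured only when the connecting peer is on the trusted list. The function names, the sample addresses, and the handling of IPv4-mapped IPv6 peers are assumptions of this example.

```python
import ipaddress

# Constructed sample list (documentation-range addresses) standing in for
# the trusted Web Servers entered in the IT Management Console.
TRUSTED_WEB_SERVERS = ["192.0.2.10", "2001:db8::10"]


def _parse(value):
    """Parse an IP string. Assumption of this example: an IPv4-mapped IPv6
    peer (::ffff:a.b.c.d) is compared as its plain IPv4 address."""
    addr = ipaddress.ip_address(value.strip())
    mapped = getattr(addr, "ipv4_mapped", None)
    return mapped if mapped is not None else addr


def resolve_request(peer_ip, claimed_client_ip=None, trusted=TRUSTED_WEB_SERVERS):
    """Return (may_create_session, client_ip_to_record, note).

    peer_ip is the address the connection actually came from;
    claimed_client_ip is the value the caller asks the server to record.
    """
    peer = _parse(peer_ip)
    is_trusted = peer in {_parse(entry) for entry in trusted}

    if claimed_client_ip is None:
        return is_trusted, str(peer), "no client IP claimed"
    if not is_trusted:
        # An unlisted caller cannot choose the address recorded for the session.
        return False, str(peer), "claim ignored: peer is not a trusted Web Server"
    try:
        client = _parse(claimed_client_ip)
    except ValueError:
        # Reject lists or free text instead of guessing which part is the address.
        return True, str(peer), "claim ignored: not a single valid IP address"
    return True, str(client), "claim accepted from trusted Web Server"


if __name__ == "__main__":
    for peer, claim in [
        ("192.0.2.10", "203.0.113.7"),         # trusted Web Server
        ("198.51.100.99", "10.0.0.5"),         # unlisted host claiming an internal IP
        ("::ffff:192.0.2.10", "203.0.113.7"),  # trusted server seen over a dual-stack socket
        ("192.0.2.10", "203.0.113.7, 10.0.0.1"),
    ]:
        print(peer, claim, resolve_request(peer, claim))
```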
For each authentication provider, the following data is shown:
Setting | Description |
---|---|
Provider | Shows if the authentication provider is enabled or not. |
Default | Here you can select the default authentication provider. With the default authentication provider, users can log in with their username and password only. With a non-default authentication provider, users need to add <name of the authentication provider> in front of their username. For example: |
ID | The ID used by the Application Server for the authentication provider. |
Type | The type of authentication provider. Angles for SAP supports the following types of authentication providers: |
Description | Description of the authentication provider. |
Action | Button that allows you to edit and/or delete the authentication provider. |
Adding an authentication provider
Open the IT Management Console and navigate to → .
Click Add new authentication provider.
Select an authentication provider.
The information you now need to enter depends on the selected provider:
Setting | Description |
---|---|
ID | The ID used by the Application Server for the authentication provider. |
Description | Description of the authentication provider. |
Type | The type of authentication provider. Angles for SAP supports the following types of authentication providers: |
Enabled | This setting indicates whether the authentication provider is an active provider or not. |
Automatically create users | If this setting is selected, a new Angles for SAP user account is automatically created when a user from this authentication provider logs in to Angles for SAP for the first time. This Angles for SAP user will then be assigned the default roles as defined on this page. For ADFS and SAML, this option is selected by default. |
Sync roles to groups | If this setting is selected, the Application Server will always check AD group membership when a user logs in. When an AD group exists as a role in Angles for SAP, this role will be assigned to the user during the session. Note that the group name may not contain any spaces. |
Default roles | These roles will be assigned to new user accounts from this authentication provider. Setting a default role is mandatory unless you use Sync roles to groups. Click the cell to add or remove roles by selecting or deselecting roles in the drop-down list. The drop-down list contains all available system and model roles. Hover over a role to see which model it belongs to. |
Domain | The domain name of the Active Directory. |
User container (DN) | In a default Active Directory hierarchy structure, users are located in the "Users" container. This container is always on the main level of your domain. If you leave this field empty, the Angles for SAP Application Server will retrieve users from this default location. If you want to retrieve the users from a different container, enter the Distinguished Name (DN) of this container here. An Active Directory browsing tool can help you find the correct DN syntax for the container. For example, Ldap Admin is a free Windows LDAP client that lets you browse the Active Directory and copy the DN. Example DN: CN=External users, DC=Contoso, DC=com |
Target | Holds the target of the ADFS. During a login challenge resulting from a URL link into the instance that requires a Single Sign-On session, the referring URL often needs to be supplied to the Single Sign-On provider so that, after authentication, it can be passed back to our instance and linked to the correct resource. The target is built with the elements: <Service><address of service>, for example, |
Identity | Holds the identity of the ADFS. The identity consists of the elements <service> and <address of service>, for example: |
Identity provider issuer | Holds the SAML identity provider issuer. |
Identity provider single sign on URL | Holds the SAML identity provider single sign on URL. |
Identity provider certificate string | Holds the SAML identity provider certificate string. |