opensap hana cloud2 week 4 transcripts


Upload: ztanauli

Post on 06-Feb-2018


Page 1: OpenSAP HANA CLOUD2 Week 4 Transcripts

7/21/2019 OpenSAP HANA CLOUD2 Week 4 Transcripts

http://slidepdf.com/reader/full/opensap-hana-cloud2-week-4-transcripts 1/25

 

openSAP Next Steps in SAP HANA Cloud Platform

WEEK 4, UNIT 1

00:00:13 Welcome to week 4 of the openSAP course Next Steps in SAP HANA Cloud Platform.

00:00:19 In this week, we will concentrate on advanced identity management concepts.

00:00:25 And in this unit, we will look at how to work with user profile attributes.

00:00:31 In a scenario around federated identity management, you have all kinds of different classes for

user account information.

00:00:38 You have things like the authentication credentials where you have password certificates. So

mainly things that you want to keep secret.

00:00:47 You have access control attributes, like definitions of roles, departments that a person works in,

00:00:55 which is something you might want to share for some of your applications.

00:00:59 And the same is also true for profile attributes like e-mail addresses, phone numbers, home

address, department, and so on.

00:01:07 And then last but not least, there are also application-specific user attributes that you might

need,

00:01:14 which are really specific to your application like, for example, if you look into an e-commerce

scenario, an e-commerce application,

00:01:22 things like buying history from what the user has bought in the past six months.

00:01:29 In a scenario where you want to share such information, you always need to think of

00:01:35 what kind of these different classes of information you want to share with your application in the

cloud.

00:01:44 Of course, authentication credentials should be kept with the identity provider and should not

be shared.

00:01:52 Things like the access control attributes or the profile attributes, yes, you might want to share

them, but maybe not everything.

00:02:00 And the application-specific user attributes really depend on your application.

00:02:05 So what does it mean for a sample scenario where you have an application that wants to use

some of them?

00:02:14 In this case that you see here, we want to share first name, last name, e-mail address,

department, and role, but not the SSN.

00:02:25 You can actually do that with the HANA Cloud Platform, where you say,

00:02:29 okay, let's just define which of the possible attributes should be shared and put that via a SAML

assertion

00:02:41 from the identity provider to your account of the HANA Cloud Platform.


00:06:30 So that all the classes are imported here that we need.

00:06:36 And we'll just copy one of these rows here into the catch section and just in case something

goes wrong,

00:06:48 just throw out an “Oops: ” + e.getMessage.

00:06:54 So that if something goes wrong, if there is an exception, we get the exception printed out. But

we hope that we don't get an exception.

00:07:06 That's the first step. And the next step, we go to our web.xml file.

00:07:12 You find it under WebContent –> WEB-INF. We double-click and we go to our documentation

of the HANA Cloud Platform.

00:07:24 And it's under help.hana.ondemand.com.

00:07:28 And then you go to the HANA Cloud Platform section under Java Development –> Developer's

Guide –> Securing Applications –> Security Development –> Enabling Authentication.

00:07:41 If you scroll a little bit down on the page, you see here this section with this snippet. I will just

copy that.

00:07:53 So I won't explain too much here, because this is already part of the introductory course.

00:07:59 So adding here the authentication. We'll add Protected Area for all pages in our application, but

we have just one servlet anyway.

00:08:13 And we will define the role...I don't know, maybe sales.

00:08:25 Okay, this is saved.

00:08:27 This is also saved, so saving the changes.

00:08:31 And now we will deploy this to our account on the hanatrial.ondemand.com landscape.

00:08:41 Clicking on Next.

00:08:42 Remember, don't forget that we have to be here on hanatrial.ondemand.com, not on

hana.ondemand.com.

00:08:52 Clicking on Next.

00:08:54 We give the application a name. Let's call it hanacloud2w4u1.

00:09:06 Your account name. It finishes with trial. Your user name. And the password for your account.

00:09:18 We select the application.

00:09:22 Finish it.

00:09:27 Okay, and once this is done, I just click here on Start to publish and start the application on our

trial landscape.

00:09:36 But what we want to do is we want the application to use a local IdP.

00:09:43 So to make it easy for you, you can actually create a local IdP with a new server that we will

add here.

00:09:51 So right-click, New –> Server.

00:09:54 You select SAP HANA Cloud Platform local runtime. Next.


00:10:01 Port 8080, that's good.

00:10:03 Next we don't put any application here on the right because we just want to use this server as a

local identity provider. We click on Finish.

00:10:15 Okay. So we see here we already have now a new server here and what we do is we also start

this gentleman.

00:10:30 Okay, it's starting.

00:10:33 The next thing we will do once the local runtime is started, which is the case right now,

00:10:40 is we go to our browser and open up the page localhost:8080/saml2/localidp/metadata.

00:10:53 What does it do?

00:10:54 It provides us with a metadata file that we will need to give to our HANA Cloud Platform

account with all the settings that we require.

00:11:06 So just clicking here to reload this page. And you see that now an XML file has been

downloaded into our machine.

00:11:17 So that's the first step.

00:11:19 The next step is we go to our trial account, so account.hanatrial.ondemand.com/cockpit.

00:11:29 And we click on the Trust tab here.

00:11:33 Okay, the session has expired. I'll just reload, no problem.

00:11:37 Click again on Trust.

00:11:42 By default, the SAP ID Service is used, but we want to change that.

00:11:47 I just click here on Edit and the configuration type is Custom.

00:11:53 Let's just click here on Generate Key Pair to create a new signing key and signing certificate.

00:12:00 We save this. Okay.

00:12:05 And now we click here on Get Metadata and we're doing now the same for our account to

export this configuration into an XML file.

00:12:17 So in the next step, we switch over to the Trusted Identity Provider tab,

00:12:24 where you can actually now define the local IdP.

00:12:30 You see here I already have one here called localidp-old.

00:12:35 Please be sure that you don't have a local IdP called localidp. So if you have it, just click on it,

rename it here so that the name is not localidp.

00:12:48 So in my case, that's not the case. So I just click here on Add Trusted Identity Provider.

00:12:55 And now what I do is I just click here on the Browse button for the metadata file

00:13:03 and now here I see in my downloads that I have two XML files: one called localidp and the

other one for my account in the cloud.

00:13:16 So I select the local IdP. This is important. If you select the other one, it doesn't work.

00:13:21 You click on Open.


00:13:24 Everything is pre-filled for you, and now you see the name is localidp.

00:13:30 You click on Save & Close.

00:13:34 So we have this now here. In my case, I already had one, so I click one.

00:13:37 This is the one which is the default IdP. I click again on it.

00:13:44 I switch to Attributes.

00:13:49 And just leave it as it is right now

00:13:54 because the next thing we will do is doing something similar on our local IdP,

00:14:00 so to create the trust relationship between the two servers.

00:14:06 To do that, I go to the list of servers.

00:14:12 You select the SAP HANA Cloud Platform local runtime.

00:14:15 You switch to the folder config_master –> com.sap.core.jpass.security.saml2.cfg.

00:14:25 You open that. You click on the folder and just refresh it.

00:14:32 A new folder shows up, localidp. Just opening up.

00:14:37 And what we need to do is we just copy over the other XML file into this directory. Pretty easy.

00:14:45 You go to your Finder or to your Windows Explorer and copy the metadata file from your

account. So this is the file.

00:15:01 Control+C. Control+V or Paste.

00:15:06 Okay, now we have it here. So we created the trust relationship between the local runtime for

this IdP and our account in the cloud.

00:15:15 As a last step on this side, we create a user to access our application.

00:15:24 Okay. We switch over...I just double-clicked here on the local runtime. We switch over to

Users.

00:15:32 We create a new user. Let's call it...user ID is rui.

00:15:39 [email protected]. Rui Nogueria.

00:15:52 Click on OK.

00:15:54 And I give myself the role of sales.

00:16:03 If you remember, in our web.xml file we already defined the role sales, which should have

access to the protected area.

00:16:13 So what I did here is I created a user who has this role.

00:16:17 And one thing we do is we will rename the attribute from email to emailaddress

00:16:26 because sometimes your identity provider has maybe different names for the attributes, so

emailaddress could be a valid name.

00:16:39 But in our application, if I switch over, we are expecting to use the attribute email.

00:16:47 So how do we do that if we can't change the attribute on the IdP?


00:16:53 We simply configure it on the HANA Cloud Platform account.

00:16:57 And that's the next step we want to do, so we've finished everything on the local IdP.

00:17:04 We go now back to our cockpit. To remind you, we are now in the local IdP.

00:17:12 Clicking on the Attributes. And now we will insert the assertion-based attributes.

00:17:19 So we will map the attributes coming from the local IdP, in our case, to the attributes that the HANA Cloud Platform should use.

00:17:29 So we will map it. So for firstname...

00:17:36 clicking again...and last name. Both are the same.

00:17:43 But for emailaddress we want to use email.

00:17:51 So you see here we're telling from the local IdP, please translate the attribute from

emailaddress to email so that the application only knows those here.

00:18:02 So I click on Save & Close.

00:18:06 And there is one final thing we need to do.

00:18:08 We need to give the user the corresponding authorizations to access the application. So we

switch for that to the Authorizations tab.

00:18:20 Click on Roles.

00:18:22 We select our trial account, so it's your p, s, d, or i user, finishing with trial.

00:18:30 Application, that's the one. hanacloud2w4u1.

00:18:34 And then hopefully...yes, there it is. We have the role sales, the one that we defined in the

web.xml in our deployment descriptor.

00:18:42 And I want to have a list of people who are already assigned to this, so nobody.

00:18:47 And now I will assign the user ID that I defined on my local IdP, just to show you, here.

00:18:55 So not the one in your HANA Cloud Platform account. The one on your local IdP. So in my

case, that's rui.

00:19:04 So assigning rui this role.

00:19:11 So that's mainly it. The last thing that we need to do now is to actually call up the application.

We see it's already started.

00:19:22 I just click on the link here. And what should happen now?

00:19:28 First of all, when the application opens up, we should be redirected to the local IdP. Let's see if

that works.

00:19:39 Ping is crossed. Yes, it worked.

00:19:42 We see here for the identification, the request has been redirected to our local host, meaning

our local IdP.

00:19:57 I provide my user and my password.

00:20:02 And what should happen next?


00:20:04 If I didn't forget my password, it should show me what I defined here in my servlet.

00:20:12 It should first say...just making it bigger for you...

00:20:16 it should first say Hello World at the top, and then it should print out the user name. First name

with a blank and last name.

00:20:25 And then, at the end, the e-mail address.

00:20:28 Ideally—and that is the test to see if everything works fine—it's exactly what I typed in here. So

let's see if it works.

00:20:39 Okay, voila. It works.

00:20:41 Hello World, first name, last name, and the e-mail address.

00:20:49 And the e-mail address is interesting because if you remember, we defined for our local IdP

that the attribute is called emailaddress,

00:20:59 but our code works the attribute email and we created that mapping in our cockpit just before,

where we mapped emailaddress to email.

00:21:14 That's what I wanted to show you. And this is actually also the preparation for the next unit.

00:21:20 So just going back again to the slides to see what we have learned in this unit.

00:21:29 You learned that there are different classes of user account information,

00:21:34 and how you actually need to think of which of them you want to share with your HANA Cloud

Platform account and which not.

00:21:43 You know how to actually configure the attributes with a local identity provider,

00:21:49 and how you actually also do the mapping in the Cloud Cockpit.

00:21:54 And, as a last step, how you can access those user attributes programmatically in a Java-

based app.

00:22:02 That's it for this unit. In the next unit, we will make much more use of this.

00:22:07 Thanks a lot.


WEEK 4, UNIT 2

00:00:12 Welcome to week 4, unit 2 of the openSAP course Next Steps in SAP HANA Cloud Platform.

00:00:19 In this unit, we will be looking into group management.

00:00:23 So what are groups in the SAP HANA Cloud Platform?

00:00:27 On the one side, they actually allow you to collect Web application roles and assign them to

one specific group.

00:00:34 And on the other side, it also enables you to map these technical roles to business-level

functions in an organization.

00:00:42 You see here an org chart with two areas.

00:00:47 One is the Finance area with a VP and a chief accountant and a budget analyst.

00:00:53 And the other one is Human Resources with a training specialist, benefits administrator, and a

corresponding VP.

00:01:01 So what would you need then? You would need some kind of mapping that allows you to map

these business-level functions to the groups,

00:01:12 which actually then drill down into roles that are coming from applications on the HANA Cloud

Platform

00:01:20 so that if you have multiple applications with multiple roles, you could assign corresponding the

roles to a specific group—like for example, a group of Finance— 

00:01:29 and then both colleagues who would be part of that group could access all applications

belonging to the group of Finance.

00:01:41 How do you do that? There are two options.

00:01:44 The first one is if you do that by using the unique identifier of the employee and assign it to the

group (for example, Employees) and that's it.

00:01:59 This works fine as long as you have a low number of employees.

00:02:03 But if we are thinking about hundreds, thousands, or maybe tens of thousands of employees,

this becomes really very difficult and doesn't scale.

00:02:14 That's why we have also a second option which allows you to do what we called federated

authorization

00:02:23 to take a group of users who share common attributes like, for example, the business function

accountant,

00:02:32 and assign these users to the group Finance.

00:02:38 And then the group Finance is mapped to specific roles coming from the applications.

00:02:47 So with that you ensure also if employees change positions or change their departments,

change their functions in the company,

00:02:57 that you don't have to maintain this meta information in two places, meaning on your local IDP

and then also in the HANA Cloud Platform,

00:03:06 but rather just at your local IDP. So you just change the function of that person or the


organizational unit or the department on your local IDP,

00:03:18 and then everything is set up. You don't have to change things also on the HANA Cloud

Platform side.

00:03:26 How do you do that?

00:03:29 In this exercise, I will show you how we will create two groups and assign those groups to the

corresponding technical roles of an application.

00:03:44 We will do it right now.

00:03:47 I will switch over to Eclipse.

00:03:52 What you need to do now is take, from the training material related to this unit, the

corresponding ZIP file.

00:04:00 And inside the ZIP file, you find a web.xml and HelloWorldServlet.java file.

00:04:08 And you simply take the project we already set up for unit 1 and substitute both the web.xml

file

00:04:18 with the content from the training material as well as the HelloWorldServlet.java file.

00:04:25 I did that already. So just to explain what is different to the things we had before.

00:04:33 You see we have here, compared to the initial code from the HelloWorld sample application,

two roles.

00:04:42 One is the role Finance. The other one is the role HR.

00:04:47 They are part of the web.xml file, so these are the technical roles of our application.

00:04:55 And here you have now the servlet that is doing two things.

00:05:01 Firstly, it shows you also an example of how you programmatically authenticate a user,

00:05:08 so you don't have to do that just with a web.xml file.

00:05:12 You see here the whole login information and security constraints are not inside the web.xml.

They are out.

00:05:23 But they are here inside this code.

00:05:27 And you can also find the corresponding code—how you do that programmatically—in the

help.hana.com documentation of the HANA Cloud Platform.

00:05:38 And you see here that's the part...making it a little bit bigger here...

00:05:44 that's this part here. So that you do the authentication.

00:05:48 And once the user is authenticated, the application will simply say “Hello” and print out the user

ID of the user.

00:06:00 And then there is this IF statement here.

00:06:06 If, from the request, the user is in the role Finance, it will print out “You belong to finance!” 

00:06:13 If the user is in the role HR, the user will get a printout, “You belong to HR!” 

00:06:22 So what I already did is I already deployed the changed XML file and the Java file into my trial

account.


00:06:33 So let's go there.

00:06:37 And you go now to the Authorizations tab. Okay, the session has expired. Just reloading again,

no problem.

00:06:46 You go to the Authorizations tab and you switch over to the tab Groups.

00:06:52 And now we will create two groups. So we no longer use the Roles tab now. We will do this

dynamically.

00:07:01 We create the group Finance. Let's show if there are already any assignments to this group.

00:07:08 No there aren't. So I will do this assignment.

00:07:12 I click here on the Assign button and what you see here. And that's also what I explained

before.

00:07:21 We have here your account, and now you also see you could select multiple applications.

00:07:26 So in our case we just take the application we just deployed and we select the Finance role

and save it.

00:07:38 Meaning that I assigned now the technical role Finance we defined in our application to the

group Finance.

00:07:50 And what I could do now in addition if I would have more applications that would be assigned

to the group Finance, I would do that exactly right here.

00:07:59 So clicking again on Assign, selecting maybe another application, and select a corresponding

role which should be mapped to the group Finance.

00:08:09 That's it. And we will create also now another group...clicking again on Show Assignments...for

HR.

00:08:20 Let's click here. There are no assignments yet.

00:08:24 We click on Assign.

00:08:27 And do the same. Okay, that's already pre-loaded here with the right settings, so we selected

the role HR. We save it.

00:08:38 And we have now here the same.

00:08:42 We assigned the application with the role HR to the group HR.

00:08:46 And in case you would have more applications on your account you would do that here step by

step until you are sure you have all applications with all roles assigned to this group.

00:08:58 That's mainly it. So nothing more to do on your side with that,

00:09:03 so meaning that if we reiterate what I said before at the beginning what you can do with

groups,

00:09:11 it's the first part, meaning that you can assign groups to specific technical roles from different

applications.

00:09:23 So let's go back to our slides.

00:09:28 That's what we did in this little exercise. Assigning the technical role of an application to a

group.


00:09:39 So what have you learned in this unit?

00:09:41 You have learned how to use groups in the SAP HANA Cloud Platform and how to assign

users to groups.

00:09:47 What we will do in the next unit is we will actually finalize our exercise and configure user

assignment

00:09:55 based on the mapping between the groups and the user attributes of the identity provider.

00:10:01 So looking forward to see you next unit. Bye-bye.


WEEK 4, UNIT 3

00:00:09 Welcome to Week 4 Unit 3 of the openSAP Course Next Steps in SAP HANA Cloud Platform.

00:00:19 In this unit, we will be looking into federated authorization, with groups.

00:00:26 In the last unit, we assigned a group or two groups to corresponding technical roles of an

application that we deployed

00:00:38 and what is still missing in this exercise that we started in the former unit is the dynamic

assignment of the users to those groups

00:00:47 based on an attribute exposed by the identity provider and that's what we will do now in this

unit. So the example actually looks into an identity provider having 3 employees, defined

inside.

00:01:04 So there are 2 employees namely, John Doe and Jane Smith, they have a function in their

organization

00:01:14 so they are budget analysts and they both belong to the finance area and another colleague

called Ted Miller

00:01:25 who is a training specialist working in the HR area and we have defined those 3 colleagues in

our identity provider

00:01:35 and based on the attribute function that the IDP provides the identity provider, the SAML

assertion will provide

00:01:46 this function together with the id to HANA Cloud Platform Account and there it will map

00:01:56 this function dynamically to the finance group for John Doe and Jane Smith.

00:02:04 So that at the end those 2 users are recognized as belonging to the Finance Group. Let's do it.

00:02:15 So let's switch over to our Eclipse. So you see here we have exactly those 3 colleagues.

00:02:28 So that's the still up and running HANA Cloud Platform local runtime, that we set up in the first

unit of this week

00:02:38 and I just double-clicked on it so that you see users that are assigned to it and this local runtime

is used as the identity provider

00:02:50 and here you see now, just make it a little bit smaller, you see John Doe here with all of his

attributes

00:03:00 in the IDP email, first name, last name and function. You see here is a budget analyst.

00:03:10 We have here Jane Smith, she is also working as a budget analyst and we have Ted Miller

who is a training specialist, working in the HR area.

00:03:20 So we defined those here so if you want to follow the exercise, you need to do the same, the

attribute function needs to be added for each of those users accordingly.

00:03:33 So, that's all you need to do from a local IDP perspective.

00:03:40 So, if you look into real life scenarios of course, this information is already available inside the

identity provider.

00:03:50 If we go now, back to our account, just going again to the authorizations tab,


00:04:04 clicking on groups, type in here show us the assignments for the group, Finance, so this is a

technical role, Finance that is assigned to this group.

00:04:16 That's what we did in the former Unit and now if we click on trust, and switch to our trusted

identity provider and click on the corresponding link here local IDP,

00:04:29 you see here at the right the groups link. So we click on it and you see that I already created 3

mappings.

00:04:41 So where I mapped the group Finance to the attribute from the IDP function

00:04:51 and what I'm saying is that this attribute needs to be equal to budget analyst, meaning that with

this row in this table,

00:05:03 you say everybody who works as a budget analyst, is assigned dynamically to the group

Finance.

00:05:11 I did the same also for the Chief Accountant and for the VP of Finance and they are all

assigned to the group Finance.

00:05:21 What I will do now in addition is to add the assertion based group for HR.

00:05:29 If you see those rules here, they are all connected with logic “or”, so meaning that either this

applies or this or this.

00:05:43 You can also apply other rules like, for example, connecting it with an “and” for that you just

click here on this plus

00:05:54 and it will show up underneath this meaning that in that case the mapping will only work if more

than one of these rules applies, right,

00:06:05 so like, it equals budget analyst and some other attributes so you can do that by clicking on

this plus but that's not what you want to do now because we say,

00:06:14 this is an “or” assignment it works for us. Let's do the same now for the HR group. So we will

say HR.

00:06:24 The HR group again using the attribute function, just for you to remember, going back to

Eclipse,

00:06:33 it's exactly the same attribute that we defined here in our local IDP and that can equal VP HR

00:06:48 and we will get another one, another function, it can also equal training specialist

00:07:00 and another one, a last one, equals benefits administrator.

00:07:17 We save this, save and close and that's all. So going now to our application that we deployed.

00:07:29 Just for you to remember again, the application or the servlet here that we introduced in Unit 2,

00:07:40 we identify the user and then we say if the user is in role finance, the technical role, you will

see here

00:07:50 that it belongs to finance and if the user is in role HR, it will print out that you belong to HR

00:07:57 and the mapping between the technical role, finance, which is part of the application, and the

mapping to the group,

00:08:08 that we did in Unit 2, and the mapping from the group to the functions that we just did right

now.


00:08:16 So let's start our application, just go in there. The application is up and running, clicking on the

link

00:08:24 and now we will log in as Jane Smith. We log in.

00:08:37 Okay, here we are, so as expected, Jane Smith belongs to the group Finance, so it worked.

00:08:48 If we wanted to just cross check again, going back to the IDP.

00:09:00 So Jane is a budget analyst, belonging to HR but now let's take also a real life scenario where

an employee is promoted

00:09:11 so let's assume that Jane has been promoted from budget analyst to VP of HR.

00:09:22 So that's what you would also normally do now with your identity provider, if the person has

changed the role.

00:09:32 So Jane is very happy. She has been promoted and wants now to use applications that are

opened to the Finance group.

00:09:43 Let's see if this works. We will open again our application.

00:09:50 So for the application to know it's a new user I will just open up in my browser a new incognito window.

00:09:58 If you don't know in your browser how to do that, just close all browser windows or close your

browser and open it again.

00:10:07 So the new browser session is created. So I will just do that. So that Jane has to log in again.

00:10:16 So let's see, Jane Smith, yes, let's see what happens.

00:10:26 Yes, you belong to HR and as you see now in this example, we didn't touch any codes.

00:10:34 We didn't have to maintain any data on the account of the HANA Cloud platform.

00:10:42 We simply changed the attribute in the identity provider and through the dynamic mapping of

the groups

00:10:53 to the functions and to the technical role of the application everything was done automatically

without having to maintain that data on two different sides.

00:11:03 On the IDP side and on the HANA Cloud platform side. So just off the IDP and everything was

done. It was a matter of a few seconds to do that

00:11:13 and that's actually the most important take out here that with this way to handle the

authorizations

00:11:23 you can really reduce the efforts to maintain such data very very easily.

00:11:30 So going back to our slides. So we finalized our example. You know now how to create these mapping rules.

00:11:44 So you assign a user to a group and then say if a specific attribute, also a regular expression,

00:11:54 maybe also important to note that in our case we used very easy comparisons

00:12:04 so we just used the equals comparison but you can also, as you see here, use regular expressions. So to handle much more complex scenarios

00:12:16 for example based on an e-mail and if you want to know more about how to do that, you can

also find information on the documentation

00:12:26 of the HANA Cloud platform, go to help.hana.ondemand.com. Go for the HANA Cloud platform documentation.

00:12:35 Go to JAVA development, developers guide, securing applications, security configuration and

then ID Federation with a Corporate identity provider

00:12:46 and if you scroll down you see some examples for comparison operators with regular

expressions and here for example,

00:12:54 one of those regular expressions that you could use for example, to check e-mails for specific patterns

00:13:03 and then dynamically assign the user to a specific group.

00:13:12 So that's what I also wanted to let you know. Exactly, let's watch what we just saw, also a quick

screenshot.

00:13:22 So on the left hand side, you start with the mapped group, it needs to be exactly the same

name as the one that you find

00:13:34 before when you mapped the group to the role of the application. Then you put in here the

attribute

00:13:44 coming from your identity provider, that has been exposed by the identity provider in the

sample message, then the comparison operator and then the corresponding value.

00:13:55 So very easy to do. So what have you learned in this unit? Well, very easily you've learned

how to define mapping rules and most importantly how this really helps you to reduce efforts

00:14:08 in your day-to-day work, if you have applications up and running in the Cloud and using local

identity provider with all the attributes,

00:14:17 with all of the profile information that you also need in the Cloud and still keeping the efforts

very low to handle that.

00:14:26 That's all for now and see you in the next unit.

WEEK 4, UNIT 4

00:00:12 Welcome to week 4, unit 4 of the openSAP course Next Steps in SAP HANA Cloud Platform.

00:00:19 In this unit, we will be looking into custom roles.

00:00:25 In this week, we already used a lot the definition of roles in the web.xml at design time.

00:00:33 So whenever we needed a role, we defined it in the web.xml, we deployed it to the account,

and then your application could use those roles.

00:00:44 But now think of a scenario where you want to allow more flexibility for, for example,

00:00:52 subscribers of an application that you provide so that they can define their own roles.

00:01:11 And that's what custom roles do and where they come into play.

00:01:05 With such an example that you see here, you have a provider account with a Project

Management application,

00:01:14 which has a role called Administrator defined in the web.xml and a custom role called ProjectDirector.

00:01:23 But the two subscribers to that Project Management application, they want to have another

custom role, or a different name of that role:

00:01:35 on the one side Project Manager, and on the other side the Team Lead.

00:01:40 And you can do that very easily with custom roles.

00:01:45 Such custom roles can only be defined by the account members of an account.

00:01:51 So nobody else can do that, only those who can actually manage and deploy applications on

this account can change and modify such custom roles.

00:02:03 And they extend the role model of an application or subscription at runtime, meaning that the

application is already up and running. You don't have to change the application.

00:02:14 You can simply change it in your cockpit, meaning you can add new roles, you can delete

them, you can rename them.

00:02:25 And also important to know is that such custom roles are of course not shared with any other

subscribed account,

00:02:33 meaning if you change it on your account,

00:02:40 nobody else from maybe other subscribers of an application can see what kind of roles you

have, and vice versa.

00:02:52 Together with custom roles, we also have the possibility to use the predefined roles of a

web.xml and share it with any other subscriber account.

00:03:08 And you can also very nicely unshare them.

00:03:12 Think of an example or a scenario where you want to provide yourself as a provider with kind

of a super-admin user to help your customers with support.

00:03:23 You can do that, meaning you let the predefined role assigned to yourself and unshare it for all

others.

00:03:35 From that moment on, only you as the provider of that application can have this right—nobody

else can.

00:03:45 This is what the custom roles are.

00:03:49 But what we want to do now is actually see how it works in real life.

00:03:54 For that, what you have to do is you take your training material, please, for week 4, unit 4 and

you will see a ZIP file there.

00:04:03 And what you need to do is unzip this file.

00:04:08 And you will notice you have two files inside that ZIP file: a web.xml and a Java file called

HelloWorldServlet.java.

00:04:22 What you need to do is import again the HelloWorld application, as we already did several

times, for this unit.

00:04:32 So like always, right click –> Import.

00:04:36 And then you select Existing Projects into Workspace.

00:04:39 Select the sample HelloWorld application. Put it on your machine.

00:04:45 And then you take the content of the unzipped web.xml file into the web.xml file of that newly

imported HelloWorld application.

00:04:57 You find it under WebContent...making it a little bit bigger here...under WebContent –> WEB-INF –> web.xml.

00:05:04 Just override the web.xml.

00:05:07 And what you also need to do is to substitute the content of the HelloWorldServlet.java,

00:05:15 so meaning just double-clicking on it, opening it,

00:05:18 and I'm substituting what is inside with the content of the downloaded training material, the

HelloWorldServlet.java.

00:05:28 After that, please deploy your application into your trial account, and that's mainly it.

00:05:37 If you still have your local IDP set up to be used, please switch over to the customer account.

00:05:47 I'll just show you quickly how you can do that.

00:05:51 You go to your account, to the Trust tab.

00:06:01 And then the configuration type for your local service provider should be set to Default.

00:06:08 And then you save it so it's done.

00:06:15 After doing that, just deploy your application there. And I already did that on my side.

00:06:22 And you notice that the link here at the top looks a little bit different than the one you are used

to on your trial account because

00:06:30 while this unit is being recorded, this functionality has not been made available yet on the trial

account,

00:06:36 but at the point where you see this video, it's already there. So don't be confused about that.

00:06:42 So you will actually see the same user interface like I'm seeing right now.

00:06:48 I just switch over now to my Java Applications tab.

00:06:56 I select my application that I deployed. I called it opensap.

00:07:01 And I open it.

00:07:06 So, what does this application do?

00:07:10 You provide here the role name. I will just type in test.

00:07:17 And when you click on Check Assignment...just making it a little bit bigger...

00:07:23 When you click on Check Assignment, it will tell you whether or not you are assigned to that

role.

00:07:32 As you see here, my user is not assigned to the role test. So I will just go back again.

00:07:41 And let's look again into our web.xml file.

00:07:44 And we will notice that there is one predefined role inside of it. It's called Employee.

00:07:53 So let's see if I'm assigned to it. Switching over here.

00:08:05 Click on Check Assignment. And it tells me I am not assigned to the role of an Employee.

00:08:13 How do I overcome this issue?

00:08:16 I just click on Roles, and that's actually the tab that has been newly added.

00:08:24 And I see that there is nobody assigned to that role yet. So I click on Assign and I will assign

my user to this.

00:08:42 Assign. Okay.

00:08:45 So now I have to open up a new incognito window and use the link here for my application.

00:09:02 Okay.

00:09:06 Now I type in my user.

00:09:14 Check. Employee.

00:09:19 And it tells me I am assigned to the role Employee.

00:09:23 Important to know that this is now the predefined role that we have here. The Employee role.

00:09:32 Meaning for the code—and we will prove it right now in a minute— 

00:09:38 for your code it doesn't make any difference if you are working with a predefined role or with a

custom role.

00:09:46 From a developing and programming perspective, it doesn't make any difference.

00:09:51 So I will now check and create first a custom role.

00:09:57 So to do that, I'm going back again to this Roles tab.

00:10:02 And I click here on New Role.

00:10:07 And I will assign myself to the role Manager.

00:10:13 So first of all creating this role. And you see here it's not called Predefined as a type, but

Custom.

00:10:22 And then also again assign myself to this role,

00:10:31 to this custom role.

00:10:37 Okay. And I still have now here the session open which doesn't still have the custom role.

00:10:46 So just to see if Manager...

00:10:51 It says no. But if I open up a new incognito window...

00:11:00 typing again my user credentials.

00:11:06 And if I check now for Manager, You are assigned to role Manager.

00:11:15 Very easy, wasn't it?

00:11:18 We didn't touch our code. We just added here a new role at runtime and assigned users to it

and very easy.

00:11:30 No touching the code necessary.

00:11:34 And you can create now as many new roles as your application needs.

00:11:42 So that's it.

00:11:46 We learned how to define and use custom roles.

00:11:52 That's it, and see you in the next unit.

WEEK 4, UNIT 5

00:00:13 Hi and welcome to week 4, unit 5 of the openSAP course Next Steps in SAP HANA Cloud

Platform.

00:00:20 In this unit, we will learn how to work with multiple identity providers.

00:00:28 In some scenarios, you might have the situation to provide employees of two different companies

00:00:33 access to your application on the SAP HANA Cloud Platform.

00:00:38 In the sample scenario you see here on the slides, there is one project management

application from the company BestRun Corporation

00:00:47 that is accessed by the project members of the company.

00:00:51 But there is also a partner company involved, and the employees of that company should also

have access to the project management application.

00:01:02 So to make the user experience as seamless as possible, ideally all employees of all companies should be able

00:01:10 to access the project management application with their corporate identity provider.

00:01:16 The good news is you can handle this with the SAP HANA Cloud Platform easily

00:01:21 by configuring both identity providers as trusted identity providers in your account.

00:01:27 Let's see how to do that.

00:01:31 You can set up as many trusted IDPs in your account as you want.

00:01:36 What you need to know is that the IDP marked as default is the one that any application

protected with FORM-based authentication will choose.

00:01:49 If the application is accessed with an additional parameter called saml2idp,

00:01:54 the user is redirected to the trusted IDP that is defined as parameter value.

00:02:00 So in the example here, if you want that the IDP sso.partner.com is used for authentication,

00:02:08 you need to provide the value sso.partner.com for your parameter saml2idp.

00:02:15 But let's do a little exercise so that you can see how this works in real life.

00:02:22 I just switch to my Eclipse.

00:02:27 And what I did is I used the Hello World application from the SDK.

00:02:34 I imported it, as we already did quite often, and I substituted the web.xml file

00:02:41 with the web.xml file which is part of the learning material for week 4, unit 5.

00:02:49 So I ask you to do the same. Take the web.xml file from the learning materials for this unit

00:02:55 and paste it into the web.xml of the Hello World application.

00:03:01 So what I did here is simply securing the application so that you need to authenticate.

00:03:12 So that's the first step.

00:03:14 As you see here, I already deployed this application to my account in the cloud.

00:03:22 What I want to do now is to simulate the scenario. I will create two local IDPs here on my local

machine.

00:03:38 And before you add now a new server here, please be sure to use the most current SDK from

the SAP HANA Cloud Platform.

00:03:49 You know where to get it: tools.hana.ondemand.com/cloud. So that this works smoothly.

00:03:58 I just make this a little bit bigger. We will create now a local runtime for the SAP HANA Cloud

Platform that we will call IDP1.

00:04:10 Next. So this will run on HTTP port 8080.

00:04:15 And we don't deploy any application. We just finish here.

00:04:21 And the second thing we will do is do exactly the same for another local runtime.

00:04:30 So New –> Server. SAP HANA Cloud Platform local runtime. And this will have the server

name IDP2.

00:04:42 Next. HTTP port 8672 because 8080 is already blocked by the other local runtime.

00:04:50 Clicking on Next and on Finish.

00:04:54 So we have now two local runtimes that we will use as local IDPs.

00:05:04 What will we do?

00:05:07 We need to establish a trust relationship between your account in the cloud and these two local

identity providers.

00:05:18 So I will switch first now to the local service provider here and click on Edit.

00:05:25 And we'll change the configuration type from Default to Custom.

00:05:31 I will click on Save here.

00:05:35 Okay.

00:05:37 And...wait a second...just deleting here everything I had in my browser.

00:05:43 And also deleting everything I had in downloads. Now nothing there. Just the web.xml.

00:05:49 I will click now here on the Local Service Provider on Get Metadata

00:05:56 so that I have the settings for my local IDP.

00:06:02 And then I can add the trusted identity provider.

00:06:06 And you see here we already have a local IDP.

00:06:11 And the name localidp is actually also the default name for any identity provider that we would

add here from the local IDP.

00:06:23 So we want to use a different name.

00:06:27 This is an optional feature that we have to provide a specific name to your IDP.

00:06:35 And to do that, we will switch to the IDP config,

00:06:39 so to the configuration of the IDP1 local runtime, and switch to the folder config_master

00:06:48 and to the subfolder com.sap.core.jpass.security.saml2.cfg.

00:06:55 Here we will create a new file.

00:07:00 We need to call this file local_idp.cfg.

00:07:09 Again, remember this is just now an optional functionality to allow us to create two local identity providers here.

00:07:20 And to define a name, we need to provide here one line inside this file. localidp_name=idp1

because we are in idp1.

00:07:36 We save this.

00:07:38 We take now exactly this file. We just copy it and switch to the idp2 config. config_master. The

same directory.

00:07:49 And we paste it in here.

00:07:52 And I double-click and now I will name this one idp2.

00:07:58 I save this file.

00:08:02 Okay.

00:08:04 So what I do now is I start both local runtimes. Start.

00:08:14 Nope. We forgot...no, everything is fine.

00:08:21 The two IDPs are started now and I switch back to my local browser to the

localhost:8080/saml2/localidp/metadata.

00:08:34 So we also looked into this in a former unit in this week. And if we execute this link,

00:08:44 nothing happens because I forgot something here. localidp/metadata.

00:08:58 Okay, now it works. You see a file, idp1 –metadata.xml has been downloaded.

00:09:05 And I will call the same URL just with a different port. If you remember the port...I just double-

click here on IDP2 and IDP1.

00:09:15 So I just click here on IDP2. The port for IDP2 is 8672.

00:09:20 8672.

00:09:24 And I call this too. And voila. I have now the same metadata file for my IDP2 identity provider.

00:09:34 I will now take first...

00:09:41 wait a second, just cancel this...I didn't know where we are right now.

00:09:47 I will now add a trusted identity provider.

00:09:51 Click on here. And select the files that we just downloaded: idp1 for the IDP1 identity provider.

00:10:01 And you see here also the name idp1. By default, as I said before, the name would be localidp,

00:10:08 but because we provided the localidp.cfg file, we gave it another name. In this case it's idp1.

00:10:18 And for the IDP2 we called it idp2. And this is the name you see here now.

00:10:24 I will also tell the system that this is our default IDP. And now I will add the second one.

00:10:32 Selecting the idp2 –metadata file. Open it and save it.

00:10:40 So now we created a trust relationship between the account and the local IDPs.

00:10:51 But now we need to also make the account settings here known to our local IDP.

00:10:59 And for that, we take the XML file we just downloaded before when we clicked on the Local Service Provider on Get Metadata.

00:11:08 So I just take this file. I just copy it.

00:11:13 And I go to the com.sap.core.jpass.security.saml2.cfg folder and do a refresh.

00:11:25 And you see a new directory opens up. I open this directory and I paste the file in here.

00:11:33 And I will do the same also for IDP1.

00:11:38 Also refresh.

00:11:43 And paste it.

00:11:46 And now the local IDPs and the account trust each other.

00:11:52 So what will I do now?

00:11:55 The trust relationship is established. I will call my Java application,

00:12:02 the one I just deployed before with the changed web.xml.

00:12:10 Okay. You see now that the authentication switched over to the 8080 port, meaning that it tries

now to use the IDP1.

00:12:24 Before being able to test it, we now need to also provide two users. So I will use here on the

IDP1 the user Teddy.

00:12:39 Okay. And save it.

00:12:42 And do the same for IDP2. Here it's Tina.

00:12:51 Okay. And save it.

00:12:54 And for IDP1, I selected Teddy. For IDP2, Tina.

00:13:02 So I'll just try now to authenticate with Tina, which will not work—authentication failed—

because our default IDP is IDP1.

00:13:13 Meaning if I try out now Teddy, I will be able to log in and I see here now my Hello World text.

00:13:25 Actually, I changed it because of the Circa World Cup: Olé Brasil!

00:13:32 I will now try to do the same with a new incognito window.

00:13:37 Paste the URL of the application again. But now I will provide the parameter saml2idp=idp2

00:13:51 to really specifically tell the application to please use the other identity provider.

00:13:58 Okay. We already can see that the port is no longer 8080, but the port from the IDP2.

00:14:07 Nevertheless, I will try to log in with Teddy,

00:14:13 who belongs actually to the IDP1 identity provider. Try to log in.

00:14:19 And authentication failed.

00:14:22 If I try it out with Tina,

00:14:28 here we are. Olé Brasil!

00:14:31 So. This worked.

00:14:33 So if we go back to our slides, that's what we wanted to see in our exercise: how to work with multiple identity providers.

00:14:43 And you can use the same way also in your real-life scenario to create here as many trusted

identity providers as you need for your account,

00:14:55 maybe to allow also employees of other companies accessing an application running on the

HANA Cloud Platform.

00:15:03 That's all for this week. Wishing you good luck for your weekly assignment

00:15:09 and see you in the next week. Bye!

© 2014 SAP AG or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG or an SAP affiliate company.
