[Figure: SAP Cloud Platform authentication architecture diagram, from the SAP website: cloudplatform.sap.com/scenarios/u…]

The figure above shows the authentication process a user goes through when accessing the SAP Cloud Platform. The example walked through in this article is a user accessing SAP Marketing Cloud rather than the SAP Cloud Platform itself, but the principles are the same.

Step 1: The user sends a service request to the Service Provider.

Step 2: The Service Provider redirects the request to the tenant that provides authentication, which in my case is the SAP ID Service, accounts.sap.com.

Here the Marketing Cloud (the Service Provider) and the SAP ID Service (the Identity Provider, IdP) are configured to trust each other.

The Location field of the HTTP 302 redirect in the response to request 1: let-me-in.hybris.com/saml/idp-re…

The browser is redirected to the SAP Cloud Platform ID service (accounts.sap.com): accounts.sap.com/saml2/idp/s…

Step 3: The IdP sends the user an HTML login page asking for a username and password.

Looking at the HTML source, you can see that besides the username and password input fields there are several hidden fields, highlighted in the figure below. They are generated on the server side when the IdP returns the page to the user, and they are posted back together with the credentials so the IdP can use them during its server-side authentication processing in Step 5:

  • xsrfProtection
  • spId
  • spName
  • authenticity_token
  • idpSSOEndpoint
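To make the role of those hidden fields concrete, here is an added example (not code from the article, from SAP or from the SAP ID Service) that parses a login page, collects the hidden inputs, checks that the five fields the article lists are all present, and builds the form body that Step 4 submits. `SAMPLE_LOGIN_PAGE` is a constructed, trimmed stand-in for the real page: the hidden field names are the article's, while every value, the form action (`https://idp.example/saml2/idp/login`) and the credential field names (`username`, `password`) are assumptions.

```python
"""Collect the hidden fields of an IdP login form and check the expected ones are present.

Added example for this article; not code from the article, SAP or the SAP ID Service.
SAMPLE_LOGIN_PAGE is constructed: field names from the article, all values assumed.
"""
from html.parser import HTMLParser
from urllib.parse import urlencode

# Hidden fields the article says the IdP generates server-side for Step 5 processing.
EXPECTED_HIDDEN = ("xsrfProtection", "spId", "spName", "authenticity_token", "idpSSOEndpoint")

# Constructed sample page; values, form action and credential field names are assumptions.
SAMPLE_LOGIN_PAGE = """<html><body>
<form method="post" action="https://idp.example/saml2/idp/login">
  <input type="hidden" name="xsrfProtection" value="xsrf-token-0001">
  <input type="hidden" name="spId" value="sp-id-0001">
  <input type="hidden" name="spName" value="let-me-in.demo.hybris.com">
  <input type="hidden" name="authenticity_token" value="auth-token-0001">
  <input type="hidden" name="idpSSOEndpoint" value="https://idp.example/saml2/idp/login">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Log On">
</form>
</body></html>"""


class LoginFormCollector(HTMLParser):
    """Records the first form's action plus its hidden and user-visible input fields."""

    def __init__(self):
        super().__init__()
        self.action = None
        self.hidden = {}    # name -> value of every <input type="hidden">
        self.visible = []   # names of the text/password inputs the user fills in

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "form" and self.action is None:
            self.action = attr.get("action")
        elif tag == "input" and attr.get("name"):
            kind = (attr.get("type") or "text").lower()
            if kind == "hidden":
                self.hidden[attr["name"]] = attr.get("value") or ""
            elif kind in ("text", "password", "email"):
                self.visible.append(attr["name"])


def parse_login_form(html):
    """Return {'action': ..., 'hidden': {...}, 'visible': [...]} for the login form."""
    collector = LoginFormCollector()
    collector.feed(html)
    collector.close()
    return {"action": collector.action, "hidden": collector.hidden, "visible": collector.visible}


def missing_hidden_fields(form):
    """Names from EXPECTED_HIDDEN that the page did not carry as hidden inputs."""
    return [name for name in EXPECTED_HIDDEN if name not in form["hidden"]]


def build_form_body(form, username, password):
    """The urlencoded body Step 4 submits: the server-generated hidden fields plus the credentials."""
    fields = dict(form["hidden"])
    fields["username"] = username
    fields["password"] = password
    return urlencode(fields)


if __name__ == "__main__":
    form = parse_login_form(SAMPLE_LOGIN_PAGE)
    print("action :", form["action"])
    print("hidden :", form["hidden"])
    print("missing:", missing_hidden_fields(form))
```

The point of `missing_hidden_fields` is the check a tester or an IdP operator wants: if the page is served without `xsrfProtection` or `authenticity_token`, the form post of Step 4 would no longer be bound to the page the server issued, so a missing field is a regression worth alerting on rather than silently submitting without it.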

Step 4: After the user enters the user name and password and clicks the login button, the form data is submitted to the server side of the SAP ID Service via the HTML form:

SSO request URL: accounts.sap.com/saml2/idp/s…

The second URL, with SSO in uppercase: let-me-in.demo.hybris.com/saml/SSO, the SSO request to the Service Provider.

Step 5: The server side of the SAP ID Service completes validation of the credentials and returns a SAML assertion to the user in its response.

The SAML response is in XML format and is structured as follows:

Step 6, the final step: with the SAML assertion, the user can access the Service Provider.
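What the Service Provider has to check before it accepts the assertion of Step 5 and grants access in Step 6 is easy to lose sight of in a flow diagram, so here is an added example (not code from the article, SAP or any SAP product) that validates a SAML 2.0 Response the way an SP must: status, `InResponseTo` against the outstanding request, `Destination` and `Recipient` against the SP's own SSO endpoint, issuer, validity window and audience. `SAMPLE_RESPONSE` is constructed: the IdP host accounts.sap.com and the SP endpoint let-me-in.demo.hybris.com/saml/SSO come from the article, while the entity IDs, request and assertion IDs, NameID and timestamps are made up. The cryptographic XML signature verification a real SP performs with the IdP certificate from the trust configuration is not implemented here; the example only checks that a `Signature` element is present.

```python
"""Check a SAML 2.0 Response of the kind returned in Step 5 before trusting it in Step 6.

Added example for this article; not code from the article, SAP or any SAP product.
SAMPLE_RESPONSE is constructed: hosts from the article, IDs, entity IDs and times assumed.
Signature verification (xmlsec with the IdP certificate) is NOT implemented here.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# What this SP expects (entity IDs are assumptions; the ACS URL is the article's /saml/SSO).
SP_CONFIG = {
    "idp_issuer": "https://accounts.sap.com",
    "audience": "https://let-me-in.demo.hybris.com",
    "acs_url": "https://let-me-in.demo.hybris.com/saml/SSO",
}

SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_resp-0001" Version="2.0" IssueInstant="2020-01-01T00:00:00Z"
    Destination="https://let-me-in.demo.hybris.com/saml/SSO" InResponseTo="_req-0001">
  <saml:Issuer>https://accounts.sap.com</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_assert-0001" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
    <saml:Issuer>https://accounts.sap.com</saml:Issuer>
    <ds:Signature><ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID>user@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://let-me-in.demo.hybris.com/saml/SSO"
            InResponseTo="_req-0001" NotOnOrAfter="2020-01-01T00:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2020-01-01T00:00:00Z" NotOnOrAfter="2020-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://let-me-in.demo.hybris.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2020-01-01T00:05:00Z into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, outstanding_request_id, now, config=SP_CONFIG):
    """Return (accepted, problems); `now` is an ISO-8601 UTC timestamp string."""
    now = _ts(now)
    problems = []
    root = ET.fromstring(xml_text)

    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    if root.get("InResponseTo") != outstanding_request_id:
        problems.append("InResponseTo does not match an outstanding request")
    if root.get("Destination") != config["acs_url"]:
        problems.append("Destination is not this SP's SSO endpoint")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("response carries no Assertion")
        return False, problems
    if assertion.findtext("saml:Issuer", default="", namespaces=NS) != config["idp_issuer"]:
        problems.append("assertion Issuer is not the trusted IdP")
    if assertion.find("ds:Signature", NS) is None:
        problems.append("assertion is unsigned")  # a real SP verifies the signature here

    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        problems.append("assertion has no Conditions")
    else:
        not_before, not_on_or_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
        if not_before and now < _ts(not_before):
            problems.append("assertion not yet valid (NotBefore)")
        if not_on_or_after is None or now >= _ts(not_on_or_after):
            problems.append("assertion expired (NotOnOrAfter)")
        audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if config["audience"] not in audiences:
            problems.append("assertion is not addressed to this SP (Audience)")

    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("no SubjectConfirmationData")
    else:
        if scd.get("Recipient") != config["acs_url"]:
            problems.append("SubjectConfirmationData Recipient mismatch")
        if scd.get("InResponseTo") != outstanding_request_id:
            problems.append("SubjectConfirmationData InResponseTo mismatch")
        if scd.get("NotOnOrAfter") is None or now >= _ts(scd.get("NotOnOrAfter")):
            problems.append("SubjectConfirmationData expired")

    return not problems, problems


if __name__ == "__main__":
    print(validate_response(SAMPLE_RESPONSE, "_req-0001", "2020-01-01T00:01:00Z"))
```

Every check here is one the SP side of the trust relationship from the article owns: the IdP vouches for the user, but only the SP knows which request is outstanding, which endpoint it is, and what time it is. The clock comparison is strict; production SPs usually allow a small skew in both directions, which is a configuration decision rather than something the assertion can tell you.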

For more of Jerry's original articles, please follow the public account “Wang Zixi”: