Development of multi-tenant applications on the SAP Cloud Platform in the Neo environment, part 2: authorization and authentication

  • Tutorial
In the second article from the cycle about developing applications on the SAP Cloud Platform in the Neo environment, we will address one of the most important aspects - the management of user authorization and authentication.

In this article, we will show how to establish a connection between the SAP Cloud Platform and an identity provider (IDP) of an imaginary client “ABC PetroCorp”, and also add users to IDP. Next, we will look at how to assign roles for users from a client’s company in a specific application (from IDP), as well as how to configure SAML attributes to transfer them from IDP to the SCP cloud platform application.

In the sub-account of the fictional client “ABC PetroCorp” from the first article , a subscription to the SCP pollution monitoring applications provided by ITeLO Consulting is already established. Now the ABC PetroCorp employee needs to make this application available to other colleagues.

The SAP Cloud Platform user can connect his corporate IDP to the cloud platform and set up security and authentication management for his application loaded into SCP.

ABC PetroCorp has connected the SAP Cloud Platform Identity Authentication service, which allows you to provide access to business processes, applications and data. This service provides a SCI-tenant, within which the application configuration and user authorization management takes place.

Emily, an imaginary hero from the first article, has access to this SCI tenant - she is his administrator and can configure user authorization in a particular application. She wants to figure out how to create these configurations using the Identity Authentication service.

Requirements:

  • A productive global SCP account (not a trial account) with Identity Authentication service connected to it (as IDP for the ABC PetroCorp subaccount);
  • The user of the client's subaccount must be the administrator of the SCI tenant, thus he will have access to the administration console of the Identity Authentication service.

Emily needs to perform the following steps in the Identity Authentication service administration console and SCP control panel to make the application in the cloud platform available to other ABC PetroCorp employees:

Step 1: Establish a trust relationship between the SCI tenant and the SCP subaccount.
Step 2: Import users into the SCI-tenant and update (add) the necessary attributes.
Step 3: Assign roles to users at the application level in SCP.
Step 4: Configure the attributes in the SCI tenant and the SCP control panel to transfer them to the application.
Step 5: Check the settings.


Step 1: Establish a trust relationship between the SCI-tenant and the SCP subaccount

Emily is the administrator of the ABC PetroCorp subaccount and SCI tenant, which gives her the opportunity to apply the necessary settings for using the SCI tenant as a “user repository” for a multi-tenant application provided by the provider ITeLO Consulting.

To begin with, Emily needs to establish a trust relationship between the SCI tenant and the client's ABC PetroCorp SCP subaccount.

Let's go to the administration console of the Identity Authentication service using the link "https: //.accounts.ondemand.com/admin", where is the identifier of the SCI-tenant. This link can be found in the registration letter that comes to the tenant administrator of the Identity Authentication service. The identifier of the tenant is also indicated there.

The administration console of the Identity Authentication service looks like this:



In another browser tab, open the control panel for the ABC PetroCorp client subaccount and go to the Security tab -> Trust.



In the “Trust Management” menu that opens, go to the “Local Service Provider” tab and click “Edit”.



Then we perform the following steps:

  • In the “Configuration Type” field, we change the type to “Custom”;
  • Click “Generate Key Pair” to create a key and certificate for the account;
  • Change the value in the “Principal Propagation” field to “Enable”;
  • Click "Save".



Click on “Get Metadata” to download the metadata file in “xml” format, which contains the previously described configurations. It will be used to establish a trust relationship with the SCI-tenant.

Let's go back to the administration console of the Identity Authentication service and go to the “Applications & Resources” -> “Applications” tab in the left menu. In the "Applications" area, click the "Add" button to designate a new application deployed in the ABC PetroCorp subaccount.



In the window that appears, enter the application name (for example, ABC_PetroCorp_IDP) and click "Save". After that, a new point will be created in the tenant for our application.

In the created application, go to the “Trust” tab and select the “SAML 2.0 Configuration” option.



In the “Define from Metadata” section, click “Browse” and select the metadata file in the “xml” format, which we downloaded earlier when setting up trust relationships in the SCP subaccount. Details regarding the SAML 2.0 configuration will be automatically filled in after the file is downloaded. Click "Save" - ​​now the SAML 2.0 configuration is created and saved for this application.



Go back to the point of the application called ABC_PetroCorp_IDP in the tenant, click on the “Home URL” and enter the URL of the type “https: // pollutionmonitoringui- <subaccount name> .dispatcher. <Regional_host>”.

This URL can be found in the description of the HTML5 application to which the client is subscribed (subaccount "ABC PetroCorp"). To do this, go to the subaccount of the client in the tab “Applications” -> “Subscriptions” and select the signed HTML5 application.



In the tab “Overview” will be the URL we need.



Then we return to the application point in the SCI-tenant, designate the URL-applications in the “Home URL” and click “Save”.



Now we will go to the tab “Applications & Resources” -> “Tenant Settings” in the administration console of the Identity Authentication service. On the tenant settings page, select "SAML 2.0 Configuration".



In the window that opens, click “Download Metadata File” to download an “xml” file containing the configurations of the SCI-tenant. It will be used later to set up a trust relationship with the client subaccount in the SCP.

Go back to the ABC PetroCorp subaccount and go to the “Security” -> “Trust” menu, in the opened window select the “Application Identity Provider” tab. Click on the “Add Trusted Identity Provider” to add details about the SCI-tenant.



In the “General” tab, click “Browse” and select the metadata file in the “xml” format downloaded from the administration console of the Identity Authentication service. Configuration details are automatically filled after the file is downloaded. Remove the checkmark from the field “Only for IDP-Initiated SSO” and click “Save”.



Now the trust relationship between the client’s sub-account “ABC PetroCorp” and its SCI-tenant has been successfully established. The same settings can be applied for subaccounts of other clients (for example, for the client “XYZ EnergyCorp”).

Step 2: Import users into the SCI-tenant and update (add) the necessary attributes

Emily needs to ensure that the users of the application are registered with ABC PetroCorp's corporate IDP.

Ideally, a corporate IDP (in our case, a SCI tenant) would already include a list of all users in the company. For clarity, we import some users into the SCI tenant, after which they will receive appropriate permissions to access the application.
The demo users for the application are stored in a csv file on github in Github .

Download the “CSV” file for “ABC PetroCorp” from GitHub. In the csv file, two users are designated:

  • ABCPlantSupervisor: This user will be the manager of a specific ABC PetroCorp plant and will be able to view data only about his plant;
  • ABCAreaManager: This user will be the head of the whole area, which may include several ABC PetroCorp factories. He will be able to view data on all plants in his area.



The “CSV” file for “ABC PetroCorp” contains the fictitious email addresses of users. They need to be replaced with real ones, since then they will receive letters to activate accounts. For example, if your real mail is “john.smith@sap.com”, then you need to replace the designation <> with “john.smith”, and << insert_your_company >> with “sap”.



Let's go to the administration console of the Identity Authentication service and select the tab “Users & Authorizations” -> “Import Users”. Select the previously created application point “ABC_PetroCorp_IDP” and click “Browse”, then select the file “ABCPetroCorp.csv” describing our demo users - and click the “Import” button.



Users must activate their account. To receive an e-mail with a link to activate, you must click "Send" in the window "Send E-Mails".

Before you activate the user, you need to change some configurations.
Go to the tab "Users & Authorizations" -> "User Management". Two users appeared in the user lists: "Area Manager" and "Plant Supervisor". They are automatically assigned identifiers: P000011 and P000010. These identifiers can be used as logins to enter the tenant (and into the application, when all the necessary settings have been made).



Go to the user P000011 or "Area Manager" and add a name that can also be used as a login to login. To do this, click on the edit icon in the "Personal Information" field and fill in the "Login Name" (in our case, this is Johan).



Then click "Save".

Now let's do the same with P000010 or Plant Supervisor, but let's call it Smith.



The “Plant Supervisor” user should be able to view information only about his plant, then in the section with company information you need to designate the company identifier (how this identifier will be used will be explained in Step 4).

To do this, go to the "Company Information" section and enter the identifier of the plant, namely "101", in the "Company" field.

Now information about our users is changed. To activate them, go to the mailboxes specified in the "csv" file and click on the link to activate, or click "Click here to activate your account".



So, we have successfully imported users into the SCI tenant, updated information about them and activated them.

Step 3: Assigning Roles to Users at the Application Layer in the SAP Cloud Platform The

multi-tenant Pollution Monitoring application created by Robert from ITeLO Consulting provides two predefined PlantSupervisor and AreaManager roles that control the authorization of users in the application and determine what the end user sees.

  • PlantSupervisor Role: Users who are assigned this role will only be able to view data from the plant indicated in the Company Information in the SCI Tenant.
  • The role of “AreaManager”: users who are assigned this role will be able to view data from all plants in their area.

Let's see how role separation is achieved at the level of the project code.

Let's go to the file “web.xml” located along the path “/ pollutionmonitoring
/src/main/webapp/WEB-INF/web.xml” in the project folder.

Open the file and make sure that the above two roles are defined in the application.



Now let's go to the file “PollutionDataService.java” located along the path “/pollutionmonitoring/src/main/java/com/sap/hana/cloud/samples/pollutionmonitoring/api/PollutionDataService.java” of the project and open it.

In this file, the “getCompanyPollutionData ()” method is indicated. It allows you to check whether the user is an administrator (manager). If yes, then the application displays data for all plants; if not, data is filtered by plant identifier (plant_id). Also, the application will display information only for those plants whose identifiers correspond to those indicated in the user information.



For greater clarity, you can refer to the “isUserAdmin ()” method, which allows you to determine by role whether a user is an administrator (manager) or not.



A similar algorithm is used to extract plant data from local systems.



Now Emily, as an employee of ABC PetroCorp, needs to select regional managers and plant managers by assigning them the appropriate roles (“ABCPlant Supervisor” and “ABCAreaManager”) in the SCP application.

Let's go to the ABC PetroCorp client subaccount and select the pollutionmonitoring java application provided by ITeLO Consulting (it is located in the Applications -> Subscriptions tab).



Next, go to the tab "Roles" (at the application level).

A list of roles indicated in the application will appear in the opened window. Select the role of "PlantSupervisor" and click "Assign". In the window that appears, enter the user ID, indicated in the SCI-tenant as "ABCPlantSupervisor". In our case, the identifier of such a user will be P000010.

Then select the role “AreaManager” and click “Assign”. In the window that appears, enter the user ID, indicated in the SCI-tenant as “ABCAreaManager” (in our case, the user ID of this user will be P000011).



So, we have successfully compared the roles of the application with the corresponding users of ABC PetroCorp from the SCI tenant.

The same settings can be applied in the subaccount of another client (for example, “XYZ EnergyCorp”).

Step 4: Setting Attributes in the SCI Tenant and the SCP Control Panel for Their Transfer to the Application

Robert from ITeLO Consulting has programmed a multi-tenant application in such a way that he needs to pass the PlantSupervisor user plant identifier so that plant data can be filtered in the application for this particular plant identifier.
In the previous steps, we added the plant identifier to the PlantSupervisor user in the SCI tenant in the Company Information field, which we now need to transfer to the multi-tenant application. It can then be used in an application for displaying data related to a specific plant. The user of the AreaManager is essentially an administrator who can view data from all plants.

Let's see how this is organized at the level of the application code.

Open the file “PollutionDataService.java”, located along the path “/pollutionmonitoring/src/main/java/com/sap/hana/cloud/samples/pollutionmonitoring/api/PollutionDataService.java” in the project.

This file describes the getPlantId () method. This method describes getting the username and checking the PLANT_ID attribute, which is used to filter pollution level data and plant data.



We can transfer user attributes from the SCI tenant to the application via SAML Assertion Attributes. This is necessary so that the user attribute from the SCI tenant containing the company information is read by the SCP during the user login. It is necessary that the so-called “Assertion Attribute” (attribute of approval) defined for the user be transferred to the pollution monitoring application.

To do this, we first create an “Assertion Attribute” in the SCI-tenant, then we denote the approval attribute in the main attribute (“Principal Attribute”) in the “ABC PetroCorp” subaccount, which can be read by the application code, as shown above.

Let's go to the administration console of the Identity Authentication service and select the tab “Applications & Resources” -> “Applications”. Select the application we need (ABC_PetroCorp_IDP) and in the “Trust” tab click on “Assertion Attributes”.



A list of already existing attributes will appear, we need one more in it. To do this, click on the button "Add" and select the attribute "Company".

Then we add “plant_id” to the attribute value (case sensitive) and click “Save”.



Now let's move on to the sub-account “ABC PetroCorp” in the SCP and go to the tab “Security” -> “Trust”. In the “Trust Management” window, go to the “Application Identity Provider” tab and select the IdP associated with the subaccount.



In the opened window, go to the “Attributes” tab and click “Add Assertion-Based Attribute”. In the Assertion Attribute field, enter the value of plant_id (as in the SCI tenant), and in the Principal Attribute field, enter PLANT_ID (this value will be transferred to the application as the plant code) and click Save.

So, we have successfully configured the attributes in the SCI-tenant and in the SCP control panel for their transfer to the application.

Step 5: Verify Settings
Now Emily can check if the SCI-tenant (IdP) settings for the sub-account “ABC PetroCorp” in the SCP and for the application provided by the provider are correctly defined.

To do this, go to the ABC PetroCorp subaccount and turn to the pollutionmonitoringui HTML5 application (it is located in the Applications -> Subscriptions tab).



Copy the link to the application. Open a new tab in the browser in incognito mode and insert a link to the HTML5 application. A window will appear to enter the application, where the name indicated in the SCI-tenant will be displayed.

If everything is configured correctly, then you should be able to enter the application under the users of the AreaManager and PlantSupervisor, indicated in the SCI-tenant.

In our case, the area manager is the user Johan (P000011), and the plant manager is Smith (P000010). You can log in to the application under these users, using either the username or user ID as the login.

Note: when entering the application at this stage no data will be displayed. This is normal because the configuration is not yet complete and the local system is not connected.


So, we set up an identity provider (IDP) connection with our SCP pollution monitoring application. We also imported users and assigned them the correct roles to access the application, ensured the transfer of correct information about the plant to the application.

Also popular now: