Development of multi-tenant applications on the SAP Cloud Platform in the Neo environment, Part 2: authorization and authentication

In the second article of the series on developing applications on the SAP Cloud Platform in the Neo environment, we look at one of the most important aspects: authorization management and user authentication.
 
 
In this article we show how to establish a trust relationship between the SAP Cloud Platform and the identity provider (IdP) of an imaginary client, ABC PetroCorp, and how to add users to that IdP. We then look at how to assign application roles to users from the client company and how to configure SAML attributes so that they are transferred from the IdP to the application on the cloud platform (SCP).
 
 
In the first article, the subscription to the pollution monitoring application provided by ITeLO Consulting in SCP was already set up. Now an employee of ABC PetroCorp needs to make this application available to colleagues.
 
 
An SAP Cloud Platform user can connect their corporate IdP to the cloud platform and configure authentication and authorization for the applications deployed to, or subscribed to in, their SCP subaccount.
 
 
ABC PetroCorp uses the SAP Cloud Platform Identity Authentication service, which controls access to business processes, applications and data. The service provides an SCI tenant (SAP Cloud Identity tenant) in which applications are configured and user authorizations are managed.
 
Emily, the imaginary protagonist from the first article, has access to this SCI tenant: she is its administrator and can configure user authorization for a specific application. She wants to understand how to create these configurations using the Identity Authentication service.
 
 
Requirements:
 
 
A productive (not trial) global SCP account with the Identity Authentication service connected to it as the IdP for the subaccount "ABC PetroCorp";
 
The user of the client subaccount must be an administrator of the SCI tenant, so that they have access to the Identity Authentication service administration console.
 
 
 
To make the application on the cloud platform available to other employees of ABC PetroCorp, Emily performs the following steps in the Identity Authentication service administration console and in the SCP control panel:
 
 
Step 1: Establish a trust relationship between the SCI tenant and the SCP subaccount.
 
Step 2: Import users into the SCI-tenant and update (add) the required attributes.
 
Step 3: Assign roles to users at the application level in SCP.
 
Step 4: Configure the attributes in the SCI tenant and SCP control panel for transferring them to the application.
 
Step 5: Check the settings.

 
 
Step 1: Establish a trust relationship between the SCI tenant and the SCP subaccount
 

 
Emily is the administrator of both the subaccount "ABC PetroCorp" and the SCI tenant, which lets her apply the settings needed to use the SCI tenant as the user store for the multi-tenant application provided by ITeLO Consulting.
 
 
First, Emily needs to establish a trust relationship between the SCI tenant and the SCP subaccount of the client ABC PetroCorp.
 
 
Open the Identity Authentication service administration console at https://<tenant_id>.accounts.ondemand.com/admin, where <tenant_id> is the identifier of the SCI tenant. Both this link and the tenant identifier are given in the registration e-mail sent to the administrator of the Identity Authentication service tenant.
 
The Identity Authentication service administration console opens.
 
 
 
In another browser tab, open the control panel of the client subaccount "ABC PetroCorp" and go to "Security" -> "Trust".
 
 
 
 
In the "Trust Management" menu that appears, go to the "Local Service Provider" tab and click "Edit".
 
 
 
 
Then perform the following steps:
 
 
In the "Configuration Type" field, change the type to "Custom";
 
Click "Generate Key Pair" to create the signing key and certificate for the subaccount (the IdP will use this certificate to verify the subaccount's SAML requests);
 
Change the value of "Principal Propagation" to "Enabled" (this allows the logged-on user's identity to be forwarded to connected backend systems, which is needed when the local system is connected later in the series);
 
Click "Save".
 
 
 
 
 
Click "Get Metadata" to download the XML metadata file containing the configuration just described. It will be used to establish the trust relationship on the SCI tenant side.
 
Return to the Identity Authentication service administration console and go to "Applications & Resources" -> "Applications" in the left menu. In the "Applications" area, click "Add" to register the application deployed in the subaccount "ABC PetroCorp".
 
 
 
 
In the window that appears, enter a name for the application (for example, ABC_PetroCorp_IDP) and click "Save". A new application entry is created in the tenant.
 
 
In the created application entry, go to the "Trust" tab and select "SAML 2.0 Configuration".
 
 
 
 
In the "Define from Metadata" section, click "Browse" and select the XML metadata file downloaded earlier when setting up trust in the SCP subaccount. The SAML 2.0 configuration details are populated automatically once the file is uploaded. Click "Save": the SAML 2.0 configuration for this application is now created and saved.
 
 
 
 
Back in the application entry ABC_PetroCorp_IDP in the tenant, click "Home URL" and enter a URL of the form https://pollutionmonitoringui-<subaccount_name>.dispatcher.<region_host>.
 
This URL can be found in the description of the HTML5 application to which the client (subaccount "ABC PetroCorp") is subscribed: in the client subaccount, go to "Applications" -> "Subscriptions" and select the subscribed HTML5 application.
 
 
 
 
The URL you need is shown on the "Overview" tab.
 
 
 
 
Then return to the application entry in the SCI tenant, enter the application URL in "Home URL" and click "Save".
 
 
 
 
Now go to the "Applications & Resources" -> "Tenant Settings" tab in the Identity Authentication service administration console. On the settings page of the tenant, select "SAML 2.0 Configuration".
 
 
 
 
In the window that opens, click "Download Metadata File" to download the XML file containing the SCI tenant configuration. It will be used next to configure the trust relationship in the client's SCP subaccount.
 
 
Return to the subaccount "ABC PetroCorp", go to "Security" -> "Trust" and select the "Application Identity Provider" tab. Click "Add Trusted Identity Provider" to add the details of the SCI tenant.
 
 
 
 
On the "General" tab, click "Browse" and select the XML metadata file downloaded from the Identity Authentication service administration console. The configuration details are populated automatically once the file is uploaded. Uncheck "Only for IDP-Initiated SSO" and click "Save". Unchecking this box lets the subaccount itself start the logon (SP-initiated SSO): an unauthenticated request to the application is redirected to this IdP, which is what users opening the application URL directly need.
 
 
 
 
Now the trust relationship between the subaccount of the client "ABC PetroCorp" and its SCI tenant has been established. The same settings can be applied to the subaccounts of other clients (for example, "XYZ EnergyCorp").
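Before importing either metadata file, it is worth checking what it actually declares: the entityID, the signing certificate (whose fingerprint you can compare with the one displayed in the console) and whether the endpoints use HTTPS. The following Python script is an added example and is not code from the article or from SAP; it runs against a constructed sample metadata file with a placeholder hostname and a dummy certificate blob, and the same functions work on a real downloaded file.

```python
"""Pre-import sanity check for a SAML 2.0 metadata file.

Added example for this article; not code from the article or from SAP.
Run it against the metadata from the subaccount ("Get Metadata") or from
the tenant ("Download Metadata File") before importing it on the other
side of the trust. The sample below is a constructed IdP descriptor with a
dummy certificate blob; a real file carries a genuine X.509 certificate.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: placeholder hostname, certificate blob is not a real cert.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://example-tenant.accounts.ondemand.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      WantAuthnRequestsSigned="true">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>Q09OU1RSVUNURUQtU0FNUExFLUNFUlQ=</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-tenant.accounts.ondemand.com/saml2/idp/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://example-tenant.accounts.ondemand.com/saml2/idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def cert_fingerprint(b64_cert: str) -> str:
    """SHA-256 over the DER bytes, the form most admin consoles display."""
    der = base64.b64decode("".join(b64_cert.split()))
    return hashlib.sha256(der).hexdigest()


def inspect_metadata(xml_text: str) -> dict:
    """Extract the facts that matter for a trust: entityID, signing certs, endpoints."""
    root = ET.fromstring(xml_text)
    role = root.find("md:IDPSSODescriptor", NS)
    kind = "IdP"
    if role is None:  # ET elements are falsy when childless, so test for None
        role = root.find("md:SPSSODescriptor", NS)
        kind = "SP"
    if role is None:
        raise ValueError("metadata has neither IDPSSODescriptor nor SPSSODescriptor")

    fingerprints = []
    for kd in role.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' means signing and encryption
            for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                fingerprints.append(cert_fingerprint(cert.text))

    endpoints = []
    for tag in ("md:SingleSignOnService", "md:AssertionConsumerService"):
        for ep in role.findall(tag, NS):
            binding = ep.get("Binding", "").rsplit(":", 1)[-1]  # e.g. HTTP-POST
            endpoints.append((binding, ep.get("Location")))

    return {
        "kind": kind,
        "entity_id": root.get("entityID"),
        "signing_cert_sha256": fingerprints,
        "endpoints": endpoints,
        "want_authn_requests_signed": role.get("WantAuthnRequestsSigned"),
        "want_assertions_signed": role.get("WantAssertionsSigned"),
    }


def metadata_problems(info: dict, expected_entity_id: str) -> list:
    """Return human-readable findings; an empty list means the file looks sane."""
    problems = []
    if info["entity_id"] != expected_entity_id:
        problems.append(f"entityID {info['entity_id']!r} does not match expected {expected_entity_id!r}")
    if not info["signing_cert_sha256"]:
        problems.append("no signing certificate: the other side could not verify signatures")
    for binding, location in info["endpoints"]:
        if not (location or "").startswith("https://"):
            problems.append(f"{binding} endpoint is not HTTPS: {location}")
    return problems


if __name__ == "__main__":
    info = inspect_metadata(SAMPLE_IDP_METADATA)
    print(info["kind"], info["entity_id"])
    for fp in info["signing_cert_sha256"]:
        print("signing cert sha256:", fp)
    for p in metadata_problems(info, "https://example-tenant.accounts.ondemand.com"):
        print("PROBLEM:", p)
```

On the constructed sample the script reports one problem (the HTTP-Redirect endpoint is plain HTTP); a metadata file whose entityID differs from the tenant or subaccount you expect, or which carries no signing certificate, is the kind of thing to stop and investigate before clicking "Save" in either console.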
 
 
Step 2: Import users into the SCI tenant and update (add) the required attributes
 

 
Emily needs to make sure the application's users exist in ABC PetroCorp's corporate IdP.
 
 
Ideally, the corporate IdP (in our case, the SCI tenant) would already contain all users of the company. For the demo, we import a few users into the SCI tenant and then give them the permissions they need to access the application.
 
The demo users for the application are stored in CSV format on GitHub.
 
 
Download the CSV file for "ABC PetroCorp" from GitHub. It defines two users:
 
 
ABCPlantSupervisor: the supervisor of one particular ABC PetroCorp plant, who may view data only about that plant;
 
ABCAreaManager: the manager of a whole area, which may include several ABC PetroCorp plants, who may view data about all plants in that area.
 
 
 
 
 
The CSV file for "ABC PetroCorp" contains fictitious e-mail addresses. Replace them with real ones, because the account activation e-mails will be sent to these addresses. For example, if your real address is john.smith@sap.com, replace the name placeholder with "john.smith" and insert_your_company with "sap".
 
 
 
 
Open the Identity Authentication service administration console and select "Users & Authorizations" -> "Import Users". Select the application entry "ABC_PetroCorp_IDP" created earlier, click "Browse", select the file "ABCPetroCorp.csv" describing the demo users, and click "Import".
 
 
 
 
Users must activate their accounts. To send them the e-mail with the activation link, click "Send" in the "Send E-Mails" window.
 
 
Before the users activate their accounts, a few settings need to be changed.

Go to "Users & Authorizations" -> "User Management". Two users have appeared in the list: "Area Manager" and "Plant Supervisor". They were automatically assigned the identifiers P000011 and P000010. These identifiers can be used as logins for the tenant (and, once all settings are made, for the application).
 
 
 
 
Open user P000011 ("Area Manager") and add a name that can also be used as the login. Click the edit icon in the "Personal Information" section and fill in "Login Name" (in our case, Johan).
 
 
 
 
Then click "Save".
 
 
Do the same for user P000010 ("Plant Supervisor"), giving it the login name Smith.
 
 
 
 
Since the Plant Supervisor should see information only about their own plant, the plant identifier must be entered in the company information section of the user (Step 4 explains how this identifier is used).

To do this, go to the "Company Information" section and enter the plant identifier, namely "101", in the "Company" field.
 
 
The user information is now updated. To activate the users, open the mailboxes specified in the CSV file and follow the activation link, or click "Click here to activate your account".
 
 
 
 
So, we have imported the users into the SCI tenant, updated their information and activated them.
 
 
Step 3: Assign roles to users at the application level in the SAP Cloud Platform
 

 
The multi-tenant application "Pollution Monitoring", created by Robert from ITeLO Consulting, provides two predefined roles, PlantSupervisor and AreaManager, which control user authorization in the application and determine what the end user sees.
 
 
PlantSupervisor: users assigned this role can view data only from the plant identified in their Company Information in the SCI tenant.
 
AreaManager: users assigned this role can view the data of all plants in their area.
 
 
Let's see how this role separation is implemented in the project code.
 
 
Open the file web.xml at the path /pollutionmonitoring/src/main/webapp/WEB-INF/web.xml in the project folder.
 
 
Make sure that the two roles mentioned above are declared in it (in a Java web application the predefined roles are listed as security-role elements in web.xml, which is where SCP picks them up from).
 
 
 
Now open the file PollutionDataService.java at the path /pollutionmonitoring/src/main/java/com/sap/hana/cloud/samples/pollutionmonitoring/api/PollutionDataService.java in the project.
 
 
This file contains the method getCompanyPollutionData(). It checks whether the user is an administrator (area manager): if so, the application returns data for all plants; if not, the data is filtered by plant identifier (plant_id), so the application shows only the plants whose identifier matches the one stored in the user's information.
 
 
 
 
For more detail, see the isUserAdmin() method, which determines from the user's role whether the user is an administrator (area manager) or not.
 
 
 
 
A similar check is applied when plant data is retrieved from the on-premise systems.
 
 
 
 
Now Emily, as an employee of ABC PetroCorp, needs to designate the area managers and plant supervisors by assigning them the corresponding application roles (PlantSupervisor and AreaManager) in SCP; in the demo these are the users ABCPlantSupervisor and ABCAreaManager imported in Step 2.
 
 
Go to the subaccount of the client "ABC PetroCorp" and select the Java application "pollutionmonitoring" provided by ITeLO Consulting (it is listed under "Applications" -> "Subscriptions").
 
 
 
 
Next, go to the tab "Roles" (at the application level).
 
 
The list of roles declared in the application appears. Select the role "PlantSupervisor" and click "Assign". In the window that appears, enter the identifier of the user imported from the CSV as ABCPlantSupervisor; in our case this is P000010.
 
 
Then select the role "AreaManager" and click "Assign". In the window that appears, enter the identifier of the user imported as ABCAreaManager (in our case, P000011).
 
 
 
 
So, the application roles are now associated with the corresponding ABC PetroCorp users from the SCI tenant.
 
The same settings can be applied in the subaccount of another client (for example, "XYZ EnergyCorp").
 
 
Step 4: Configure the attributes in the SCI tenant and SCP control panel for transferring them to the application

 
Robert from ITeLO Consulting wrote the multi-tenant application so that it needs the PlantSupervisor user's plant identifier in order to filter the plant data down to that particular plant.
 
In the previous steps we entered the plant identifier in the "Company" field of the PlantSupervisor user in the SCI tenant. This value now has to be transferred to the multi-tenant application, where it is used to display the data of that particular plant. The AreaManager user is effectively an administrator who can view data from all plants.
 
 
Let's see how this is organized at the application code level.
 
 
Open the file "PollutionDataService.java" located on the path "/pollutionmonitoring/src/main/java/com/sap/hana/cloud/samples/pollutionmonitoring/api/PollutionDataService.java" in the project.
 
 
This file contains the method getPlantId(), which reads the user name and the user's PLANT_ID attribute; the attribute value is then used to filter the pollution readings and the plant data.
 
 
 
 
User attributes can be transferred from the SCI tenant to the application as SAML assertion attributes. The user attribute holding the company information must be read by SCP at the moment the user logs on, so that the so-called assertion attribute defined for the user reaches the pollution monitoring application.
 
 
To do this, we first define the assertion attribute in the SCI tenant, and then map it to a principal attribute in the subaccount "ABC PetroCorp"; the principal attribute is what the application code reads, as shown above.
 
Open the Identity Authentication service administration console and select "Applications & Resources" -> "Applications". Select the application (ABC_PetroCorp_IDP) and, on the "Trust" tab, open "Assertion Attributes".
 
 
 
 
A list of the attributes that already exist appears; we need one more. Click "Add" and select the "Company" user attribute.
 
 
Then enter plant_id as the assertion attribute name (the name is case-sensitive) and click "Save".
 
 
 
 
Now go to the subaccount "ABC PetroCorp" in SCP and go to the tab "Security" -> "Trust". In the "Trust Management" window, go to the "Application Identity Provider" tab and select the IdP that is bound to the subaccount.
 
 
 
 
In the window that opens, go to the "Attributes" tab and click "Add Assertion-Based Attribute". In the "Assertion Attribute" field enter plant_id (exactly as in the SCI tenant), and in the "Principal Attribute" field enter PLANT_ID (the name under which the value reaches the application as the plant code), then click "Save".
 
 
So, we have configured the attributes in the SCI tenant and in the SCP control panel for transferring them to the application. Note that PLANT_ID now decides what a PlantSupervisor sees, so the "Company" field in the SCI tenant is authorization data: make sure users cannot edit it themselves, and keep in mind that the mapping relies on the assertion being signed with the tenant certificate imported in Step 1.
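The following Python model is an added example and is not the project's Java code. It ties together Step 3 (the getCompanyPollutionData() and isUserAdmin() role check) and Step 4 (the plant_id to PLANT_ID mapping and getPlantId()) on a constructed assertion and constructed plant data, and shows why the attribute name must match exactly: an assertion attribute named Plant_ID is not mapped, so the supervisor sees nothing rather than everything.

```python
"""Model of the attribute flow configured in Steps 3 and 4.

Added example for this article; not the project's Java code. The IdP sends
the user's Company value as the SAML assertion attribute plant_id, the
subaccount maps plant_id to the principal attribute PLANT_ID, and the
application returns all plants to an AreaManager but only the user's own
plant to a PlantSupervisor. Role membership comes from the SCP role
assignment (Step 3), not from the assertion, so it is passed in separately.
The assertion and the plant data below are constructed samples.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed attribute statement, as the IdP would send it for user P000010 (Smith).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>P000010</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="first_name"><saml:AttributeValue>Smith</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="plant_id"><saml:AttributeValue>101</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# The same assertion with the attribute name typed in a different case.
MISMATCHED_ASSERTION = SAMPLE_ASSERTION.replace('Name="plant_id"', 'Name="Plant_ID"')

# "Add Assertion-Based Attribute" mapping from Security -> Trust -> Attributes.
ASSERTION_TO_PRINCIPAL = {"plant_id": "PLANT_ID"}

# Constructed pollution records keyed by plant identifier.
POLLUTION_DATA = [
    {"plant_id": "101", "co2_ppm": 410},
    {"plant_id": "102", "co2_ppm": 395},
    {"plant_id": "201", "co2_ppm": 520},
]


def principal_attributes(assertion_xml: str, mapping: dict) -> tuple:
    """Return (name_id, principal attributes) as SCP would expose them to the app."""
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        principal_name = mapping.get(attr.get("Name"))  # exact, case-sensitive match
        if principal_name is None:
            continue  # unmapped assertion attributes never reach the application
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        attrs[principal_name] = values[0] if len(values) == 1 else values
    return name_id, attrs


def get_plant_id(attrs: dict):
    """Counterpart of the article's getPlantId(): the PLANT_ID principal attribute, or None."""
    return attrs.get("PLANT_ID") or None


def get_company_pollution_data(roles: set, attrs: dict, data: list) -> list:
    """Counterpart of getCompanyPollutionData(): the role decides the scope, PLANT_ID filters."""
    if "AreaManager" in roles:       # isUserAdmin() case: every plant in the area
        return list(data)
    if "PlantSupervisor" not in roles:
        return []                    # no application role assigned in SCP
    plant_id = get_plant_id(attrs)
    if plant_id is None:
        return []                    # fail closed: a missing attribute must not widen access
    return [row for row in data if row["plant_id"] == plant_id]


if __name__ == "__main__":
    _, attrs = principal_attributes(SAMPLE_ASSERTION, ASSERTION_TO_PRINCIPAL)
    print("supervisor:", get_company_pollution_data({"PlantSupervisor"}, attrs, POLLUTION_DATA))
    print("area manager:", get_company_pollution_data({"AreaManager"}, attrs, POLLUTION_DATA))
    _, bad = principal_attributes(MISMATCHED_ASSERTION, ASSERTION_TO_PRINCIPAL)
    print("mismatched name:", bad, get_company_pollution_data({"PlantSupervisor"}, bad, POLLUTION_DATA))
```

The fail-closed branch matters: if the assertion attribute name in the tenant and the subaccount mapping disagree, the supervisor's PLANT_ID is simply absent, and the right behaviour is an empty result, not a fallback to all plants.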
 
 
Step 5: Verify the settings
 
Now Emily can check whether the SCI tenant (IdP) settings for the subaccount "ABC PetroCorp" in SCP and for the application provided by ITeLO Consulting are correct.
 
 
To do this, go to the subaccount "ABC PetroCorp" and open the HTML5 application "pollutionmonitoringui" (listed under "Applications" -> "Subscriptions").
 
 
 
 
Copy the application link, open a new browser tab in incognito mode and paste it. The logon page appears, showing the application name configured in the SCI tenant.
 
 
If everything is configured correctly, you should be able to log on to the application as the AreaManager and PlantSupervisor users defined in the SCI tenant.
 
In our case the area manager is the user Johan (P000011) and the plant supervisor is Smith (P000010). Either the login name or the user identifier can be used as the login.
 
 
Note: at this stage no data is displayed after logon. This is expected, since the configuration is not yet complete and the on-premise system is not connected.
 

 
 
So, we have connected an identity provider (IdP) to our SCP pollution monitoring application, imported users, assigned them the correct application roles, and arranged for the correct plant information to be passed to the application.