Monday, August 21, 2017

SCI and User, Roles and Groups

In the previous post I discussed how to get started with SAP ID Service and build a simple HCP application which outsources its authentication to SAP ID Service. 
Now let's extend this scenario. In general I like the Identity Provider to provide me with user attributes like name, email address etc. and also with group memberships. So the greeting service should greet the end user with her real name, rather than an ID like P0000 which we saw in the previous post. 

I would also like to introduce 2 roles in my application viz. Everyone and GreetingEditor. 

At the application side I generally prefer to create roles and groups. These roles and groups on the application side have a 1:1 mapping. So we will create a role called GreetingEditor and a group called GreetingEditors.

While creating/enrolling the application with the IdP I generally like to map the groups on the IdP side to the groups on the application side. These mappings can be based on an AND or an OR condition, e.g. a user in the IdP who is present in both the 'ChiefGreeters' and 'Editors' groups should be mapped to the group called "GreetingEditors" in my greeting application. 

The group GreetingEditors should then be assigned the role GreetingEditor. 

Let's extend our Greetings Application for the above scenario. Let's first fix the fact that it greets the end user with an ID like P0000 rather than her name. 

Open web.xml and add the following entry 




Then open your Greeting.java and in your doGet method add the following code. 


What you are essentially doing is using the User Provider available in HCP to parse the SAML attributes we get from the SAP Identity Service and hand them to the application. In order to ensure that these attributes, viz. firstname and lastname, are available to the application we need to configure the application correctly in the SAP Identity Service management console. 
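An added example of the doGet described above (not the post's own code) that reads the first and last name through the HCP UserProvider and falls back to the principal ID when the attribute mapping is missing. It assumes web.xml binds the provider under the JNDI name `java:comp/env/user/Provider` and that the cockpit maps the attributes to `firstName` and `lastName`; the servlet class name is assumed too.

```java
// Added example: greet the user by the SAML-derived name, defaulting to the opaque ID.
// Assumptions: resource-ref "user/Provider" in web.xml, attribute names firstName/lastName.
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;

import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.sap.security.um.user.PersistenceException;
import com.sap.security.um.user.UnsupportedUserAttributeException;
import com.sap.security.um.user.User;
import com.sap.security.um.user.UserProvider;

public class Greeting extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        Principal principal = request.getUserPrincipal();
        if (principal == null) {
            // login-config in web.xml should already have forced the SAML login
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Default to the ID (e.g. P0000) so a missing mapping never breaks the page
        String displayName = principal.getName();
        try {
            UserProvider userProvider = (UserProvider) new InitialContext()
                    .lookup("java:comp/env/user/Provider"); // assumed JNDI name
            User user = userProvider.getUser(principal.getName());
            String first = user.getAttribute("firstName");
            String last = user.getAttribute("lastName");
            if (first != null && last != null) {
                displayName = first + " " + last;
            }
        } catch (NamingException | PersistenceException e) {
            // provider not bound or user store unreachable: keep the ID
        } catch (UnsupportedUserAttributeException e) {
            // the cockpit attribute mapping is missing: keep the ID
        }

        // The name comes from a SAML assertion, i.e. data controlled by the IdP,
        // so escape it before writing it into HTML.
        response.setContentType("text/html;charset=UTF-8");
        PrintWriter out = response.getWriter();
        out.println("<html><body>Hello, " + escapeHtml(displayName) + "</body></html>");
    }

    /** Minimal HTML escaping for element content. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '&': sb.append("&amp;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

The two catch blocks are where the "second mapping" described below shows up at runtime: if the cockpit does not map first_name to firstName, getAttribute throws UnsupportedUserAttributeException and the page degrades to the ID instead of failing.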

Go to your Management Console and choose Applications & Resources -> Applications -> Custom Applications -> sayHello (this is the name of my application) -> Assertion Attributes.
Now ensure that you have First Name and Last Name added in the user attributes. This is how the screen should look: 




If you look at the screenshot above, the attributes are called first_name and last_name while I query firstName and lastName in my application code. This is because the second mapping is yet to be done. In the second mapping we are going to map these attributes for the application in the Cloud Cockpit. Go to your SubAccount -> Trust -> Application Identity Provider -> (select the IdP). 

Now select the Attributes tab and add two assertion-based attributes. The assertion-based attributes should map first_name to firstName and last_name to lastName. This is how my screen looks: 




This mapping ensures that the SAML attributes coming from IdP are mapped to the user attributes in the application which is using the UserProvider. 

Now deploy the application and run it. It should now say "Hello, <First Name> <Last Name>". 

So we achieved the first objective of this exercise. As a matter of fact you can map many user fields like phone number, address, groups etc. as assertion attributes in the Application Configuration on the IdP side and then map them to custom attributes in the IdP configuration on the application side. 
This means you can outsource user management entirely to SAP Identity Service. 

Let's go ahead now and configure the roles and groups as per our requirement. 

First let's set up roles to ensure that we have OOB roles created when we deploy the application. 

Open web.xml and add the following security roles there. 




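An added web.xml (not the post's own file) that pulls together the two entries this post asks for: the resource-ref that the earlier "add the following entry" step needs for the User Provider, and the security-role declared here. The servlet class, the /greet and /edit URL patterns and the two security constraints are assumptions added to show the roles being enforced declaratively; Everyone is the predefined HCP role for any authenticated user.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example web.xml; servlet class and URL patterns are assumed -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <servlet>
    <servlet-name>Greeting</servlet-name>
    <servlet-class>com.example.greeting.Greeting</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>Greeting</servlet-name>
    <url-pattern>/greet</url-pattern>
  </servlet-mapping>

  <!-- FORM on HCP triggers the SAML login against the configured IdP -->
  <login-config>
    <auth-method>FORM</auth-method>
  </login-config>

  <!-- Entry for the "greet by name" step: binds the HCP User Provider
       so the servlet can read the mapped SAML attributes -->
  <resource-ref>
    <res-ref-name>user/Provider</res-ref-name>
    <res-type>com.sap.security.um.user.UserProvider</res-type>
  </resource-ref>

  <!-- Everyone is predefined and implicit, so only GreetingEditor is declared -->
  <security-role>
    <role-name>GreetingEditor</role-name>
  </security-role>

  <!-- Deny by default: every URL requires an authenticated user -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>All</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Everyone</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Only GreetingEditor may reach the (assumed) edit URL -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Edit greeting</web-resource-name>
      <url-pattern>/edit/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>GreetingEditor</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
```

Declaring the role in web.xml is what makes it appear under Security -> Roles after the next deploy; the constraints are the part that actually stops a user without GreetingEditor from reaching /edit, independent of anything the servlet code does.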

Please note that the role Everyone is created and assigned to every authenticated user by default, so you need not specify this role in web.xml. Next time you publish your application to HCP you'd see a role called GreetingEditor. In your cloud cockpit, you can go to SubAccount -> (Select the Application) -> Security -> Roles.  



Once this is done let's go ahead and create a group called GreetingEditors. On the same screen click Assign on the Groups tab, create a new group and save it. Once it is assigned to the role this is how your screen would look: 



Now let's go ahead and add the relevant groups we discussed to the IdP. In the SAP Identity Service admin console go to Users & Authorizations -> User Groups and add two new groups (ChiefGreeters and Editors). Now go to User Management and assign these two groups to a user. This is how my user looks after the changes are done: 




Now we need to ensure that these groups are sent to the application as part of the SAML attributes. In order to do this we need to go to the Application Configuration on the IdP side and add another SAML assertion attribute called groups to the list of attributes the IdP passes to the application. Here's how my screen looks once I make this change: 




Once this is done we need to ensure that we do the appropriate mapping in the application such that if a user is part of both the ChiefGreeters and Editors groups in the IdP, she is assigned to the GreetingEditors group in the application, thus giving her the role GreetingEditor. In order to do this we need to enter the IdP configuration in the HCP Cockpit and add a simple assertion-based group in the Groups tab. Here's how my tab looks after the change: 



Now let's change the doGet method of our greeting service to list the roles the logged-on user has been enrolled in. Change the doGet method to the following. 
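An added example of this step (not the post's own code): the doGet reports which of the application's roles the current user holds and gates the edit action on GreetingEditor. It uses the standard Servlet `isUserInRole()` check, which HCP answers from the group-to-role assignment made in the cockpit, rather than parsing the groups attribute itself; the role list, the servlet class name and the edit message are assumptions.

```java
// Added example: list held roles and make the edit decision from the container's role view.
// Assumptions: the application's roles are Everyone (predefined) and GreetingEditor (web.xml).
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class Greeting extends HttpServlet {

    /** Roles the application knows about: Everyone is implicit, GreetingEditor is declared in web.xml. */
    static final List<String> APPLICATION_ROLES = Arrays.asList("Everyone", "GreetingEditor");

    static final String EDITOR_ROLE = "GreetingEditor";

    /** Returns the subset of APPLICATION_ROLES the container reports for the current user. */
    static List<String> rolesOf(HttpServletRequest request) {
        List<String> held = new ArrayList<>();
        for (String role : APPLICATION_ROLES) {
            if (request.isUserInRole(role)) {
                held.add(role);
            }
        }
        return held;
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        Principal principal = request.getUserPrincipal();
        if (principal == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        response.setContentType("text/plain;charset=UTF-8");
        PrintWriter out = response.getWriter();

        out.println("Hello, " + principal.getName());
        out.println("Roles: " + rolesOf(request));

        // The authorization decision is taken from the container's role view only,
        // never from a request parameter or from the raw groups attribute.
        if (request.isUserInRole(EDITOR_ROLE)) {
            out.println("You may edit the greeting.");
        } else {
            out.println("Read-only: the GreetingEditor role is required to edit.");
        }
    }
}
```

A user in both ChiefGreeters and Editors lands in GreetingEditors, so the container reports GreetingEditor and the output lists [Everyone, GreetingEditor]; a user in only one of the two IdP groups fails the AND condition and sees [Everyone].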



Try running your service with the user who has been added to both ChiefGreeters and Editors group and you should see the output which looks like the following. 



Happy Coding!!