
Propagate user attributes from MDK application to backend services in different subaccounts

PAstolfi86
Explorer

Hi,

we are implementing an MDK application deployed on subaccount "A" that consumes an OData service deployed on subaccount "B".

Subaccount "A" has a custom IdP that is federated with ADFS. A custom assertion attribute has been inserted into the federation.

In other applications deployed on subaccount "A" I can see the custom assertion attribute.

I want the service on subaccount "B" to read the custom assertion attributes. To do this I've created, in mobile connectivity, a destination with OAuth2 SAML Bearer Assertion. I've established a trust with this new destination in subaccount "B" and the authentication is correctly propagated, but in the service I can't see the custom assertion attribute.

How can I propagate the assertion attributes?

Accepted Solutions (1)

PAstolfi86
Explorer

Hi,

I solved it by following this blog:

https://blogs.sap.com/2020/07/24/mapping-of-saml-attributes-with-xsuaa-jwt-in-cloud-foundry/

Once the service has been deployed with an xs-security.json that contains the list of attributes, and the related role template contains the list of attribute references, the role must be created on the deployed service. The attributes defined in the IAS must then be mapped to this role.

Thank you.

Ciao.

Piervincenzo.
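The solution above makes XSUAA copy the mapped attribute into the access token it issues, where the service reads it from the `xs.user.attributes` claim (each attribute is emitted as a list of string values). The following is an added example, not code from the thread or from SAP, showing how a backend can inspect that claim and refuse requests whose token lacks an attribute declared with `valueRequired`. The two tokens are constructed inline with a fake signature purely so the script runs offline; the payload claims `sub`, `zid` and the value `IT12345678901` are assumptions. The decode is for inspection only and does not verify the signature, which the platform security library must do against the XSUAA JWKS before any claim is trusted.

```python
import base64
import json

# Claim in which XSUAA carries the user attributes declared in xs-security.json
# and mapped on the role. Each value is a list of strings.
ATTRIBUTES_CLAIM = "xs.user.attributes"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def decode_jwt_payload(token: str) -> dict:
    """Return the JWT payload as a dict.

    Inspection only: this does NOT verify the signature. Only call it on a
    token the platform security library has already validated against the
    XSUAA JWKS, or to debug what XSUAA emitted.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    return json.loads(_b64url_decode(parts[1]))


def user_attributes(token: str) -> dict:
    """Return the xs.user.attributes claim, or {} if XSUAA did not add one."""
    attrs = decode_jwt_payload(token).get(ATTRIBUTES_CLAIM, {})
    if not isinstance(attrs, dict):
        raise ValueError(f"{ATTRIBUTES_CLAIM} is not a JSON object")
    return attrs


def require_single_attribute(token: str, name: str) -> str:
    """Enforce a valueRequired attribute and return its single value.

    A missing or empty list is exactly the situation in the question: the
    role was assigned and authentication succeeded, but the attribute was
    never mapped onto the role, so the service cannot see it.
    """
    values = user_attributes(token).get(name)
    if not values:
        raise PermissionError(f"token carries no '{name}' attribute")
    if len(values) != 1:
        raise PermissionError(f"'{name}' must have exactly one value, got {values!r}")
    return values[0]


def _constructed_token(payload: dict) -> str:
    """Build a token for offline testing. The signature is a placeholder."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed-key-id"}
    return f"{enc(header)}.{enc(payload)}.not-a-real-signature"


# Constructed payloads (assumed values): after the fix the attribute is mapped
# onto the role, before the fix the role exists but carries no attribute.
TOKEN_WITH_ATTRIBUTE = _constructed_token({
    "sub": "piervincenzo",
    "zid": "subaccount-b-tenant-id",
    ATTRIBUTES_CLAIM: {"postOfficeBox": ["IT12345678901"]},
})
TOKEN_WITHOUT_ATTRIBUTE = _constructed_token({
    "sub": "piervincenzo",
    "zid": "subaccount-b-tenant-id",
})


if __name__ == "__main__":
    print("mapped:", require_single_attribute(TOKEN_WITH_ATTRIBUTE, "postOfficeBox"))
    try:
        require_single_attribute(TOKEN_WITHOUT_ATTRIBUTE, "postOfficeBox")
    except PermissionError as exc:
        print("rejected:", exc)
```

Running the same check against the real `$token_provider` obtained in the thread's step 4 is a quick way to tell whether the attribute mapping on the role took effect, independent of what the userinfo endpoint renders.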

Answers (2)

Answers (2)

guo-pingzhang
Advisor

In the OAuth2 SAML Bearer Assertion flow, Mobile Services generates a SAML assertion based on the current login context.

The current login context will contain the SAML attributes from the IdP sent during login to Mobile Services.

So the SAML assertion Mobile Services sends to the 'Token Service URL' will contain the SAML attributes from the IdP.

But whether the Token Service maintains the SAML attributes is up to the implementation of the Token Service.
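The answer above places the IdP attributes in the SAML assertion that Mobile Services sends to the Token Service URL. When debugging where an attribute is lost, the first thing to confirm is that it is present in that assertion's AttributeStatement. The following is an added example, not code from the thread or from SAP: it parses a SAML 2.0 assertion and lists its attributes, then reports which of a required set are absent. The assertion text is constructed inline (issuer, audience, NameID and attribute values are assumptions) so that the script runs offline; a captured assertion from a real exchange can be dropped in instead.

```python
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion in the shape Mobile Services would send to the Token
# Service URL. Signature element omitted; all values are assumed.
SAMPLE_ASSERTION = """<?xml version="1.0" encoding="UTF-8"?>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                 ID="_constructed-assertion-1" Version="2.0"
                 IssueInstant="2021-01-01T00:00:00Z">
  <saml2:Issuer>mobile-services-issuer.example</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">piervincenzo</saml2:NameID>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2021-01-01T00:00:00Z" NotOnOrAfter="2021-01-01T00:05:00Z">
    <saml2:AudienceRestriction>
      <saml2:Audience>https://provider-xsuaa.example/oauth/token</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="postOfficeBox">
      <saml2:AttributeValue>IT12345678901</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="Groups">
      <saml2:AttributeValue>ANAS_GALLERIE</saml2:AttributeValue>
      <saml2:AttributeValue>Viewer</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
"""


def saml_attributes(assertion_xml: str) -> dict:
    """Return {attribute name: [values]} from the assertion's AttributeStatement.

    xml.etree does not resolve external entities, but for assertions from an
    untrusted party parse with defusedxml to also block entity-expansion DoS.
    """
    root = ET.fromstring(assertion_xml)
    if root.tag != f"{{{NS['saml2']}}}Assertion":
        raise ValueError(f"not a SAML 2.0 Assertion: {root.tag}")
    attrs = {}
    for attr in root.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        name = attr.get("Name")
        if not name:
            raise ValueError("Attribute element without a Name")
        values = [v.text or "" for v in attr.findall("saml2:AttributeValue", NS)]
        # The same Name may appear in more than one statement; merge values.
        attrs.setdefault(name, []).extend(values)
    return attrs


def missing_attributes(assertion_xml: str, required) -> list:
    """Names from `required` that the assertion does not carry with a value."""
    present = saml_attributes(assertion_xml)
    return [name for name in required if not present.get(name)]


if __name__ == "__main__":
    for name, values in saml_attributes(SAMPLE_ASSERTION).items():
        print(f"{name}: {values}")
    print("missing:", missing_attributes(SAMPLE_ASSERTION, ["postOfficeBox", "companyId"]))
```

If the attribute is present here but absent from `$token_provider`, the loss is on the Token Service side (the XSUAA of the provider subaccount), which is where the role-template attribute mapping in the accepted solution applies.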

PAstolfi86
Explorer

I've configured the custom Assertion Attribute properly in the Corporate Identity Provider and in the IdP. In other applications I can see the custom attributes.

In the MDK application, in the Security tab, I've inserted the following xs-security.json:

{
	"xsappname": "anasgallerie",
	"tenant-mode": "dedicated",
	"scopes": [
		{
			"name": "$XSAPPNAME.gallerie_user",
			"description": "gallerie_user"
		}
	],
	"attributes": [
		{
			"name": "postOfficeBox",
			"description": "PIVA",
			"valueType": "s",
			"valueRequired": true
		}
	],
	"role-templates": [
		{
			"name": "gallerie_user",
			"description": "generated",
			"scope-references": [
				"$XSAPPNAME.gallerie_user"
			],
			"attribute-references": [
				{
					"name": "postOfficeBox"
				}
			]
		}
	],
	"role-collections": [
		{
			"name": "ANAS_GALLERIE",
			"description": "User Gallerie",
			"role-template-references": [
				"$XSAPPNAME.gallerie_user"
			]
		}
	]
}

Below is the xs-security.json of the provider service:

{
  "xsappname": "ANAS-Gallerie",
  "tenant-mode": "dedicated",
  "description": "Security profile of called application",
  "foreign-scope-references": ["user_attributes"],
  "scopes": [
    {
      "name": "uaa.user",
      "description": "UAA"
    }
  ],
  "role-templates": [
    {
      "name": "Token_Exchange",
      "description": "UAA",
      "scope-references": [
        "uaa.user"
      ]
    }
  ]
}

But I can't see the attributes on provider service.

guo-pingzhang
Advisor

Let me try to explain it:

The flow is

1. The device MDK app authenticates with the Mobile Services XSUAA and gets $token_mobile.

2. Mobile Services uses the login context from step 1 to generate the SAML assertion and uses it to call the XSUAA of the 'provider services' to get $token_provider.

Both $token_mobile and $token_provider do NOT contain the IDP attributes.

The IDP attributes are in the login context in step 2, and in the generated SAML assertion in step 2 too.

3. To prove this, you can call the Me service in Mobile Services like:

curl https://<your mobile app host>/mobileservices/application/<appID>/roleservice/application/<appID>/v2/Me -H "Authorization: Bearer $token_mobile"

4. To prove the SAML assertion contains the IDP attributes, you can use $token_provider to call the provider's XSUAA userinfo endpoint:

curl 'https://<your xsuaa domain>.authentication.ap21.hana.ondemand.com/userinfo' -i -X GET -H "Authorization: Bearer $backendtoken"

In order to get $backendtoken, you can use https://httpbin.org/headers as your backend URL. This endpoint will respond with all request headers, including the Authorization header, which carries $backendtoken in this case.

I tried #3 and #4 and both contain the IDP attributes. And I did NOT update xs-security.json for Mobile Services.

Please try #3 and/or #4 and let me know the result.

And do you want to inject the SAML attributes into a JWT token like $token_mobile or $token_provider?
If you're able to include SAML attributes outside Mobile Services, please attach the entire xs-security.json and any other configuration steps so that I can find out how to do it in the Mobile Services context.