
providing IAS authentication through cloud identity service for UI5 MTA app

rakeshBaggam

Hi,
I have created an SAP UI5 MTA (multi-target application) with a standalone app router. It has mta-approuter (router), mta-ui (UI5 app), xs-security.json, mta.yml, etc.
mta-approuter has an xs-app.json file which points to mta-ui as the welcome file and has authentication as 'route'. mta-ui also has another xs-app.json file, which has the default route pointing to html5-repo-rt and 'xsuaa' as authentication type.
I have deployed this app to CF, and on running the app from CF it works well.

Now I wanted to try out Cloud Identity Services, which provides IAS authentication. So I have created an IDP in my trial account. Then, inside my mta-ui's 'xs-app.json', I have changed the authentication type from 'xsuaa' to 'ias'.

And in my mta.yml I have added an identity service in the required section of the app router and defined it in the resource section as well.

Now I have deployed it to CF. On trying to run the app I am getting the below error. I even tried enabling third-party cookies.

[Screenshot: Error.png]

My expectation is that, the same as with the default IDP, SSO works smoothly with Cloud Identity Services as well.

Can you please help me with what I am missing?

PFA details of app/trial account.

Thanks in advance.

Willem_Pardaens

There should be no need to change your application when switching from the default SAP ID Service to your own IAS tenant. The application still connects with XSUAA to handle authentication, it is just XSUAA that will either delegate to the default IdP or your own IdP.

When your application 'works on CF' with the default settings, leave it like that. Create a trust in the cockpit with your own IAS tenant (which I believe you did already, if not, see here: https://help.sap.com/docs/btp/sap-business-technology-platform/manually-establish-trust-and-federati...) and make it available for user login.

When reopening the application, the user will be presented with a choice of the 2 IdPs that are linked to the account and you can choose your custom one to complete the authentication. Later on, to remove the screen with the 2 choices, you can disable the default IdP for user login.

rakeshBaggam

Hi Willem,

Thanks for your detailed explanation.

Anyway, I am getting the below error on running the app router.
In my UI5 app (xs-app.json), if I maintain 'authentication type' as 'xsuaa' and run the app router, I get the identity provider selection page. And then, irrespective of selecting the default IDP or the custom IDP, the application runs fine.
If I maintain 'authentication type' as 'ias' in the UI5 app (xs-app.json), then I get the error.

Here I want to understand how I can get authentication with authentication type 'ias'.
And how can I remove the dependency on the user selecting the IDP? Can it not be processed as SSO (without deleting the default IDP)? I want it with authentication type 'ias', and it should proceed with the custom IDP as SSO.

Please find the below for reference.

[Screenshots: errorOnUISelection.png, idpselectionPage.png, ui-xsapp-json.png]

Thank you

Willem_Pardaens

For multiple IdPs, have a look at the documentation here for your options: https://help.sap.com/docs/btp/sap-business-technology-platform/using-multiple-identity-providers-fro... . It also refers to a further document (here: https://help.sap.com/docs/btp/sap-business-technology-platform/html5-apps-routes ) which mentions the configuration for choosing a default IdP for your application (see "Routes with an identityProvider").

Switching the entire authentication flow to ias (and not use xsuaa) is also possible but you'll have to consult further documentation/examples on this, e.g. here: https://github.com/SAP-samples/btp-developer-guide-cap/blob/8795a3f4ebf0ce99445043231db77b2ad487baca... and here: https://www.npmjs.com/package/@sap/approuter#authentication-with-identity-service-ias 

Note that, as a best practice, all applications on BTP should be linked to your own IAS tenant and the default SAP ID Service should be disabled.
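
An added example, not from the thread or from SAP: a small Node.js check over a parsed xs-app.json that reports, per route, how the login IdP gets chosen, based on the `authenticationType` and `identityProvider` route properties covered by the documentation linked above. The route list is constructed, and `<custom-ias-idp-name>` is a placeholder for the IdP name from your own trust configuration.

```javascript
// Added example, not SAP code. Constructed xs-app.json for the UI module;
// "<custom-ias-idp-name>" is a placeholder for the IdP in your trust configuration.
const xsApp = {
  welcomeFile: "/index.html",
  authenticationMethod: "route",
  routes: [
    { source: "^/public/(.*)$", target: "$1", service: "html5-apps-repo-rt",
      authenticationType: "none" },
    { source: "^(.*)$", target: "$1", service: "html5-apps-repo-rt",
      authenticationType: "xsuaa", identityProvider: "<custom-ias-idp-name>" }
  ]
};

// Classify each route by how the IdP for login is selected.
function reviewRoutes(config) {
  return (config.routes || []).map((route) => {
    const type = route.authenticationType || "xsuaa"; // approuter default
    const pinned = typeof route.identityProvider === "string" &&
      route.identityProvider !== "";
    let finding;
    if (config.authenticationMethod === "none") {
      finding = "unauthenticated: authenticationMethod is none";
    } else if (type === "none" || type === "basic") {
      // The approuter docs say not to define identityProvider for these types.
      finding = pinned ? "invalid: identityProvider set with " + type
                       : "no IdP login";
    } else if (type === "xsuaa") {
      // Unpinned routes leave the choice to XSUAA: the default IdP, or the
      // selection page described in the thread when several IdPs allow login.
      finding = pinned ? "pinned to " + route.identityProvider
                       : "default IdP or selection page";
    } else if (type === "ias") {
      finding = "direct IAS: needs identity service bound to the approuter";
    } else {
      finding = "unknown authenticationType " + type;
    }
    return { source: route.source, type, finding };
  });
}

console.log(reviewRoutes(xsApp));
```
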