Question

How to add or adjust xsuaa settings (xs-security.json)?

0

Hi, I have an app running on SAP Cloud Plattform. For user authentification I am using XSAUAA. But by opening the app I am always redirected to a login page in which I have to click on “accounts.sap.com” to automatically login – I want to avoid this step. Therefore I got the solution internally, but don’t know how to implement it by using Mendix. So the solution I got internally is that I should use an xs-security.json file while creating the xsauaa instance. In that JSON-File I should enter following information: "oauth2-configuration": { "allowedproviders": ["accounts.sap.com"] } That would make the app skip the login-page, since only one IDP provider is allowed and the login screen only appears if more than one IDP provider is provided/allowed. Now I tried to create the xsauaa instance manually and add the configuration to the instance. But I can’t bind the instance with my Mendix application since I am receiving error messages like that the xsappname doesn’t match. And also I have the feeling that the xsauaa instance settings are updated by Mendix each time I deploy the app. So I looked for a way how to change the xsauaa instance settings in the Mendix environment. I found out that there is a “XsuaaBindingSettings.java” and a “XsuaaIdentity.java” file. For me it seems like the “XsuaaIdentity.java” file contains the settings I am looking for. But since it is a java code and I don’t know how to adapt it so it generates the setting json file I would like to have, could you help me? What changes do I have to make in the XsuaaIdentity.java file to have the setting above (allowed providers) included? The XsuaaIdentity.java file looks like this spackage sapauthentication.xsuaa; import com.mendix.core.Core; import com.mendix.logging.ILogNode; import com.mendix.thirdparty.org.json.JSONArray; import com.mendix.thirdparty.org.json.JSONObject; import org.apache.commons.lang.StringUtils; import org.apache.commons.lang.builder.ReflectionToStringBuilder; import org.apache.commons.lang.builder.ToStringStyle; import java.io.UnsupportedEncodingException; import java.net.URLEncoder; import java.util.Map; public class XsuaaBindingSettings { public static final String AUTHENTICATION_CALLBACK_PATH = "xsauaacallback/"; private final String hostname; private final String redirectUri; private final String urlEncodedRedirectUri; private final String serviceName; private final String servicePlan; private final String clientId; private final String clientSecret; private final String url; private final String verificationKey; private final String xsAppName; public XsuaaBindingSettings(final String vcapApplication, final String vcapServices) { final JSONObject vcapApplicationObject = new JSONObject(vcapApplication); final JSONArray appliationUrisArray = vcapApplicationObject.getJSONArray("application_uris"); hostname = appliationUrisArray.getString(0); redirectUri = "https://" + hostname + "/" + AUTHENTICATION_CALLBACK_PATH; try { urlEncodedRedirectUri = URLEncoder.encode(redirectUri, "UTF-8"); } catch (UnsupportedEncodingException e) { throw new RuntimeException("Failed to encode redirect URI"); } final JSONObject vcapServicesObject = new JSONObject(vcapServices); final JSONArray xsuaaArray = vcapServicesObject.getJSONArray("xsuaa"); final JSONObject xsuaaConfigurationObject = xsuaaArray.getJSONObject(0); serviceName = xsuaaConfigurationObject.getString("name"); servicePlan = xsuaaConfigurationObject.getString("plan"); final JSONObject credentialsObject = xsuaaConfigurationObject.getJSONObject("credentials"); clientId = credentialsObject.getString("clientid"); clientSecret = credentialsObject.getString("clientsecret"); url = credentialsObject.getString("url"); verificationKey = credentialsObject.getString("verificationkey"); xsAppName = credentialsObject.getString("xsappname"); } public String getRedirectUri() { return redirectUri; } public String getUrlEncodedRedirectUri() { return urlEncodedRedirectUri; } public String getServiceName() { return serviceName; } public String getServicePlan() { return servicePlan; } public String getClientId() { return clientId; } public String getClientSecret() { return clientSecret; } public String getUrl() { return url; } public String getVerificationKey() { return verificationKey; } public String getXsAppName() { return xsAppName; } @Override public String toString() { return ReflectionToStringBuilder.toString(this, ToStringStyle.SHORT_PREFIX_STYLE); } public static XsuaaBindingSettings importSettingsFromEnvironment() { LOGGER.info("Importing XSA-UAA binding settings from environment ..."); final Map<String, String> environment = System.getenv(); final String vcapApplication = environment.get("VCAP_APPLICATION"); final String vcapServices = environment.get("VCAP_SERVICES"); final XsuaaBindingSettings settings = new XsuaaBindingSettings(vcapApplication, vcapServices); LOGGER.info("Imported settings: " + settings); return settings; } public static boolean isXsaUaaEnvironment(){ LOGGER.debug("Checking XSA-UAA binding nvironment ..."); final Map<String, String> environment = System.getenv(); final String vcapApplication = environment.get("VCAP_APPLICATION"); final String vcapServices = environment.get("VCAP_SERVICES"); if(StringUtils.isBlank(vcapApplication) || StringUtils.isBlank(vcapServices)){ return false; } return true; } private final static ILogNode LOGGER = Core.getLogger("XSA-UAA-SSO"); }

asked 2020-01-20

Ömer Kafaoglu

2 answers

Ömer Kafaoglu · Answer 1 · 2020-05-02

Hi all,

found the solution:

After creating the service-instances on the SCP and deploying the app, I just created an xs-security.json which looked like this:

{
	"xsappname": "NameOfMyApp",
	"tenant-mode": "shared",
	"scopes"        : [
    {
      "name"        : "$XSAPPNAME.User",
      "description" : "User"
    },
    {
      "name"        : "$XSAPPNAME.Administrator",
      "description" : "Administrator"
    }
  ],
  "role-templates": [
    {
      "name"             : "User",
      "description"      : "User",
      "scope-references" : [
        "$XSAPPNAME.User",
        "uaa.user"
      ]
    },
    {
      "name"                 : "Administrator",
      "description"          : "Administrator",
      "scope-references"     : [
        "$XSAPPNAME.Administrator", 
	"uaa.user"
      ]
    }
  ],
"oauth2-configuration": {
		"allowedproviders": ["accounts.sap.com"]
	}
}

Consider that I only have the two roles Admin and User in my app.

After that I updated my xsuaa instance with CF CLI:

cf update-service <SERVICE_INSTANCE> -c xs-security.json

Now I am able to login directly with using accounts.sap.com as IdP.

After re-deployment of the app the configuration still remains the same – but I think, after adding/delete/updating a role it will also overwrite the xsuaa-instance settings and I have to update the service again with my xs-security.json file – but that is only what I assume, still have to test it.

Best regards,

Ömer

Ömer Kafaoglu · Answer 2 · 2020-04-15

Push, anyone who can help? I somehow need to adjust the XS-security.json file, but don’t know how to do that in Mendix.