
User Account and Authorization Server at SAP

SAP

About SAP
- Focus on business applications
- 20k+ developers in R&D
- Helping customers with digitization
  - IoT, Industrie 4.0
- Cloud offerings, e.g.:
  - 2011: SuccessFactors (HCM)
  - 2012: Ariba (business network)
  - 2012: SAP HANA Cloud Platform (PaaS)
  - 2013: Hybris (E-Commerce)
  - 2014: Concur (travel)
  - 2015: SAP S/4 HANA (business suite)

SAP's journey
- 1972 SAP R/1: packaged software to process data when needed
- 1979 SAP R/2: supporting global businesses
- 1991 SAP R/3: client server
- 2011 SAP HANA: in-memory computing
- 2015 SAP S/4 HANA: a suite of real-time, in-memory applications built on top of SAP HANA

Agenda
- What is the CF User Authentication and Authorization (UAA)
- Integrating the UAA into business applications
- Simplify Integration

What is the UAA
- Central identity management service for Cloud Foundry
- Used e.g. when calling cf login
- Supports multi tenancy
- Authentication and Authorization of users
- Rich set of REST APIs for administration

UAA: Authentication

Name               | Authentication                                 | Authorization                     | Management                            | Remarks
Internal UAA users | Password                                       | Grouping of users (hierarchical)  | SCIM                                  | 1, 2
LDAP               | Password                                       | Mapping LDAP groups to UAA groups | (LDAP)                                | 2, 3, 5
SAML2              | Delegated to SAML2 Identity Provider           | Mapping SAML groups to UAA groups | (Depends on SAML2 IdP)                | 4, 5
Open ID Connect    | Delegated to Open ID Connect Identity Provider | Mapping to UAA groups             | (Depends on Open ID Connect Provider) |

Remarks:
1. Password change through email password reset flow
2. No password change enforcement
3. No password change
4. Relies on outdated OpenSAML 2.X library
5. UAA creates a shadow user during logon. How to delete this, e.g. for data privacy?

UAA: Strong authentication
- UAA contains no pluggable authentication
- When e.g. two-factor authentication is required, delegate to a SAML2 IdP
- cf cli integrates through:
  cf login --sso
  Use a passcode issued by the UAA for authentication

UAA: Multi Tenancy
- UAA supports multi tenancy through identity zones
- Multiple identity zones share the same UAA
- Each identity zone has its own:
  - Users
  - OAuth2 clients
  - Groups
- Addressing:
  https://login.<domain>: default identity zone
  https://<zone>.login.<domain>: custom identity zone

Application Integration

Application Integration
- Pass information about the authenticated subject and its authorization to a business application
- Supported protocols:
  - OAuth2 using JWT
  - SAML2

OAuth 2.0 Entities
- Resource Owner: person or company that owns the data
- OAuth 2.0 Client (here: the AppRouter): application that wants to access/use the data
- Authorization Server: authenticates the user; grants the access token for the resource server; may support multiple grant types
- Resource Server: stores the data of the resource owner

OAuth 2.0 Grant type: Authorization Code

Participants: Resource Owner, Application (OAuth2 client), OAuth Authorization Server (UAA), Resource Server (Node.js/Java)

1. GET AUTHORIZATION CODE: the UAA checks the OAuth client and the client's scopes, then returns an authorization code to the Application
2. GET ACCESS TOKEN: the Application evaluates the authorization code and exchanges it at the UAA, which checks the user's scopes and issues the access token
3. USE ACCESS TOKEN: the Application calls the Resource Server (Node.js/Java), which validates the access token and checks the service scope

Application integration using Security Assertion Markup Language (SAML)

Description
- Identity Provider (IdP) role: authenticates the user (various mechanisms). Here the UAA acts as SAML IdP.
- Service Provider (SP) role: enables participating systems to
  o trust the IdP's authentication
  o consume SAML assertions from the IdP to identify the user
  Here the application acts as SAML SP.
- Identity federation: map the identity information in the assertions to local SP users

Features
- Cross-domain SSO as well as Single Logout (SLO)
- Powerful user mapping
- Mainly for UI / HTTP-based scenarios
- Additional IdP system required

Simplify Integration

Boundary Conditions
- Developers have no admin access to UAA
- Usage of OAuth2 for microservices
- Simple application integration
- Declarative approach for security artifacts

Managing application access to UAA
- Service broker for integrating an application with the UAA
- Application Router as standard OAuth2 client

Service Broker
- Applications define their artifacts:
  - Scopes for functional authorization
  - Attributes for instance-based authorizations
- Passed as parameter to the service broker:
  cf create-service xsuaa default myUaa -c xs-security.json
- Service Broker generates the OAuth2 client
- Service Broker controls the scopes used by applications

From Development Artifacts to Configuration Time
- Applications specify role templates in file xs-security.json
- A role template may consist of
  - Scopes (functional authorizations)
    - can be checked declaratively at the application router
    - can be checked declaratively in the Java container
    - can be checked programmatically in the Java and Node.js containers
  - Attributes (for instance-based authorizations)
- If a role template contains no attributes, then a role with the same name is generated automatically; else a role based on this template can be generated using the administrative UIs

Example: EVENTS APP
- ROLE TEMPLATE: Event Reader
  - SCOPE: Read Events
  - SCOPE: Comment Events
  -> ROLE: Event Reader
- ROLE TEMPLATE: Event Manager
  - SCOPE: Read Events
  - SCOPE: Comment Events
  - SCOPE: Manage Events
  - ATTRIBUTE: Country
  -> ROLE: Event Manager DE (ATTRIBUTE Country, VALUE DE)
  -> ROLE: Event Manager US (ATTRIBUTE Country, VALUE US)
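The role template rules above, worked through for the Events App in Node.js, as an added example that is not part of the slides and not the xsuaa broker's code. The xs-security.json content is constructed for the Events App; the keys xsappname, scopes, attributes, role-templates, scope-references, attribute-references and the $XSAPPNAME placeholder are the xs-security.json vocabulary, while the derivation functions are a simplified model of the behaviour the slide describes.

```javascript
// Added example, not from the slides or the xsuaa broker: how the declarative
// artifacts in xs-security.json become scopes and roles, following the rules on
// the slide. The file content is constructed for the Events App example; the
// derivation functions are a simplified model, not the broker's code.
const xsSecurityJson = `{
  "xsappname": "events-app",
  "scopes": [
    { "name": "$XSAPPNAME.Read",    "description": "Read Events" },
    { "name": "$XSAPPNAME.Comment", "description": "Comment Events" },
    { "name": "$XSAPPNAME.Manage",  "description": "Manage Events" }
  ],
  "attributes": [
    { "name": "Country", "description": "Country of the event", "valueType": "string" }
  ],
  "role-templates": [
    { "name": "EventReader", "description": "Event Reader",
      "scope-references": ["$XSAPPNAME.Read", "$XSAPPNAME.Comment"] },
    { "name": "EventManager", "description": "Event Manager",
      "scope-references": ["$XSAPPNAME.Read", "$XSAPPNAME.Comment", "$XSAPPNAME.Manage"],
      "attribute-references": ["Country"] }
  ]
}`;

// The broker replaces $XSAPPNAME with the application name when it creates the
// OAuth2 client, so scopes are namespaced per application. (In practice the
// name also carries a tenant-specific suffix; omitted here for readability.)
function resolveScopeName(name, xsappname) {
  return name.replace('$XSAPPNAME', xsappname);
}

// Parse xs-security.json and derive, per role template, its resolved scopes,
// its attributes, and whether a role is generated automatically.
function loadRoleTemplates(text) {
  const cfg = JSON.parse(text);
  const knownScopes = new Set(cfg.scopes.map((s) => resolveScopeName(s.name, cfg.xsappname)));
  const knownAttributes = new Set((cfg.attributes || []).map((a) => a.name));
  return cfg['role-templates'].map((rt) => {
    const scopes = rt['scope-references'].map((n) => resolveScopeName(n, cfg.xsappname));
    for (const s of scopes) {
      if (!knownScopes.has(s)) throw new Error(`role template ${rt.name} references unknown scope ${s}`);
    }
    const attributes = rt['attribute-references'] || [];
    for (const a of attributes) {
      if (!knownAttributes.has(a)) throw new Error(`role template ${rt.name} references unknown attribute ${a}`);
    }
    return {
      name: rt.name,
      scopes,
      attributes,
      // Slide rule: no attributes -> a role of the same name is generated automatically;
      // with attributes, an administrator creates roles and supplies the attribute values.
      autoGeneratedRole: attributes.length === 0 ? rt.name : null,
    };
  });
}

// Administrator step for templates with attributes, e.g. "Event Manager DE".
function instantiateRole(template, roleName, attributeValues) {
  const missing = template.attributes.filter((a) => !(a in attributeValues));
  if (missing.length > 0) throw new Error(`${roleName}: missing attribute values ${missing.join(', ')}`);
  return { name: roleName, template: template.name, scopes: template.scopes, attributes: attributeValues };
}

// Instance-based authorization: the functional scope must be present and the
// role's attribute value must match the data record being accessed.
function mayManageEvent(role, event) {
  return role.scopes.includes('events-app.Manage') && role.attributes.Country === event.country;
}
```

Validating scope and attribute references at load time is the point of the declarative approach: a template that names a scope or attribute the application never declared is rejected before any client is registered, rather than surfacing as a runtime authorization failure.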

Application Router

Participants: Resource Owner, Application Router, UAA, Resource Server

Application Router:
- Acts as OAuth2 client: GET AUTHORIZATION CODE and GET ACCESS TOKEN at the UAA, USE ACCESS TOKEN at the Resource Server
- Enforces authentication
- CSRF protection
- Reverse proxy
- Binds against the xsuaa service broker

Advanced application integration

Participants: Resource Owner, Application (Node.js/Java), OAuth Authorization Server (UAA), Node.js/Java services

- Resource Owner flow: the Application GETs the ACCESS TOKEN from the UAA and USEs the ACCESS TOKEN at a Node.js/Java service
- Technical user using client credentials: a Node.js/Java service obtains its own token from the UAA without a resource owner
- Service-to-service calls: a Node.js/Java service REQUESTS a NEW TOKEN from the UAA before calling the next Node.js/Java service

Contributions
- Completed
  - Attribute API
  - Vulnerable library versions
- Planned
  - OAuth2 SAML Bearer flow
  - Performance improvements
  - Enforced password change

Summary

Summary
- UAA can also be used for authentication and authorization of business applications
- Authentication, authorization: all included in UAA
- Service broker needed to simplify integration

Thank You
