
Developing multi-tenant applications on HCP : Identity Management – Part 5.2

In the previous part (Part 5.1), we looked at establishing trust between HCP and the consumer’s IDP and imported the users required for our application into SAP Cloud Identity.

In this part, Part 5.2, we will look at assigning application specific roles to the IDP users from SCI, configuring SAML assertion attributes to be passed from SCI to the HCP application and validate the complete setup. So:

Section 3: Assign application roles to users in HCP

Section 4: Configure assertion attributes in SCI and HCP to pass onto the application

Section 5: Validation of the setup


Section 3: Assign application roles to users in HCP

The Pollution Monitoring multitenant application built by Robert from ITeLO Consulting (Provider) provides two predefined roles, PlantSupervisor and AreaManager, which control the authorization of the application and decide what the end-user actually sees in the application.

  • PlantSupervisor: Users who are assigned this role will be able to view the data of only the plant maintained in his User details (Company Information) in SCI.
  • AreaManager: Users who are assigned this role will be able to view the data of all plants in his area.

Let us check out how this is achieved in the code. We will use the project which we have imported from Github in the previous blogs:

Steps:

  • In the imported project, navigate to /pollutionmonitoring/src/main/webapp/WEB-INF/web.xml and open the XML file. Check out the two security roles created in the application.
  • Navigate to the Java file /pollutionmonitoring/src/main/java/com/sap/hana/cloud/samples/pollutionmonitoring/api/PollutionDataService.java and open it. Check the method getCompanyPollutionData(). Here we check if the user is an admin (manager). If yes, we show the complete Resultlist; if not, we filter by plant_id and show only those results.
  • For more clarity, you can also check the method isUserAdmin(), where we check the role and determine whether the user is an Admin (manager) or not.
  • A similar logic is also followed for retrieving the plant data from the on-premise systems (check future blogs for more details).

On the consumer side, Emily will now have to assign these roles to the Area Managers and Plant Supervisors in her company ABC PetroCorp, i.e. to the users ABCPlantSupervisor and ABCAreaManager.

Steps:

  • In the HCP cockpit of the consumer, ABC PetroCorp, navigate to Applications -> Subscriptions.
  • Click on the pollutionmonitoring subscribed Java application, provided by ITeLO Consulting.
  • In the application overview page, navigate to Roles. The list of application roles will be displayed.
  • Select the PlantSupervisor role and click on Assign. In the pop-up enter the User ID of the ABCPlantSupervisor (noted in the previous blog after import) and click on Assign.
  • Similarly, select the AreaManager role and click on Assign. In the pop-up enter the User ID of the ABCAreaManager (noted in the previous blog after import) and click on Assign.

Completed! We have successfully mapped the application roles to the corresponding users of ABC PetroCorp from SCI.

Note: Stephen will have to repeat the same steps for XYZ EnergyCorp


Section 4: Configure assertion attributes in SCI and HCP to pass onto the application

Robert from ITeLO Consulting has programmed the multi-tenant application such that a plant id needs to be passed on for the PlantSupervisor user, so that the pollution data can be filtered in the application for that particular plant id.

In Section 2 we added a plant id to the PlantSupervisor user in SCI under the Company field. This value needs to be passed on to the multi-tenant application so that it can show only the data relevant to that plant to the PlantSupervisor. The AreaManager, on the other hand, is more like an Admin user who can view the data from all plants.

Let us check out how this is achieved in the code:

Steps:

  • Navigate to the Java file /pollutionmonitoring/src/main/java/com/sap/hana/cloud/samples/pollutionmonitoring/api/PollutionDataService.java and open it.
  • Check the method getPlantId(). Here we get the User principal and name and check for an attribute PLANT_ID, which we return for use in the filter operations on pollution and plant data, as explained earlier.
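The two checks described in Section 3 (getCompanyPollutionData() / isUserAdmin()) and here (getPlantId()), written out as an added illustration rather than the sample project's own code. It assumes the HCP user management API (UserManagementAccessor, UserProvider, User) is on the classpath as in any HCP Java application, that web.xml declares the role names PlantSupervisor and AreaManager, and that PollutionData is a constructed stand-in for the sample's result type; unlike the sample, it fails closed when no PLANT_ID has been mapped yet.

```java
import java.util.ArrayList;
import java.util.List;
import javax.servlet.http.HttpServletRequest;

import com.sap.security.um.service.UserManagementAccessor;
import com.sap.security.um.user.User;
import com.sap.security.um.user.UserProvider;

public class PollutionAuthorization {
    // Role name as declared in <security-role> in web.xml (assumed to match the sample)
    static final String ROLE_AREA_MANAGER = "AreaManager";
    // Principal attribute configured in the HCP cockpit (case sensitive), mapped
    // from the SCI assertion attribute plant_id
    static final String ATTR_PLANT_ID = "PLANT_ID";

    /** Reads the PLANT_ID principal attribute of the logged-on user; null if absent. */
    static String getPlantId(HttpServletRequest request) {
        try {
            if (request.getUserPrincipal() == null) {
                return null; // not authenticated, nothing to look up
            }
            UserProvider users = UserManagementAccessor.getUserProvider();
            User user = users.getUser(request.getUserPrincipal().getName());
            String plantId = user.getAttribute(ATTR_PLANT_ID);
            return (plantId == null || plantId.trim().isEmpty()) ? null : plantId.trim();
        } catch (Exception e) {
            return null; // user store or attribute lookup failed: treat as unmapped
        }
    }

    /** AreaManager sees every plant; PlantSupervisor only the plant from PLANT_ID. */
    static List<PollutionData> getCompanyPollutionData(HttpServletRequest request,
                                                       List<PollutionData> all) {
        if (request.isUserInRole(ROLE_AREA_MANAGER)) {
            return all; // the "admin" check from isUserAdmin()
        }
        List<PollutionData> filtered = new ArrayList<>();
        String plantId = getPlantId(request);
        if (plantId == null) {
            return filtered; // fail closed: no PLANT_ID mapped yet, show nothing rather than all
        }
        for (PollutionData d : all) {
            if (plantId.equals(d.plantId)) {
                filtered.add(d);
            }
        }
        return filtered;
    }

    /** Constructed stand-in for the sample's pollution record. */
    static class PollutionData { String plantId; double value; }
}
```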

We can pass User attributes from SCI to the application via SAML Assertion Attributes. This is necessary so that the Company user attribute from SCI is read by HCP during logon; HCP in turn needs to know that this assertion attribute should be passed on to the Pollution Monitoring application.

To ensure this, on the consumer side, Emily first has to create an Assertion Attribute in SCI, and then in her ABC PetroCorp HCP account she needs to capture that assertion attribute in a Principal Attribute, which can be read by the code as shown earlier.

Steps:

  • In the SCI Admin Console, navigate to Applications & Resources -> Applications.
  • Select the appropriate application name from the list of Custom Applications.
  • Go to the Trust tab and click on Assertion Attributes. A list of existing assertion attributes is shown.
  • We need to add a new attribute, so click on Add and scroll to select the attribute Company.
  • Change the assertion attribute name to plant_id (CASE SENSITIVE), and click on Save.
  • Go back to the HCP cockpit, navigate to the Security -> Trust page and select the Trusted Identity Provider tab.
  • Click on the name of the Identity Provider.
  • In the pop-up dialog which opens, go to the Attributes tab and click on Add Assertion-Based Attribute:
      • Enter Assertion Attribute as plant_id (CASE SENSITIVE) – this is coming from SCI.
      • Enter Principal Attribute as PLANT_ID (CASE SENSITIVE) – this will be passed on to the application and used in the code as shown earlier.
      • Click on Save.

Completed! We have successfully created the assertion attribute in SCI and passed it on to the multi-tenant application via the principal attribute in the HCP cockpit.

Note: Stephen will have to repeat the same steps for XYZ EnergyCorp


Section 5: Validation of the setup

Emily can now check if the setup of the HCP account and the application with the corporate IDP, in our case SCI, works as expected.

Steps:

  • In the HCP cockpit of the consumer, ABC PetroCorp, navigate to Applications -> Subscriptions.
  • Click on the link of the subscribed HTML5 application pollutionmonitoringui.
  • Copy the Application URL link in the Active Version section.
  • Open a browser in Incognito mode/Private mode, paste the URL and click on Go. The login page from the application configuration in SAP Cloud Identity is shown with the correct name.

You should be able to log in to the application with the User ID of the AreaManager or PlantSupervisor user and the password you set during email activation, and use it without any issues. (You may find that no data is shown, as the setup is still not complete. This is okay!)

Note: Stephen will have to repeat the same steps for XYZ EnergyCorp

Done! We have connected the Identity Provider to our Pollution Monitoring application on HCP. We have imported the users and assigned them the proper roles and authorizations to access the application. We have also ensured that the right plant information is passed on to the application, so that the right data reaches the right user in real time!

In the next blog, Part 6 we will look at setting up the Connectivity service to get the plant data from On-premise into the Multi-tenant Application to get it up and running!

Do come back! 🙂

      Peter Hrebik

      Great blog! BTW you don't need to use real email addresses as you can set initial passwords in the admin console via:

      Users & Authorizations > User Management > Select user > Authentication tab > Password Details > Set initial

      Cheers

      Peter

      Ravindra PAWAR

      Hi Manjunath,

      Thanks for the detailed blog

      I am new to server-side application development in SAP Cloud Platform and Nodejs. I have configured SAP identity authentication service as an identity provider with the Cloud Foundry sub-account in SAP Cloud Platform cockpit. My MTA(UI5+Nodejs and no Java module) application deployed in cloud foundry sub-account uses UAA service for authentication. Now when I access/run the application it redirects me to IDP for authentication. After successful authentication, I can see my application home page. I want to identify the user who has logged into the application. The user details are passed as assertion attributes from IDP in SAML response. I can see the user details like id, name etc in SAML response in chrome developer tools. I am struggling to know how to read the response in my cloud application(using Nodejs or javascript) to find the user id. I am using Nodejs for server-side and SAP UI5 for the front end. As I am new to Cloud application development, looking some pointers/help to achieve this.

      Thanks

      Ravindra

      Manjunath Baburao
      Blog Post Author

      Hi Ravindra,

      Have you tried using libraries like https://www.npmjs.com/package/saml2js which can help you to parse the SAML response and use it in your application?

      Thanks and regards,

      Manju

      Ravindra PAWAR

      Thanks Manjunath,

      Library https://www.npmjs.com/package/passport has worked to get the user details, but it's not parsing the SAML response as it is missing a few attributes from it.


      Thanks,

      Ravindra