In this blog series, I am going to walk through the process of implementing a user self-registration scenario using SAP Cloud Platform. Over the last few months, I have had a couple of requests on this topic from customers. Below, I outline some of the challenges with the existing out-of-the-box capability. The recent availability of new services on SAP Cloud Platform has opened up the possibility to extend this scenario and make it more flexible for different customer requirements.
As of today, you can implement this partially using the out-of-the-box capability offered by SAP Cloud Platform Identity Authentication Service (IAS). I will refer to it as Cloud Identity throughout this blog for simplicity. In Cloud Identity, there is an option to turn on a user self-registration form. The form is customizable: you can pick and choose which fields to show on the registration page.
Once you activate the changes, a “Register” link appears on the Cloud Identity logon screen, and external users can use it to register themselves.
For this blog, I am assuming there are several external organizations that you deal with, such as vendors or suppliers, and that you are looking for a way to provide seamless access to your apps hosted on SAP Cloud Platform. One challenge is that if you want to apply validations to a request coming in from an external vendor (for example, checking that the e-mail domain belongs to a vendor you actually do business with), the out-of-the-box form offers no hook to do this.
You also, at times, want an approval process rather than letting every external vendor use the self-registration form and submit a request unchecked. As of today, if the form is used by an external vendor to create a user identity, the identity gets created automatically within Cloud Identity, without anyone in your organization reviewing it. In some large organizations there are several departments, and each department handles the relationship with specific vendors. Hence, you want the flexibility to direct each incoming user creation request to the relevant department or person within the organization for approval.
Another challenge is around the assignment of roles. As of today, when a user uses the self-registration form, their identity gets created in Cloud Identity, but no roles come with it. The Cloud Identity admin then needs to check manually for such newly created user identities and assign the roles that should be given to users of that particular external vendor organization.
Implementing a custom Self-registration process
To achieve a self-registration scenario which addresses the above challenges, I am going to leverage the new services on SAP CP: Workflow and Business Rules. In the image below, I have shown external vendors accessing a custom self-registration application. This application is a custom HTML5 application (referred to as a Start UI in workflow development). The Start UI captures the user information and triggers a workflow process.
Once the workflow process is triggered, business rules are invoked to determine the relevant approver for user requests flowing in from a particular vendor. The rules also determine the default IdP roles which need to be assigned to this user creation request. When the approver navigates to the My Inbox app via the Fiori Launchpad in the Portal, the custom Task UI shows the user information along with Approve and Reject buttons. On approval, the relevant SCIM APIs are called to create the user identity. In this example, the identity provider used is SAP Cloud Platform Identity Authentication service, but it could be any other SAML 2.0 based IdP which offers APIs. Because these SCIM calls create identities and grant roles, they should run from the workflow's service task under a dedicated technical user with identity administration permissions, never with the credentials of the requester or the approver. Once the user identity is created along with the respective IdP roles, the external user (from the vendor organization) can log in to the Portal and access only the apps which they are authorized to use.
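To make the flow above concrete, here is an added example (my own illustration, not code from SAP or from the workflow and business rules services) of the three pieces the workflow glues together: the validation the out-of-the-box form cannot do, the decision that picks an approver and default groups per vendor, and the SCIM payloads the approve branch would send. The decision table, vendor domains, approver addresses and group names are constructed stand-ins for what you would model in the Business Rules service. The payloads follow the SCIM 2.0 RFCs (7643 for the user schema, 7644 for the PATCH operation); the Cloud Identity endpoint URL, authentication and any tenant-specific extension attributes are deliberately left out and would be assumptions.

```python
import json
import re
from dataclasses import dataclass

# Constructed decision table standing in for the Business Rules service:
# vendor e-mail domain -> approving person and default groups (all hypothetical).
VENDOR_RULES = {
    "acme-supplies.example": {
        "approver": "procurement.lead@corp.example",
        "groups": ["VendorPortalUser", "PurchaseOrderViewer"],
    },
    "northwind-logistics.example": {
        "approver": "logistics.lead@corp.example",
        "groups": ["VendorPortalUser", "ShipmentTracker"],
    },
}

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)$")

SCIM_CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_ENTERPRISE_USER = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
SCIM_PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


class ValidationError(ValueError):
    """Raised when a self-registration request must not reach an approver."""


@dataclass
class RegistrationRequest:
    first_name: str
    last_name: str
    email: str
    company: str


def validate_request(req: RegistrationRequest) -> str:
    """Input checks the standard form cannot express. Returns the normalised e-mail domain."""
    match = EMAIL_RE.match(req.email.strip())
    if not match:
        raise ValidationError("malformed e-mail address")
    domain = match.group(1).lower()
    if domain not in VENDOR_RULES:
        # Unknown organisation: refuse here instead of creating an identity for an unvetted vendor.
        raise ValidationError(f"{domain} is not an onboarded vendor domain")
    for value in (req.first_name, req.last_name, req.company):
        if not value.strip() or len(value) > 64:
            raise ValidationError("name and company must be non-empty and at most 64 characters")
    return domain


def is_valid(req: RegistrationRequest) -> bool:
    try:
        validate_request(req)
        return True
    except ValidationError:
        return False


def decide(req: RegistrationRequest) -> dict:
    """Stand-in for the rule invocation: which approver and which default groups for this vendor."""
    rule = VENDOR_RULES[validate_request(req)]
    return {"approver": rule["approver"], "groups": list(rule["groups"])}


def build_scim_user(req: RegistrationRequest) -> dict:
    """Body for POST /Users per RFC 7643. 'groups' is read-only on a User, so it is not set here."""
    email = req.email.strip().lower()
    return {
        "schemas": [SCIM_CORE_USER, SCIM_ENTERPRISE_USER],
        "userName": email,
        "name": {"givenName": req.first_name.strip(), "familyName": req.last_name.strip()},
        "emails": [{"value": email, "primary": True}],
        "active": True,
        SCIM_ENTERPRISE_USER: {"organization": req.company.strip()},
    }


def build_group_patch(user_id: str) -> dict:
    """Body for PATCH /Groups/{id} per RFC 7644, adding the newly created user as a member."""
    return {
        "schemas": [SCIM_PATCH_OP],
        "Operations": [{"op": "add", "path": "members", "value": [{"value": user_id}]}],
    }


def approval_payloads(req: RegistrationRequest, decision: dict, created_user_id: str) -> dict:
    """What the approve branch sends: one user POST, then one group PATCH per default group.
    The PATCH bodies can only be built after the POST response yields the new user's id."""
    return {
        "user": build_scim_user(req),
        "group_patches": {g: build_group_patch(created_user_id) for g in decision["groups"]},
    }


if __name__ == "__main__":
    req = RegistrationRequest("Ada", "Lovelace", "Ada.Lovelace@Acme-Supplies.example", "ACME Supplies")
    decision = decide(req)
    print(json.dumps(approval_payloads(req, decision, "<id from POST /Users>"), indent=2))
```

Two design points worth keeping when you move this into the real workflow: the approver comes from the rule result and the task context, never from a field the requester submits, and the group membership is written with a PATCH on the Group resource rather than by setting `groups` on the user, because core SCIM defines that attribute as read-only and a server is free to ignore it silently.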
In this blog series, I will show you how to create a Start UI and model a workflow using a custom Task UI. You will also learn how to create a Business Rules service which is invoked during one of the workflow steps. I will point out some of the lessons learnt while developing workflows and show you how to use the workflow monitoring tools. Finally, I will show you how to create groups in Cloud Identity and map them to SAP Cloud Platform groups.