Skip to Content
Author's profile photo Murali Shanmugham

Implementing a user self-registration scenario using Workflow and Business rules in SAP Cloud Platform – Part 5

 

Part 1 – Overall Solution

Part 2 – Setting up Business Rules in SAP Cloud Platform

Part 3 – Modeling workflows in SAP Cloud Platform

Part 4 – Testing you workflow using monitoring tools

Part 5 – Triggering the workflow using a Start UI

Part 6 – Configuring trust between SAP Cloud Platform account and Identity Provider

Part 7 – Mapping user groups and roles in SAP Cloud Platform Portal

 

UPDATE [13/8/2017]: Calling an external service from a Custom UI Task

In this portion of the blog series, I will show you how to create a custom HTML5 app which is the Start UI for triggering the workflow. I have uploaded the project in github for your reference.

SAP Cloud Platform workflow service provides REST APIs which can be used by applications to interact with the service. In this section, we are going to leverage workflow-instance REST API to create a new instance.

You can navigate to a particular API to read the documentation and also find sample payload. In the below image, I have highlighted two important things – Workflow definition ID and context. This needs to be provided when triggering a workflow.

In the Start UI, I have created a XML view which will display the user registration form. I have put the usual fields like firstname, lastname, email, phone etc.

In the controller definition, I am invoking two REST APIs. The first one is to get X-CSRF-Token and the subsequent call is to make a POST call with the X-CSRF-Token along with the context payload. The context payload would contain the information provided by the user in the registration form

You can find the compete source code here at github.

I have deployed this App to my SAP Cloud Platform cockpit. When I run this app, I get the below screen where I can provide user information and click on submit. Notice that I have provided an email with domain “vendorA”. The business rules within the workflow should find the relevant approver and default IdP group for this vendor organization.

After submitting, this request, a task gets created and I can view the task instance using the REST APIs.  In the below screenshot, the tasks is currently sitting in My Inbox for the recipient to action. Notice that the business rules have already been applied. You can say that by the output node which is populated with the approver and default IdP group.

When I logon to My Inbox, I would be able to see this task waiting for me to action. Notice that the default IdP group has been picked up and is also displayed on the screen.

As an approver, I can decide to approve this task by clicking on “Approve” button. This will invoke the SCIM APIs exposed from SAP Cloud Platform Identity Authentication service. I have defined a method called createSCIUser which prepares the input and makes an ajax call.

When calling an external service from the Custom UI task the URL needs to be proerply formatted as explain in the Help documentation. In the example above, the URL to invoke a SCIM API would be URL: /html5apps/mywfapp/SCI/. I have created a destination in my SAP CP cockpit with the name SCI which refers to my SCI tenant.

If you would like to know more about how to invoke the SCIM APIs, you can check the SAP Help documentation.

After approving the task, when I navigate to the Cloud Identity, I will be able to see the user created.

Secondly, when I navigate to the “User Groups” menu and explore the “AccountsPayable_A” group, I would be able to see the newly created user assigned to this group.

In the next part of the blog, I will show you how to setup trust between SAP Cloud Platform Identity Authentication service and Cloud Portal.

 

Assigned tags

      14 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Gregor Wolf
      Gregor Wolf

      Hi Murali,

      thank you for this great Blog series!

      As I'm currently implementing a similar User Registration process I'm wondering if you've found a way to influence the "Register" button that shows up in the SAP Identity Authentication Login form. I want to either disable it or link it to my custom registration form. Have you looked into this and found a solution?

      Best regards
      Gregor

      Author's profile photo Murali Shanmugham
      Murali Shanmugham
      Blog Post Author

      Thanks Gregor. I am glad its helpful.

      Few people have asked me the same question. I am not sure if there is a way to influence the register button in the SAP Identity Authentication Login form.  Here are my thoughts - The "Register" button shows up only when you have set the "User Application Access"  to "Public" in Identity Authentication service for the respective application. What if we change this to "Internal" and remove the Register button in the login form. You can then provide the link to your custom registration form to your end users and request them to kick start the process of registering and then accessing the applications.I know this is not an elegant way. I will try and request this feature to be added to Identity Authentication service.

      Author's profile photo Gregor Wolf
      Gregor Wolf

      Hi Murali,

      thank you for the quick response. I gave it a try already and that is a good intermediate solution. I would like to support this feature request. Have you posted it already somewhere? https://ideas.sap.com/ct/c_b.bix?a=OD3837 seems not to include an SAP Cloud Identity Authentication Service.

      Best regards
      Gregor

      Author's profile photo Murali Shanmugham
      Murali Shanmugham
      Blog Post Author

      Yes, it looks like SAP Cloud Identity Authentication Service is not accepting ideas through Idea Place. I am reaching out internally to check if we can have an Idea place for this service too.

      Author's profile photo Leigh Mason
      Leigh Mason

      Hey Gregor, I'm working through the same process now 🙂

       

      In the administration cockpit for the Identity Authentication, you can navigate to:

       

      Custom Application->Authentication & Access Tab->User Application Access list item:

       

       

      These options seem to influence the "Registration'" Button on the logon page.  If this is set to "Internal" for example, the Registration Button doesn't appear.

      I'm actually struggling with this, I need to couple a SCP Workflow into this process rather than just direct self-registration ( i.e. the scenario in Murali's blog ) but I can't find anyway to influence the behaviour after clicking "Register" when the user completes the registration form.

      When I work this out I'll share it 🙂

       

      Author's profile photo Gregor Wolf
      Gregor Wolf

      Hi Leigh,

      our solution was to link a public accessible HTML5 app with an XS Classic backend. The XS Classic backend then calls the SCP Identity Service API. But there you could also call the Workflow.

      Best regards
      Gregor

      Author's profile photo Raghavendra H K
      Raghavendra H K

      Hi Murali,

      thank you for this great Blog series!

      Actually I am doing workflow for vendor data creation, in that multiple level of approvals are there. Can u please explain how to achieve multiple approvals in workflow.

       

      Best regards
      Raghvendra

       

      Author's profile photo Raghavendra H K
      Raghavendra H K

       

      Hi Murali,

      thank you for this great Blog series!

      Actually I am doing workflow for  vendor data creation for this app multiple level of approvals are there. Can u please explain how to achieve multiple levels of approving.

      Best regards
      Ragahvendra

       

      Author's profile photo Murali Shanmugham
      Murali Shanmugham
      Blog Post Author

      Hi Raghavendra,

      Thanks. You should be able to achieve multiple levels of approval by modeling your workflow with several "User Tasks".

      Author's profile photo Lucas Erni
      Lucas Erni

      Hi Murali,

       

      Thanks for the introduction.

      I got a question about the authientification for the SCIM API, do i access the API via SAP Certificate?

      Is there any tutorial existing? The relation between the application and the API is not quite clear?

       

      Best regards

      Lucas Erni

       

      Author's profile photo Murali Shanmugham
      Murali Shanmugham
      Blog Post Author

      Hi Erni

      Did you check this help documentation - https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/

       

      Author's profile photo Christian Hecktor
      Christian Hecktor

      Hi Murali,

      thanks a lot for providing this blog post!

      I am currently trying to call my IdP's SCIM REST API from within the workflow environment in order to register the provided user after approval. Calling it from inside the approval UI as indicated in the blog post results in an 405 (Method Not Allowed) response. The corresponding destination seems to work since a static call from the same UI deployed outside the workflow environment does not cause any problems.

      I tried to circumvent this problem by implementing the approval UI as a simple User Task form with two descision buttons (accept / deny) and introducing an exclusive gateway which triggers a Service Task only when the "Accept" button is hit. In this Service Task I tried to call the SCIM REST API to register my user. Again, an error occured, in this case a 415 (Unsupported Media Type) response. It seems that this is caused by a default content type which is not the required "application/scim+json" one. I did not find a way to adjust the content type using the GUI.

      How do I use SCIM REST APIs from within the worklow environment?

      Best regards,

      Christian

      Author's profile photo Murali Shanmugham
      Murali Shanmugham
      Blog Post Author

      Hi Christian,

      Its been a while since I worked on the Workflow service. Can you please raise a question in the forum and tag the Workflow service? Thanks

      Author's profile photo Vijay Madhavan
      Vijay Madhavan

      Hi Murali Shanmugham Murali Shanmugham /

      Did you find any option to configure the self-registration to a custom application?
      Thanks & Regards
      Vijay