Self-registration with SAP Cloud Platform Identity Authentication Service
I had a scenario where I needed to setup self-registration for an app in SAP Cloud Platform. Therefore I used SAP Cloud Identiy Authentication Service. Doing so, I came across the blog posts of Murali Shanmugham. Murali already created a great series of blog posts about a self-registration scenario with approval workflow. In these blogs, he describes all the steps perfectly, it’s a must read if you want to know about all the possibilities of self-registration and SAP Cloud Identity Authentication Service (IAS). You can find the blogs here: https://blogs.sap.com/2017/07/31/implementing-a-user-self-registration-scenario-using-workflow-and-business-rules-in-sap-cloud-platform-part-1/
In my scenario, I didn’t had the need for an approval workflow and the business rule like Murali. Instead, I had to find another solution for assigning newly registered users to my app automatically. To do so, I used a regex in the mapping rule of the assertion-based groups for matching the email address. The defined group is assigned to the role that contains my app. In the end, it should be possible for end users to register themselves and access the app if there email address matches the pattern. That way, I don’t need an approval workflow. In this blog I will show you all the steps to configure this.
Depending on your use case you can also follow the blogs of Murali and use a workflow for this.
Configuring the self-registration form in SAP Cloud Identity Authentication Service (IAS) to automatically receive access to an app (could also be Cloud Portal) requires the following steps:
- Configure a Platform Identity Provider (not required, but helpful)
- Create a role for your app and assign it to a group
- Set up trust between SCP account and SAP Cloud Identity Authentication Service (IAS)
- Configure the self-registration form
- Configure the mapping between groups and your company mail address so everyone of your company can access the app
Platform Identity Provider
This step is not required, it will just make it easier to access IAS.
Let us start by activating the Platform Identity Provider, Services -> Platform Identity Provider
Enable this service and click on “Configure Service”
Instead of “Configure Service”, you could also use the menu “Security” -> “Trust”
Go to the third tab “Platform Identity Provider” and select “Use Identity Authentication Tenant”
You will see a list of all available SAP Cloud Platform Identity Authentication Services (IAS). Select the one you want to use:
After you have saved the selected IAS, you will see it in the list.
Create a role for your app and assign it to a group
Go to your HTML5 app
Go to the menu “Roles” and create a new role, e.g. “DemoRole”
Create a group that we can use for assigning the role to:
Now we can assign the role to this group:
Set up trust between SCP and IAS
Go back to SCP -> Trust and enable the local service provider like this and download the metadata:
Go to IAS, you can use the direct url or use the button “Administration Console” in Platform Identity provider tab:
Go to applications
Create a new app:
Go to SAML2.0 configuration
Upload the downloaded metadata file from SCP here:
Now, IAS has everything that it needs to know of your SCP account to trust it.
This is also the place where you can enable self-registration by going to the tab “Authentication and Access” -> User Application Access. If you put this to public, you’ll get the “registration” button on the login view.
You can also configure the logo and the fields on the registration form in the last tab:
A trust connection goes both ways, so we need to make your SCP subaccount also trust your IAS. Therefore, we need to download the SAML2.0 configuration from IAS and upload it into your SCP subaccount.
In IAS, open Tenant Settings and go to SAML2.0 Configuration
Download the metadata in the left bottom button
Back to SCP -> Trust -> Tab “Application Identity Provider” and add a Trusted Identity Provider
Click on the Browse button and upload the IAS metadata here:
It will look like this:
Go to the “Groups” configuration and map the “DemoGroup” group we configured in the beginning to mail addresses with the domain of your company.
Let’s recap all the steps we did. We have:
- configured a Platform Identity Provider
- deployed our app and assigned a role to it
- added the role to a newly created group
- configured a trust relation between our SCP subaccount and IAS tenant
- made the self-registration button available
- connected the IAS with our app based on the email pattern
If you now open the deployed app, you’ll be able to register yourself and only access the app with the company mail address.
I use my personal mail for registration
I will receive a confirmation of my registration
I will also receive an email to activate my account
But I won’t be able to access the app because my mail address doesn’t match the pattern:
Let’s change the pattern to “hotmail.com”
If I open the app now, I’ll be able to open it!
This is only an example of what you could do. Much more is possible with the expression mapping. It could be useful in case you want to provide apps for external partners of your company.
Thanks for posting on this topic. I had few people ask about the automatic assignment using email address without using Workflows in the past. I can now refer them to this blog post.
In case anyone wants to know what is the role of a Platform Identity Provider, I have described about it in detail here - https://blogs.sap.com/2018/12/13/self-registration-with-sap-cloud-platform-identity-authentication-service/