Yordan Pavlov

Eclipse Dirigible – SAP Identity and Authentication Service Integration on the SAP Cloud Platform

Overview


Eclipse Dirigible is an open-source cloud development platform that provides capabilities for end-to-end development processes from database modeling and management, through RESTful services using server-side JavaScript, to pattern-based user interface generation, role-based security, external services integration, testing, debugging, operations and monitoring.

Some of the unique features include:

The platform aims to unify open-source business services by providing software developers with a convenient set of tools for building, running, and operating business applications in the Cloud. Dirigible is also part of the Eclipse Cloud Development top-level project.

Setup


Starting with Eclipse Dirigible 5.0, there are built-in integrations with the SAP Cloud Platform Cloud Foundry and Kyma environments. Beyond the most basic configuration with the default Identity Provider, there are plenty of use cases where integration with the SAP Identity and Authentication Service is needed.

In this tutorial I’m going to assume that you have access to your own SAP Identity and Authentication Service tenant and that you’ve already deployed Eclipse Dirigible in either the SAP Cloud Platform Cloud Foundry or the Kyma environment:

First let’s access the Identity and Authentication Service tenant:

(Identity and Authentication Service)

The first part of the integration is to create an Application in the Identity and Authentication Service tenant:

  1. Go to Applications & Resources -> Applications.
  2. Click on the Add button.
  3. Set an application name (e.g. demo-application) and click Save.

After the new application is created, then it should be configured:

  1. Open the Assertion Attributes:
    • This configuration covers the assertion attributes that will be sent back to the application after a successful SAML authentication. The most common use case is to send the assigned User Groups as part of the SAML response, so that Role-Based Access Control can be applied based on the groups assertion attribute.
  2. Click on the Add button.
  3. From the list of assertion attributes, select the Groups option.
  4. Save the changes.

The next step is to set up a trust configuration between the SAP Cloud Platform and the SAP Identity and Authentication Service. To do so, the SAML 2.0 metadata configurations have to be exchanged in both directions:

  1. From the Identity and Authentication Service tenant, navigate to Applications & Resources -> Tenant Settings.
  2. Go to the SAML 2.0 Configuration.
  3. Click on the Download Metadata File button:
  4. The SAML 2.0 metadata file (metadata.xml) is downloaded.
  5. Navigate to the SAP Cloud Platform Cockpit and to the subaccount where the trust configuration will be done.
  6. Go to Security -> Trust Configuration.
  7. Click on the New Trust Configuration button.
  8. In the Trust Configuration dialog, upload the metadata.xml file that was downloaded from the Identity and Authentication Service tenant:
  9. After the new trust configuration is created, click on the SAML Metadata button to download the SAML metadata for the SAP Cloud Platform subaccount that is being configured:
  10. The SAML metadata file (saml-xxxxxx-sp.xml) is downloaded.
  11. Switch back to the Identity and Authentication Service tenant.
  12. Go to Applications & Resources -> Applications.
  13. Select your application (e.g. demo-application).
  14. Open the SAML 2.0 Configuration.
  15. Upload the SAML metadata file (saml-xxxxxx-sp.xml) that was downloaded from the SAP Cloud Platform Cockpit:
  16. Save the changes.

With this, the trust exchange between the SAP Cloud Platform and the SAP Identity and Authentication Service is done. Now let’s create a few Users and User Groups in the Identity and Authentication Service:

  1. Go to Users & Authorizations -> User Management.
  2. Click on the Add button and create a few users.
    • This step is optional: in the next steps you can also use the user that has been used so far to access the Identity and Authentication Service (e.g. P000000).
  3. Go to Users & Authorizations -> User Groups.
  4. Click on the Add button and create the Developers user group:
  5. Go back to the User Management section.
  6. Select the user that you want to change (e.g. P000000).
  7. Go to the User Groups tab.
  8. Assign the Developers user group to the user:

Last but not least, the mapping from the assertion attribute (groups) to role collections has to be done in the SAP Cloud Platform:

  1. Navigate from the SAP Cloud Platform Cockpit to the subaccount that was used previously.
  2. Go to Security -> Trust Configuration.
  3. Select the trust configuration that was previously created (e.g. ias-demo).
  4. Go to the Role Collection Mapping section.
  5. Click on the New Role Collection Mapping button.
  6. Enter the following properties:
    • Role Collection: <the-target-role-collection> (e.g. dirigible)
    • Attribute: groups
    • Value: Developers

The Role Collection Mapping steps should be repeated once for every User Group and Role Collection pair that the application expects.
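To make the mapping above concrete, here is an added example (not code from the original post or from the Dirigible project) that parses a constructed SAML assertion carrying the IAS groups attribute and applies the same Attribute / Value / Role Collection rules the cockpit dialog asks for. The assertion text, the mapping table and the dirigible-operator role collection are assumptions for illustration; signature and audience validation of the real response are assumed to have already been done by the platform before any attribute is trusted.

```python
"""Resolve SAML 'groups' assertion attribute values to role collections."""
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not a real IAS response). With the Groups
# assertion attribute enabled, IAS sends the user's groups as a multi-valued
# attribute named "groups".
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0">
  <saml2:Subject><saml2:NameID>P000000</saml2:NameID></saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="groups">
      <saml2:AttributeValue>Developers</saml2:AttributeValue>
      <saml2:AttributeValue>Operators</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="first_name">
      <saml2:AttributeValue>Jane</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

# Role Collection Mappings as entered in the cockpit dialog (assumed values).
ROLE_COLLECTION_MAPPINGS = [
    {"attribute": "groups", "value": "Developers", "role_collection": "dirigible"},
    {"attribute": "groups", "value": "Operators", "role_collection": "dirigible-operator"},
]


def attribute_values(assertion_xml, name):
    """Return all AttributeValue texts of the attribute called `name` (exact match)."""
    root = ET.fromstring(assertion_xml)  # only call this on an already verified assertion
    values = []
    for attr in root.iterfind(".//saml2:Attribute", NS):
        if attr.get("Name") == name:
            values.extend(v.text.strip() for v in attr.iterfind("saml2:AttributeValue", NS) if v.text)
    return values


def role_collections_for(assertion_xml, mappings):
    """Apply the cockpit mapping rules: a rule fires when its value is among the attribute's values."""
    granted = set()
    for rule in mappings:
        if rule["value"] in attribute_values(assertion_xml, rule["attribute"]):
            granted.add(rule["role_collection"])
    return granted


def unmapped_groups(assertion_xml, mappings):
    """Troubleshooting aid: groups the user has that grant no role collection at all."""
    mapped = {r["value"] for r in mappings if r["attribute"] == "groups"}
    return [g for g in attribute_values(assertion_xml, "groups") if g not in mapped]
```

Running `unmapped_groups` against a mapping table is a quick way to explain why a user who is in a group still lands without a role collection: the attribute name and value must match the rule exactly, so a rule on `Groups` never sees the `groups` attribute.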

When accessing the deployed application (e.g. Eclipse Dirigible), you’ll notice that there is a second login option (e.g. ias-demo). Click on it to trigger the authentication flow via the SAP Identity and Authentication Service:

After login, you should be able to access Dirigible and create a “hello world” project, meaning that the Assertion Attributes to Role Collection Mapping was successful:

Once the login via the new trust configuration has been verified, the default sap.default trust configuration can be disabled from the Trust Configuration section, so that the SAP Identity and Authentication Service tenant is used by default.

Notes


Next, you can visit the Samples section to master some of the basic Eclipse Dirigible functionalities, explore the Enterprise JavaScript APIs, check out the YouTube channel for video content, or simply visit the official site for news and updates.
