Technology Blogs by SAP
quovadis
Product and Topic Expert

This brief showcases how to configure a custom identity provider (an SAP Cloud Identity Services - Identity Authentication tenant, IAS for short) for the Kyma runtime using an SAP BTP trial account.

Although the entire procedure is well documented on the SAP Help Portal under Configure a Custom Identity Provider for Kyma, the missing piece of the puzzle is the configuration of the identity provider application itself.

Any OIDC provider can be used as a custom OIDC provider for a Kyma cluster. However, the SAP BTP platform makes it both simple and affordable with the Always Free plan of SAP Cloud Identity Services - Identity Authentication.

From experience, this is the most error-prone part of the procedure.
To alleviate the pain of creating the SAP IAS service provider application by hand, I have prepared automation scripts that can be run entirely programmatically, either from the Kyma environment itself or directly at the BTP subaccount level.

Let's see how.

Table of Contents
  1. Prepare the subaccount for the Kyma runtime with a custom IAS tenant
    1. Add the relevant service plans to the subaccount entitlements
    2. Enable the Kyma runtime environment
  2. Establish BTP subaccount trust with a custom SAP IAS tenant
    1. Subscribe to the Cloud Identity service from the service marketplace
    2. Create a subscription to the Cloud Identity service
    3. Establish BTP trust
  3. Kyma environment
    1. Default kubeconfig for the provisioned Kyma cluster
    2. Deploy the custom-idp service provider application
    3. Update the Kyma cluster settings to use the custom IAS tenant
  4. Access the Kyma dashboard

PS.

1. The SAP IAS service provider application automation script, for those who would like to run it directly from the Kyma dashboard (as a ServiceInstance plus a ServiceBinding handled by the SAP BTP Operator).

A hint: replace every '<...>' placeholder with the shoot name of the Kyma cluster (fee3078 in the comments below), and set home-url to the cluster URL shown in its comment (https://$BTP_SUBDOMAIN.<shoot-name>.kyma.ondemand.com).

 

# Source: skr-easy/templates/binding-ias.yaml
apiVersion: services.cloud.sap.com/v1
kind: ServiceBinding
metadata:
  name: skr-ias-binding
  labels:
    app.kubernetes.io/name: skr-ias-binding
spec:
  serviceInstanceName: '<serviceInstanceName>' ##fee3078
  externalName: '<externalName>' ##fee3078
  secretName: skr-ias-binding-secret
  parameters:
    credential-type: "NONE" 
  parametersFrom: []
---
# Source: skr-easy/templates/service-ias.yaml
apiVersion: services.cloud.sap.com/v1
kind: ServiceInstance
metadata:
  name: '<name>' ##'fee3078'
  labels:
    app.kubernetes.io/name: '<label>' ##'fee3078'
spec:
  externalName: '<externalName>' ##fee3078
  serviceOfferingName: identity
  servicePlanName: application
  parameters:
    name: '<name>'                     ##'fee3078' ### name of the application created in IAS or the service instance id
    display-name: '<display-name>'     ##'shoot-name-fee3078' ### display-name of the application created in IAS
    home-url: '<home-url>'             ## 'https://$BTP_SUBDOMAIN.fee3078.kyma.ondemand.com'
    user-access: public ## allows for self-registration

    oauth2-configuration:
      grant-types:
        - authorization_code
        - authorization_code_pkce_s256
      token-policy:
        token-validity: 3600
        refresh-parallel: 3
        access-token-format: default

      public-client: true ## if set to true, enables PKCE flow for the application, where the client does not need to provide a credential.
      redirect-uris:
        - 'https://dashboard.kyma.cloud.sap'
        - 'http://localhost:8000'
    subject-name-identifier:      ## https://help.sap.com/docs/identity-authentication/identity-authentication/configure-subject-name-identifier-sent-to-application?locale=en-US
      attribute: mail ##userUuid
      fallback-attribute: none ##uid

    default-attributes:    ## https://help.sap.com/docs/identity-authentication/identity-authentication/configure-default-attributes-sent-to-application?locale=en-US (left empty on purpose, i.e. null)

    assertion-attributes:  ## https://help.sap.com/docs/identity-authentication/identity-authentication/configure-user-attributes-sent-to-application?locale=en-US
      email: mail
      groups: companyGroups
      first_name: firstName
      last_name: lastName
      login_name: loginName
      mail: mail
      scope: companyGroups
      user_uuid: userUuid
      locale: language

 

2. Let's assume one needs to provision a Kyma cluster with a custom IAS from the start.
In that case the SAP IAS service provider application must be created before the Kyma environment is enabled, because its client ID and issuer URL are part of the environment parameters.

SAP IAS service instance parameters (offering identity, plan application) for those who need to enable a Kyma cluster configured with a custom SAP IAS from the get-go:

 

{
    "name": "quovadis",
    "display-name": "quovadis",
    "user-access": "public",
    "oauth2-configuration": {
        "grant-types": [
            "authorization_code",
            "authorization_code_pkce_s256"
        ],
        "token-policy": {
            "token-validity": 3600,
            "refresh-parallel": 3,
            "access-token-format": "default"
        },
        "public-client": true,
        "redirect-uris": [
            "https://dashboard.kyma.cloud.sap",
            "http://localhost:8000"
        ]
    },
    "subject-name-identifier": {
        "attribute": "mail",
        "fallback-attribute": "none"
    },
    "default-attributes": null,
    "assertion-attributes": {
        "email": "mail",
        "groups": "companyGroups",
        "first_name": "firstName",
        "last_name": "lastName",
        "login_name": "loginName",
        "mail": "mail",
        "scope": "companyGroups",
        "user_uuid": "userUuid",
        "locale": "language"
    }
}

 

As the SAP IAS service provider OAuth2 application must be configured with the authorization code with PKCE grant type (a public client that holds no secret), one needs to provide the following service binding parameters:

 

{
    "credential-type": "NONE"
}
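Why a public client with credential-type NONE is acceptable here comes down to PKCE: the browser-based Kyma dashboard proves at the token endpoint that it started the flow, instead of presenting a secret it could not keep. The following Python is an added illustration, not code from the original post or from SAP IAS, of the S256 method that the authorization_code_pkce_s256 grant type refers to, including the server-side check that rejects an authorization code redeemed without the matching verifier. It assumes only the RFC 7636 rules and nothing about IAS internals.

```python
"""PKCE (RFC 7636) S256 round trip: added example, not from the original post."""
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier(n_bytes: int = 32) -> str:
    """Random verifier; 32 random bytes encode to 43 chars, the RFC minimum."""
    return b64url(secrets.token_bytes(n_bytes))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def server_verifies(stored_challenge: str, method: str, presented_verifier: str) -> bool:
    """What the token endpoint does when a code is redeemed: recompute the
    challenge from the verifier sent with the code and compare it with the
    challenge stored alongside the authorization code. Only S256 is accepted,
    matching the authorization_code_pkce_s256 grant type configured above."""
    if method != "S256":
        return False
    if not 43 <= len(presented_verifier) <= 128:
        return False
    return hmac.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)


def pkce_round_trip() -> dict:
    """Simulated browser (Kyma dashboard) <-> authorization server exchange
    with no client secret anywhere."""
    verifier = new_code_verifier()
    challenge = code_challenge_s256(verifier)
    # The authorization request carries code_challenge and method; the server
    # stores them with the authorization code it issues.
    stored = {"code_challenge": challenge, "method": "S256"}
    # The legitimate client redeems the code with the original verifier.
    accepted = server_verifies(stored["code_challenge"], stored["method"], verifier)
    # Someone who intercepted the code (e.g. on the http://localhost redirect)
    # but not the verifier cannot redeem it.
    stolen = server_verifies(stored["code_challenge"], stored["method"], new_code_verifier())
    return {"legitimate_accepted": accepted, "stolen_code_accepted": stolen,
            "challenge": challenge}


if __name__ == "__main__":
    print(pkce_round_trip())
```

The verifier never leaves the browser until the token request, and the challenge is a one-way hash of it, so a leaked authorization code alone is worthless; that is what makes public-client: true safe without a credential in the binding.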

 

The resulting binding (stored in the Kubernetes secret named by secretName, skr-ias-binding-secret above) contains both the clientid and the issuer url and, because of credential-type NONE, no client secret. These values can be used directly in the Kyma cluster provisioning wizard, for instance:

{
    "clientid": "f61*************",
    "url": "https://***.trial-accounts.ondemand.com"
}

From now on, one can create or update the Kyma environment settings, either from the BTP cockpit or with the btp CLI, using the JSON parameters below (saved to a local config.json file). Note that usernameClaim sub is populated by IAS from the subject-name-identifier attribute (mail above), groupsClaim groups is fed by the groups assertion attribute (companyGroups), and usernamePrefix "-" disables the Kubernetes username prefix, so the administrators listed by e-mail address are matched verbatim against sub.

 

{
    "administrators": [
        "email1@domain.com",
        "email2@domain.com",
        "emailN@domain.com"
    ],
    "oidc": {
        "clientID": "f61********************",
        "groupsClaim": "groups",
        "issuerURL": "https://***.trial-accounts.ondemand.com",
        "signingAlgs": [
            "RS256"
        ],
        "usernameClaim": "sub",
        "usernamePrefix": "-"
    },
    "name": "quovadis"
}
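Putting the pieces together: the following Python is an added example, not code from the original post or from SAP, that derives the oidc section of config.json from the binding secret and runs the consistency checks a practitioner wants across the IAS application parameters, the binding and the Kyma parameters before handing them to the btp CLI. The sample binding values and the administrator address are constructed; the rule that administrators are matched against the OIDC username (sub) is an assumption stated in the code.

```python
"""Preflight for the Kyma OIDC parameters: added example, not from the original post."""
import json
from urllib.parse import urlsplit

# Constructed sample inputs shaped like the page's JSON (identifiers are made up).
IAS_APP_PARAMS = {
    "name": "quovadis",
    "user-access": "public",
    "oauth2-configuration": {
        "grant-types": ["authorization_code", "authorization_code_pkce_s256"],
        "public-client": True,
        "redirect-uris": ["https://dashboard.kyma.cloud.sap", "http://localhost:8000"],
    },
    "subject-name-identifier": {"attribute": "mail", "fallback-attribute": "none"},
    "assertion-attributes": {"email": "mail", "groups": "companyGroups", "user_uuid": "userUuid"},
}
BINDING_SECRET = {  # shape of skr-ias-binding-secret; values invented
    "clientid": "f61e0000-0000-4000-8000-000000000000",
    "url": "https://example.trial-accounts.ondemand.com",
}


def build_kyma_config(binding: dict, administrators: list, env_name: str) -> dict:
    """Same shape as the page's config.json; clientID/issuerURL come from the binding."""
    return {
        "administrators": list(administrators),
        "oidc": {
            "clientID": binding["clientid"],
            "groupsClaim": "groups",      # fed by assertion attribute groups -> companyGroups
            "issuerURL": binding["url"].rstrip("/"),
            "signingAlgs": ["RS256"],
            "usernameClaim": "sub",       # IAS puts the subject-name-identifier here
            "usernamePrefix": "-",        # "-" disables prefixing in Kubernetes OIDC auth
        },
        "name": env_name,
    }


def check_ias_app(params: dict) -> list:
    """Findings on the IAS application parameters; an empty list means OK."""
    findings = []
    oauth = params.get("oauth2-configuration", {})
    grants = set(oauth.get("grant-types", []))
    if oauth.get("public-client") and "authorization_code_pkce_s256" not in grants:
        findings.append("public client without authorization_code_pkce_s256: stolen codes are redeemable")
    if "implicit" in grants:
        findings.append("implicit grant enabled: tokens would be exposed in the redirect URL")
    for uri in oauth.get("redirect-uris", []):
        u = urlsplit(uri)
        loopback = u.scheme == "http" and u.hostname in ("localhost", "127.0.0.1")
        if u.scheme != "https" and not loopback:
            findings.append(f"redirect URI {uri}: only https or http://localhost is acceptable")
        if "*" in uri:
            findings.append(f"redirect URI {uri}: a wildcard lets codes be redirected elsewhere")
    if "groups" not in params.get("assertion-attributes", {}):
        findings.append("assertion attribute 'groups' missing: Kyma groupsClaim 'groups' would be empty")
    return findings


def check_kyma_oidc(cfg: dict, binding: dict, params: dict) -> list:
    """Cross-check config.json against the binding and the IAS application."""
    findings = []
    oidc = cfg["oidc"]
    if urlsplit(oidc["issuerURL"]).scheme != "https":
        findings.append("issuerURL must be https: discovery and JWKS are fetched from it")
    if oidc["issuerURL"].rstrip("/") != binding["url"].rstrip("/"):
        findings.append("issuerURL differs from the binding url: tokens will fail the iss check")
    if oidc["clientID"] != binding["clientid"]:
        findings.append("clientID differs from the binding clientid: tokens will fail the aud check")
    if not oidc["signingAlgs"] or "none" in oidc["signingAlgs"]:
        findings.append("signingAlgs must list real algorithms (RS256 here)")
    if not cfg["administrators"]:
        findings.append("administrators is empty: nobody gets cluster-admin")
    subject = params["subject-name-identifier"]["attribute"]
    # Assumption: administrators are matched against the OIDC username, which with
    # usernameClaim 'sub' is the subject-name-identifier attribute chosen in IAS.
    if oidc["usernameClaim"] == "sub" and subject != "mail" and any("@" in a for a in cfg["administrators"]):
        findings.append(f"administrators are e-mail addresses but sub carries '{subject}': they will not match")
    if oidc["usernamePrefix"] == "-" and subject not in ("mail", "userUuid"):
        findings.append("usernamePrefix '-' removes namespacing; use a unique subject attribute such as mail")
    return findings


def preflight(binding=BINDING_SECRET, params=IAS_APP_PARAMS,
              administrators=("admin@example.com",), env_name="quovadis") -> dict:
    """Build config.json content and collect all findings."""
    cfg = build_kyma_config(binding, list(administrators), env_name)
    return {"config": cfg, "findings": check_ias_app(params) + check_kyma_oidc(cfg, binding, params)}


if __name__ == "__main__":
    result = preflight()
    print(json.dumps(result["config"], indent=4))  # paste into config.json
    for finding in result["findings"]:
        print("FINDING:", finding)
```

With the page's own values every check passes; the findings list is there for the day someone adds an http redirect URI, drops the PKCE grant type, or pastes a client ID from a different binding.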

 

Finally, the following shows how to create a new Kyma environment with the btp CLI in a BTP trial account:

 

btp create accounts/environment-instance --display-name quovadis --environment kyma --service kymaruntime --plan trial --parameters config.json

Creating an environment instance for subaccount e691b16b-**********...

environment id:     B1A10B19-************
environment name:   quovadis
environment:        kyma
landscape:          
state:              CREATING
state message:      Creating environment instance.

Command runs in the background. 
Use 'btp get accounts/environment-instance' to verify status.

OK


btp list accounts/environment-instance

Showing environment details for subaccount e691b16b-*************:

environment name   environment id                         environment type   state   state message                   landscape   
*******trial       AA23C91E-************   cloudfoundry       OK      Environment instance created.   cf-ap21     
quovadis           B1A10B19-************   kyma               OK      Environment instance created.               


OK

 

and how to dispose of it afterwards:

 

btp delete accounts/environment-instance B1A10B19-**************
Do you really want to delete the specified environment instance and all content? [no]> yes

Deleting environment instance B1A10B19-******** and all its data in subaccount e691b16b-***********...

environment name:   quovadis
environment id:     B1A10B19-***************
environment type:   kyma

Command runs in the background. 
Use 'btp list accounts/environment-instance' to verify status.

OK

 

Alternatively, an existing Kyma environment can be updated with new parameters, for instance:

 

btp update accounts/environment-instance B1A10B19-******** --plan trial --parameters config2.json

Updating environment instance with ID B1A10B19-***********

OK

 

Please note that the list of Kyma modules cannot be amended via a Kyma environment update.