
SAP Authorization and Trust Management Service

Manage application authorizations and connections to identity providers.

The SAP Authorization and Trust Management service lets you manage user authorizations and trust to identity providers. Identity providers are the user base for applications. You can use an identity authentication tenant, an SAP on-premise system, or a custom corporate identity provider. User authorizations are managed using technical roles at the application level, which can be aggregated into business-level groups and role collections for large-scale cloud scenarios.

SAP Authorization and Trust Management Service

| Feature | Description |
|---|---|
| Use your corporate or a default IdP | Enable user management for your applications by handling authentication to an external identity provider. Start with SAP ID service as a pre-configured, easy-to-use identity provider. Switch to your corporate identity provider for customized user management. |
| Enable role-based access to applications | Grant users different privileges when they access your applications, based on their roles. |

Update Service Instance

Changes to the security descriptor can be made using the command line tool.

  1. Log in to CF and choose the org and space in which you created the instance:

```shell
cf login -a https://api.cf.{region}-{instance}.hana.ondemand.com/ -o {orgId} -s {spaceId}
```

  2. Run the update command:

```shell
cf update-service myappxsuaa -p application -c xs-security.json
```

Space dependent identity provider

The allowedproviders parameter pins the XSUAA instance to a specific custom identity provider; only the listed providers can log users in to the applications bound to that instance.

The mta.yaml deployment descriptor maps each space to its own target identity provider automatically through the ${space} placeholder:

```yaml
resources:
- name: app-auth
  type: org.cloudfoundry.managed-service
  parameters:
    service: xsuaa
    service-plan: application
    config:
      xsappname: app-${space}
      tenant-mode: dedicated
      # Inline config is used instead of a reference to a descriptor file
      #path: ./xs-security.json
      oauth2-configuration:
        redirect-uris:
          - "http*://*.localhost:5000/**" # hybrid testing only!
          - "http*://*.${default-domain}/**"
          - "http*://*.<CustomDomain>/**"
        allowedproviders:
          - "${space}-IDP"
      scopes:
          - name: "$XSAPPNAME.Administrator"
            description: Administrate the application
          - name: "$XSAPPNAME.User"
            description: Use the application
      role-templates:
          - name: Administrator
            description: Administrator
            scope-references:
             - "$XSAPPNAME.Administrator"
          - name: User
            description: User Required
            scope-references:
             - "$XSAPPNAME.User"
```
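The descriptor above is what `cf update-service ... -c xs-security.json` pushes to the instance, so it is worth checking before the update step. The following is an added example, not SAP's tooling or code from this page: a small lint that checks the parts of the descriptor the page discusses (scope references inside role-templates, `allowedproviders`, and the `redirect-uris`, including the hybrid-testing localhost entry) and only builds the update command when the descriptor passes. Both descriptors are constructed for the example, with `${space}` shown already resolved to `dev`, `dev-IDP` standing in for a real identity-provider origin key, and `cfapps.example.test` standing in for the default domain.

```python
"""Gate the `cf update-service` step on a lint of the xs-security descriptor.

Added example; not SAP tooling. Both descriptors below are constructed."""
import json

# Constructed sample: the page's config with ${space} resolved to "dev", plus a
# deliberately dangling scope reference ($XSAPPNAME.Auditor) for the lint to catch.
SAMPLE_DESCRIPTOR = json.dumps({
    "xsappname": "app-dev",
    "tenant-mode": "dedicated",
    "oauth2-configuration": {
        "redirect-uris": [
            "http*://*.localhost:5000/**",
            "http*://*.cfapps.example.test/**",
        ],
        "allowedproviders": ["dev-IDP"],
    },
    "scopes": [
        {"name": "$XSAPPNAME.Administrator", "description": "Administrate the application"},
        {"name": "$XSAPPNAME.User", "description": "Use the application"},
    ],
    "role-templates": [
        {"name": "Administrator", "scope-references": ["$XSAPPNAME.Administrator"]},
        {"name": "User", "scope-references": ["$XSAPPNAME.User", "$XSAPPNAME.Auditor"]},
    ],
})

# Constructed hardened variant: https-only redirect URIs, no localhost entry,
# every referenced scope declared.
HARDENED_DESCRIPTOR = json.dumps({
    "xsappname": "app-dev",
    "tenant-mode": "dedicated",
    "oauth2-configuration": {
        "redirect-uris": ["https://*.cfapps.example.test/**"],
        "allowedproviders": ["dev-IDP"],
    },
    "scopes": [{"name": "$XSAPPNAME.Administrator"}, {"name": "$XSAPPNAME.User"}],
    "role-templates": [
        {"name": "Administrator", "scope-references": ["$XSAPPNAME.Administrator"]},
        {"name": "User", "scope-references": ["$XSAPPNAME.User"]},
    ],
})


def lint_descriptor(text, allow_localhost=False):
    """Return a list of findings; an empty list means the descriptor passed."""
    doc = json.loads(text)
    findings = []
    if not doc.get("xsappname"):
        findings.append("xsappname is missing")

    # Every scope a role template references should be declared under "scopes".
    declared = {s["name"] for s in doc.get("scopes", [])}
    for tmpl in doc.get("role-templates", []):
        for ref in tmpl.get("scope-references", []):
            if ref not in declared:
                findings.append(f"role-template {tmpl['name']}: undeclared scope {ref}")

    oauth = doc.get("oauth2-configuration", {})
    # Without allowedproviders the instance is not pinned to the space's IdP.
    if not oauth.get("allowedproviders"):
        findings.append("allowedproviders is not set")

    for uri in oauth.get("redirect-uris", []):
        # The page marks the localhost entry as hybrid testing only.
        if "localhost" in uri and not allow_localhost:
            findings.append(f"redirect-uri {uri}: hybrid testing only")
        # "http*://" matches both http and https; flag anything that admits plain http.
        if uri.startswith(("http*://", "http://")):
            findings.append(f"redirect-uri {uri}: allows plain http")
    return findings


def update_command(text, instance="myappxsuaa", plan="application", path="xs-security.json"):
    """Return the argv of the update step from the page, or None if the lint fails."""
    if lint_descriptor(text):
        return None
    return ["cf", "update-service", instance, "-p", plan, "-c", path]


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_DESCRIPTOR), ("hardened", HARDENED_DESCRIPTOR)):
        print(name, lint_descriptor(text) or "OK", update_command(text))
```

Run against the sample descriptor the lint reports the dangling `$XSAPPNAME.Auditor` reference, the localhost redirect URI, and the two `http*://` patterns, and refuses to build the update command; the hardened variant passes and yields the exact `cf update-service` call from the procedure above. Pass `allow_localhost=True` when linting a descriptor intended for hybrid testing.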

Deployment-specific parameters

Because the security profile is declared inline in mta.yaml rather than in a separate xs-security.json file, its values can be overridden per deployment with an MTA Extension Descriptor.

Support

| Component Name | Component Description |
|---|---|
| BC-CP-CF-SEC-IAM | Support component for this service |