When developing your own Cloud Foundry applications, one of the most important components to deal with is the XSUAA. It authenticates and authorises your business users and assigns the appropriate principals to the user's session, so that your application can identify the user by email ID, first name or last name. It also lets you examine roles (scopes) to determine whether or not a user is permitted to do something.
The XSUAA is an SAP internal development. Critically, the XSUAA does not store "real" users, which is why it must rely on an external Identity Provider (abbreviated "IdP"). But how does a user obtain their roles and the necessary permissions to access your applications? Before we get into the specifics, consider the following terms and their relationships: Collections of Roles, Roles, and Scopes. Keep reading to learn why you should protect a Fiori app in SAP BTP with XSUAA!
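The scope check described above, as an added example that is not part of the original post or SAP's own code: a Node.js function that verifies a JWT's signature and expiry before trusting its scopes and user attributes. It assumes an RS256-signed token carrying `scope`, `email`, `given_name` and `family_name` claims with scopes named `<xsappname>.<scope>`; the key pair, the `sampleToken` helper and all claim values are constructed for the demo, and audience and issuer checks are left out to keep it short.

```javascript
const crypto = require("node:crypto");

// Decode one base64url-encoded JWT segment into an object.
const decodeSegment = (seg) => JSON.parse(Buffer.from(seg, "base64url").toString("utf8"));

// Verify signature and expiry, then require "<xsappname>.<scope>" in the token.
// Returns the user attributes the article mentions, or throws.
function authorize(token, publicKey, xsappname, requiredScope, now = Date.now() / 1000) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [header, payload, signature] = parts;
  // Pin the algorithm: never let the token choose "none" or a symmetric alg.
  if (decodeSegment(header).alg !== "RS256") throw new Error("unexpected alg");
  const valid = crypto.verify("RSA-SHA256", Buffer.from(`${header}.${payload}`),
    publicKey, Buffer.from(signature, "base64url"));
  if (!valid) throw new Error("bad signature");
  // Claims are read only after the signature has been verified.
  const claims = decodeSegment(payload);
  if (typeof claims.exp !== "number" || claims.exp <= now) throw new Error("token expired");
  const scopes = Array.isArray(claims.scope) ? claims.scope : [];
  if (!scopes.includes(`${xsappname}.${requiredScope}`)) throw new Error("missing scope");
  return { email: claims.email, firstName: claims.given_name, lastName: claims.family_name };
}

// Constructed sample data: a throwaway key pair stands in for the XSUAA signing key.
const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });

// Hypothetical helper that signs constructed claims so the example runs offline.
function sampleToken(claims, key = privateKey) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  const body = `${enc({ alg: "RS256", typ: "JWT" })}.${enc(claims)}`;
  return `${body}.${crypto.sign("RSA-SHA256", Buffer.from(body), key).toString("base64url")}`;
}

// Constructed claims for a user who holds only the Display scope.
const demoClaims = {
  scope: ["securefiori!t1.Display"], email: "jane.doe@example.com",
  given_name: "Jane", family_name: "Doe", exp: Math.floor(Date.now() / 1000) + 600,
};
console.log(authorize(sampleToken(demoClaims), publicKey, "securefiori!t1", "Display"));
try {
  authorize(sampleToken(demoClaims), publicKey, "securefiori!t1", "Edit");
} catch (e) {
  console.log("Edit denied:", e.message);
}
```

In a deployed application the verification key comes from the bound XSUAA instance rather than a locally generated pair.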
Create DB Module in SAP BTP
Now that you have your Fiori app, it’s time to create a DB module in SAP BTP.
- Create a new DB module and name it “SAP_BTP_SECURE_FIORI”, for example.
- Create a new DB instance with the class “DB_PUBLIC” and name it “SECUREFIORI”.
- Create a new database and call it “SECUREFIORI”.
- Add an external user (for example XSUAA) which has read-write access rights on this database, then grant all roles to this user (ROLE_SUPERUSER/ROLE_RESOURCEADMINISTRATOR/ROLE_OPERATIONS). For example:
  - ROLE SUPERUSER: Grant the SUPERUSER role in DB SECUREFIORI so that you can use the XSUAA user to log in to this database with the XSUAA username and password combination you provided earlier during the installation of Secure Fiori App XSUAA.
  - In general terms, all other users who need access should provide their own username/password combination, which will be used during the login process for accessing the secure Fiori app XSUAA from the SAP BTP server side only.
Create DB instance
- Create a DB Instance
- Create a DB Instance with a Database Server
- Create a DB Instance with a Database Content Delivery Network (CDN)
- Create and configure the client.
Create XSUAA instance
An SAP Fiori App will be created on top of the existing BTP instance, which means that you cannot create an XSUAA instance if the underlying BTP is already an XSUAA. To create an XSUAA instance, perform the following steps:
- Go to Manage Apps > All instances and select New app.
- In step 2 of “New application”, select Create new instance as shown in Figure 1 and click Continue.
Create Application Bindings
You can bind your Fiori application to the XSUAA service. To do this, you need to create an application binding in the App Admin Console. There are three different ways you can create an app with XSUAA:
- Create and deploy your app as usual, but use xsuaa instead of xsuaa-server in the server-side components section of your manifest file.
- Create a new xsuaa application from scratch and then deploy it on top of XSUAA. The advantage here is that your new app will be compatible with both SAP BTP 1+ and 2+.
- Create an existing Fiori application using xsuaa-server or xsuaa-server-node for server-side components (SC), and then deploy the SC on top of XSUAA.
Create an app with xsuaa
In this blog post, you will learn how to create an app with XSUAA.
XSUAA stands for SAP User Application Access. It is a service that allows users to access and manage their own apps in SAP Business Suite Cloud (BASCC) via a single sign-on (SSO). In short, it gives users the convenience of signing on once and then being able to access all the apps they have created or been assigned via XSUAA.
With these steps, you will have created a secure Fiori app in SAP BTP. You can use this to create your own apps for use in your company as well!