Explaining SAP Authorization and Trust Management Service (XSUAA)

Objectives
After completing this lesson, you will be able to:
  • Describe SAP Authorization and Trust Management Service (XSUAA)

SAP Authorization and Trust Management Service (XSUAA)

XSUAA: Overview

The XSUAA service inside SAP BTP handles the authorization flow between users, identity providers, and the applications or services. XSUAA is an internal SAP development dedicated to SAP BTP. The Cloud Foundry project contains an open-source component called UAA, an OAuth provider that takes care of authentication and authorization. SAP took UAA as the base and extended it with SAP-specific features for use in SAP BTP.

Learn more about the Cloud Foundry UAA here: https://docs.cloudfoundry.org/concepts/architecture/uaa.html

The XSUAA service takes care of authentication and authorization in SAP BTP, Cloud Foundry, and grants business users permissions through business roles. The XSUAA service does not store user data or user records itself; it needs a trusted connection to an identity provider. This can be the SAP ID Service or a corporate identity provider that has been integrated with SAP BTP, for example via SAP Cloud Identity Services - Identity Authentication Service (IAS). Learn more about SAP's XSUAA service here: https://help.sap.com/docs/CP_AUTHORIZ_TRUST_MNG/ae8e8427ecdf407790d96dad93b5f723/649961f8d4ad463daca33b3a20deba4c.html?locale=en-US and here: https://help.sap.com/docs/BTP/65de2977205c403bbc107264b8eccf4b/2ce1a962c3be48dd8035513b0a2d7397.html?locale=en-US

The XSUAA service acts as the central infrastructure component of the Cloud Foundry environment on SAP BTP for business user authentication and authorization. SAP has enhanced the Cloud Foundry UAA by adding a service broker, multi-tenancy, management API functions, and some minor enhancements. XSUAA uses OAuth both to authenticate between services and to connect to the identity provider.
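The business roles XSUAA grants are declared by the application in its security descriptor (xs-security.json), which is passed to the service broker when the XSUAA instance is created. The following descriptor is an added illustration, not taken from the course or from any SAP sample; the application name, scope names and redirect URI are assumed values. It declares two scopes, groups them into role templates, and publishes a role collection that an administrator can assign to users; the redirect-uris entry restricts where XSUAA may send tokens after login.

```json
{
  "xsappname": "orders-app",
  "tenant-mode": "dedicated",
  "description": "Added example descriptor; names are assumed, not from the course",
  "scopes": [
    { "name": "$XSAPPNAME.Display", "description": "Read orders" },
    { "name": "$XSAPPNAME.Edit", "description": "Create and change orders" }
  ],
  "role-templates": [
    {
      "name": "OrderViewer",
      "description": "Read-only access to orders",
      "scope-references": ["$XSAPPNAME.Display"]
    },
    {
      "name": "OrderManager",
      "description": "Read and write access to orders",
      "scope-references": ["$XSAPPNAME.Display", "$XSAPPNAME.Edit"]
    }
  ],
  "role-collections": [
    {
      "name": "OrderManagement",
      "description": "Assign to users who maintain orders",
      "role-template-references": ["$XSAPPNAME.OrderManager"]
    }
  ],
  "oauth2-configuration": {
    "redirect-uris": ["https://*.cfapps.eu10.hana.ondemand.com/**"]
  }
}
```

Scope names are prefixed at deployment with the xsappname and a tenant-specific suffix, so applications must compare the $XSAPPNAME form rather than hard-coding the final string; keep the redirect-uris pattern as narrow as your landscape allows.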

OAuth is an open standard for applications and websites to handle authorization. OAuth does not share password data but instead uses authorization tokens to prove an identity between consumers and service providers. It allows you to approve one application interacting with another on your behalf without giving away your password. The tokens XSUAA issues through OAuth are JWT tokens. JWT (pronounced "jot") is an open standard that defines a compact and self-contained way for securely transmitting information between parties. JWT is widely used in OAuth to securely transmit user information and access rights.

Learn more about OAuth here: https://oauth.net/2/ and more about JWT Tokens here: https://jwt.io/introduction

App Router

When a business application consists of several different apps (micro-services), the application router is used to provide a single entry point to the business application. Technically, an Application Router is a Node.js based app, available in the public NPM registry. An App Router is started based on a configuration file called xs-app.json. This file defines which routes are served by the App Router and which XSUAA service instance is bound to it to handle the authentication requests.

An App Router is used to:

  • Serve static content or files
  • Authenticate users
  • Dispatch requests to back-end applications (micro-services)

In short: the App Router forwards authentication requests to the XSUAA service, routes between the apps or micro-services, and, if the project has any, also serves static resources such as documents or images from a file system structure.
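The routing and authentication behaviour described above is driven entirely by xs-app.json. The file below is an added example written for this lesson, not the course's own configuration; the destination name, paths and scope names are assumed. It shows a public static route with no authentication, a UI route that requires a login, and an API route that additionally requires a scope, with a stricter scope for anything other than GET.

```json
{
  "welcomeFile": "/index.html",
  "authenticationMethod": "route",
  "logout": {
    "logoutEndpoint": "/do/logout"
  },
  "routes": [
    {
      "source": "^/public/(.*)$",
      "localDir": "public",
      "authenticationType": "none"
    },
    {
      "source": "^/api/orders/(.*)$",
      "target": "/orders/$1",
      "destination": "orders-backend",
      "authenticationType": "xsuaa",
      "csrfProtection": true,
      "scope": {
        "GET": ["$XSAPPNAME.Display"],
        "default": ["$XSAPPNAME.Edit"]
      }
    },
    {
      "source": "^/(.*)$",
      "localDir": "webapp",
      "authenticationType": "xsuaa"
    }
  ]
}
```

Routes are matched top to bottom, so the catch-all "^/(.*)$" must stay last; "authenticationMethod": "route" means every route decides its own authenticationType, and a route that omits it inherits the xsuaa default rather than becoming public.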

Learn more about the SAP App Router in the documentation: https://www.npmjs.com/package/@sap/approuter#overview

Key takeaways of this unit

SAP BTP has built-in functionality for managing roles and role collections and assigning them to platform or application users. When you want to use an identity provisioning or identity authentication service other than the default SAP ID, you can use other identity providers such as the Identity Provisioning service. These identity services can also serve other use cases; for example, you can have one central identity provisioning and authentication service for both your platform and your application (PaaS and SaaS). Platform users inside SAP BTP need to be managed and assigned at the architecture level with global accounts, directories, subaccounts, and spaces. Services and applications running on SAP BTP also ensure security, authorization, and authentication through the platform capabilities. The XSUAA service is the connection between apps and identity providers that ensures security and grants access through roles. An App Router acts as the central entry point and bridge between apps, users, and the XSUAA service.

You can have a look at the security section of the SAP BTP documentation here: https://help.sap.com/docs/BTP/65de2977205c403bbc107264b8eccf4b/e129aa20c78c4a9fb379b9803b02e5f6.html?locale=en-US

You find further learning resources for security with SAP BTP here: https://help.sap.com/learning-journeys/69aca66b45a74a73b4cc0efddd6ae63f