Illustrating SAP Authorization and Trust Management Service (XSUAA)

The XSUAA service, inside of the SAP BTP, handles the authorization flow between users, identity providers, and the applications or services. The XSUAA service is an internal development from SAP dedicated for the SAP BTP. In the Cloud Foundry project, there is an open-source component called UAA. UAA is an OAuth provider which takes care of authentication and authorization. SAP used the base of UAA and extended it with SAP specific features to be used in SAP BTP.

Learn more about the Cloud Foundry UAA here: https://docs.cloudfoundry.org/concepts/architecture/uaa.html

The XSUAA service takes care of authentication and authorization in SAP BTP, Cloud Foundry to give business users permission through business roles. The XSUAA service does not store users data or user records. The XSUAA service needs a trusted connection to an identity provider. This can be the SAP ID Service or another corporate identity provider which was integrated to the SAP BTP. This can be made via SAP Cloud Identity Services - Identity Authentication Service (IAS). Learn more about SAP's XSUAA service here: https://help.sap.com/docs/CP_AUTHORIZ_TRUST_MNG/ae8e8427ecdf407790d96dad93b5f723/649961f8d4ad463daca33b3a20deba4c.html?locale=en-US and here: https://help.sap.com/docs/BTP/65de2977205c403bbc107264b8eccf4b/2ce1a962c3be48dd8035513b0a2d7397.html?locale=en-US

The XSUAA service acts as the central infrastructure component of the Cloud Foundry environment at SAP BTP for business user authentication and authorization. SAP has enhanced the Cloud Foundry UAA by adding a service broker, multi-tenancy, management API functions, and some minor enhancements. XSUAA uses OAuth to authenticate between several services and connecting to the identity provider.

OAuth is an open standard for applications and websites to handle authorization. OAuth doesn’t share password data, but instead uses authorization tokens to prove an identity between consumers and service providers. It is an authentication protocol that allows you to approve one application interacting with another on your behalf without giving away your password. The tokens used from OAuth are called JWT tokens. JWT (pronounced "jot") is an open standard that defines a compact and self-contained way for securely transmitting information between parties. JWT is widely used in OAuth for securely transmit user information and access rights.

Learn more about OAuth here: https://oauth.net/2/ and more about JWT Tokens here: https://jwt.io/introduction

When a business application consists of several different apps (micro-services), the application router is used to provide a single-entry-point to the business application. Technically, an Application Router is a Node.js based app, available in the public NPM registry. An App Router got started based on a configuration file called xs-app.json. Inside of this file, it is defined which routes are served by this App Router and which XSUAA service instance is bounded to the App Router to handle the authentication requests.

An App Router is used to:

• Serve static content or files
• Authenticate users
• Dispatch request to backend applications (micro-services)

In conclusion: The App Router is forwarding authentication requests to the XSUAA service, routing between the apps or micro-services, and if existing in the project, the App Router is also serving static resources like documents or images in a file system structure.

Learn more about the SAP App Router in the documentation: https://www.npmjs.com/package/@sap/approuter#overview

You can have a look at the security section of the SAP BTP documentation here: https://help.sap.com/docs/BTP/65de2977205c403bbc107264b8eccf4b/e129aa20c78c4a9fb379b9803b02e5f6.html?locale=en-US

You find further learning resources for security with SAP BTP here: https://help.sap.com/learning-journeys/69aca66b45a74a73b4cc0efddd6ae63f

The XSUAA service is the connection between apps and identity providers to ensure security and grant access through roles without storing user data or user records. It uses OAuth to authenticate between several services and for connecting to the identity provider. Besides that, you have the app router which acts as central entry point and bridge between apps, users, and the XSUAA service.