This sample provides details on how a principal propagation flow can be achieved when extending an on-prem system using SAP BTP, Kyma runtime.
The sample can use XSUAA as well as SAP Identity Authentication Service (IAS) as an external identity provider with user federation.

The principal propagation relies on the exchange of the JWT token received in Kyma. The exchanged token is then forwarded to the SAP Cloud Connector and is used to identify the logged-in user.

In the sample flow, a logged-in user fetches their sales data from the on-prem system. Using a standalone SAP application router, an API `sap/com/onprem/mysales` is hosted on the Kyma runtime. This API then calls the on-prem system via the Connectivity Proxy.
- SAP BTP, Kyma runtime instance
- Kubernetes tooling
- Cloud Connector on your laptop or test system
- Node.js: the Node.js runtime including the node package manager NPM. Install an LTS version.
- OpenSSL or another similar tool to generate the certificates
Refer to Configuring Principal Propagation on help.sap.com.

- Configure Trusted Entities in the Cloud Connector.
- Ensure that for Principal Propagation, the Subject Pattern is `CN=${name}`.
- Use the third option: generating a self-signed certificate.
You can run the on-prem backend on your laptop or a test system. For simplicity, use the same system where your SAP Cloud Connector is running.

- Download the CA certificate from the Cloud Connector under the `certs` directory as `ca_cert.der`.
- Convert it to `PEM` format:

  ```shell
  openssl x509 -inform der -in certs/ca_cert.der -out certs/ca_cert.pem
  ```

- Generate a self-signed server key and certificate:

  ```shell
  # Generate a key file
  openssl genrsa -out certs/server_key.pem
  # Generate a Certificate Signing Request (prompts interactively for the subject fields)
  openssl req -new -key certs/server_key.pem -out certs/server_csr.pem
  # Generate the certificate by signing it with the key
  openssl x509 -req -days 9999 -in certs/server_csr.pem -signkey certs/server_key.pem -out certs/server_cert.pem
  ```

- Update the mock sales data in `on-prem-backend/sales.json` to provide your `{logged-in-user-email}`.
- Run the app locally:

  ```shell
  # go to the nodejs project
  cd on-prem-backend
  # install dependencies if not done earlier
  npm install
  # start the application locally over HTTPS
  # (the variable is set on the npm command itself so the node process sees it;
  # `HTTPS=true && npm start` would only set an unexported shell variable)
  HTTPS=true npm start
  ```

- Configure the on-prem-backend in the Cloud Connector as a virtual host.
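The certificate steps above fit together as follows. The script is an added example and is not part of the sample project: it builds, in a throwaway directory, the trust relationship the on-prem backend relies on during principal propagation. A constructed CA stands in for the Cloud Connector's CA (the README's `certs/ca_cert.der`), and a certificate with subject `CN=<user>` stands in for the short-lived certificate the Cloud Connector issues under the `CN=${name}` Subject Pattern. The user name `alice@example.com` and the `Constructed Cloud Connector CA` name are made up for the example; in the real flow the Cloud Connector issues that certificate, and the backend only performs the verify-then-read-CN part.

```shell
#!/bin/sh
# Added example, not part of the sample project. It rebuilds, in a throwaway
# directory, the trust relationship the on-prem backend depends on during
# principal propagation:
#   - a constructed CA stands in for the Cloud Connector's CA (ca_cert.der),
#   - a short-lived certificate with subject CN=<user> stands in for the one
#     the Cloud Connector issues under the Subject Pattern CN=${name}.
# The backend trusts the CA, verifies the presented certificate against it,
# and only then reads the CN as the logged-in user.
set -e

# Constructed stand-in for the Cloud Connector CA, exported as DER like the
# README's certs/ca_cert.der. $1 = working directory.
make_ca() {
  mkdir -p "$1/certs"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Constructed Cloud Connector CA" \
    -keyout "$1/certs/ca_key.pem" -out "$1/certs/ca_cert.pem" 2>/dev/null
  openssl x509 -in "$1/certs/ca_cert.pem" -outform der -out "$1/certs/ca_cert.der"
}

# The README's conversion step: DER in ($1), PEM out ($2); Node.js loads PEM only.
der_to_pem() {
  openssl x509 -inform der -in "$1" -out "$2"
}

# Issue the user certificate: subject is exactly CN=<name>, signed by the CA.
# $1 = working dir, $2 = user name (the email the backend looks up in sales.json).
issue_user_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/certs/user_key.pem" -out "$1/certs/user_csr.pem" 2>/dev/null
  openssl x509 -req -days 1 -in "$1/certs/user_csr.pem" \
    -CA "$1/certs/ca_cert.pem" -CAkey "$1/certs/ca_key.pem" -CAcreateserial \
    -out "$1/certs/user_cert.pem" 2>/dev/null
}

# Defender's check: does the certificate ($2) chain to the trusted CA ($1)?
# Succeeds only on a verified chain. The "OK" verdict is grepped rather than
# relying on the exit code, which OpenSSL 1.0.x left at 0 even on failure.
verify_against_ca() {
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# The identity the backend acts on: the CN of a (previously verified) certificate.
cert_cn() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
    | sed 's/^subject= *//; s/.*CN=\([^,]*\).*/\1/'
}

# End-to-end walkthrough; run with:  sh principal_prop_demo.sh demo
demo() {
  work=$(mktemp -d)
  make_ca "$work"
  der_to_pem "$work/certs/ca_cert.der" "$work/certs/ca_trust.pem"
  issue_user_cert "$work" "alice@example.com"   # constructed user name
  if verify_against_ca "$work/certs/ca_trust.pem" "$work/certs/user_cert.pem"; then
    echo "trusted principal: $(cert_cn "$work/certs/user_cert.pem")"
  else
    echo "certificate not issued by the trusted CA; rejecting" >&2
  fi
  rm -rf "$work"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

The order of the last two functions is the point: the CN is only meaningful after `verify_against_ca` has succeeded against the PEM converted from the Cloud Connector's `ca_cert.der`, which is why that conversion step exists in the setup.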
- Set up environment variables:

  ```shell
  export NS={your-namespace}
  # only required once to enable the istio sidecar. Ignore if done already
  kubectl label namespaces $NS istio-injection=enabled
  ```

- Create a Connectivity Service instance in any namespace.
  Note: Only one instance is required for the cluster. If you have deployed it previously, simply skip this step.
- Create an xsuaa instance. Update `app-router/k8s/xsuaa-instance.yaml` to provide `{your-cluster-domain}`:

  ```shell
  kubectl -n $NS apply -f app-router/k8s/xsuaa-instance.yaml
  ```

- Create a Destination Service instance:

  ```shell
  kubectl -n $NS apply -f app-router/k8s/destination-instance.yaml
  ```

- For the application router to automatically exchange the token using the destination configuration, it needs to be provided with the necessary credentials as well as the details of the connectivity proxy running inside the Kyma cluster.
- Create the configmap containing connection details about the connectivity-proxy running inside the Kyma runtime:

  ```shell
  kubectl -n $NS apply -f app-router/k8s/connectivity-proxy-info.yaml
  ```

- Create the configuration required for the application router:

  ```shell
  kubectl -n $NS apply -f app-router/k8s/config.yaml
  ```

- Deploy the application router. Update `app-router/k8s/deployment.yaml` to provide `{your-cluster-domain}`:

  ```shell
  kubectl -n $NS apply -f app-router/k8s/deployment.yaml
  ```

- Expose it over the internet using an API Rule:

  ```shell
  kubectl -n $NS apply -f app-router/k8s/api-rule.yaml
  ```

Access the sales data for the logged-in user at `https://principal-prop-on-prem.{your-cluster-domain}/sap/com/onprem/mysales`.