This sample demonstrates how the SAP SaaS Provisioning service can be used to develop a multitenant application in the Kyma runtime. When a user subscribes, the sample app generates a number of dedicated k8s resources for the subscriber's subaccount, with the tenant id appended to each name, including:
- A configured deployment of the App Auth Proxy, based on a generated config map, to authenticate and authorize the user.
- An API rule to access the application, pointing to the app-auth-proxy.
- A configured deployment of nginx, based on a generated config map, which outputs information regarding the subscriber.
- An external path to https://httpbin.org/ which outputs the request headers.
- The related services.
Create the namespace:

```shell
kubectl create namespace saas
```

The XSUAA service instance defines how subscribers authenticate to the sample application. The sample app uses the App Auth Proxy.
- Within the Kyma console open the namespace saas.
- Choose Service Management -> Catalog.
- Choose the service Authorization & Trust Management.
- Choose Add.
- Choose the Plan application.
- Choose Add parameters and provide the following object after adjusting the value of redirect-uris.
- After the instance is created, choose the Credentials tab and choose the option Create Credentials.
```json
{
  "xsappname": "saas-provisioning-demo-app",
  "oauth2-configuration": {
    "redirect-uris": ["https://*.<cluster domain>/oauth/callback"]
  },
  "tenant-mode": "shared",
  "scopes": [
    {
      "name": "$XSAPPNAME.Callback",
      "description": "With this scope set, the callbacks for tenant onboarding, offboarding and getDependencies can be called.",
      "grant-as-authority-to-apps": [
        "$XSAPPNAME(application,sap-provisioning,tenant-onboarding)"
      ]
    },
    {
      "name": "$XSAPPNAME.User",
      "description": "Use the application"
    }
  ],
  "role-templates": [
    {
      "name": "User",
      "description": "User",
      "scope-references": ["$XSAPPNAME.User"]
    }
  ],
  "role-collections": [
    {
      "name": "saas-provisioning-demo-app-User",
      "description": "My SaaS App User",
      "role-template-references": ["$XSAPPNAME.User"]
    }
  ]
}
```
- Choose Service Management -> Catalog.
- Choose the service SaaS Provisioning.
- Choose Add.
- Choose the Plan application.
- Choose Add parameters and provide the following object after adjusting the value of the onSubscription property.
```json
{
  "xsappname": "saas-provisioning-demo-app",
  "displayName": "Kyma SAAS Provisioning Demo",
  "description": "A Kyma SAAS Provisioning Demo Sample App",
  "category": "Kyma Demo",
  "appUrls": {
    "onSubscription": "https://saas-provisioning-demo.<cluster domain>/callback/v1.0/tenants/{tenantId}"
  }
}
```
The sample app is what is called when a user subscribes to your application. It provisions resources based on the config map provided.
When a consumer subscribes to the app, the SaaS Provisioning service presents a JWT when calling the on-subscription endpoint. The Kyma Application Gateway verifies that JWT against the Issuer and JWKS URI defined in apirule.yaml; if these values are not correct for the environment, the subscription fails. Adjust the Issuer and JWKS URI in apirule.yaml, for example:
- Issuer: http://sap-provisioning.localhost:8080/uaa/oauth/token
- JWKS URI: https://sap-provisioning.authentication.us21.hana.ondemand.com/token_keys
Deploy the resources found in the k8s directory into the saas namespace.

The APIRule validates the requests coming from the SaaS Provisioning service and forwards them to the sample app:

```shell
kubectl apply -f ./k8s/apirule.yaml -n saas
```

The config map contains the structure needed to define the subscriber's app. At a minimum you have to adjust the value of domain to match the domain of your Kyma runtime:

```shell
kubectl apply -f ./k8s/config-map.yaml -n saas
```

The sample app deployment:

```shell
kubectl apply -f ./k8s/deployment.yaml -n saas
```

The service account used by the sample app to generate k8s resources:

```shell
kubectl apply -f ./k8s/service-account.yaml -n saas
```
- Bind the XSUAA service instance by first determining the instance name:

  ```shell
  kubectl -n saas get serviceinstances
  ```

- Adjust the value in service-binding.yaml to the XSUAA service instance name and then apply it:

  ```shell
  kubectl apply -f ./k8s/service-binding.yaml -n saas
  ```
- Create another subaccount using the same provider and region as the Kyma runtime containing the SaaS application, and open it.
- Choose the Subscriptions menu option.
- Find and open the Kyma SAAS Provisioning Demo tile.
- Choose Subscribe.
- When the subscription completes...
- Choose Security -> Trust Configuration from the subaccount main menu.
- Choose SAP ID Service.
- Provide your email address and choose Show Assignments.
- Choose Assign Role Collection and choose saas-provisioning-demo-app-User.
- You may have to log out/in for the role assignment to take place.
- Choose the menu option Subscriptions.
- Find and open the Kyma SAAS Provisioning Demo tile.
- Choose the Go to Application link.
- The sample will display
- The app will have the following endpoints:
  - `https://saas-demo-<tenant id>.<cluster domain>/`
  - `https://saas-demo-<tenant id>.<cluster domain>/headers`
  - `https://saas-demo-<tenant id>.<cluster domain>/auth/user`
  - `https://saas-demo-<tenant id>.<cluster domain>/auth/groups`
- Download a kubeconfig from the Kyma runtime and set the environment variable:

  ```shell
  export KUBECONFIG=<file path>
  ```

- Set the environment variables:

  ```shell
  export IDP_clientid='<client id>'
  export IDP_clientsecret='<client secret>'
  export IDP_url='<url>'
  export IDP_identityzone='<identityzone>'
  export IDP_xsappname='<xsappname>'
  ```

- Within the folder cmd/api run:

  ```shell
  go run .
  ```
Send a PUT or DELETE request to `http://localhost:8000/callback/v1.0/tenants/<a tenant id>` containing:

- Header: `Authorization: Bearer <valid JWT containing the saas-provisioning-demo-app****Callback scope for the app>`
- Body, with valid values:

```json
{
  "subscriptionAppName": "",
  "subscriptionAppId": "",
  "subscribedSubaccountId": "",
  "subscribedTenantId": "",
  "subscribedSubdomain": "",
  "globalAccountGUID": "",
  "subscribedLicenseType": "",
  "userId": ""
}
```
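As an added example (not the sample project's own code), these are the checks a handler for the on-subscription callback described above would apply to the request shown here: the JWT must carry the Callback scope (signature verification is left to the APIRule, as the page describes), the tenant id in the path must agree with `subscribedTenantId`, and the tenant id must be a valid DNS-1123 label because it is appended to hostnames and k8s resource names. The function names, the runtime scope form `<xsappname>!t<n>.Callback`, and returning the tenant URL on PUT are assumptions of this example.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"regexp"
	"strings"
)

// Tenant ids become part of hostnames and k8s resource names (saas-demo-<tenant id>), so only a DNS-1123 label is accepted.
var tenantIDRe = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$`)

// scopesFromBearer reads the scope claim; the signature is not checked here because the Kyma APIRule verifies it upstream (Issuer/JWKS URI).
func scopesFromBearer(authHeader string) []string {
	parts := strings.Split(strings.TrimPrefix(authHeader, "Bearer "), ".")
	if len(parts) != 3 {
		return nil
	}
	var claims struct{ Scope []string `json:"scope"` }
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(payload, &claims) != nil {
		return nil
	}
	return claims.Scope
}

// hasCallbackScope accepts "<xsappname>!t<n>.Callback" (assumed runtime form of $XSAPPNAME.Callback); a User scope is rejected.
func hasCallbackScope(scopes []string, xsappname string) bool {
	for _, s := range scopes {
		if strings.HasPrefix(s, xsappname+"!t") && strings.HasSuffix(s, ".Callback") {
			return true
		}
	}
	return false
}

// handleCallback applies the checks for PUT/DELETE /callback/v1.0/tenants/{tenantId} and returns the HTTP status plus, on PUT, the tenant URL (assumed response).
func handleCallback(method, authHeader, tenantID, body, xsappname, domain string) (int, string) {
	if !hasCallbackScope(scopesFromBearer(authHeader), xsappname) {
		return 403, ""
	}
	var p struct{ SubscribedTenantID string `json:"subscribedTenantId"` }
	if json.Unmarshal([]byte(body), &p) != nil || p.SubscribedTenantID != tenantID || !tenantIDRe.MatchString(tenantID) {
		return 400, "" // body and path disagree, or the id is unsafe for a resource name
	}
	if method == "DELETE" {
		return 200, ""
	}
	return 200, "https://saas-demo-" + tenantID + "." + domain
}
```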