
CAP: XSUAA and IAS

kammaje_cis
Active Contributor

I am asking this question in the context of a CAP application.

Obviously even after reading lots of documentation about XSUAA and IAS, I am confused. Apologies for a newbie question here.

It will be great if you can validate my below understanding.

  • XSUAA is a service available on SCP (only on CF) for authentication and authorization management. You can plug in your own Identity Provider (IDP) in SCP. When you deploy the CAP MTA, it creates an instance of the XSUAA service and binds this instance to the app/srv/db applications.
  • IAS is a service available on SCP (both CF and Neo) for authentication and authorization management. You can plug in your own Identity Provider (IDP) in SCP. This service can be used by any app deployed on SCP.

So I am confused on

  • What is the difference between these two services (XSUAA & IAS)?
  • Do I need a subscription of both XSUAA and IAS service once I deploy my CAP app?

Any comments are useful.

Accepted Solutions (1)

matthias_buehl
Explorer

Hi Krishna,

From a technical perspective, the IAS is doing user authentication and issues SAML tokens.

XSUAA not only issues JWT tokens for users, which are needed within CF, but is also used as an OAuth server and issues tokens for the communication between different CF microservices.

Best regards

Matthias

kammaje_cis
Active Contributor
0 Kudos

Thanks, Matthias. That helped.
So if I have to deploy a CAP service to SCP, subscribing to SCP's XSUAA service is mandatory, isn't it?

gregorw
Active Contributor

If you want to have authentication for your app, yes.

But it isn't necessary to have IAS in the game, as you can also directly configure your own SAML2-compatible IdP, i.e. Azure AD or Azure AD B2C, with the SAP CP Cloud Foundry subaccount.

Answers (1)

gregorw
Active Contributor

Dear Krishna,

IAS as an Identity Provider (IdP) does execute the authentication of the user and can provide group membership information and other attributes. For an explanation of XSUAA please check out the Cloud Foundry documentation on User Account and Authentication (UAA) Server.

Best regards
Gregor

kammaje_cis
Active Contributor
0 Kudos

Thanks, Gregor. So you are saying SCP IAS == SAP IDP?

gregorw
Active Contributor

Don't mix it up with SAP ID. SAP ID (https://accounts.sap.com/) is an instance/tenant of SAP CP Identity Authentication Service (IAS). And IAS is acting in the SAML authentication flow as the Identity Provider (IdP).