Mar 31, 2021 at 12:54 PM

Multitenant Authentication of UAA Admin APIs

825 Views Last edit Jun 25, 2021 at 08:41 AM 2 rev

Hello Everyone,

I'm trying to make use of the SAP Authorization and Trust Management APIs in a multitenant context. My primary goal is to make use of these APIs within the context of a subscribed tenant subaccount to automate the setup of default role collections and ideally the Identity Provider.

The issue I'm having is related to establishing authentication in the tenant context. These instructions, Access UAA Admin APIs, demonstrate how to access the API for a specific subaccount that has CF enabled. The enablement of CF is important because the documentation states that a new instance of the xsuaa service with plan apiaccess is required. This service instance allows you to generate a service key with the credentials necessary to establish authentication to the relevant APIs.

As a general pattern in multitenant apps, though, you only have CF enabled in the provider subaccount, while all tenant subscriber subaccounts leave CF inactive. I've discovered that it is possible to create service instances of xsuaa in non-CF accounts, but the plan apiaccess is inaccessible, so this is a dead end.

Given the limitations I've run into, I believe this needs to be controlled entirely by the service instance in the provider account. To do this, I tried to make this service instance available via the getDependencies mechanism, as described here: Understanding Dependencies in SaaS Provisioning. This approach has suited me well for other shared services like destinations and themes, so I thought this might work.

Unfortunately, even after adjusting the dependencies I was still getting failures. The specific mechanism by which this usually works is that, in the credentials you get from the service key, you simply swap the tenant subdomain for your main subdomain.

So, if the service key looks like this:

{
  "apiurl": "",
  "clientid": "aa-bb-cccc11c1-d222-333e-44f4-g5g55ggg555g!a6666",
  "clientsecret": "aA1B2CcCCC3dDd+ee444fFF5ggG=",
  "identityzone": "my-subdomain",
  "identityzoneid": "a11aaaa1-22b2-33c3-dd44-5555f5555f55",
  "sburl": "",
  "tenantid": "a11aaaa1-22b2-33c3-dd44-5555f5555f55",
  "tenantmode": "dedicated",
  "uaadomain": "",
  "url": "",
  "verificationkey": "-----BEGIN PUBLIC KEY-----sadklfjdsaflja...-----END PUBLIC KEY-----",
  "xsappname": "aa-bbbb11b1-c222-333d-44e4-f5f55fff555f!a6666"
}

Instead of getting your token here:

To get it in a tenant context you'd get it here:

What I'm seeing so far is that the normal token retrieval works fine, but the tenant-specific one fails, even after doing the changes via getDependencies.

Does anyone know if what I'm trying to achieve is even possible and if so, how can it be achieved? I appreciate all responses. We also recently received access to Feature Set B so I'm not sure if that's relevant to this question or not.
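The subdomain swap the question describes, written out as an added example (this is not code from the original post or from SAP). It assumes the usual xsuaa URL shape https://<subdomain>.authentication.<region>.hana.ondemand.com and the standard /oauth/token endpoint with the client_credentials grant; the service key embedded below is constructed dummy data shaped like the one in the post, with an assumed `url`. The `tenantmode` check reflects the xsuaa requirement that an instance serving subscriber tenants be created with tenant mode `shared`; an instance in mode `dedicated` only answers for its own identity zone, so the helper refuses the swap early instead of producing a request that the token endpoint will reject.

```python
"""Build the tenant-specific UAA token request from an xsuaa service key.

Added example, not part of the original post. Assumptions: the xsuaa URL
shape https://<subdomain>.authentication.<region>.hana.ondemand.com and the
standard /oauth/token endpoint. SAMPLE_SERVICE_KEY is constructed dummy data.
"""
import base64
import json
import urllib.parse
import urllib.request

# Constructed sample key; the "url" host is an assumed example, not a real instance.
SAMPLE_SERVICE_KEY = {
    "clientid": "aa-bb-cccc11c1-d222-333e-44f4-g5g55ggg555g!a6666",
    "clientsecret": "aA1B2CcCCC3dDd+ee444fFF5ggG=",
    "identityzone": "my-subdomain",
    "tenantmode": "shared",
    "url": "https://my-subdomain.authentication.eu10.hana.ondemand.com",
}


def tenant_token_url(service_key, tenant_subdomain=None):
    """Return the /oauth/token URL, swapping in the subscriber's subdomain.

    With tenant_subdomain=None the provider's own URL is returned unchanged.
    The swap only works for an instance in tenant mode "shared"; a "dedicated"
    instance serves a single identity zone, so we fail early in that case.
    """
    parts = urllib.parse.urlsplit(service_key["url"])
    host = parts.hostname
    if tenant_subdomain is not None:
        if service_key.get("tenantmode") != "shared":
            raise ValueError("tenant subdomain swap needs tenantmode 'shared'")
        prefix = service_key["identityzone"] + "."
        if not host.startswith(prefix):
            raise ValueError("url host does not start with identityzone %r"
                             % service_key["identityzone"])
        host = tenant_subdomain + "." + host[len(prefix):]
    return urllib.parse.urlunsplit((parts.scheme, host, "/oauth/token", "", ""))


def build_token_request(service_key, tenant_subdomain=None):
    """Build the client_credentials POST; the secret travels only in the Basic header."""
    url = tenant_token_url(service_key, tenant_subdomain)
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    creds = "%s:%s" % (service_key["clientid"], service_key["clientsecret"])
    headers = {
        "Authorization": "Basic " + base64.b64encode(creds.encode()).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def fetch_token(service_key, tenant_subdomain=None, timeout=10):
    """Send the request and return the parsed token response (needs network access)."""
    req = build_token_request(service_key, tenant_subdomain)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Provider-context URL versus a subscriber-context URL for subdomain "acme".
    print(tenant_token_url(SAMPLE_SERVICE_KEY))
    print(tenant_token_url(SAMPLE_SERVICE_KEY, "acme"))
```

Comparing the two URLs printed by the block against the request that fails in practice is the quickest way to see whether the swap itself is wrong (host shape, subdomain) or whether the instance simply does not serve the tenant's identity zone.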