Cloud Foundry, UAA, and XSUAA | Migrating from the...
Developing Secure Applications on the SAP Cloud Platform
In this blog series, we explore developing secure applications in a multi-cloud Cloud Foundry environment. In this blog, we cover concepts, background, and additional information.
Introduction
In this first video of the series, we provide an introduction to the topic and cover SAP Cloud Platform security, Cloud Foundry security, and the UAA and XSUAA services.
SAP Cloud Platform and Cloud Foundry
Discovery Center
The SAP Cloud Platform Discovery Center lists close to 100 services, some small like Alert Notification, some large like SAP HANA Cloud, SAP Data Intelligence, or CI/CD. Each service shares security considerations common to the platform but also has security requirements specific to the service. In this blog we will zoom in on application security as provided by the following services:
The SAP Cloud Platform Discovery Center lists the features and service plans for the service with links to resources, tutorials, and support information.
Application Runtime Security
Although Cloud Foundry supports a large selection of development languages (buildpacks) including Go and .NET Core, for the SAP Cloud Platform the focus is on Java, Node.js, Python, and HTML5/SAPUI5. How to develop applications for these languages is extensively documented in the section Development in the Cloud Foundry Environment of the SAP Cloud Platform guide.
Regardless of the development language and runtime used, all share a common authentication and authorisation service called UAA, short for User Account and Authentication.
Platform Security
Cloud Foundry as a platform also has its own security requirements. Think of secure communications inside the Cloud Foundry vLAN, connectivity with external services, and the deployment and the containers themselves.
From the perspective of an application developer on the SAP Cloud Platform, however, these security concerns are the responsibility of the cloud service provider which, depending on where you have created your subaccount, will either be AWS, Azure, Google Cloud, or Alibaba (with SAP responsible for wiring it all together). For more information about Diego Brains, BOSH Directors, and jump boxes, see Security and Networking (Cloud Foundry).
SAP HANA XS Advanced
SAP HANA XS advanced model is a Cloud Foundry "distribution" specifically tailored to the SAP HANA platform. Although this environment is quite distinct from Cloud Foundry as hosted by the public cloud providers, we do encounter some similarities when we consider the security requirements of the platform as documented in the SAP HANA Security Guide: Security for SAP HANA Extended Application Services, Advanced Model.
The default IdP for XS advanced is the SAP HANA database, leveraging built-in database user management and XSA-specific authorisations (scopes, attributes, roles). On the SAP Cloud Platform, the default IdP is the SAP ID Service.
CF Local
In case you are interested in setting up your own Cloud Foundry environment, see Deploying Cloud Foundry with cf-deployment about the steps to deploy the platform using BOSH.
If your computer is powerful enough, you can even consider running Cloud Foundry locally. See the Tanzu (VMware) CF Local project for instructions. The previous implementation, CF Dev, is still available on GitHub but appears to have been discontinued.
The User Account and Authentication (UAA) service provides role-based access control (RBAC) for both internal services and user-facing applications. Although the UAA can use an internal identity store (e.g. MySQL or SAP HANA), typically an external identity provider (IdP) is used.
The SAP Cloud Platform uses the SAP ID Service as IdP for RBAC to the platform. For business applications hosted in the Cloud Foundry environment we can leverage the same IdP but also configure alternatives. For this we use the Authorization and Trust Management service.
OAuth and JWT
UAA is an OAuth2 provider: it issues JSON Web Tokens (JWT) that allow client applications to act on behalf of Cloud Foundry users.
This is illustrated below in four steps:
1. The app developer executes a cf login command in the CF CLI (command-line interface).
2. The CF CLI makes a RESTful API call (HTTP POST) to the UAA for validation.
3. The UAA returns a token.
4. The CF CLI uses the token for each subsequent request (until expiration).
The example shows the cf apps command to the CF Controller, but this could be any API call. Instead of cf login we could also present the user with a web page similar to the one below to request credentials. The key ingredient is that the client application (CF CLI) makes API calls with tokens and not with your credentials.
The get-token flow is just one of several OAuth flows, including one involving the OpenID Connect (OIDC) protocol for authentication. Typically a token also includes a scope to control the actions the app can perform on your behalf. Below is an illustration of the OAuth grant flow between the client (application router), the resource server (application service), the authorization server (XSUAA), and the resource owner (you).
For more detailed information about how the UAA works, see
The login page displayed provides self-service account creation and password reset functionality. The UAA itself is a Java application and, like all Cloud Foundry components, open source. You can deploy it locally and adapt it as required:
For applications deployed on the Cloud Foundry environment of SAP Cloud Platform, SAP proposes the business application pattern, consisting of multiple microservices each deployed as a separate application. The diagram below illustrates the architecture, with the XSUAA managing security.
XSUAA is short for extended services for UAA. The name sounds similar to SAP HANA extended services (XS) but is not necessarily related, as SAP HANA XS also refers to the classic model, which has no relation to Cloud Foundry at all.
In brief, we have:
CFUAA: Cloud Foundry open source Java app
Platform UAA: deployed to the SAP Cloud platform
XSUAA: CFUAA extension as tenant service for a business app
For the details, see the SAP Cloud Platform documentation
Before we can create an instance of the XSUAA service, we first need to enable the service for our account. The XSUAA service is available on the Cloud Foundry Service Marketplace and provides four service plans. The documentation link references the SAP Cloud Platform guide, where we find the concepts explained, tutorials (see below), and information on how to work with the service (development and administration).
To get a grip on the matter, the XSUAA documentation references two tutorials on the SAP Developer Center, for Node.js and Java (using the SAP Cloud SDK).
OAuth grant flows in a microservices environment can get complex. Should things not proceed as expected, consult the troubleshooting section of the SAP Cloud Platform guide: