on 2025 Feb 18 9:48 AM
Hi experts,
I am trying to update an existing Kyma runtime to use SAP Cloud Identity Services as a custom identity provider.
I followed the blog "Configure Custom SAP IAS tenant with SAP BTP Kyma runtime environment".
So, I created a new namespace in my Kyma environment. There I created a service instance using the offering name "identity" and plan name "application" with the following parameters:

```yaml
assertion-attributes:
  email: mail
  first_name: firstName
  groups: companyGroups
  last_name: lastName
  locale: language
  login_name: loginName
  mail: mail
  scope: companyGroups
  user_uuid: userUuid
default-attributes: {}
display-name: Kyma runtime
home-url: https://api.#######.kyma.ondemand.com
name: ias-kyma-#######
oauth2-configuration:
  grant-types:
    - authorization_code
    - authorization_code_pkce_s256
  public-client: true
  redirect-uris:
    - https://dashboard.kyma.cloud.sap
    - http://localhost:8000
  token-policy:
    access-token-format: default
    refresh-parallel: 3
    token-validity: 3600
subject-name-identifier:
  attribute: mail
  fallback-attribute: none
user-access: internal
```

Based on this service instance I created a service binding called "skr-ias-binding" with the secret name "skr-ias-binding-secret" and the following parameters:
```json
{
  "credential-type": "NONE"
}
```

Once the service binding was provisioned I copied the ClientId and Url from the secret and updated the Kyma runtime using the following JSON:
```json
{
  "oidc": {
    "issuerURL": "https://ouriastenant.accounts.ondemand.com",
    "clientID": "########-####-####-####-############",
    "usernameClaim": "sub",
    "groupsClaim": "groups",
    "signingAlgs": [
      "RS256"
    ],
    "usernamePrefix": "-"
  },
  "administrators": [
    "user1@mycompany.com",
    "user2@mycompany.com"
  ]
}
```

The Kyma runtime was updated successfully, and when I launch the dashboard I am also asked to log in with my IAS user.
However, after login I see the following error:
When I check the network trace in the browser's developer tools, I see a lot of HTTP 401 errors telling me I'm not authorized. But when I decode the Bearer token attached to the requests, I can see all my user details. The "sub" attribute of the Bearer token contains my email, which is also configured as an administrator of the Kyma environment.
Within the IAS admin console I can see the new application. From the configuration it looks good, as also described in SAP Help:

- Redirect URIs are set to "https://dashboard.kyma.cloud.sap" and "http://localhost:8000"
- The grant types "Authorization code" and "Enforce PKCE" are checked (but no other grant type)
- Public Client is enabled
Did I miss a step?
Regards,
René
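As an added diagnostic example (not part of the original post, and not SAP or Kyma tooling): the script below decodes an ID token offline and runs the same checks a kube-apiserver OIDC authenticator applies before it accepts a bearer token, namely the `iss` claim against `issuerURL`, the `aud` claim against `clientID`, the JOSE `alg` against `signingAlgs`, expiry, and the username claim with the prefix rule (`usernamePrefix: "-"` means no prefix; an empty prefix makes the API server prepend `<issuer>#` unless the claim is `email`). The config mirrors the post's `oidc` block; the issuer, client ID, administrator list and the token payload are constructed placeholders. Signature verification against the issuer's JWKS is deliberately omitted, so this only tells you which claim mapping the runtime would see, not whether the token is genuine.

```python
"""Offline check of an OIDC ID token against a Kyma-style "oidc" config.

Added example, not from the original post. Issuer, clientID, administrators
and the token payload below are constructed placeholders.
"""
import base64
import json
import time

# Mirrors the "oidc" block of the runtime update JSON (placeholder values).
OIDC_CONFIG = {
    "issuerURL": "https://ouriastenant.accounts.ondemand.com",
    "clientID": "00000000-0000-0000-0000-000000000000",
    "usernameClaim": "sub",
    "groupsClaim": "groups",
    "signingAlgs": ["RS256"],
    "usernamePrefix": "-",
}
ADMINISTRATORS = ["user1@mycompany.com", "user2@mycompany.com"]


def b64url_encode(data: bytes) -> str:
    """base64url without padding, as used by compact JWS."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the padding that compact JWS strips before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_constructed_token(header: dict, payload: dict) -> str:
    """Build a compact JWS with a dummy signature, for offline testing only."""
    return ".".join([
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        b64url_encode(b"constructed-signature"),
    ])


def decode_jwt_unverified(token: str) -> tuple[dict, dict]:
    """Split a compact JWS and decode header and payload WITHOUT verifying
    the signature. Diagnostic only; never grant access on this basis."""
    header_b64, payload_b64, _signature = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def effective_username(claims: dict, cfg: dict):
    """Apply the kube-apiserver --oidc-username-prefix rule to the username claim."""
    raw = claims.get(cfg["usernameClaim"])
    if raw is None:
        return None
    prefix = cfg.get("usernamePrefix", "")
    if prefix == "-":            # "-" disables prefixing entirely
        return raw
    if prefix == "" and cfg["usernameClaim"] != "email":
        return f"{cfg['issuerURL']}#{raw}"  # default prefix to avoid clashes
    return prefix + raw


def check_token(token: str, cfg: dict, admins: list, now: float = None) -> dict:
    """Return the individual findings an OIDC authenticator would base its decision on."""
    now = time.time() if now is None else now
    header, claims = decode_jwt_unverified(token)
    aud = claims.get("aud", [])
    if isinstance(aud, str):     # RFC 7519 allows a single string or an array
        aud = [aud]
    user = effective_username(claims, cfg)
    return {
        "alg_allowed": header.get("alg") in cfg["signingAlgs"],
        "issuer_matches": claims.get("iss") == cfg["issuerURL"],
        "audience_matches": cfg["clientID"] in aud,
        "not_expired": claims.get("exp", 0) > now,
        "username": user,
        "groups": claims.get(cfg["groupsClaim"]),
        "is_administrator": user in admins,
    }


if __name__ == "__main__":
    # Constructed sample: a token that would pass every check as user1.
    token = make_constructed_token(
        {"alg": "RS256", "kid": "constructed-kid", "typ": "JWT"},
        {"iss": OIDC_CONFIG["issuerURL"], "aud": OIDC_CONFIG["clientID"],
         "sub": "user1@mycompany.com", "exp": 2_000_000_000},
    )
    for name, value in check_token(token, OIDC_CONFIG, ADMINISTRATORS).items():
        print(f"{name:18} {value}")
```

To use it on a real token, paste the Bearer value from the browser's network trace into `check_token` with the runtime's actual `issuerURL` and `clientID`; any finding that comes back `False`, or a `username` that is not in `administrators`, is a mismatch between the token and the runtime's OIDC configuration worth looking at before anything else.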