SAP BTP Security - IDP XSUAA JWT

SAP BTP Security

basic concepts:

  1. Identity Provider (IdP)
  2. XSUAA
  3. OAuth
  4. Application Router
  5. Authentication and Authorization Implementation etc.
  1. Identity Provider (IdP)
    Applications in SAP BTP do not store user information. Instead, they redirect authentication to an Identity Provider, which decouples and centralizes the authentication function.
    In SAP BTP, there are 2 options for Identity Provider – SAP ID Service and SAP Cloud Identity Authentication service (IAS).

1.1 SAP ID Service
SAP ID Service is the default identity provider in SAP BTP. It is a pre-configured, standard SAP public IdP (account.sap.com) that is shared by all customers.

1.2 SAP Cloud Identity Authentication service (IAS)
For many customers, business users might be stored in corporate identity providers. SAP recommends using SAP Cloud Identity Services – Identity Authentication Service (IAS) as a hub.
We can connect IAS as a single custom identity provider to SAP BTP and then use IAS to integrate with the corporate identity providers.

2. XSUAA - SAP Authorization and Trust Management Service

What is XSUAA?
SAP XSUAA is an internal development of SAP.

In Cloud Foundry, there is an open-source component called UAA. UAA is an OAuth provider which takes care of authentication and authorization. SAP took UAA as the base and extended it with SAP-specific features for use in SAP BTP. Technically, XSUAA is an OAuth server and uses JWT tokens.

XSUAA takes care of authentication and authorization in SAP BTP, Cloud Foundry.

XSUAA does NOT store user data. This is why XSUAA needs to trust an external Identity Provider (IdP). It can establish trust either with SAP ID Service or with a Corporate Identity Provider via SAP Identity Authentication Service (IAS).

  4. Application Router
    When a business application consists of several different apps (microservices), the application router is used to provide a single-entry-point to the business application.
    Technically, Application Router is a Node.js App.

App Router is used to:
Serve static content
Authenticate users
Dispatch requests to backend applications (microservices)

App Router delegates the authentication responsibility to XSUAA.

Call flow:
a. The user requests a resource from the application. The App Router receives the incoming request.
b. Since the user is not authenticated, the App Router initiates an OAuth2 flow with XSUAA.
c. XSUAA forwards the request to the Identity Provider to make the business user authenticate.
d. The IdP prompts the user to authenticate, for example by entering a username and password.
e. The user authenticates.
f. If the authentication was successful, the Identity Provider sends a SAML token to the user (web browser).
g. The web browser sends this new SAML token to XSUAA for authentication.
h. XSUAA considers this request authenticated and generates an OAuth token, which is technically a JWT.
i. The App Router enriches each subsequent request with the JWT before the request is routed to the dedicated application. The application verifies the JWT and sends the requested resource to the user.
