Prepare your sample for deploying on Cloud Foundry: Prerequisite-for-sample.
- Create `ias-config.json` file in your project root folder with the following content and replace the `<unique-id>` with a unique value to identify your IAS app in IAS Tenant:

  ```json
  {
    "authorization": {
      "enabled": true
    },
    "provided-apis": [
      {
        "name": "incidents-api",
        "description": "api exposed by incident mgmt app"
      }
    ],
    "display-name": "incident-ias-<unique-id>"
  }
  ```
- Check if the following dependencies and dev dependencies have been added to the `package.json`:

  ```json
  {
    ...
    "dependencies": {
      "@sap/ams": "^1.14.2",
      "@sap/cds": "^7.0",
      "@sap/xssec": "^3.3.5",
      "hdb": "^0.19.0",
      "passport": "^0"
    },
    "devDependencies": {
      "@sap/ams-dev": "^0.8.3"
    },
    ...
  }
  ```
- Change the `auth.kind` to `ias` in `package.json` for the production profile:

  ```json
  {
    ...
    "cds": {
      "requires": {
        "[production]": {
          ...
          "auth": {
            "kind": "ias"
            ...
          }
        }
      }
    }
  }
  ```
- Update the `mta.yaml` with the following content:
  - Change the dependency `incident-management-auth` in `resources` from `xsuaa` service instance:

    ```yaml
    - name: incident-management-auth
      type: org.cloudfoundry.managed-service
      parameters:
        config:
          tenant-mode: dedicated
          xsappname: incidents-${org}-${space}
        path: ./xs-security.json
        service: xsuaa
        service-plan: application
    ```

    To `ias` service instance:

    ```yaml
    - name: incident-management-auth
      parameters:
        path: ./ias-config.json
        service-plan: application
        service: identity
      type: org.cloudfoundry.managed-service
    ```
  - Add the following configurations to the `incident-management-srv` module:
    - Change `incident-management-auth` service binding with `incident-management-srv` to:

      ```yaml
      - name: incidents-management-srv
        type: nodejs
        path: gen/srv
        requires:
          - name: incident-management-auth
            parameters:
              config:
                credential-type: "X509_GENERATED"
      ```
    - Update your buildpacks section by adding OPA buildpack:

      ```yaml
      parameters:
        buildpacks:
          - https://github.com/SAP/cloud-authorization-buildpack/releases/latest/download/opa_buildpack.zip
          - nodejs_buildpack
      ```
    - Add `AMS_DCL_ROOT` to `properties` section:

      ```yaml
      properties:
        AMS_DCL_ROOT: "ams/dcl"
      ```
  - Delete `incident-management-auth` binding from `incident-management-destination-content`:

    ```yaml
    - name: incident-management-auth
      parameters:
        service-key:
          name: incident-management-auth-key
    ```
  - Delete `incidents_incident_management_auth` destination from `incident-management-destination-content`:

    ```yaml
    - Authentication: OAuth2UserTokenExchange
      Name: incidents_incident_management_auth
      ServiceKeyName: incident-management-auth-key
      sap.cloud.service: incidents
    ```
    Check if the module `incident-management-destination-content` in `mta.yaml` looks like this:

    ```yaml
    - name: incident-management-destination-content
      type: com.sap.application.content
      requires:
        - name: incident-management-destination-service
          parameters:
            content-target: true
        - name: incident-management_html_repo_host
          parameters:
            service-key:
              name: incident-management_html_repo_host-key
      parameters:
        content:
          instance:
            destinations:
              - Name: incidents_incidents_management_html_repo_host
                ServiceInstanceName: incident-management-html5-app-host-service
                ServiceKeyName: incident-management_html_repo_host-key
                sap.cloud.service: incidents
            existing_destinations_policy: ignore
      build-parameters:
        no-source: true
    ```
  - Update `incident-management-srv-api` in `incident-management-destination-service`:
    - Add `HTML5.IASDependencyName: incidents-api`:

      ```yaml
      - Authentication: NoAuthentication
        HTML5.IASDependencyName: incidents-api
        Name: incidents-management-srv-api
        ProxyType: Internet
        Type: HTTP
        URL: ~{srv-api/srv-url}
      existing_destinations_policy: update
      ```
- Update `app/incidents/xs-app.json` with the following code:

  ```json
  {
    "welcomeFile": "/index.html",
    "authenticationMethod": "route",
    "routes": [
      {
        "source": "^/odata/(.*)$",
        "target": "/odata/$1",
        "destination": "incident-management-srv-api",
        "authenticationType": "ias",
        "csrfProtection": false
      },
      {
        "source": "^/resources/(.*)$",
        "target": "/resources/$1",
        "authenticationType": "none",
        "destination": "ui5"
      },
      {
        "source": "^/test-resources/(.*)$",
        "target": "/test-resources/$1",
        "authenticationType": "none",
        "destination": "ui5"
      },
      {
        "source": "^(.*)$",
        "target": "$1",
        "service": "html5-apps-repo-rt",
        "authenticationType": "ias"
      }
    ]
  }
  ```

  Change the `authenticationType` of `incident-management-srv-api` and `html5-apps-repo-rt` from `xsuaa` to `ias`.
- Build the mtar.

  ```bash
  mbt build
  ```
- Log in to your SAP BTP subaccount and choose your Cloud Foundry space where you want to deploy your application.

  ```bash
  cf login -a <api-endpoint>
  ```
- Deploy on Cloud Foundry.

  ```bash
  cf deploy mta_archive/<mtar_name>.mtar
  ```

  After successful deployment, you can go to SAP BTP Cockpit -> your subaccount and your space and see your application as well as bound services.
- Log in to your IAS Tenant and go to Applications & Resources.
- Search and select your application with `incident-ias-<unique-id>` (in this case it's `incident-ias-staging`).
- Check the uploaded dcl policies under Authorization Policies.
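
The three JSON files edited in the steps above (`ias-config.json`, `package.json`, `app/incidents/xs-app.json`) can be checked for leftovers of the XSUAA setup before running `mbt build`. The following is an added example, not part of the original sample: the function name `auditIasMigration`, the finding texts and the rule that only routes to the `ui5` destination may stay unauthenticated are assumptions, and the sample objects are constructed from the snippets on this page.

```javascript
// Added example (not from the sample repository): returns a list of findings;
// an empty list means the three JSON files match the steps on this page.
function auditIasMigration({ iasConfig, pkg, xsApp }) {
  const findings = [];

  // ias-config.json: authorization on, placeholder replaced, an API exposed.
  if (iasConfig?.authorization?.enabled !== true)
    findings.push("ias-config.json: authorization.enabled is not true");
  if (String(iasConfig?.["display-name"] ?? "<unique-id>").includes("<unique-id>"))
    findings.push("ias-config.json: display-name missing or still contains <unique-id>");
  if (!(iasConfig?.["provided-apis"] ?? []).some((api) => api.name))
    findings.push("ias-config.json: no provided API declared");

  // package.json: production auth kind and the libraries listed on this page.
  const kind = pkg?.cds?.requires?.["[production]"]?.auth?.kind;
  if (kind !== "ias")
    findings.push(`package.json: production auth.kind is ${JSON.stringify(kind)}, expected "ias"`);
  for (const dep of ["@sap/ams", "@sap/xssec"])
    if (!pkg?.dependencies?.[dep]) findings.push(`package.json: dependency ${dep} is missing`);

  // xs-app.json: no route left on xsuaa. Assumption: only routes to the static
  // "ui5" destination may be unauthenticated, as in the page's xs-app.json.
  for (const route of xsApp?.routes ?? []) {
    const target = route.destination ?? route.service ?? "(local)";
    if (route.authenticationType === "xsuaa")
      findings.push(`xs-app.json: ${route.source} -> ${target} still uses xsuaa`);
    else if (route.authenticationType !== "ias" && target !== "ui5")
      findings.push(`xs-app.json: ${route.source} -> ${target} is not protected by ias`);
  }
  return findings;
}

// Constructed sample: a half-migrated project. The display-name placeholder is
// still in place and the back-end route has not been switched from xsuaa.
const sample = {
  iasConfig: { authorization: { enabled: true }, "provided-apis": [{ name: "incidents-api" }],
               "display-name": "incident-ias-<unique-id>" },
  pkg: { dependencies: { "@sap/ams": "^1.14.2", "@sap/xssec": "^3.3.5" },
         cds: { requires: { "[production]": { auth: { kind: "ias" } } } } },
  xsApp: { routes: [
    { source: "^/odata/(.*)$", destination: "incident-management-srv-api", authenticationType: "xsuaa" },
    { source: "^/resources/(.*)$", destination: "ui5", authenticationType: "none" },
    { source: "^(.*)$", service: "html5-apps-repo-rt", authenticationType: "ias" } ] },
};
console.log(auditIasMigration(sample).join("\n") || "no findings");
```

In a project, replace the sample objects with the parsed contents of the real files, for example `JSON.parse(fs.readFileSync("package.json", "utf8"))`.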

The application has an app2app navigation configuration in which the CAP back end with IAS-based authentication exposes an API that is configured as a dependency of the SAP Build Work Zone IAS application. The `IASDependencyName` is then defined in the GACD Destination Deployer module configuration.

- Log in to your SAP Cloud Identity Services admin console.
- Go to Applications & Resources.
- Search for your application bound to your CAP backend (in this case it's `incident-ias-staging`).
- Go to Trust -> OpenID Connect Configuration -> Advanced Settings -> Access Token Format. Choose JSON Web Token and Save.

- Log in to your SAP Cloud Identity Services admin console.
- Go to Applications & Resources.
- Search for your IAS application bound to your CAP backend (in this case it's `incident-ias-staging`).
- Verify that the endpoint exposed by your application is listed in Application APIs -> Provided APIs.
- Search and select your SAP Build Work Zone application in SAP Build Work Zone, standard edition -> Application APIs -> Dependencies. Choose Add a dependency.
- Give the dependency the same name as the one you provided in the destination service configuration property in the `mta.yaml`:

  ```yaml
  HTML5.IASDependencyName: incidents-api
  ```
- For each application, select the IAS application bound to your CAP backend (in this case, it's `incident-ias-staging`).
- Select the exposed endpoint (in this case, it's `incidents-api`), and choose Save.

To access the application in launchpad, proceed to Integrate with SAP Build Workzone, standard edition.