sap-public-oidc-provider.md
Registering SAP IAS as external, public OIDC provider in UAA

SAP IAS can be set up as an OIDC provider for UAA login. To avoid storing a client secret in the UAA configuration, and the follow-on problems that brings such as secret rotation, register the external OIDC provider as a public client.

  1. Create an OIDC application and set its type to public. Register the "Redirect URIs" in the application section "OpenID Connect Configuration".

     Add the following URI to the list field: http://{UAA_HOST}/login/callback/{origin}. Additional documentation for achieving this can be found here.

  2. Copy the client id.

  3. Add a minimal OIDC configuration to login.yml. For the values of discoveryUrl and issuer, refer to 'https://.accounts.ondemand.com/.well-known/openid-configuration'.

     ```yaml
     login:
       oauth:
         providers:
           ias.public:
             type: oidc1.0
             discoveryUrl: https://trailaccount.accounts.ondemand.com/.well-known/openid-configuration
             issuer: https://trailaccount.accounts.ondemand.com
             scopes:
               - openid
               - email
               - profile
             linkText: Login with IAS-Public
             showLinkText: true
             relyingPartyId: 3feb7ecb-d106-4432-b335-aca2689ad123
     ```
  4. Ensure that the scopes openid, email and profile are included in the scopes property. The UAA shadow user (if addShadowUserOnLogin=true) is then created with all properties.

  5. Restart UAA. You will see the Login with IAS-Public link on your login page.
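As an added example (not UAA project code), a Python check that a `providers:` entry from login.yml satisfies the points above before a restart: public client with no secret, the three required scopes, an `issuer` that agrees with the discovery document, and the exact callback URI to register in IAS. The `sample_discovery` document and the `uaa.example.test` host are constructed; the scheme defaults to https (the README shows http) and is a parameter.

```python
"""Pre-flight checks for a UAA public-client OIDC provider entry."""
from urllib.parse import urlparse

REQUIRED_SCOPES = {"openid", "email", "profile"}
WELL_KNOWN = "/.well-known/openid-configuration"


def redirect_uri(uaa_host: str, origin: str, scheme: str = "https") -> str:
    """Callback URI to register in the IAS application; `origin` is the
    key under `login.oauth.providers` (e.g. ias.public)."""
    return f"{scheme}://{uaa_host}/login/callback/{origin}"


def check_provider(cfg: dict, discovery: dict) -> list:
    """Return findings for one provider entry; an empty list means OK."""
    findings = []
    if cfg.get("type") != "oidc1.0":
        findings.append("type must be oidc1.0")
    if "relyingPartySecret" in cfg:  # public client: no secret in UAA config
        findings.append("public client: relyingPartySecret must not be set")
    if not cfg.get("relyingPartyId"):
        findings.append("relyingPartyId (IAS client id) is missing")
    missing = REQUIRED_SCOPES - set(cfg.get("scopes", []))
    if missing:  # without these the shadow user lacks attributes
        findings.append("missing scopes: " + ", ".join(sorted(missing)))
    issuer, disc = cfg.get("issuer", ""), cfg.get("discoveryUrl", "")
    if urlparse(issuer).scheme != "https":
        findings.append("issuer must use https")
    if disc != issuer.rstrip("/") + WELL_KNOWN:
        findings.append("discoveryUrl should be <issuer>" + WELL_KNOWN)
    if discovery.get("issuer") != issuer:  # OIDC Discovery: must match
        findings.append("issuer does not match discovery document")
    return findings


# Constructed input mirroring the login.yml fragment above.
sample_provider = {
    "type": "oidc1.0",
    "discoveryUrl": "https://trailaccount.accounts.ondemand.com" + WELL_KNOWN,
    "issuer": "https://trailaccount.accounts.ondemand.com",
    "scopes": ["openid", "email", "profile"],
    "relyingPartyId": "3feb7ecb-d106-4432-b335-aca2689ad123",
}
# Constructed subset of what the discovery endpoint would return.
sample_discovery = {"issuer": "https://trailaccount.accounts.ondemand.com"}

if __name__ == "__main__":
    print("register:", redirect_uri("uaa.example.test", "ias.public"))
    print("findings:", check_provider(sample_provider, sample_discovery))
```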