SAP IAS can be set up as an OIDC provider for UAA login. To avoid storing a client secret in the UAA configuration, and with it all the follow-on problems such as secret rotation, register the external OIDC provider with a public client.
- Create an OIDC application and set its type to public. Register the "Redirect URIs" in the application section "OpenID Connect Configuration" and add the following URI to the list field, where `{origin}` is the provider key used in login.yml (`ias.public` below):

  `http://{UAA_HOST}/login/callback/{origin}`

  Additional documentation for achieving this can be found here.
- Copy the client id.
- Add a minimal OIDC provider configuration to login.yml. Take the values for `discoveryUrl` and `issuer` from your tenant's discovery document at `https://{IAS_TENANT}.accounts.ondemand.com/.well-known/openid-configuration`:

  ```yaml
  login:
    oauth:
      providers:
        ias.public:
          type: oidc1.0
          discoveryUrl: https://trailaccount.accounts.ondemand.com/.well-known/openid-configuration
          issuer: https://trailaccount.accounts.ondemand.com
          scopes:
            - openid
            - email
            - profile
          linkText: Login with IAS-Public
          showLinkText: true
          relyingPartyId: 3feb7ecb-d106-4432-b335-aca2689ad123
  ```
- Ensure that the scopes `openid`, `email` and `profile` are included in the `scopes` property. The UAA shadow user (if `addShadowUserOnLogin=true`) is then created with all its properties.
- Restart UAA. You will see the "Login with IAS-Public" link on your login page.
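As an added consistency check (example code, not part of UAA or of this page), the script below validates a provider entry from login.yml against the issuer advertised in the IAS discovery document and against the public-client requirements above. The provider dict mirrors the snippet above as it would look after loading the YAML; the discovery document is constructed inline so the check runs offline.

```python
from urllib.parse import urlparse

# Constructed: the ias.public provider block from login.yml after yaml.safe_load(...)
PROVIDER = {
    "type": "oidc1.0",
    "discoveryUrl": "https://trailaccount.accounts.ondemand.com/.well-known/openid-configuration",
    "issuer": "https://trailaccount.accounts.ondemand.com",
    "scopes": ["openid", "email", "profile"],
    "linkText": "Login with IAS-Public",
    "showLinkText": True,
    "relyingPartyId": "3feb7ecb-d106-4432-b335-aca2689ad123",
}

# Constructed: the fields of the IAS discovery document that matter here
DISCOVERY = {
    "issuer": "https://trailaccount.accounts.ondemand.com",
    "jwks_uri": "https://trailaccount.accounts.ondemand.com/oauth2/certs",
}

# Scopes UAA needs so the shadow user is created with all properties
REQUIRED_SCOPES = {"openid", "email", "profile"}

def check_provider(provider, discovery):
    """Return a list of problems; an empty list means the entry is consistent."""
    problems = []
    if provider.get("type") != "oidc1.0":
        problems.append("type must be oidc1.0")
    disc = urlparse(provider.get("discoveryUrl", ""))
    if disc.scheme != "https" or not disc.path.endswith("/.well-known/openid-configuration"):
        problems.append("discoveryUrl must be an https .well-known/openid-configuration URL")
    issuer = provider.get("issuer", "")
    if issuer != discovery.get("issuer"):  # UAA compares the id_token iss claim against this
        problems.append("issuer does not match the issuer in the discovery document")
    if urlparse(issuer).netloc != disc.netloc:
        problems.append("issuer and discoveryUrl point at different hosts")
    missing = REQUIRED_SCOPES - set(provider.get("scopes", []))
    if missing:
        problems.append("missing scopes: " + ", ".join(sorted(missing)))
    if not provider.get("relyingPartyId"):
        problems.append("relyingPartyId (the IAS client id) is required")
    if provider.get("relyingPartySecret"):  # a public client has no secret to store
        problems.append("public client: relyingPartySecret must not be set")
    return problems

def redirect_uri(uaa_host, origin, scheme="https"):
    """Redirect URI to register in IAS; origin is the provider key (e.g. ias.public)."""
    return f"{scheme}://{uaa_host}/login/callback/{origin}"
```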