Add Multitenancy to a Node.js Application Secured by the SAP Authorization and Trust Management service (XSUAA)

To enable multitenancy, you need to change the parameter tenant-mode in the xs-security.json file to make it available for multiple tenants.

1. Go to the product-list/security folder.

2. Open the xs-security.json file.

3. Change the value of the parameter tenant-mode to shared.

4. Under scopes, add access to the SaaS Provisioning service to call the product list callback API directly. You’ll implement the callbacks in Step 3.

   "scopes": [
     		{
     			"name": "$XSAPPNAME.read",
     			"description": "With this scope, USER can read products."
     		},
     		{
     			"name": "$XSAPPNAME.Callback",
     			"description": "With this scope set, the callbacks for tenant onboarding, offboarding and getDependencies can be called.",
     			"grant-as-authority-to-apps": [
     				"$XSAPPNAME(application,sap-provisioning,tenant-onboarding)"
     			]
     		}
     	],
   

5. Save the file.

In this step you need to complete the following tasks:

• Add a new routing pattern
• Add the service binding for the SaaS Provisioning service

You can either do these steps one by one or copy the complete manifest.yml at the end. Remember to adapt the routes, URLs, and the TENANT_HOST_PATTERN according to your own example.

Add a new routing pattern

Add a parameter called TENANT_HOST_PATTERN to the approuter application. The parameter specifies a generic route for all tenants to call the application over the approuter.

1. Go to the product-list folder.

2. Open the manifest.yml file.

3. For the approuter application, add the parameter TENANT_HOST_PATTERN under the env parameter.

   env:
     destinations: >
       [
         {"name":"hw-dest",
          "url":"https://product-list-ap25.cfapps.eu10.hana.ondemand.com",
          "forwardAuthToken": true}
       ]
     TENANT_HOST_PATTERN: "^(.*)-approuter-product-list-ap25.cfapps.eu10.hana.ondemand.com"
   

   RESTRICTION: The value of the parameter TENANT_HOST_PATTERN has to be lowercase.

Add the service binding for the SaaS Provisioning service

Adding the service binding of the SaaS Provisioning service in the manifest.yml will automatically bind the service instance to the product-list application when deploying it.

Add the service binding for the SaaS Provisioning service to the product-list application.

services:
  - xsuaa-service-tutorial
  - saas-registry-tutorial

At the end your manifest.yml file should look like this:

applications:
# Application
- name: product-list
  instances: 1
  memory: 128M
  routes:
    - route: product-list-ap25.cfapps.eu10.hana.ondemand.com
  path: myapp
  buildpacks:
    - nodejs_buildpack  
  timeout: 180
  services:
    - xsuaa-service-tutorial
    - saas-registry-tutorial

# Application Router
- name: approuter
  routes:
    - route: approuter-product-list-ap25.cfapps.eu10.hana.ondemand.com
  path: approuter
  buildpacks:
    - nodejs_buildpack
  memory: 128M
  services:
    - xsuaa-service-tutorial
  env:
    destinations: >
      [
        {
          "name":"products-destination",
          "url":"https://product-list-ap25.cfapps.eu10.hana.ondemand.com",
          "forwardAuthToken": true
        }      
      ]
    TENANT_HOST_PATTERN: "^(.*)-approuter-product-list-ap25.cfapps.eu10.hana.ondemand.com"

To enable other subaccounts to subscribe to your application, you need to implement an endpoint for the SaaS registration manager to subscribe/unsubscribe.

1. Go to the myapp folder.

2. Open the index.js file.

3. Add the following lines of code after the checkReadScope function (replace the string “ap25” with the string that you used when deploying the first tutorial. Adapt the region code if your trial isn’t in the eu10 region):

     app.put('/callback/v1.0/tenants/*', function (req, res) {
     	var consumerSubdomain = req.body.subscribedSubdomain;
     	var tenantAppURL = "https:\/\/" + consumerSubdomain + "-approuter-product-list-ap25." + "cfapps.eu10.hana.ondemand.com/products";
     	res.status(200).send(tenantAppURL);
       });
   
     app.delete('/callback/v1.0/tenants/*', function (req, res) {
     	var consumerSubdomain = req.body.subscribedSubdomain;
     	var tenantAppURL = "https:\/\/" + consumerSubdomain + "-approuter-product-list-ap25." + "cfapps.eu10.hana.ondemand.com/products";
     	res.status(200).send(tenantAppURL);
     });
   

4. To be able to read the body of those calls, add the body parser module at line 9 of the index.js file.

   const bodyParser = require('body-parser')
   app.use(bodyParser.json())
   

5. Add the body parser module as a dependency to the product list/myapp/package.json file.

   "dependencies": {
     "express": "^4.17.1",
     "@sap/xsenv": "^3.1.0",
     "@sap/xssec": "^3.0.10",
     "passport": "^0.4.1",
     "body-parser": "^1.19.0"   
   }
   

To make your multitenant application endpoints available for subscription to consumer subaccounts, you must register the application in the Cloud Foundry environment via the SaaS Provisioning service.

To register your application, you need a configuration file called config.json. In this file, you specify the subscription URL, the name and description of your application. The xsappname has to be the same as the xsappname in the xs-security.json file.

1. Go to the product-list folder.

2. Create a config.json file.

3. Insert the following lines:

   {
     "xsappname":"product-list",
     "appUrls": {
       "onSubscription" : "https://product-list-ap25.cfapps.eu10.hana.ondemand.com/callback/v1.0/tenants/{tenantId}"
     },
     "displayName" : "Product List MTA",
     "description" : "Product list MTA sample application",
     "category" : "Custom SaaS Applications"
   }
   

When you change the tenant mode from dedicated to shared like you did in step 1, it’s not enough to update the XSUAA service instance. You have to unbind and delete the old service instance first to recreate it later with the updated tenant mode settings.

1. Unbind the existing XSUAA service instance from the product-list

   cf unbind-service product-list xsuaa-service-tutorial
   

2. Unbind the existing XSUAA service instance from the approuter.

   cf unbind-service approuter xsuaa-service-tutorial
   

3. Delete the existing XSUAA service instance.

   cf delete-service xsuaa-service-tutorial
   

Create the new multitenant XSUAA service instance and the SaaS Provisioning service instance and redeploy your application.

1. Log in to your Cloud Foundry account with the Cloud Foundry CLI.

2. Go to the product-list folder.

3. Create the XSUAA service instance with the xs-security.json security descriptor file.

   cf create-service xsuaa application xsuaa-service-tutorial -c security/xs-security.json
   

4. Create the SaaS Provisioning service instance with the config.json file.

   cf create-service saas-registry application saas-registry-tutorial -c config.json
   

5. Redeploy the application with the updated manifest.yml file.

   cf push
   

Make your application reachable for consumer subaccounts by adding a new route in the Cloud Foundry CLI. The route is composed of the subdomain of the subscribing subaccount (see screenshot) and the TENANT_HOST_PATTERN of the application router that we defined in the manifest.yml. You have to create a new route for every subaccount (tenant) that subscribes to the application.

1. Log in to the Cloud Foundry account where the application is deployed with the Cloud Foundry CLI.

2. Create a route for the consumer subaccount.

   cf map-route approuter cfapps.eu10.hana.ondemand.com --hostname consumer-tenant-ap25-approuter-product-list-ap25