Skip to Content

Add Multitenancy to a Node.js Application Secured by the Authorization and Trust Management service (XSUAA)

test
0 %
Add Multitenancy to a Node.js Application Secured by the Authorization and Trust Management service (XSUAA)
Details

Add Multitenancy to a Node.js Application Secured by the Authorization and Trust Management service (XSUAA)

June 29, 2020
Created by
June 29, 2020
Learn how to add multitenancy to your application and make it available for other subaccounts using the SaaS Provisioning service and the XSUAA.

You will learn

  • How to add multitenancy to a secure Node.js application
  • How to provide the application to another subaccount with the SaaS Provisioning service
  • How to access a multitenant application from another subaccount

Prerequisites

The use case for this tutorial is that you’ve created a Node.js application in your subaccount that is secured by the XSUAA. You now want to make that application available to other subaccounts (tenants). You’ll use the SaaS Provisioning service to make your application available to a consumer subaccount within your global trial account.

See the following diagram to get an overview of the SaaS architecture.

SaaS architecture

 

IMPORTANT: This tutorial is using specific values instead of placeholders. Please make sure to adapt those values to your own values, that you used in the previous tutorial.

The specific values that are used in this tutorial are:

  • The application name of the product list application: product-list.
    • Used in the manifest.yml.
  • The application name of the application router: approuter.
    • Used in the manifest.yml.
  • The route: product-list-ap25.cfapps.eu10.hana.ondemand.com.
    • Used in the manifest.yml.
    • Partially used in the config.json.
  • The route: approuter-product-list-ap25.cfapps.eu10.hana.ondemand.com.
    • Used in the manifest.yml.
    • Partially used in the index.js
  • The XSUAA service instance name: xsuaa-service-tutorial
    • Used in the manifest.yml.
    • Used when creating the service instance.
  • The SaaS Provisioning service instance name: saas-registry-tutorial.
    • Used in the manifest.yml.
    • Used when creating the service instance.
  • The XSUAA application name: product-list
    • Used in the config.json.
    • Used in the xs-security.json.
  • The subdomain Id of the consumer subaccount: consumer-tenant-ap25.
    • Used when creating the route for the consumer subaccount.

Step 1: Enable multitenancy in the security descriptor file

To enable multitenancy, you need to change the parameter tenant-mode in the xs-security.json file to make it available for multiple tenants.

  1. Go to the product-list/security folder.

  2. Open the xs-security.json file.

  3. Change the value of the parameter tenant-mode to shared.

  4. Under scopes, add access to the SaaS Provisioning service to call the product list callback API directly. You’ll implement the callbacks in Step 3.

    "scopes": [
      		{
      			"name": "$XSAPPNAME.read",
      			"description": "With this scope, USER can read products."
      		},
      		{
      			"name": "$XSAPPNAME.Callback",
      			"description": "With this scope set, the callbacks for tenant onboarding, offboarding and getDependencies can be called.",
      			"grant-as-authority-to-apps": [
      				"$XSAPPNAME(application,sap-provisioning,tenant-onboarding)"
      			]
      		}
      	],
    
  5. Save the file.

Log on to answer question
Step 2: Update the manifest

In this step you need to complete the following tasks:

  • Add a new routing pattern
  • Add the service binding for the SaaS Provisioning service

You can either do these steps one by one or copy the complete manifest.yml at the end. Remember to adapt the routes, URLs, and the TENANT_HOST_PATTERN according to your own example.

Add a new routing pattern

Add a parameter called TENANT_HOST_PATTERN to the approuter application. The parameter specifies a generic route for all tenants to call the application over the approuter.

  1. Go to the product-list folder.

  2. Open the manifest.yml file.

  3. For the approuter application, add the parameter TENANT_HOST_PATTERN under the env parameter.

    env:
      destinations: >
        [
          {"name":"hw-dest",
           "url":"https://product-list-ap25.cfapps.eu10.hana.ondemand.com",
           "forwardAuthToken": true}
        ]
      TENANT_HOST_PATTERN: "^(.*)-approuter-product-list-ap25.cfapps.eu10.hana.ondemand.com"
    

    RESTRICTION: The value of the parameter TENANT_HOST_PATTERN has to be lowercase.

Add the service binding for the SaaS Provisioning service

Adding the service binding of the SaaS Provisioning service in the manifest.yml will automatically bind the service instance to the product-list application when deploying it.

Add the service binding for the SaaS Provisioning service to the product-list application.

services:
  - xsuaa-service-tutorial
  - saas-registry-tutorial

At the end your manifest.yml file should look like this:

applications:
# Application
- name: product-list
  instances: 1
  memory: 128M
  routes:
    - route: product-list-ap25.cfapps.eu10.hana.ondemand.com
  path: myapp
  buildpacks:
    - nodejs_buildpack  
  timeout: 180
  services:
    - xsuaa-service-tutorial
    - saas-registry-tutorial

# Application Router
- name: approuter
  routes:
    - route: approuter-product-list-ap25.cfapps.eu10.hana.ondemand.com
  path: approuter
  buildpacks:
    - nodejs_buildpack
  memory: 128M
  services:
    - xsuaa-service-tutorial
  env:
    destinations: >
      [
        {
          "name":"products-destination",
          "url":"https://product-list-ap25.cfapps.eu10.hana.ondemand.com",
          "forwardAuthToken": true
        }      
      ]
    TENANT_HOST_PATTERN: "^(.*)-approuter-product-list-ap25.cfapps.eu10.hana.ondemand.com"
Why is a regex placeholder used in the parameter TENANT_HOST_PATTERN?
×
Step 3: Implement the subscribe/unsubscribe endpoints

To enable other subaccounts to subscribe to your application, you need to implement an endpoint for the SaaS registration manager to subscribe/unsubscribe.

  1. Go to the myapp folder.

  2. Open the index.js file.

  3. Add the following lines of code after the checkReadScope function (replace the string “ap25” with the string that you used when deploying the first tutorial. Adapt the region code if your trial isn’t in the eu10 region):

      app.put('/callback/v1.0/tenants/*', function (req, res) {
      	var consumerSubdomain = req.body.subscribedSubdomain;
      	var tenantAppURL = "https:\/\/" + consumerSubdomain + "-approuter-product-list-ap25." + "cfapps.eu10.hana.ondemand.com/products";
      	res.status(200).send(tenantAppURL);
        });
    
      app.delete('/callback/v1.0/tenants/*', function (req, res) {
      	var consumerSubdomain = req.body.subscribedSubdomain;
      	var tenantAppURL = "https:\/\/" + consumerSubdomain + "-approuter-product-list-ap25." + "cfapps.eu10.hana.ondemand.com/products";
      	res.status(200).send(tenantAppURL);
      });
    
  4. To be able to read the body of those calls, add the body parser module at line 9 of the index.js file.

    const bodyParser = require('body-parser')
    app.use(bodyParser.json())
    
  5. Add the body parser module as a dependency to the product list/myapp/package.json file.

    "dependencies": {
      "express": "^4.17.1",
      "@sap/xsenv": "^2.2.0",
      "@sap/xssec": "^3.0.0",
      "passport": "^0.4.1",
      "body-parser": "^1.19.0"   
    }
    
Log on to answer question
Step 4: Create a SaaS configuration file

To make your multitenant application endpoints available for subscription to consumer subaccounts, you must register the application in the Cloud Foundry environment via the SaaS Provisioning service.

To register your application, you need a configuration file called config.json. In this file, you specify the subscription URL, the name, and description of your application. The xsappname has to be the same as the xsappname in the xs-security.json file.

  1. Go to the product-list folder.

  2. Create a config.json file.

  3. Insert the following lines:

    {
      "xsappname":"product-list",
      "appUrls": {
        "onSubscription" : "https://product-list-ap25.cfapps.eu10.hana.ondemand.com/callback/v1.0/tenants/{tenantId}"
      },
      "displayName" : "Product List MTA",
      "description" : "Product list MTA sample application",
      "category" : "Custom SaaS Applications"
    }
    
Log on to answer question
Step 5: Delete the old XSUAA service instance

When you change the tenant mode from dedicated to shared like you did in step 1, it’s not enough to update the XSUAA service instance. You have to unbind and delete the old service instance first to recreate it later with the updated tenant mode settings.

  1. Unbind the existing XSUAA service instance from the product-list

    cf unbind-service product-list xsuaa-service-tutorial
    

  2. Unbind the existing XSUAA service instance from the approuter.

    cf unbind-service approuter xsuaa-service-tutorial
    
  3. Delete the existing XSUAA service instance.

    cf delete-service xsuaa-service-tutorial
    
Log on to answer question
Step 6: Create service instances and redeploy your applications

Create the new multitenant XSUAA service instance and the SaaS Provisioning service instance and redeploy your application.

  1. Log in to your Cloud Foundry account with the Cloud Foundry CLI.

  2. Go to the product-list folder.

  3. Create the XSUAA service instance with the xs-security.json security descriptor file.

    cf create-service xsuaa application xsuaa-service-tutorial -c security/xs-security.json
    
  4. Create the SaaS Provisioning service instance with the config.json file.

    cf create-service saas-registry application saas-registry-tutorial -c config.json
    
  5. Redeploy the application with the updated manifest.yml file.

    cf push
    
Log on to answer question
Step 7: Create a route for a consumer subaccount

Make your application reachable for consumer subaccounts by adding a new route in the Cloud Foundry CLI. The route is composed of the subdomain of the subscribing subaccount (see screenshot) and the TENANT_HOST_PATTERN of the application router that we defined in the manifest.yml. You have to create a new route for every subaccount (tenant) that subscribes to the application.

subaccount subdomain
  1. Log in to the Cloud Foundry account where the application is deployed with the Cloud Foundry CLI.

  2. Create a route for the consumer subaccount.

    cf map-route approuter cfapps.eu10.hana.ondemand.com --hostname consumer-tenant-ap25-approuter-product-list-ap25
    
What parts create the final route for consumer subaccounts to access the SaaS application?
×
Step 8: Access the application with the consumer subaccount

To access the application you need to subscribe to it. Follow these steps to subscribe to the SaaS application with the consumer subaccount and call the application URL.

  1. Open the SAP Cloud Platform trial.

  2. Navigate to your consumer subaccount.

  3. Choose Subscriptions.

  4. Choose Product List MTA.

  5. Choose Subscribe.

  6. Choose Go to Application.

You’ll now see the application with the message no data because you have to assign the role collection to your user in the consumer subaccount.

Log on to answer question
Step 9: Assign the role collection

Assign your user the role collection ProductListViewer that contains the necessary role to view the products in the product list.

  1. Open the SAP Cloud Platform Cockpit.

  2. Navigate to your consumer subaccount.

  3. Choose the Security tab and choose Trust Configuration.

  4. Choose SAP ID Service.

  5. Enter your e-mail address and choose Show Assignments.

  6. Choose Assign Role Collection.

  7. Choose the ProductListViewer role collection.

  8. Clear your cache and reload the application URL.

    https://consumer-tenant-ap25-approuter-product-list-ap25.cfapps.eu10.hana.ondemand.com/products

The application will now show you the products.

Log on to answer question

Resources


Next Steps

Back to top