Learn how to add multitenancy to your application and make it available for other subaccounts using the SaaS Provisioning service and the SAP Authorization and Trust Management service.
You’ve created an application in your subaccount that is secured by the SAP Authorization and Trust Management service. You now want to make that application available to other subaccounts (tenants). You’ll use the SaaS Provisioning service to make your application available to a consumer subaccount within your global trial account.
You declare your application security descriptor with JSON syntax and store it in a flat file on the filesystem. The standard name for this file is xs-security.json.
Step 1: Enable multitenancy in the application security descriptor file.
- Go to the folder where the xs-security.json file is stored.
- Change the value of the tenant-mode parameter to shared.
- Under the scopes element, add a scope that grants the SaaS Provisioning service access to call the product list callback API directly. You'll implement the callbacks in Step 3.

    "scopes": [
      {
        "name": "$XSAPPNAME.read",
        "description": "With this scope, USER can read products."
      },
      {
        "name": "$XSAPPNAME.Callback",
        "description": "With this scope set, the callbacks for tenant onboarding, offboarding and getDependencies can be called.",
        "grant-as-authority-to-apps": [
          "$XSAPPNAME(application,sap-provisioning,tenant-onboarding)"
        ]
      }
    ],

- Save the file.
Step 2: Update the manifest.
In this step, you need to complete the following tasks:
- Add a new routing pattern.
- Add the service binding for the SaaS Provisioning service.

- Go to your application folder and open the manifest.yml file.
- For the application router, add the TENANT_HOST_PATTERN parameter under the env parameter. This parameter specifies a generic route for all tenants to call the application over the approuter.

    env:
      destinations: >
        [
          {"name":"hw-dest", "url":"https://product-list-ap25.cfapps.eu10.hana.ondemand.com", "forwardAuthToken": true}
        ]
      TENANT_HOST_PATTERN: "^(.*)-approuter-product-list-ap25.cfapps.eu10.hana.ondemand.com"

  The value of the TENANT_HOST_PATTERN parameter must be in lowercase.
- Add the service binding for the SaaS Provisioning service to your application. Adding the service binding of the SaaS Provisioning service in the manifest.yml file automatically binds the service instance to your application when you deploy it.

    services:
      - xsuaa-service-tutorial
      - saas-registry-tutorial
Step 3: Implement the subscribe/unsubscribe endpoints.
To enable other subaccounts to subscribe to your application, you need to implement an endpoint for the SaaS registration manager to subscribe/unsubscribe.
- Go to the myapp folder and open the index.js file.
- Add the following lines of code after the checkReadScope function. (Replace the ap25 string with the string that you used when deploying your application security model. Adapt the region code if your trial isn't in the eu10 region.)

    // Onboarding callback: the SaaS Provisioning service calls this when a consumer subaccount subscribes.
    // The response body is the tenant-specific URL that the subscriber uses to reach the application.
    app.put('/callback/v1.0/tenants/*', function (req, res) {
      var consumerSubdomain = req.body.subscribedSubdomain;
      var tenantAppURL = "https://" + consumerSubdomain + "-approuter-product-list-ap25." + "cfapps.eu10.hana.ondemand.com/products";
      res.status(200).send(tenantAppURL);
    });

    // Offboarding callback: called when a consumer subaccount deletes its subscription.
    app.delete('/callback/v1.0/tenants/*', function (req, res) {
      // Implement here any offboarding process that's triggered when a user deletes a subscription to the application
      res.sendStatus(200);
    });

  Return the HTTP 200 OK success status response if the offboarding process was successful. If the offboarding failed, return the relevant error code and an accompanying message.
  It's highly recommended to use a response object that contains the error code, a user-friendly, customer-oriented error message, and technical details about the error, in the following format:

    {
      "code": <The relevant response code, e.g., 500, 400>,
      "messageForCustomer": "<A customer-facing message. Please write in a user-friendly format, as clearly as possible>",
      "errorDetails": "<Specify here additional technical details about the error>"
    }

- To be able to read the body of those calls, add the body parser module at line 9 of the index.js file.

    const bodyParser = require('body-parser')
    app.use(bodyParser.json())

- Add the body parser module as a dependency to the product list/myapp/package.json file.

    "dependencies": {
      "express": "^4.17.1",
      "@sap/xsenv": "^2.2.0",
      "@sap/xssec": "^3.0.0",
      "passport": "^0.4.1",
      "body-parser": "^1.19.0"
    }
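As an added example that is not part of the tutorial, the logic behind the onboarding callback factored into plain functions so it can be exercised without Express: building the tenant URL, producing the error object in the format recommended above, and a round-trip check that the URL handed back is actually matched by the TENANT_HOST_PATTERN from manifest.yml. The ap25 suffix and eu10 region follow the tutorial; the rule that subscribedSubdomain must be a single lowercase DNS label is an assumption.

```javascript
// Added example, not the tutorial's code: framework-free helpers for the onboarding callback.
// Suffix "ap25" and region "eu10" follow the tutorial; the DNS-label check is an assumption.
const APP_SUFFIX = "approuter-product-list-ap25";
const APP_DOMAIN = "cfapps.eu10.hana.ondemand.com";
// Copied literally from TENANT_HOST_PATTERN in manifest.yml; group 1 is what the approuter
// treats as the tenant subdomain.
const TENANT_HOST_PATTERN = new RegExp("^(.*)-approuter-product-list-ap25.cfapps.eu10.hana.ondemand.com");
// subscribedSubdomain becomes part of a hostname, so require one lowercase DNS label
// (the pattern value is lowercase, so an uppercase subdomain would never match it).
const SUBDOMAIN_RE = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/;

// Error object in the shape the tutorial recommends returning to the SaaS Provisioning service.
function errorResponse(code, messageForCustomer, errorDetails) {
  return { code: code, messageForCustomer: messageForCustomer, errorDetails: errorDetails };
}

// Tenant-specific application URL, or null when the subdomain is not hostname-safe.
function buildTenantAppUrl(subscribedSubdomain) {
  if (typeof subscribedSubdomain !== "string" || !SUBDOMAIN_RE.test(subscribedSubdomain)) {
    return null;
  }
  return "https://" + subscribedSubdomain + "-" + APP_SUFFIX + "." + APP_DOMAIN + "/products";
}

// Recover the tenant subdomain from a Host value the way the approuter's pattern does.
function tenantFromHost(host) {
  const m = TENANT_HOST_PATTERN.exec(host);
  return m ? m[1] : null;
}

// Body of the PUT /callback/v1.0/tenants/* handler: returns { status, body } for res.status().send().
// In production the route should also require the $XSAPPNAME.Callback scope on the caller's token
// (the scope granted to sap-provisioning in xs-security.json), as checkReadScope does for read.
function onSubscribe(body) {
  const subdomain = body ? body.subscribedSubdomain : undefined;
  const url = buildTenantAppUrl(subdomain);
  if (url === null) {
    return { status: 400, body: errorResponse(400, "The subscription could not be created.",
      "subscribedSubdomain must be a single lowercase DNS label") };
  }
  // Consistency check: the host handed back must map to the same tenant under TENANT_HOST_PATTERN,
  // otherwise the approuter would never route the subscriber to this tenant.
  if (tenantFromHost(new URL(url).host) !== subdomain) {
    return { status: 500, body: errorResponse(500, "The application is misconfigured.",
      "tenant URL is not matched by TENANT_HOST_PATTERN") };
  }
  return { status: 200, body: url };
}
```

The 200 branch returns exactly the URL that Step 9 of this tutorial opens for the consumer tenant, while a mixed-case or empty subdomain is answered with the structured 400 object instead of a malformed URL.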
Step 4: Create a SaaS configuration file.
To make your multitenant application endpoints available for subscription to consumer subaccounts, you need to register the application in the Cloud Foundry environment by using the SaaS Provisioning service.
To register your application, you need a configuration file called config.json. In this file, you specify the subscription URL, the name, and the description of your application. The xsappname must be the same as the xsappname in the xs-security.json file.
- Go to your application folder and create the config.json file.
- Insert the following lines.

    {
      "xsappname": "product-list",
      "appUrls": {
        "onSubscription": "https://product-list-ap25.cfapps.eu10.hana.ondemand.com/callback/v1.0/tenants/{tenantId}"
      },
      "displayName": "Product List MTA",
      "description": "Product list MTA sample application",
      "category": "Custom SaaS Applications"
    }
Step 5: Delete the old service instance of the SAP Authorization and Trust Management service.
When you change the tenant mode from dedicated to shared, as you did in Step 1, it's not enough to update the service instance. You have to first unbind and delete the old service instance, so that you can later recreate it with the updated tenant mode settings.
- Unbind the existing service instance from your application.

    cf unbind-service <APP_NAME> <SERVICE_INSTANCE>
    cf unbind-service product-list xsuaa-service-tutorial

- Unbind the existing service instance from the application router.

    cf unbind-service <APP_NAME> <SERVICE_INSTANCE>
    cf unbind-service approuter xsuaa-service-tutorial

- Delete the existing service instance.

    cf delete-service <SERVICE_INSTANCE>
    cf delete-service xsuaa-service-tutorial
Step 6: Create service instances and redeploy your application.
- Log in to your Cloud Foundry account with the Cloud Foundry CLI.
- Go to your application folder and create the service instance with the xs-security.json security descriptor file.

    cf create-service <SERVICE> <PLAN> <SERVICE_INSTANCE> -c xs-security.json
    cf create-service xsuaa application xsuaa-service-tutorial -c xs-security.json

- Create the SaaS Provisioning service instance with the config.json file.

    cf create-service <SERVICE> <PLAN> <SERVICE_INSTANCE> -c config.json
    cf create-service saas-registry application saas-registry-tutorial -c config.json

- Redeploy the application with the updated manifest.yml file.

    cf push
Step 7: Create a route for a consumer subaccount.
Make your application reachable for consumer subaccounts by adding a new route in the Cloud Foundry CLI. The route is composed of the subdomain of the subscribing subaccount and the TENANT_HOST_PATTERN of the application router that you defined in the manifest.yml file. You have to create a new route for every subaccount (tenant) that subscribes to the application.
- Log in to the Cloud Foundry account where the application is deployed with the Cloud Foundry CLI.
- Create a route for the consumer subaccount.

    cf map-route <APP_NAME> <DOMAIN> --hostname <APPLICATION_HOSTNAME>

  The APPLICATION_HOSTNAME is the combined string of the subdomain ID of the consumer subaccount and the TENANT_HOST_PATTERN from the manifest.yml file.

    cf map-route approuter cfapps.eu10.hana.ondemand.com --hostname consumer-tenant-ap25-approuter-product-list-ap25
Step 8: Access the application with the consumer subaccount.
To access the application, you need to subscribe to it. Follow these steps to subscribe to the SaaS application with the consumer subaccount and call the application URL.
- Open the SAP BTP trial.
- Navigate to your consumer subaccount.
- Choose Subscriptions.
- Choose Product List MTA.
- Choose Subscribe.
- Choose Go to Application.
  You'll now see the application with the message "no data", because you still have to assign the role collection to your user in the consumer subaccount.
Step 9: Assign the role collection.
Assign the ProductListViewer role collection to your user. This role collection contains the necessary role to view the products in your application.
- Open the SAP BTP cockpit.
- Navigate to your consumer subaccount.
- Choose Security > Role Collections.
- Choose the ProductListViewer role collection.
- Use the chevron at the right side to expand the role collection.
- Go to the Users section and choose Edit.
- Enter the e-mail address of the user that you want to assign to the role collection. Make sure that your user's identity provider is SAP ID service.
- Save your changes.
- Clear your cache and reload the application URL.

    https://consumer-tenant-ap25-approuter-product-list-ap25.cfapps.eu10.hana.ondemand.com/products

  The application now shows you the products.