Update documentation for adding SAP IAS as OIDC Provider (#2613)

* Update sap-public-oidc-provider.md * Update sap-public-oidc-provider.md * remove unknown claims these claims are not needed in IAS even if they are there, but the mapping should be done based on standard OIDC claims. Using scopes: - email - profile ensures, that standard claims are returned --------- Co-authored-by: Markus Strehle <11627201+strehle@users.noreply.github.com>
cloudfoundry · Dec 19, 2023 · ee33241 · ee33241
1 parent 40c5744
commit ee33241
Showing 1 changed file with 32 additions and 14 deletions.
diff --git a/docs/OIDC-Provider-Examples/sap-public-oidc-provider.md b/docs/OIDC-Provider-Examples/sap-public-oidc-provider.md
@@ -4,33 +4,51 @@ SAP IAS can be setup as an [OIDC provider](https://help.sap.com/viewer/6d6d63354
 In order to prevent storing a client secret in UAA configuration and all of it's successor problems like secret rotation and so on, register the
 external OIDC provider with a public client.
 
-1. Create an OIDC application and set it with [type public](https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/a721157cd40544eb9bad40085cf8ec15.html).
-   Register the "Redirect URIs" in the application section "OpenID Connect Configuration"
-
-   Add following URI in list field:
-   `http://{UAA_HOST}/login/callback/{origin}`. [Additional documentation for achieving this can be found here](https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/1ae324ee3b2d4a728650eb022d5fd910.html).
+1. Create an OIDC application and set it with [type public](https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/a721157cd40544eb9bad40085cf8ec15.html)
+   * in Trust / OpenID Configuration / Grant Types / Authorization Code Flow / Enforce PKCE (S256)
+3. Register the "Redirect URIs" in the application section "OpenID Connect Configuration"
+   * Add following URI in list field:
+   `https://{UAA_HOST}/login/callback/{origin}`. [Additional documentation for achieving this can be found here](https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/1ae324ee3b2d4a728650eb022d5fd910.html).
+   * E.g. for a UAA part of a CF-Deployment, this is `https://login.cf.<domain>/login/callback/{origin}`
+   * `{origin}` - is the id you of the OIDC provider you will use in UAA in the next step
 
-2. Copy client id.
+2. Go to "Client Authentication" section and check "Allow Public Client Flows".
+   * This will generate the "client id" on the top of the page
+   * Copy "client id", to use for the uaa configuration.
 
-3. Minimal OIDC configuration needs to be added in login.ym.
-   Read configuration refer to '[https://<tenant ID>.accounts.ondemand.com/.well-known/openid-configuration](https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/c297516bae4547eb82eeed80fea2b937.html)' for discoveryUrl and issuer
+4. Minimal OIDC configuration needs to be added in `uaa.yml` or `login.yml` (depending on the setup).
+   Read configuration refer to '[https://<tenant ID>.accounts.ondemand.com/.well-known/openid-configuration](https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/c297516bae4547eb82eeed80fea2b937.html)' for discoveryUrl and issuer. E.g. in the example below `ias.public` was selected as `{origin}`
 
         login:
           oauth:
             providers:
               ias.public:
                 type: oidc1.0
-                discoveryUrl: https://trailaccount.accounts.ondemand.com/.well-known/openid-configuration
-                issuer: https://trailaccount.accounts.ondemand.com
+                discoveryUrl: https://<ias_tenant_id>.accounts.ondemand.com/.well-known/openid-configuration
+                issuer: https://<ias_tenant_id>.accounts.ondemand.com
                 scopes:
                   - openid
                   - email
                   - profile
                 linkText: Login with IAS-Public
                 showLinkText: true
-                relyingPartyId: 3feb7ecb-d106-4432-b335-aca2689ad123
+                relyingPartyId: <client_id>
+                addShadowUserOnLogin: true
+
+6. Ensure that the scope `openid`, `email` and `profile` is included in the `scopes` property. Then UAA shadow user (if addShadowUserOnLogin=true) is created with all properties. 
 
-4. Ensure that the scope `openid`, `email` and `profile` is included in the`scopes` property. Then UAA shadow user (if addShadowUserOnLogin=true) is created
-   with all properties. 
+7. Restart UAA.
+   * You may see `Login with IAS-Public` link on your login page.
+   * Or if the link is not displayed, you need to enter the `{origin}` manually and then login against it
 
-5. Restart UAA. You will see `Login with IAS-Public` link on your login page.
+9. (optional) For CF Login, use `cf login --sso` and select the provider.
+    * Trying to login with User/Pass requires a confidential OAuth Client, creating a Secret in the Client Authentication tab, adding it as `relyingPartySecret` property and disabling "Enforce PKCE"
+
+8. (Optional) Use e-mail for Login Id instead of P-user
+   1. In IAS Admin Page, under "Trust / Single Sign-on / Subject Name Identifier / Basic Configuration"
+      * Select "Select a basic attribute" : "Email"
+   2. In `uaa.yml` append the following configuration, to the `login.oauth.providers.{origin}` section (at the same level as the other properties from the example above):
+      ```
+      attributeMappings:
+          user_name: "email"
+      ```