Prerequisites

To create instances of SAP Cloud Logging, you must configure entitlements for SAP Cloud Logging, and integrate SAP Cloud Identity Services - Identity Authentication SAML 2.0 with SAP Cloud Logging.

To create a service instance of SAP Cloud Logging, you need:

Once you have these three prerequisites, the service is available in the Service Marketplace.

Caution:

Ensure that you consider the SAP BTP Security Recommendation BTP-CLS-0001.

This section explains how to integrate with SAP Cloud Identity Services - Identity Authentication SAML 2.0. The result is a set of changes in the Identity Authentication tenant and a corresponding SAML configuration that you use when creating or updating SAP Cloud Logging instances. Administrator access to the Identity Authentication administration console is a prerequisite.

Note:

We recommend that you integrate with Identity Authentication. You can also integrate with other SAML providers, but these are neither supported nor documented.

Note:

You can reuse the resulting SAML configuration for multiple instances of SAP Cloud Logging.

Obtain SAML 2.0 IdP Information

Obtain SAML 2.0 Identity Provider (IdP) Information based on the Identity Authorization guide. Use the console URL to access the tenant’s administration console for the Identity Authentication service. The URL has a https://<tenantID>.accounts.ondemand.com/admin pattern.

  • Note down the idp.metadata_url information as https://<tenant ID>.accounts.ondemand.com/saml2/metadata
  • Note down the idp.entity_id. Open the metadata URL in your browser and copy the full value of the entityID field, which is located in the first line of the response.

Create a SAML 2.0 application

Create a SAML 2.0 application in your Identity Authentication account based on the Identity Authorization guide, and note down the name of the SAML 2.0 application as the sp.entity_id value.

Configure the SAML 2.0 application

Go to Applications & Resources, choose Applications, and select your application from the list. Then perform the following steps to configure the SAML 2.0 application within Identity Authentication:

  1. Configure a Self-Defined Attribute with Name "groups," Source "Identity Directory," and Value "All Groups."
  2. Configure Default Name ID Format to E-mail.
  3. Select SAML 2.0 Configuration and Configure Manually.
    • Set the name to the sp.entity_id value from the Create a SAML 2.0 application step.

    • Continue with one of the following options. OPTION 1 is recommended, as it removes the need to specify the IdP SAML application's assertion/logout URL.

    • OPTION 1: Enable request signing.

      • Create a new signing certificate and private key in PKCS8 format.

        # generate a self-signed certificate and an unencrypted (-nodes) private key with a reasonable validity
        openssl req -x509 -newkey rsa:2048 -keyout private.key -out cert.pem -nodes -days <validity>
        # convert the key to PKCS8 and add a password (you are prompted for it; PBE-SHA1-3DES is the legacy PKCS#5 v1.5 scheme)
        openssl pkcs8 -topk8 -v1 PBE-SHA1-3DES -in private.key -out private_pkcs8.key
        # encode the PKCS8 key (without its trailing newline) to base64 for the sp.signature_private_key field
        printf "%s" "$(< private_pkcs8.key)" | base64
        
      • Enable request signing in Identity Authentication by setting Require signed authentication requests to ON, going to the Signing Certificate section, clicking Add, and uploading the certificate.

      • Make sure to provide the signing key in the sp.signature_private_key field and to set the sp.signature_private_key_password field if the signing key is encrypted. Note that the signing certificate in your Identity Authentication SAML 2.0 application can expire; once it has, Identity Authentication rejects login attempts with the error message "The digital signature of the received SAML2 message is invalid."

    • OPTION 2: ⚠️ This step can only be done after an SAP Cloud Logging instance has been created and has to be repeated for each new service instance.

      • Set Assertion Consumer Service Endpoint to the OpenSearch Dashboards URL plus /_opendistro/_security/saml/acs.
      • Set Single Logout Endpoint: set the binding to HTTP_REDIRECT and the URL to the OpenSearch Dashboards URL without any path.
      • To store the configuration, click Save.

Create a Group and Assign Users

  • Create a group that you intend to use for administrative access to SAP Cloud Logging instances and provide the name of this group as the input value for admin_group during the SAML configuration. This group gets administrative access in OpenSearch. It has permission to modify the security module.

    Note:

    The login procedure forwards Identity Authentication group names to OpenSearch as backend roles. Backend roles can map to OpenSearch roles that grant permissions to the users assigned to the respective Identity Authentication groups. The configuration parameter admin_group is mapped automatically to the "all_access" role.

  • Add users to the group who should have admin access. Users can be added or removed at any time.

Compose SAML Configuration Parameters

Compose SAML configuration parameters to be used for service instance creation or updates:

SAML Configuration Template

    "saml": {
      "enabled": true,
      "initiated": true,
      "idp": {
        "metadata_url": "",
        "entity_id": ""
      },
      "admin_group": "",
      "roles_key": "groups",
      "sp": {
        "entity_id": "",
        "signature_private_key": "",
        "signature_private_key_password": ""
      }
    }

Parameterization

Set the IdP information idp.metadata_url (for example https://myaccount.accounts.ondemand.com/saml2/metadata) and idp.entity_id (for example https://myaccount.accounts.ondemand.com) from the Obtain SAML 2.0 IdP Information step.

Set sp.entity_id from the Create a SAML 2.0 application step. Do not confuse it with idp.entity_id.

Set admin_group from the Configure a SAML 2.0 application step.

Set sp.signature_private_key and sp.signature_private_key_password if you selected OPTION 1 in the Configure the SAML 2.0 application step.
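As an added example (not part of the SAP documentation or of the SAP Cloud Logging service), the following Python script composes the SAML configuration above from the values collected in the previous steps: it reads idp.entity_id from the entityID attribute of the IdP metadata, base64-encodes the PKCS8 key the way the printf | base64 command above does, and rejects the mix-ups the steps warn about (sp.entity_id confused with idp.entity_id, an encrypted key without a password, a missing admin_group). The metadata, application name, group name and key are constructed placeholders, not real tenant values.

```python
import base64
import json
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
# Constructed sample, shaped like the start of <tenant>/saml2/metadata (not a real tenant).
SAMPLE_METADATA = (
    f'<md:EntityDescriptor xmlns:md="{MD_NS}" '
    'entityID="https://myaccount.accounts.ondemand.com">'
    '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>'
    "</md:EntityDescriptor>"
)
# Constructed placeholder, not a real key; an encrypted PKCS8 key carries this PEM header.
SAMPLE_KEY_PEM = "-----BEGIN ENCRYPTED PRIVATE KEY-----\nPLACEHOLDER\n-----END ENCRYPTED PRIVATE KEY-----\n"


def idp_entity_id_from_metadata(metadata_xml: str) -> str:
    """Return the entityID attribute of the EntityDescriptor: this is the idp.entity_id value."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor" or not root.get("entityID"):
        raise ValueError("not a SAML 2.0 EntityDescriptor with an entityID")
    return root.get("entityID")


def encode_pkcs8_key(pem: str) -> str:
    """Base64 of the PEM text without its trailing newline, matching the printf | base64 step."""
    return base64.b64encode(pem.rstrip("\n").encode()).decode()


def compose_saml_config(metadata_url, metadata_xml, sp_entity_id, admin_group,
                        pkcs8_pem=None, key_password=""):
    """Fill the SAML template; raise on the mix-ups the configuration steps warn about."""
    idp_entity_id = idp_entity_id_from_metadata(metadata_xml)
    if sp_entity_id == idp_entity_id:
        raise ValueError("sp.entity_id is the SAML application name, not idp.entity_id")
    if not admin_group:
        raise ValueError("admin_group is required; it is mapped to the all_access role")
    sp = {"entity_id": sp_entity_id, "signature_private_key": "", "signature_private_key_password": ""}
    if pkcs8_pem is not None:  # OPTION 1: request signing
        if pkcs8_pem.lstrip().startswith("-----BEGIN ENCRYPTED PRIVATE KEY-----") and not key_password:
            raise ValueError("encrypted key: sp.signature_private_key_password must be set")
        sp["signature_private_key"] = encode_pkcs8_key(pkcs8_pem)
        sp["signature_private_key_password"] = key_password
    return {"saml": {"enabled": True, "initiated": True,
                     "idp": {"metadata_url": metadata_url, "entity_id": idp_entity_id},
                     "admin_group": admin_group, "roles_key": "groups", "sp": sp}}


if __name__ == "__main__":
    cfg = compose_saml_config("https://myaccount.accounts.ondemand.com/saml2/metadata", SAMPLE_METADATA,
                              "sap-cloud-logging-app", "CLS_Admins", SAMPLE_KEY_PEM, "changeit")
    print(json.dumps(cfg, indent=2))
```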

See Configuring Applications in Identity Authentication Service.