Introduction
SAP Cloud Logging Service (CLS) is an OpenSearch-based observability service that allows you to centrally manage application logs and metrics.
Because CLS Dashboards provide access to application data such as logs and metrics, proper security measures such as authentication methods and access control are essential.
Although CLS Dashboards can be accessed using a Service Key, SAP recommends using SAML authentication with IAS in production environments to ensure proper user management and stronger security.
In this article, we walk through the configuration steps required to enable SAML authentication for CLS Dashboards using IAS.
Prerequisites
This guide assumes the following conditions are met:
An IAS tenant is active
SAP Cloud Logging Service is available in your SAP BTP subaccount
You have administrator privileges for both IAS and the BTP subaccount
Step 1: Create a SAML 2.0 Application in IAS
In the IAS administration application, navigate to Applications & Resources → Applications, and create a new application.
Display Name: Any name
Protocol Type: SAML 2.0
Step 2: Create a CLS Instance and Configure SAML
If you already have an existing CLS instance, you can update its parameters in the same way as during instance creation.
In this article, we describe the steps using a new CLS instance.
2-1. Create a CLS Instance
Create a CLS instance in your BTP subaccount.
Service: Cloud Logging
Plan / Runtime Environment: Choose according to your use case
Instance Name: Any name
After entering the values, click Next to proceed to the parameter configuration screen.
2-2. Configure SAML Parameters
The default parameters will be displayed. Edit the saml section as shown below.
Default parameters
Updated parameters
{
  "saml": {
    "enabled": true,
    "admin_group": "<IAS_ADMIN_GROUP_NAME>",
    "initiated": true,
    "roles_key": "groups",
    "idp": {
      "metadata_url": "<IAS_TENANT_URL>/saml2/metadata",
      "entity_id": "<IAS_IDP_ENTITY_ID>"
    },
    "sp": {
      "entity_id": "<CLS_SP_ENTITY_ID>"
    }
  }
}
saml section template
Parameter Explanation
admin_group
Users who belong to the specified IAS group are granted administrator privileges (all_access).
In this example, we use cls-admin.
idp.metadata_url
The URL from which CLS retrieves SAML metadata from IAS.
Append /saml2/metadata to your IAS tenant URL.
For example, if your IAS tenant URL is:
https://<YOUR-TENANT-NAME>.accounts400.ondemand.com
then set:
https://<YOUR-TENANT-NAME>.accounts400.ondemand.com/saml2/metadata
idp.entity_id
Open the metadata_url in a browser and set the value of ‘entityID’ found at the beginning of the XML.
sp.entity_id
The identifier for CLS as a Service Provider. In this example, we use ‘CLS-Demo’. The same value must be configured on the IAS side.
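The following script is an added example, not code from the SAP article or from the Cloud Logging service. It puts the parameter explanation above into a repeatable form: it builds the metadata_url from the tenant URL, reads the entityID attribute from the IdP metadata instead of copying it by eye, assembles the saml section in the template's layout, and flags the slips that most often produce a non-working instance (placeholders left in, a non-https or mis-suffixed metadata URL, a roles_key that does not match the IAS attribute name). The tenant name, entity IDs and the metadata XML are constructed sample values.

```python
# Added example (not from the SAP article): build and sanity-check the "saml"
# parameter block of a CLS instance and extract the IdP entityID from IAS
# metadata. Tenant name, entity IDs and the metadata XML are constructed samples.
import json
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

def metadata_url_for(tenant_url: str) -> str:
    """Append /saml2/metadata to the IAS tenant URL (a trailing slash is tolerated)."""
    return tenant_url.rstrip("/") + "/saml2/metadata"

def idp_entity_id_from_metadata(metadata_xml: str) -> str:
    """Return the entityID attribute of the EntityDescriptor root element.

    This is the value the article tells you to read from the top of the metadata
    XML; parsing it avoids copy errors in idp.entity_id."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError(f"unexpected root element: {root.tag}")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("metadata has no entityID attribute")
    return entity_id

def build_saml_parameters(tenant_url, idp_entity_id, sp_entity_id, admin_group):
    """Assemble the saml section in the same layout as the article's template."""
    return {
        "saml": {
            "enabled": True,
            "admin_group": admin_group,
            "initiated": True,
            "roles_key": "groups",
            "idp": {
                "metadata_url": metadata_url_for(tenant_url),
                "entity_id": idp_entity_id,
            },
            "sp": {"entity_id": sp_entity_id},
        }
    }

def validate_saml_parameters(params) -> list:
    """Return a list of problems; an empty list means the block looks consistent."""
    problems = []
    saml = params.get("saml", {})
    idp, sp = saml.get("idp", {}), saml.get("sp", {})
    if saml.get("enabled") is not True:
        problems.append("saml.enabled must be true")
    # Unreplaced <...> placeholders from the template are the most common slip.
    for path, value in (("admin_group", saml.get("admin_group")),
                        ("idp.metadata_url", idp.get("metadata_url")),
                        ("idp.entity_id", idp.get("entity_id")),
                        ("sp.entity_id", sp.get("entity_id"))):
        if not value:
            problems.append(f"{path} is missing")
        elif "<" in value or ">" in value:
            problems.append(f"{path} still contains a template placeholder: {value}")
    url = idp.get("metadata_url", "")
    if not url.startswith("https://"):
        problems.append("idp.metadata_url should use https")
    if not url.endswith("/saml2/metadata"):
        problems.append("idp.metadata_url should end with /saml2/metadata")
    if saml.get("roles_key") != "groups":
        problems.append("roles_key must match the attribute name configured in IAS (groups)")
    return problems

# Constructed, abridged sample of what GET <tenant>/saml2/metadata returns.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://mytenant.accounts400.ondemand.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://mytenant.accounts400.ondemand.com/saml2/idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    tenant = "https://mytenant.accounts400.ondemand.com"   # constructed
    idp_id = idp_entity_id_from_metadata(SAMPLE_IDP_METADATA)
    params = build_saml_parameters(tenant, idp_id, "CLS-Demo", "cls-admin")
    print(json.dumps(params, indent=2))
    print("problems:", validate_saml_parameters(params))
```

Run validate_saml_parameters on the JSON you are about to paste into the instance parameters; a non-empty list means the instance would come up with SAML misconfigured (or disabled) and Dashboards access would silently fall back to whatever the remaining settings allow.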
Step 3: Configure SAML Settings in IAS
In the IAS application settings, select Configure Manually and configure the SAML settings.
Entity ID: Same value as ‘sp.entity_id’ of the CLS instance
This ID uniquely identifies CLS as the Service Provider in the SAML integration.
Since we used ‘CLS-Demo’ in the CLS configuration, the same value must be set here.
Endpoint Configuration
SSO Endpoint: <Dashboards URL>/_opendistro/_security/saml/acs
Single Logout Endpoint: <Dashboards URL>
Verification (Authentication)
Access the CLS Dashboards URL and confirm that authentication succeeds.
At this point, when opening dashboards or index lists, you may see a blank page or permission-related errors.
In Developer Tools, you can also confirm that HTTP 403 (Forbidden) responses are returned.
If you click View roles and identities from the user icon, you will see that only the ‘own_index’ role is assigned.
This indicates that SAML authentication is working correctly, but authorization (role assignment) has not yet been configured.
Step 4: Configure Attributes in the IAS Application
To use IAS group information for role assignment in CLS, group data must be included in the SAML assertion.
Open Attributes in the IAS application and configure the following:
Name: groups
Source: Identity Directory
Values: All Groups
Step 5: Create a Group and Add Users
Create a user group in IAS with the same name as the ‘admin_group’ configured in Step 2.
In this example, the group name is ‘cls-admin’.
Name: Same as ‘admin_group’
Display Name: Any name
Add the target users to the group.
Verification (Authorization)
Access the dashboard page again and confirm that the list of dashboards is now visible.
You can also verify that the ‘all_access’ role has been assigned to the user via the ‘cls-admin’ group.
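As an added example (not code from the SAP article or from OpenSearch), the script below does programmatically what the two verification sections above do by hand. The browser POSTs a base64-encoded SAMLResponse to the ACS endpoint configured in Step 3; decoding it and reading the AttributeStatement shows whether the ‘groups’ attribute from Step 4 is present and whether the ‘admin_group’ from Step 5 is among its values. The role outcome is a deliberately simplified model of what the article reports (admin_group present gives all_access, otherwise only own_index), not the security plugin's full role-mapping logic; the assertions are constructed, unsigned samples and the script does not verify signatures.

```python
# Added example (not from the SAP article): inspect a SAML assertion the way the
# article's authorization check does by hand, and model the role outcome it
# describes. Samples are constructed and unsigned; no signature is verified here.
import base64
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

def decode_saml_response(b64_response: str) -> str:
    """Decode the base64 SAMLResponse form field captured from the ACS POST."""
    return base64.b64decode(b64_response).decode("utf-8")

def attribute_values(assertion_xml: str, attribute_name: str) -> list:
    """Return every value of one attribute from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    ns = {"saml2": SAML_NS}
    values = []
    for attr in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", ns):
        if attr.get("Name") == attribute_name:
            values.extend(v.text.strip() for v in attr.findall("saml2:AttributeValue", ns) if v.text)
    return values

def expected_roles(assertion_xml, roles_key="groups", admin_group="cls-admin") -> list:
    """Simplified model of the article's observation: membership in admin_group
    grants all_access; everyone else keeps only own_index."""
    roles = ["own_index"]
    if admin_group in attribute_values(assertion_xml, roles_key):
        roles.append("all_access")
    return roles

def diagnose(assertion_xml, roles_key="groups", admin_group="cls-admin") -> str:
    """Explain a 403 / blank dashboard in terms of what the assertion carries."""
    groups = attribute_values(assertion_xml, roles_key)
    if not groups:
        return (f"no '{roles_key}' attribute in the assertion: "
                "Step 4 (IAS attribute mapping) is missing, expect only own_index")
    if admin_group not in groups:
        return (f"'{roles_key}' present but '{admin_group}' not among {groups}: "
                "Step 5 (group membership) is missing, expect only own_index")
    return f"'{admin_group}' found in '{roles_key}': expect all_access"

def _assertion(group_values):
    """Build a constructed sample assertion; an empty list omits the attribute."""
    attr = ""
    if group_values:
        vals = "".join(f"<saml2:AttributeValue>{g}</saml2:AttributeValue>" for g in group_values)
        attr = (f'<saml2:AttributeStatement><saml2:Attribute Name="groups">{vals}'
                '</saml2:Attribute></saml2:AttributeStatement>')
    return (f'<saml2:Assertion xmlns:saml2="{SAML_NS}" ID="_constructed" Version="2.0">'
            '<saml2:Issuer>https://mytenant.accounts400.ondemand.com</saml2:Issuer>'
            '<saml2:Subject><saml2:NameID>alice@example.com</saml2:NameID></saml2:Subject>'
            f'{attr}</saml2:Assertion>')

ASSERTION_ADMIN = _assertion(["cls-admin", "developers"])   # Steps 4 and 5 done
ASSERTION_NO_GROUPS = _assertion([])                        # Step 4 missing
ASSERTION_OTHER_GROUP = _assertion(["developers"])          # Step 5 missing
# What the SAMLResponse field would look like on the wire for the admin case.
ENCODED_ADMIN = base64.b64encode(ASSERTION_ADMIN.encode("utf-8")).decode("ascii")

if __name__ == "__main__":
    for name, xml in (("admin", ASSERTION_ADMIN), ("no groups", ASSERTION_NO_GROUPS),
                      ("other group", ASSERTION_OTHER_GROUP)):
        print(f"{name:12s} roles={expected_roles(xml)}  {diagnose(xml)}")
    print("decoded wire sample matches:", decode_saml_response(ENCODED_ADMIN) == ASSERTION_ADMIN)
```

The authoritative check remains View roles and identities in Dashboards; this script only tells you what the IdP actually sent, which is the quickest way to tell a missing attribute mapping (Step 4) apart from a missing group membership (Step 5) when you are staring at a 403.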
I hope this article helps you with application development and operations on SAP BTP!!
References
https://docs.opensearch.org/latest/security/authentication-backends/saml/
https://help.sap.com/docs/cloud-logging/cloud-logging/prerequisites
https://help.sap.com/docs/cloud-logging/cloud-logging/configuration-parameters