
User Propagation

Use Cases:

[Image: UseCaseLatest.PNG]

Note

  • When accessing the service document directly from the Gateway Management Cockpit, the security profile Name must be the same as the Service Namespace of the service. For example, if the Service Namespace is SAP_SSO2, the security profile Name must be SAP_SSO2.
  • For onboarded applications (SAP Mobile Platform applications that have an endpoint using the Integration Gateway service as back-end URL, with the internal option enabled), the security profile Name and the Service Namespace of the service need not be the same.

In this blog we will show how a user's credentials, as configured in the SMP server, are propagated to IGW, which in turn propagates them to the back-end service for authentication.

In this blog we will cover Basic Authentication and MYSAPSSO2-based user propagation.

This blog will guide the admin/developer through the configuration required in the SMP Admin Cockpit, in IGW and in the custom script to enable user propagation.

Use Case – 1

Basic Authentication

The admin has to configure an HTTP/HTTPS security profile in the SMP Admin Cockpit with the URL of the back-end system from which the user will get the data with Basic Authentication, as shown below.

With the configuration described below in place, SMP propagates the user credentials as a header on the request object when a call is made to the business-oriented URL.

The request object is retrieved in the Script Processor, and the header is added to the HTTP headers used when calling the back-end web service.

NOTE: The credentials must be the authorization details of the back-end system.

Steps to Configure Basic Authentication Propagation

SMP ADMIN Cockpit Steps

1) Log on to the SMP Admin Cockpit (https://localhost:8083/Admin) and go to the Settings -> Security Profile tab.

2) Create a security profile with Authentication type HTTP/HTTPS Authentication and provide the URL of the back-end system where the data/web service is hosted. In my case I am using the URL of an SAP ABAP system where my web service is hosted with Basic Authentication enabled. Click Save, as shown below.

[Images: SP-Basic.JPG, Basic Auth.PNG]

The security profile created above can be assigned to an application created in the SMP Cockpit.

IGW Steps

1) Create a Content Bundle in the Design Time Eclipse editor using the web service generated from the back end (the same one used to create the security profile in the previous step), and add the code below in the script, in either the first or the second method of the Script Processor.

The code below fetches the OData context from the exchange headers, retrieves the HTTP request object from the OData context object, reads the Authorization header from the request object and finally adds it to the message headers, which are passed to the web service call as HTTP client headers.

function processRequestData(message) {

    importPackage(com.sap.gateway.ip.core.customdev.util);
    importPackage(java.util);
    importPackage(com.sap.gateway.core.ip.component.commons);
    importPackage(com.sap.gateway.ip.core.customdev.logging);
    importPackage(org.apache.olingo.odata2.api.processor);

    // The OData context is carried in the exchange headers
    var headers = message.getHeaders();
    var context = headers.get("ODataContext");
    // The inbound HTTP request object is a parameter of the OData context
    var request = context.getParameter("~httpRequestObject");
    // Authorization header sent by the caller (Basic credentials)
    var Auth = request.getHeader("Authorization");

    // Forward it as a message header; it becomes an HTTP client header on the back-end call
    if (Auth != null) {
        message.setHeader("Authorization", Auth);
    }

    return message;
}

2) Once the bundle is created with the above code in the custom script, deploy the bundle from Design Time with the Service Namespace set to the name of the security profile created in the SMP Admin Cockpit steps.

[Image: Basic Auth1.PNG]

3) Now open the service document and fire a call to the entity set via the business-oriented URL, i.e. http://localhost:8080/gateway/odata/SAP_BASIC/<ServiceName>;v=1/<entitySet>

or

https://localhost:8084/gateway/odata/SAP_BASIC/<ServiceName>;v=1/<entitySet>

An authentication challenge will be thrown by the browser, as shown below.

Enter the user name and password; the credentials must be the same as the credentials of the back-end system. The credentials entered are propagated from SMP to the OData service and in turn to the back-end system for authorization.

MYSAPSSO2 Authentication

The admin has to configure an HTTP/HTTPS security profile in the SMP Admin Cockpit with the URL of the back-end system from which the user will get the data with the MYSAPSSO2 cookie, as shown below.

Note: For MYSAPSSO2 authentication the admin has to add the SMP certificate to the back-end system and, vice versa, the back-end system's certificate to the SMP server, for a mutual handshake.

The steps to add the back-end certificate to the SMP server are given at the end of this blog.

With the configuration described below in place, SMP propagates the user credentials, i.e. the corresponding cookie, as an attribute on the request object.

The request object is retrieved in the Script Processor, and the cookie is added to the HTTP headers used when calling the back-end web service.

Steps to Create MYSAPSSO2 Scenario

SMP ADMIN Cockpit Steps

1) Log on to the SMP Admin Cockpit (https://localhost:8083/Admin) and go to the Settings -> Security Profile tab.

2) Create a security profile with HTTP/HTTPS Authentication and provide the URL of the back-end system where the data/web service is hosted. In my case I am using the URL of an SAP ABAP system where my web service is hosted with the MYSAPSSO2 cookie enabled. Click Save, as shown below.

[Images: SP_sso2.JPG, SAPSSO2.PNG]

IGW Steps

1) Create a Content Bundle in the Design Time Eclipse editor using the web service generated from the back end (the same one used to create the security profile in the previous step), and add the code below in the script, in either the first or the second method.

The code below fetches the OData context from the exchange headers, retrieves the HTTP request object from the OData context object, reads the MYSAPSSO2 attribute from the request object and finally adds it to the message headers, which are passed to CXF as HTTP client headers.

function processRequestData(message) {

    importPackage(com.sap.gateway.ip.core.customdev.logging);
    importPackage(com.sap.gateway.ip.core.customdev.util);
    importPackage(org.apache.olingo.odata2.api.processor);

    // The OData context is carried in the exchange headers
    var headers = message.getHeaders();
    var context = headers.get("ODataContext");
    // The inbound HTTP request object is a parameter of the OData context
    var request = context.getParameter("~httpRequestObject");
    // SMP places the user's SSO2 ticket on the request as an attribute, not a header
    var MYSAPSSO2 = request.getAttribute("MYSAPSSO2");

    // Forward the ticket as a message header; it becomes an HTTP client header on the back-end call
    if (MYSAPSSO2 != null) {
        message.setHeader("mysapsso2", MYSAPSSO2);
    }

    return message;
}

2) Once the bundle is created with the above code in the custom script, deploy the bundle from Design Time with the Service Namespace set to the name of the security profile created in the previous steps.

[Image: SAPSSO21.PNG]

Note: Here the Private Key Alias is the alias name of the back-end system's certificate uploaded to the SMP server's keystore. The Private Key Alias is mandatory for SSO2 cookie retrieval.

3) Now open the service document and fire a call to the entity set via the business-oriented URL, i.e.

    http://localhost:8080/gateway/odata/SAP_BASIC/<ServiceName>;v=1/<entitySet>

   or

    https://localhost:8084/gateway/odata/SAP_BASIC/<ServiceName>;v=1/<entitySet>

An authentication challenge will be thrown by the browser, as shown below.

Enter the user name and password; the credentials must be the same as the credentials of the back-end system, so that the SSO2 cookie generated for the user is propagated from SMP to the OData service and in turn to the back-end system for authorization.

Use Case – 2

1) Create an application in the SMP Cockpit and assign/configure the IGW service URL created in Use Case 1 as the application's back end, as shown below.

[Images: smp App1.PNG, Backend.PNG]

2) Create a new security profile with the back-end URL on which the web service is hosted by going to the Authentication tab, as shown below, or assign an existing security profile such as SAP_BASIC or SAP_SSO2 created in Use Case 1, and click Save to save the application.

[Images: Security Profile 1.PNG, Security Profile 2.PNG]

3) Access the application from the mobile application to test the user propagation.

Steps to Add the Back End Certificate to SMP Server

1) In the Portecle tool, choose File -> Open Keystore File, go to the location of the smp_keystore.jks file (SMP server -> Configurations) and click OK to open the keystore. The password for the keystore is "changeit".

[Image: Certificate Upload.PNG]

2) Go to Tools -> Import Trusted Certificate, select the back-end system's certificate from your system and click Import.

[Image: Certificate Upload2.PNG]

3) Click the OK and Yes buttons as shown below.

[Images: Certificate Upload3.PNG, Certificate Upload4.PNG]

4) Enter the alias name for the certificate being imported. This alias name is used when deploying the bundle from Design Time Eclipse.

5) Save the keystore in the Portecle tool once the certificate is imported; otherwise the imported certificate will not be reflected in the SMP server's configuration.

[Image: Certificate Upload5.PNG]


9 Comments


  1. Tejesvi DVR Post author

    Hi Dimiter,

    I hope your problem is solved. I see your comment has been deleted.

    If you still face the problem, please contact me.

    Thanks,

    Tejesvi

    1. Rakshit Doshi

      Hi Tejesvi,

      This seems to be a good blog.

      Can you please share more steps on how to create the content from Eclipse Design Time and what configurations are to be made for the Gateway Cockpit Destinations?

      We are using Integration Gateway on top of NWGW. I am following the below blog.

      SMP 3.0: An End to End guide to create an OData service for a given SAP Gateway data source

      As per the blog we need to maintain a destination at Gateway Cockpit as well.

      Can you also share what configurations we need to make at that level?

      Thanks,

      Rakshit Doshi

      1. Tejesvi DVR Post author

        Hi Rakshit,

        Can you tell me what scenario you are trying, i.e. exposing a SOAP service as OData along with user propagation, or trying out a REST service, etc.?

        Based on the scenario you are trying I can guide you.

        If you are trying with web services then there is no destination configuration required, but for other data sources like REST, BEP, JDBC and JPA one has to configure a destination.

        The document you have pointed out talks about configuring a BEP datasource.

        Tutorial: Creating an OData service based on SAP Gateway, SOAP, JDBC and JPA data sources

        Please look into the above blog for details on how to create a content bundle for different data sources.

        Regards,

        Tejesvi

        1. Rakshit Doshi

          Dear Tejesvi,

          I am using the BEP Datasource itself. We have created RFCs and then created OData Services on NWGW and then given the URL inside Eclipse and deployed from there. It does require a destination.

          How do we configure SSO for that?

          Do you have any idea in that stream?

          Thanks,

          Rakshit Doshi

        2. Rakshit Doshi

          Dear Tejesvi,

          How do we handle this SSO configuration in the destination-based scenario, in which the services require a destination?

          Thanks,

          Rakshit Doshi

              1. Tejesvi DVR Post author

                Hi Rakshit,

                This blog is related to web service to OData propagation, and you have doubts on destination creation for ODC.

                So please don't post comments here.

                Regards,

                Tejesvi

              2. Michael Appleby

                Hi Rakshit Doshi,

                Please create a Discussion marked as a Question.  Not only so others may benefit from your solution once it is found, but also because you will have more folks looking to provide a solution when your issue has the greater visibility of a Discussion.  Also suggest that you visit the Getting Started link at the top right of each SCN page for help with creating a good Discussion.

                Thanks, Mike (Moderator)

                SAP P&I Technology RIG

