Hi everyone,

our new openSAP course Developing Java-Based Apps on SAP HANA Cloud Platform started two weeks ago, on Wednesday, September 7th 2016, and ends on Thursday, October 20th 2016. It’s a 5 week course followed by another week for the final exam. The document openSAP course guide – Developing Java-Based Apps on SAP HANA Cloud Platform – overview gives an overview of the course and links to all the week guides. This blog post will guide you through week 1 of the course and provide you with additional material, explanations and Q&A around the topic of the week. Depending on the feedback and questions in the course forum I might also add further material (e.g. videos) during and after the course to address the frequently asked questions, so that you have a one-stop shop of additional materials for this course. I hope you will enjoy the week!

Content Week 3

The topic for week 3 is Security and Identity Management, and this is the content you can look forward to:

  • Unit 1: Authentication and Authorization
  • Unit 2: Protecting Against CSRF Attacks
  • Unit 3: Working with the Authorization Management Platform API
  • Unit 4: Working with Multiple Identity Providers
  • Unit 5: Group Management
  • Unit 6: Federated Authorization with Groups

Unit 1 – Authentication and Authorization

See the video here: https://open.sap.com/courses/hcp2/items/35qpaEKkWlo9j222NbKHAM

What you will learn

  • Authentication in the ESPM scenario is delegated to the identity provider.
  • We will use the local identity provider in the HCP SDK for testing purposes in the upcoming exercises.
  • The ESPM application requires users in the role of a “Retailer” to authenticate in order to manage sales orders.
  • Consumers can access the Web shop anonymously.


Unit 2 – Protecting Against CSRF Attacks

See the video here: https://open.sap.com/courses/hcp2/items/2ZLa0Qd4Dx2Zg8f9Dh6ugJ

What you will learn

  • CSRF is (still) a serious Web attack.
  • Protection against it is YOUR responsibility.
  • HCP offers a protection mechanism based on a token (a nonce value) generated on each request and stored in the session.
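To make the synchronizer-token idea from this unit concrete, here is an added example of a servlet filter that implements it. It is not HCP's own CSRF filter and not code from the course; the header name `X-CSRF-Token`, the session attribute name and the class name are assumptions. On every safe request (GET, HEAD, OPTIONS) it generates a fresh nonce, stores it in the session and hands it to the client in a response header; every state-changing request must present the session's nonce or is rejected with 403.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Illustrative synchronizer-token CSRF filter (added example, not HCP's own filter).
 * Safe requests get a fresh nonce that is stored in the session and returned in the
 * X-CSRF-Token response header; every state-changing request must present that nonce
 * in the same request header, otherwise it is rejected with 403.
 */
public class CsrfTokenFilter implements Filter {
    static final String HEADER = "X-CSRF-Token";      // header name is an assumption
    static final String SESSION_KEY = "csrf.token";   // session attribute name, our choice
    private static final Set<String> SAFE_METHODS =
            new HashSet<>(Arrays.asList("GET", "HEAD", "OPTIONS"));
    private final SecureRandom random = new SecureRandom();

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(true);

        if (SAFE_METHODS.contains(request.getMethod())) {
            // Generate a new nonce on each safe request and hand it to the client;
            // the copy kept in the session is what modifying requests are checked against.
            String token = newToken();
            session.setAttribute(SESSION_KEY, token);
            response.setHeader(HEADER, token);
            chain.doFilter(req, res);
            return;
        }

        String expected = (String) session.getAttribute(SESSION_KEY);
        String presented = request.getHeader(HEADER);
        if (expected == null || presented == null || !constantTimeEquals(expected, presented)) {
            // No nonce in the session (fresh session) or a mismatch: the request did not
            // come from a page that previously obtained the nonce, so reject it.
            response.setHeader(HEADER, "Required");
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "CSRF token missing or invalid");
            return;
        }
        chain.doFilter(req, res);
    }

    /** 32 bytes from SecureRandom, encoded as URL-safe Base64 without padding. */
    String newToken() {
        byte[] bytes = new byte[32];
        random.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    /** Comparison that does not leak the position of the first mismatch via timing. */
    static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }
}
```

Register the filter in `web.xml` with a `<filter-mapping>` on the URL patterns that accept POST, PUT and DELETE (for ESPM, the sales order endpoints). The browser client reads the token from the header of any GET response and sends it back on modifying requests; a cross-site form post cannot read that header, so it fails the check. Rotating the nonce on every safe request, as this unit describes, means an earlier tab's token stops being valid after a newer GET; if that matters for your UI, keep one token per session instead and still compare it in constant time.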


Unit 3 – Working with the Authorization Management Platform API

See the video here: https://open.sap.com/courses/hcp2/items/1qxV3IafbKI4Pv5qDcMySe

What you will learn

  • Platform APIs provide programmatic access to core platform functions, such as user-to-role assignments using the Authorization Management API.
  • Platform APIs enable services and (SaaS) applications to integrate deeply with the platform.
  • The platform API consumer needs to obtain a valid OAuth access token from HCP to call the API.


Unit 4 – Working with Multiple Identity Providers

See the video here: https://open.sap.com/courses/hcp2/items/2nYQJPRGZdIg35e0XHtfLj

What you will learn

  • To manage different user groups of your application (e.g. internal and external users), multiple identity providers can be configured in your HCP account.
  • Selection of an identity provider other than the default is done with the URL query parameter saml2idp.


Unit 5 – Group Management

See the video here: https://open.sap.com/courses/hcp2/items/53l6pDzwuG8KoRiCETgQsO

What you will learn

  • Groups are collections of roles that allow the definition of business-level functions within your account.
  • They are similar to the actual business roles existing in an organization, such as “manager”, “employee”, “external”, and so on.
  • They simplify administration of authorizations and help you to get better alignment between technical Java EE roles and organizational roles.


Unit 6 – Federated Authorization with Groups

See the video here: https://open.sap.com/courses/hcp2/items/2vupl2cxvG3OP64atw3KzR

What you will learn

  • Assertion-based groups are groups determined by values of attributes in the SAML 2.0 assertion.
  • They provide an approach to scale the authorization management of large groups of users.
  • With federated authorization management, changes in users’ profiles at the identity provider that have an impact on their cloud authorizations become effective with the next login, and do not require any further role synchronization.
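The following added example (not part of the course and not the platform's implementation) shows what assertion-based group mapping looks like when written out: it parses the `AttributeStatement` of a constructed SAML 2.0 assertion, evaluates a small rule set ("attribute X has value Y, therefore group G") and then derives Java EE roles from the groups. The attribute names (`department`, `employment`), the group and role names and the rule set are all hypothetical; the rules are evaluated on every login and nothing is stored, which is why a profile change at the identity provider takes effect at the next login without any role synchronization.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Maps SAML 2.0 assertion attributes to groups and roles (added illustration). */
public class AssertionGroupMapper {
    static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    /** Constructed sample: the AttributeStatement of an assertion, signature omitted. */
    static final String SAMPLE_ASSERTION =
          "<saml:Assertion xmlns:saml=\"" + SAML_NS + "\" ID=\"_sample\" Version=\"2.0\">"
        + "<saml:AttributeStatement>"
        + "<saml:Attribute Name=\"department\"><saml:AttributeValue>Sales</saml:AttributeValue></saml:Attribute>"
        + "<saml:Attribute Name=\"employment\"><saml:AttributeValue>internal</saml:AttributeValue></saml:Attribute>"
        + "</saml:AttributeStatement></saml:Assertion>";

    /** One rule: if attribute NAME carries value VALUE, the user is in GROUP (hypothetical names). */
    static final class Rule {
        final String attribute, value, group;
        Rule(String attribute, String value, String group) {
            this.attribute = attribute; this.value = value; this.group = group;
        }
    }

    static final List<Rule> RULES = Arrays.asList(
        new Rule("department", "Sales",    "Retailer"),
        new Rule("employment", "internal", "Employee"),
        new Rule("employment", "external", "External"));

    /** Which Java EE roles each group carries (hypothetical group-to-role assignment). */
    static final Map<String, List<String>> GROUP_ROLES = new HashMap<>();
    static {
        GROUP_ROLES.put("Retailer", Arrays.asList("Retailer"));
        GROUP_ROLES.put("Employee", Arrays.asList("Employee"));
        GROUP_ROLES.put("External", Arrays.asList("WebShopUser"));
    }

    /** Collects Attribute Name -> list of AttributeValue texts from the assertion. */
    static Map<String, List<String>> extractAttributes(String assertionXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // The assertion is externally supplied XML: no DTDs, no external entity expansion.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setExpandEntityReferences(false);
        Document doc = f.newDocumentBuilder().parse(
            new ByteArrayInputStream(assertionXml.getBytes(StandardCharsets.UTF_8)));
        Map<String, List<String>> attrs = new HashMap<>();
        NodeList attributes = doc.getElementsByTagNameNS(SAML_NS, "Attribute");
        for (int i = 0; i < attributes.getLength(); i++) {
            Element a = (Element) attributes.item(i);
            List<String> values = new ArrayList<>();
            NodeList vs = a.getElementsByTagNameNS(SAML_NS, "AttributeValue");
            for (int j = 0; j < vs.getLength(); j++) values.add(vs.item(j).getTextContent().trim());
            attrs.put(a.getAttribute("Name"), values);
        }
        return attrs;
    }

    /** Evaluates the rules at login; nothing is persisted, so the result always reflects
     *  the identity provider's current view of the user. */
    static Set<String> resolveGroups(Map<String, List<String>> attrs) {
        Set<String> groups = new LinkedHashSet<>();
        for (Rule r : RULES) {
            List<String> values = attrs.get(r.attribute);
            if (values != null && values.contains(r.value)) groups.add(r.group);
        }
        return groups;
    }

    static Set<String> resolveRoles(Set<String> groups) {
        Set<String> roles = new LinkedHashSet<>();
        for (String g : groups) roles.addAll(GROUP_ROLES.getOrDefault(g, Collections.<String>emptyList()));
        return roles;
    }

    public static void main(String[] args) throws Exception {
        // In a real login the SAML stack verifies the assertion's signature, issuer,
        // audience and validity window before this point; attributes from an
        // unverified assertion must not feed authorization decisions.
        Map<String, List<String>> attrs = extractAttributes(SAMPLE_ASSERTION);
        Set<String> groups = resolveGroups(attrs);
        System.out.println("groups: " + groups + " roles: " + resolveRoles(groups));
    }
}
```

With the sample assertion the mapper yields the groups Retailer and Employee and the roles Retailer and Employee; changing the `employment` value to `external` at the identity provider would, at the next login, drop Employee and add External (and thus WebShopUser) without any change on the platform side. Because the rules turn identity-provider attributes directly into authorizations, the assertion's signature and the attribute names your rules rely on deserve the same review as a role assignment would.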


All the best,

