Hi everyone,

our openSAP course Developing Java-Based Apps on SAP Cloud Platform* (Update Q1/2017) started two weeks ago, on Wednesday, April 5th 2017, and ends on Thursday, May 18th 2017. It is a 5-week course followed by one more week for the final exam. New in this update is, among other things, a System Preparation week that opened one week before the actual course start. The document openSAP course guide – Developing Java-Based Apps on SAP Cloud Platform* (Update Q1/2017) – overview gives an overview of the course and links to all the week guides. This blog post guides you through week 3 of the course and provides additional material, explanations and FAQ around the topic of the week. Depending on the feedback and questions in the course forum I might add further material (e.g. videos) during and after the course to address frequently asked questions, so that you have a one-stop shop of additional materials for this course. I hope you will enjoy the week!

Content Week 3

The topic for week 3 is Security and Identity Management, and this is the content you can look forward to:

  • Unit 1: Authentication and Authorization
  • Unit 2: Protecting Against CSRF Attacks
  • Unit 3: Working with the Authorization Management Platform API
  • Unit 4: Working with Multiple Identity Providers
  • Unit 5: Group Management
  • Unit 6: Federated Authorization with Groups


Unit 1 – Authentication and Authorization

See the video here: https://open.sap.com/courses/hcp2-1/items/7v7ZBUYSgBcmytwXj7Tffh

What you will learn

  • Authentication in the ESPM scenario is delegated to the identity provider.
  • We will use the local identity provider in the HCP SDK for testing purposes in the upcoming exercises.
  • The ESPM application requires users in the role of a “Retailer” to authenticate in order to manage sales orders.
  • Consumers can access the Web shop anonymously.



Unit 2 – Protecting Against CSRF Attacks

See the video here: https://open.sap.com/courses/hcp2-1/items/Qt1fvdJ1TiC54mps13KF8

What you will learn

  • CSRF is (still) a serious Web attack.
  • Protection against it is YOUR responsibility.
  • HCP offers a protection mechanism based on a token (a nonce value) generated on each request and stored in the session.



Unit 3 – Working with the Authorization Management Platform API

See the video here: https://open.sap.com/courses/hcp2-1/items/3c4XZpiZqlZxes4FFW9NK1

What you will learn

  • Platform APIs provide programmatic access to core platform functions, such as user-to-role assignments using the Authorization Management API.
  • Platform APIs enable services and (SaaS) applications to integrate deeply with the platform.
  • The platform API consumer needs to obtain a valid OAuth access token from HCP to call the API.



Unit 4 – Working with Multiple Identity Providers

See the video here: https://open.sap.com/courses/hcp2-1/items/40gvK9h1lO8srOqzLqPWDW

What you will learn

  • To manage different user groups of your application (e.g. internal and external users), multiple identity providers can be configured in your HCP account.
  • Selection of an identity provider other than the default is done with the URL query parameter saml2idp.



Unit 5 – Group Management

See the video here: https://open.sap.com/courses/hcp2-1/items/Z6OFYKJZS2GB0QHnrnpQ1

What you will learn

  • Groups are collections of roles that allow the definition of business-level functions within your account.
  • They are similar to the actual business roles existing in an organization, such as “manager”, “employee”, “external”, and so on.
  • They simplify administration of authorizations and help you to get better alignment between technical Java EE roles and organizational roles.



Unit 6 – Federated Authorization with Groups

See the video here: https://open.sap.com/courses/hcp2-1/items/6cM1NlaHPv67kq9uugYgGC

What you will learn

  • Assertion-based groups are groups determined by values of attributes in the SAML 2.0 assertion.
  • They provide an approach to scale the authorization management of large groups of users.
  • With federated authorization management, changes in users’ profiles at the identity provider that have an impact on their cloud authorizations become effective with the next login, and do not require any further role synchronization.
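The following added example shows what "assertion-based groups" amount to in code: a small set of mapping rules is evaluated against the attributes carried in a user's SAML 2.0 assertion at login, and the resulting group memberships are derived on the spot rather than synchronized. It is illustrative code written for this guide, not the platform's implementation; the rule operators (`equals`, `startsWith`, `regex`), the attribute names and the sample user are assumptions constructed for the example.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

/**
 * Illustrative evaluation of assertion-based group rules (example code,
 * not the platform's own implementation). Each rule says: if SAML attribute
 * ATTRIBUTE matches VALUE under OPERATOR, the user is a member of GROUP.
 */
public class AssertionGroupMapper {

    static final class Rule {
        final String attribute;
        final String operator;   // "equals", "startsWith" or "regex": assumption of this example
        final String value;
        final String group;

        Rule(String attribute, String operator, String value, String group) {
            this.attribute = attribute;
            this.operator = operator;
            this.value = value;
            this.group = group;
        }
    }

    private final List<Rule> rules;

    AssertionGroupMapper(List<Rule> rules) {
        this.rules = rules;
    }

    /**
     * attributes: the (possibly multi-valued) attribute statement of one login assertion.
     * Returns the groups granted for this login only; nothing is persisted.
     */
    Set<String> groupsFor(Map<String, List<String>> attributes) {
        Set<String> groups = new TreeSet<>();
        for (Rule rule : rules) {
            List<String> values = attributes.getOrDefault(rule.attribute, Collections.<String>emptyList());
            for (String v : values) {
                if (matches(rule, v)) {
                    groups.add(rule.group);
                    break;   // one matching value is enough for this rule
                }
            }
        }
        return groups;
    }

    static boolean matches(Rule rule, String v) {
        switch (rule.operator) {
            case "equals":     return v.equals(rule.value);
            case "startsWith": return v.startsWith(rule.value);
            case "regex":      return v.matches(rule.value);
            default: throw new IllegalArgumentException("unknown operator: " + rule.operator);
        }
    }

    public static void main(String[] args) {
        // Constructed rules: attribute names and groups are assumptions of the example.
        List<Rule> rules = Arrays.asList(
                new Rule("department", "equals", "Sales", "Retailer"),
                new Rule("mail", "regex", ".*@example\\.com$", "Employee"),
                new Rule("cost_center", "startsWith", "CC-42", "Manager"));
        AssertionGroupMapper mapper = new AssertionGroupMapper(rules);

        // Constructed sample: attributes of one user's login assertion.
        Map<String, List<String>> alice = new HashMap<>();
        alice.put("department", Arrays.asList("Sales"));
        alice.put("mail", Arrays.asList("alice@example.com"));
        alice.put("cost_center", Arrays.asList("CC-4201"));
        System.out.println("first login:  " + mapper.groupsFor(alice));

        // Same user after HR moved her out of Sales at the identity provider:
        // the Retailer group is simply not granted at her next login.
        alice.put("department", Arrays.asList("Marketing"));
        System.out.println("next login:   " + mapper.groupsFor(alice));
    }
}
```

The second call in `main` is the point of the unit: nothing in the application or the account had to be updated when the user's department changed at the identity provider; the next assertion carries the new attribute value and the derived group membership follows it.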



All the best,


*) Please note: SAP has announced that SAP HANA Cloud Platform is being renamed to SAP Cloud Platform. You can read more about the reasons behind the change and what you can expect in the official SAP Press Release.
