Skip to Content

Partner Directory – Partner Dependent User Credential Selection

In the previous blog Partner Directory – Step-by-Step Example we developed a scenario where the connection from the integration flow to the receiver partners was done via HTTPS with client-certificate authentication. In this blog, we change the authentication method to BASIC. The consequence is that the user credentials must be dynamically selected from the Partner Directory for the called receivers.

We describe how the integration flow of the previous blog must be changed and which additional Partner Directory entries are necessary.

Scenario

The following diagram describes the changed scenario.

Diagram 1: Scenario

The SOAP Receiver Channel now uses BASIC authentication instead of client-certificate authentication to connect to the receiver partners and the Partner Directory contains User Credential Parameters for the receiver partners “Receiver_1” and “Receiver_2”.

Precondition

For building this scenario, you need two communication users which are registered in the SAP Cloud ID service. As communication users, you could also use your Tenant Administrator or Integration Developer user.

Configuration Steps

We enumerate the necessary steps to change the scenario of the previous blog.

Step 1: Assign receiver_1.send/receiver_2.send Role to Communication User in Receiver Tenant

The receiver iflows of the receivers “Receiver_1” and “Receiver_2” are protected by the roles “receiver_1send” and “receiver_2.send” (see previous blog). Assign the role “receiver_1.send” to the communication user of the receiver “Receiver_1” and the role “receiver_2.send” to the communication user of the receiver “Receiver_2” in the SAP Cloud Platform Cockpit of the receiver tenant for the worker node application (typically “iflmap”).

Step 2: Change Receiver Channel

In the Partner Directory integration flow, change the receiver channel, as shown in the following screen shot.

Screen Shot 1: Receiver Channel with BASIC Authentication and Dynamic Credential Selection

Change in the “Connection” tab the “Authentication” to “Basic”.

Enter in the “Credential Name” “$property.RECEIVER_CREDENTIAL”, so that during the execution the credential alias is dynamically read from the exchange property “RECEIVER_CREDENTIAL”.

Step 3: Adapt Script Step

Enhance the script step of the Partner Directory integration flow. The following Groovy Script contains the enhancement.

import com.sap.gateway.ip.core.customdev.util.Message;
import java.util.HashMap;
import com.sap.it.api.pd.PartnerDirectoryService;
import com.sap.it.api.ITApiFactory;
def Message processData(Message message) {
       def service = ITApiFactory.getApi(PartnerDirectoryService.class, null); 
       if (service == null){
          throw new IllegalStateException("Partner Directory Service not found");
       }
       def map = message.getProperties();
       // Partner Authorization
       def headers = message.getHeaders();
       def user = headers.get("SapAuthenticatedUserName");
       if (user == null){
          throw new IllegalStateException("User is not set in the header 'SapAuthenticatedUserName'")      
       }

       def senderPid = service.getPartnerIdOfAuthorizedUser(user);
       if (senderPid == null){
		   throw new IllegalStateException("No partner ID found for user "+user);
       }

       def senderId = map.get("SENDER_ID");
       if (senderId == null){
          throw new IllegalStateException("Sender ID is not set in the property 'SENDER_ID'")      
       }
 
        // compare the two sender partner IDs!
	if (!senderId.equals(senderPid )){
	    throw new IllegalStateException("User "+user+" is not authorized to send messages with ID "+senderId);
	}
       

        // RECEIVER_ADDRESS determination
        def receiverId = map.get("RECEIVER_ID");
        if (receiverId == null){
          throw new IllegalStateException("Receiver ID is not set in the property 'RECEIVER_ID'")      
        }

        def parameterValue = service.getParameter("ADDRESS", receiverId , String.class);
        if (parameterValue == null){
            throw new IllegalStateException("ADDRESS parameter not found in the Partner Directory for the partner ID "+receiverId);      
        }

        message.setProperty("RECEIVER_ADDRESS", parameterValue );

        message.setProperty("RECEIVER_CREDENTIAL", "pd:"+receiverId+":USER:UserCredential" );

        return message;
}

The only enhancement is the insertion of the second last line

message.setProperty("RECEIVER_CREDENTIAL", "pd:"+receiverId+":USER:UserCredential" )

which sets the Partner Directory URI

"pd:"+receiverId+":USER:UserCredential"

to the exchange property “RECEIVER_CREDENTIAL”.

With an URI of the format

pd:<partner ID>:<parameter ID>:UserCredential

you can reference a User Credential created via the Partner Directory OData API (see next step).

Step 4: Create User Credential Parameters via the Partner Directory OData API

Use the Partner Directory OData API to create User Credential parameters. See also “Step 3: Adding Partner Information to the Partner Directory“ of the previous blog.

Use the address

https://<tmn>/api/v1/UserCredentialParameters

and the request message body

{"Pid":"Receiver_1","Id":"USER","User":"<communication user of Receiver_1>", "Password":"<password of communication user>"}

for creating a User Credential entry for receiver “Receiver_1”.

Additionally, create a User Credential entry for the receiver “Receiver_2” with the request body

{"Pid":"Receiver_2","Id":"USER","User":"<communication user of Receiver_2>", "Password":"<password of communication user>"}

Further, supported OData Requests for User Credential Parameters are described in Requests for UserCredentialParameter.

You should see the created entries in the SAP Cloud Integration Cockpit. See the following screen shot.

The names of the user credential entries created by the OData API have the format

pd:<partner ID>:<parameter ID>:UserCredential

which is the same format as you used in the script for the exchange property “RECEIVER_CREDENTIAL”.

In principle, you can also use the editor in the SAP Cloud Integration Platform Cockpit to create these entries (“Add” button shown in the above screen shot).

Call the Integration Flow

Now you can call the integration flow in the same way as described in the previous blog in the chapters “Step 5: Call the Integration Flow“ and “Step 6.3 Calling the Partner Directory Integration Flow with OAuth Sender”.

To report this post you need to login first.

Be the first to leave a comment

You must be Logged on to comment or reply to a post.

Leave a Reply