Product Information
Cloud Integration – Partner Directory – Partner Dependent User Credential Selection
Partner Directory – Partner Dependent User Credential Selection
In the previous blog Partner Directory – Step-by-Step Example we developed a scenario where the connection from the integration flow to the receiver partners was done via HTTPS with client-certificate authentication. In this blog, we change the authentication method to BASIC. The consequence is that the user credentials must be dynamically selected from the Partner Directory for the called receivers.
We describe how the integration flow of the previous blog must be changed and which additional Partner Directory entries are necessary.
Scenario
The following diagram describes the changed scenario.
Diagram 1: Scenario
The SOAP Receiver Channel now uses BASIC authentication instead of client-certificate authentication to connect to the receiver partners and the Partner Directory contains User Credential Parameters for the receiver partners “Receiver_1” and “Receiver_2”.
Precondition
For building this scenario, you need two communication users which are registered in the SAP Cloud ID service. As communication users, you could also use your Tenant Administrator or Integration Developer user.
Configuration Steps
We enumerate the necessary steps to change the scenario of the previous blog.
Step 1: Assign receiver_1.send/receiver_2.send Role to Communication User in Receiver Tenant
The receiver iflows of the receivers “Receiver_1” and “Receiver_2” are protected by the roles “receiver_1send” and “receiver_2.send” (see previous blog). Assign the role “receiver_1.send” to the communication user of the receiver “Receiver_1” and the role “receiver_2.send” to the communication user of the receiver “Receiver_2” in the SAP BTP Cockpit of the receiver tenant for the worker node application (typically “iflmap”).
Step 2: Change Receiver Channel
In the Partner Directory integration flow, change the receiver channel, as shown in the following screen shot.
Screen Shot 1: Receiver Channel with BASIC Authentication and Dynamic Credential Selection
Change in the “Connection” tab the “Authentication” to “Basic”.
Enter in the “Credential Name” “$property.RECEIVER_CREDENTIAL”, so that during the execution the credential alias is dynamically read from the exchange property “RECEIVER_CREDENTIAL”.
Step 3: Adapt Script Step
Enhance the script step of the Partner Directory integration flow. The following Groovy Script contains the enhancement.
import com.sap.gateway.ip.core.customdev.util.Message;
import java.util.HashMap;
import com.sap.it.api.pd.PartnerDirectoryService;
import com.sap.it.api.ITApiFactory;
def Message processData(Message message) {
def service = ITApiFactory.getApi(PartnerDirectoryService.class, null);
if (service == null){
throw new IllegalStateException("Partner Directory Service not found");
}
def map = message.getProperties();
// Partner Authorization
def headers = message.getHeaders();
def user = headers.get("SapAuthenticatedUserName");
if (user == null){
throw new IllegalStateException("User is not set in the header 'SapAuthenticatedUserName'")
}
def senderPid = service.getPartnerIdOfAuthorizedUser(user);
if (senderPid == null){
throw new IllegalStateException("No partner ID found for user "+user);
}
def senderId = map.get("SENDER_ID");
if (senderId == null){
throw new IllegalStateException("Sender ID is not set in the property 'SENDER_ID'")
}
// compare the two sender partner IDs!
if (!senderId.equals(senderPid )){
throw new IllegalStateException("User "+user+" is not authorized to send messages with ID "+senderId);
}
// RECEIVER_ADDRESS determination
def receiverId = map.get("RECEIVER_ID");
if (receiverId == null){
throw new IllegalStateException("Receiver ID is not set in the property 'RECEIVER_ID'")
}
def parameterValue = service.getParameter("ADDRESS", receiverId , String.class);
if (parameterValue == null){
throw new IllegalStateException("ADDRESS parameter not found in the Partner Directory for the partner ID "+receiverId);
}
message.setProperty("RECEIVER_ADDRESS", parameterValue );
message.setProperty("RECEIVER_CREDENTIAL", "pd:"+receiverId+":USER:UserCredential" );
return message;
}The only enhancement is the insertion of the second last line
message.setProperty("RECEIVER_CREDENTIAL", "pd:"+receiverId+":USER:UserCredential" )which sets the Partner Directory URI
"pd:"+receiverId+":USER:UserCredential"to the exchange property “RECEIVER_CREDENTIAL”.
With an URI of the format
pd:<partner ID>:<parameter ID>:UserCredentialyou can reference a User Credential created via the Partner Directory OData API (see next step).
Step 4: Create User Credential Parameters via the Partner Directory OData API
Use the Partner Directory OData API to create User Credential parameters. See also “Step 3: Adding Partner Information to the Partner Directory“ of the previous blog.
Use the address
https://<tmn>/api/v1/UserCredentialParametersand the request message body
{"Pid":"Receiver_1","Id":"USER","User":"<communication user of Receiver_1>", "Password":"<password of communication user>"}for creating a User Credential entry for receiver “Receiver_1”.
Additionally, create a User Credential entry for the receiver “Receiver_2” with the request body
{"Pid":"Receiver_2","Id":"USER","User":"<communication user of Receiver_2>", "Password":"<password of communication user>"}Further, supported OData Requests for User Credential Parameters are described in Requests for UserCredentialParameter.
You should see the created entries in the SAP Cloud Integration Cockpit. See the following screen shot.
The names of the user credential entries created by the OData API have the format
pd:<partner ID>:<parameter ID>:UserCredentialwhich is the same format as you used in the script for the exchange property “RECEIVER_CREDENTIAL”.
In principle, you can also use the editor in the SAP Cloud Integration WEBUI to create these entries (“Add” button shown in the above screen shot).
Call the Integration Flow
Now you can call the integration flow in the same way as described in the previous blog in the chapters “Step 5: Call the Integration Flow“ and “Step 6.3 Calling the Partner Directory Integration Flow with OAuth Sender”.