Technical Articles
Configuring OAuth 2.0 between SAP Hybris Cloud for Customer and SAP Cloud Platform
Summary
This blog describes the steps necessary to configure user-propagation (a.k.a. Single-Sign-On or SSO) between an extension app running on SAP Cloud Platform (SCP) and SAP Hybris Cloud for Customer (C4C) based on the User ID of the user logged in to SCP.
SAP Hybris Cloud for Customer supports OAuth 2.0 SAML Bearer Assertion Flow.
For more up-to-date information on this topic, please refer to this online help page.
Prerequisites
- The OAuth 2.0 based authentication between SCP and C4C requires the same user-id to exist in both SAP Cloud Platform and SAP Hybris Cloud for Customer.
- In C4C:
- An OAuth Identity Provider is configured.
- An OAuth client is registered to be used by the destination created in SCP.
- In SCP:
- A destination pointing to the OAuth client registered in C4C.
- The App uses the destination created in the previous step.
Configuring SAP Hybris Cloud for Customer
Capturing the required information from SAP Cloud Platform
In order to configure the OAuth Identity Provider in C4C, you will need some information from the respective SCP tenant. Hence, in a separate browser window, go to SAP Cloud Platform Cockpit and open Trust under Security.
Then follow the steps below:
- Temporarily change the Configuration Type to “Custom”.
- Copy “Local Provider Name” to provide as the value for “Issuing Entity Name” while configuring the OAuth 2.0 Identity Provider in C4C.
- Copy the text under “Signing Certificate” and save it as a .cer certificate file.
The Certificate file mentioned above should have the following format:
-----BEGIN CERTIFICATE-----
<The text copied from the Signing Certificate box in Trust Management screen in SCP>
-----END CERTIFICATE-----
Make sure to click on Cancel to discard any changes you might have made in the “Trust Management” screen.
Creating an OAuth Identity Provider
Open Configure OAuth 2.0 Identity Provider under ADMINISTRATOR à COMMON TASKS and click on New OAuth 2.0 Provider.
Then follow the steps below:
- Set “Issuing Entity Name” to the value of “Local Provider Name” copied from Trust Management screen in SCP Cockpit.
- Set the .cer certificate file created in the previous topic, to “Primary Signing Certificate”.
- Marking Email Address in the above screen has no effect. Hence, leave it as is.
After successful configuration, OAuth 2.0 Identity Provider should be listed as active.
Registering an OAuth 2.0 Client
Open OAUTH2.0 CLIENT REGISTRATION tab under ADMINISTRATOR and click on New.
Then follow the steps below:
- Client ID is automatically generated.
- Enter a value under Client Secret.
- Provide a suitable description for your client registration.
- Choose the previously defined OAuth 2.0 Identity provider, as the Issuer Name.
- By default, OAuth token will be valid for 3600 seconds (i.e. 1 hour). Feel free to change this value, if you need.
- Under scope, select the desired value(s). UWC:CC_HOME should work for most.
Configuring SAP Cloud Platform
Capturing the required information from SAP Hybris Cloud for Customer
In C4C, go to ADMINISTRATOR à COMMON TASKS à Configure Single Sign-On. The value under Local Service Provider should be assigned to Audience in the respective SCP destination.
Defining an OAuth 2.0 destination in SAP Cloud Platform
In SAP Cloud Platform, destinations are the ports that allow access to external systems based on various options. Extension apps then refer to these destinations to connect to their desired external systems.
In order to create a new OAuth 2.0 destination pointing to your C4C tenant, in SAP Cloud Platform Cockpit, under Connectivity, choose Destinations. Then, Click on “New Destination”
Following table describes the parameters required for configuring an OAuth 2.0 destination in SCP.
| Parameter | Value |
| Name | A descriptive name uniquely identifying the newly created destination |
| Type | HTTP |
| URL |
OData Service URL e.g. https://my315537.crm.ondemand.com/sap/c4c/odata/v1/c4codata |
| Proxy Type | Internet |
| Authentication | OAuth2SAMLBearerAssertion |
| Audience | “Local Service Provider” from C4C SSO Configuration screen |
| Client Key | Generated “Client ID” of the registered OAuth 2.0 Client in C4C |
| Token Service URL | https://my<tenantID>.crm.ondemand.com/sap/bc/sec/oauth2/token |
| Token Service User | Generated “Client ID” of the registered OAuth 2.0 Client in C4C |
| Token Service Password | “Client Secret” of the registered OAuth 2.0 Client in C4C |
| Additional Parameter | Value |
| authnContextClassRef | urn:none |
| nameIdFormat | urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified |
| scope | Required scope in C4C. E.g. UIWC:CC_HOME |
Here is an example for a destination definition named “OAuth2” with standard and additional parameters:
Please note that modifications to an existing destination will take several minutes to take effect. In order to avoid possible issues, you may want to stop your app and restart it before testing your changes in the destination.
As there are several steps, it is rather easy to make mistakes while configuring the OAuth between SCP and C4C. Hence, please take your time in following the steps above.
Best,
-Mustafa.
Great Document Mustafa.
Regards,
Grayson
Hi Mustafa.
Great document – with a lot of valuable information.
You are using SCP as the platform for your extension app – but do you know if the same can be achieved when using Azure as the platform. We are using Azure as IdentityProvider for both the extension app and for C4C (set up as SSO IDP).
What I would like is when my users are authenticated to the extension app, then the app should be able to extract data via oData from C4C with the user’s credentials without the user having to sign in to C4C.
The extension app is developed in .net, and used from a browser (IE/Chrome).
Will this be possible?
Best regards
Anders Brødsgaard/Vestas Wind Systems
Hi Anders,
OAuth 2.0 being an industry standard, I don't see any issue from the C4C side to support your Azure based app. Essentially, when your non-SAP IdP is defined as an OAuth IdP in C4C, and the associated users exist on both systems (C4C and Azure), it should work - assuming that Azure supports OAuth 2.0 SAML Bearer flow.
Regards,
Mustafa.
Hi Mustafa,
Thanks for the reply!
I need to check up on the Azure capabilities, but according to their documentation “Azure AD supports the OAuth 2.0 and OpenID Connect standards that make extensive use of bearer tokens, including bearer tokens represented as JWTs.”
I’m not sure how if a JWT token differs from flow SAP is using?
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-authentication-scenarios
Regards,
Anders
Hi Anders,
JWT and SAML bearer flow are not the same. Please note that if Azure doesn't provide built-in support for OAuth 2.0 SAML Bearer flow, you can always implement it within your application.
Please refer to the sample app on C4C OData API Developer's guide - https://github.com/SAP/C4CODATAAPIDEVGUIDE/tree/master/OAuthSAMLClient. Possibly, you can also find a .net example on the Internet.
Regards,
Mustafa.
Hi Mustafa
Thanks again - I'll look into the provided example to see if I can get it working 🙂
Regards,
Anders
Hi Anders (and others finding this post):
The OAuthSAMLBearer flow C4C uses is rather arcane and you won't find common market implementations. You will have to write your own OAuth client for authenticating against C4C. SAP provides an example implementation in Java here: https://github.com/SAP/C4CODATAAPIDEVGUIDE/tree/master/OAuthSAMLClient
You would have to re-implement this in your Azure landscape. The details will depend very much on your exact architecture. Likely you will want to extend Azure AD to do the C4C authentication for your app and provide the C4C OAuth access token to your app.
Alternatively you could make the OAuth client part of your app - but that would turn OAuth on its head as it would mean your app is fully trusted.
Either way it's going to be a custom implementation.
Hi Mustafa,
Thanks for the great article shared!
I'm newbie learning cloud mechanism and finding solutions for this.
Currently I'm configuring the OAuth2.0 for consuming C4C Odata from SCP Apps following the same steps provided but encounter the error: Response returned: "401: Unauthorized" when check connection. From my side, notice that the audience url pattern with https://<tenant-id>-sso.crm.ondemand.com which is slightly different.
Also, as mentioned that prerequisites of same user-id have to exist in both C4C and SCP, can you please provide some input on how user-id will be called from html5 apps as we doesn't provide user-id in the setting?
Thanks in advance.
We also encountered the same error. We have an S-user in the Cloud Platform and we cannot create a user with the same user ID in C4C. Do the user ids need to match?
Thanks,
Jay
We changed the Cloud Elements userid to match the SCP Hana trial account. Do you have some steps in terms of testing this out? E.g. from Postman?
Thanks,
Jay
Hi Jay,
After the configurations, try to access your Web App. This should take you to the IdP's login page and after successful login (with the user configured between your app and C4C) to your Web App. If the configuration is correct, your app can make OData calls without additional authentication dialogs. These calls will be made under the same user id authenticated by the IdP.
Regards,
Mustafa.
Thanks Mustafa.
I am creating the application - HTML5 app with SAP Web IDE on HCP using C4C OData (Basic authentication)
I will use the destination with Oauth2.0 instead. So this should bring in the login page of the OAuth Provider. I will update this with my findings.
I appreciate your help.
Regards,
Jay
Hi Mustafa,
I was able to get the application to work with the Basic authentication. I had to make some slight code changes to make it work. It looks like the SAP UI5 version update causes some issues but I got past that.
I created a copy of the application and pointed to the OAuth destination but it did not work. When I analyze this, I see an error when the application tries to connect to the destination.
Thanks,
Jay
Hi Mustafa,
Here is the SAP UI5 working with Basic Authentication.
For the copy of the application but pointing to the destination using OAuth 2.0, it errors in the metadata call with HTTP Status 500 - internal server error:
And here is our destination:
Thanks,
Jay
Hey Jay Malla,
I have the same issue when trying to configure my destination to C4C OData with OAuth 2.0. Did you manage to find a solution to the 500 internal server errors?
Kind regards,
Jan De Roeck
Hi Jan,
The problem was with the Local Provider Name from SCP not matching the Issued To and Issued By Common Name in the C4C - Configure OAuth2.0 Identity Provider section:
Hi Mustafa,
Thanks for sharing the Informative Blog and Quite useful. This covers connectivity and authentication from SCP to C4C using IdP and OAUTH2.0.
We are trying for connectivity between C4C to SCP to consume an API for Processing.
SI Vendor is saying OAUTH2.0 between C4C -> SCP is not supported. We raised an SAP incident and SAP comes back to confirm the same.
I am little surprised though, since the screenshots above clearly shows OAUTH2.0 setup and configuration in C4C.
Could you please confirm and let me know
a) whether OAUTH2.0 connectivity supported from C4C to SCP to consume API
b) Whether this connectivity is supported for Cloud Foundary Environment
b) Is there any limitation on maintaining URL length in C4C (we are facing 84 char limit to maintain SCP Cloud Foundary domain URL in C4C).
Thanks in Advance and Regards,
Sampath Kumar N
Hi Mustafa,
Thanks for sharing the Informative Blog and Quite useful. This covers connectivity and authentication from SCP to C4C using IdP and OAUTH2.0.
We are trying for connectivity between C4C to SCP to consume an API for Processing.
SI Vendor is saying OAUTH2.0 between C4C -> SCP is not supported. We raised an SAP incident and SAP comes back to confirm the same.
I am little surprised though, since the screenshots above clearly shows OAUTH2.0 setup and configuration in C4C.
Could you please confirm and let me know
a) whether OAUTH2.0 connectivity supported from C4C to SCP to consume API
b) Whether this connectivity is supported for Cloud Foundary Environment
b) Is there any limitation on maintaining URL length in C4C (we are facing 84 char limit to maintain SCP Cloud Foundary domain URL in C4C).
Thanks in Advance and Regards,
Sampath