
Single sign-on, or principal propagation, is the ability of a system to securely forward the identity of the user (the principal) from a sender to a receiver, such that the forwarded user information stays confidential and cannot be altered in transit. Based on a pre-established trust relationship with the sender, the receiver uses this information to log the user on without asking for credentials again.

The diagram below shows the user principal flow from Fiori Applications to the on-premise SAP Gateway or Backend system for APIs protected via SAP Cloud Platform API Management.

To establish such user propagation, trust has to be established between the SAP Cloud Platform account running the Fiori application and the SAP Cloud Platform API Management account, which is done by exchanging certificates. On the SAP Gateway system, SAP Cloud Platform API Management is onboarded as a trusted SAML Identity Provider so that the SAML assertion generated by API Management can be validated and processed on the SAP backend system. The SAML assertion passed from the Fiori application is validated using the certificate imported into the API Management account; only after the signature validates is the user's identity read from the assertion, and API Management then issues a new, short-lived SAML assertion for that user. The SAML response containing the SAML assertion is base64 encoded and passed to the SAP Gateway OData APIs in the Authorization header, in the format shown below.

Header Name      Format
Authorization    SAML2.0 <base64_encoded_saml_response>

In SAP Cloud Platform API Management, the Validate SAML Assertion policy can be used to validate the SAML assertion passed from the Fiori application. At a high level, the SAML validation flow consists of the following steps:

  1. Raise a 401 security error if no Authorization header is passed.
  2. Read the SAML assertion passed in the Authorization header.
  3. Base64-decode the SAML assertion passed from the Fiori application.
  4. The SAML assertion passed from SAP Cloud Platform does not contain the X.509 certificate information (the KeyInfo element of the signature) that the Validate SAML Assertion policy requires in order to match the signer against the trust store, so this element has to be added using a JavaScript policy. The certificate inserted there is the one uploaded from the trusted SAP Cloud Platform account, never a value taken from the request.
  5. Validate the SAML assertion against the SAML certificate of the SAP Cloud Platform account held in the trust store.
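The following is an added example, not code from the SAP policy template, showing steps 1 to 4 as plain Node.js functions. In a JavaScript policy the same logic would read the header from, and write the result to, flow variables through the context object, which is not modelled here; step 5 is left to the Validate SAML Assertion policy and is not re-implemented. The function names, the SecurityError type, the sample SAML response and the placeholder certificate value are assumptions for illustration.

```javascript
// Added example (not the SAP policy template's own code): the pre-processing a
// JavaScript policy performs before the Validate SAML Assertion policy runs.
// Names below (SecurityError, readSamlHeader, ...) are illustrative.

const SCHEME = "SAML2.0";

// Carries the HTTP status a RaiseFault policy would return for the request.
class SecurityError extends Error {
  constructor(status, message) {
    super(message);
    this.status = status;
  }
}

// Steps 1 and 2: reject a missing header, then accept only "SAML2.0 <token>".
function readSamlHeader(authorization) {
  if (!authorization) {
    throw new SecurityError(401, "Missing Authorization header");
  }
  const [scheme, token, ...rest] = authorization.trim().split(/\s+/);
  if (scheme !== SCHEME || !token || rest.length > 0) {
    throw new SecurityError(401, `Authorization header must be "${SCHEME} <base64 SAML response>"`);
  }
  return token;
}

// Step 3: base64-decode the token and check that it is a SAML 2.0 Response
// before handing it to anything that parses XML.
function decodeSamlResponse(token) {
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(token)) {
    throw new SecurityError(401, "Authorization token is not valid base64");
  }
  const xml = Buffer.from(token, "base64").toString("utf8");
  const isSaml2Response =
    /<(\w+:)?Response[\s>]/.test(xml) && xml.includes("urn:oasis:names:tc:SAML:2.0:protocol");
  if (!isSaml2Response) {
    throw new SecurityError(401, "Payload is not a SAML 2.0 response");
  }
  return xml;
}

// Step 4: the assertion issued by SAP Cloud Platform carries a ds:Signature but
// no ds:KeyInfo. Validate SAML Assertion needs the signing certificate in
// KeyInfo/X509Data/X509Certificate to match it against the trust store, so it is
// inserted here. samlRootCert is the trusted certificate from our own
// configuration (raw base64 DER, no PEM header), never a value from the request.
// KeyInfo sits outside SignedInfo, so adding it does not break the signature.
function injectSigningCertificate(xml, samlRootCert) {
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(samlRootCert)) {
    throw new Error("samlRootCert must be raw base64 without PEM header/footer");
  }
  if (/<(\w+:)?KeyInfo[\s>]/.test(xml)) {
    return xml; // already present: leave the signed document untouched
  }
  const m = /<\/((\w+):)?SignatureValue>/.exec(xml);
  if (m === null) {
    throw new SecurityError(401, "SAML response is not signed");
  }
  const p = m[1] || ""; // namespace prefix in use, e.g. "ds:"
  const keyInfo =
    `<${p}KeyInfo><${p}X509Data><${p}X509Certificate>${samlRootCert}` +
    `</${p}X509Certificate></${p}X509Data></${p}KeyInfo>`;
  const at = m.index + m[0].length;
  return xml.slice(0, at) + keyInfo + xml.slice(at);
}

// Steps 1-4 in order; the result is what the Validate SAML Assertion policy consumes.
function prepareSamlResponse(authorization, samlRootCert) {
  const xml = decodeSamlResponse(readSamlHeader(authorization));
  return injectSigningCertificate(xml, samlRootCert);
}

// Constructed sample input (not a real SAP assertion): a signed response whose
// Signature has no KeyInfo, wrapped the way the Fiori application sends it.
const SAMPLE_RESPONSE =
  '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ' +
  'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ' +
  'xmlns:ds="http://www.w3.org/2000/09/xmldsig#">' +
  '<saml:Assertion><saml:Subject><saml:NameID>P000001</saml:NameID></saml:Subject>' +
  '<ds:Signature><ds:SignedInfo/><ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue>' +
  '</ds:Signature></saml:Assertion></samlp:Response>';
const SAMPLE_HEADER = SCHEME + " " + Buffer.from(SAMPLE_RESPONSE, "utf8").toString("base64");
const SAMPLE_CERT = "MIIBplaceholderCertificateBase64"; // placeholder, not a real certificate

// Running the file stand-alone performs steps 1-4 on the constructed sample.
const PREPARED_SAMPLE = prepareSamlResponse(SAMPLE_HEADER, SAMPLE_CERT);
```

Every rejection is a 401 rather than a 400 or 500 so that a caller cannot distinguish a malformed token from a missing one, and the certificate is injected only when no KeyInfo is present, so a response that already carries one is passed through unchanged for the policy to judge against the trust store.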

The Security Best Practices package on SAP API Business Hub contains policy templates for API security best practices, including a policy template for validating SAML assertions.

In this blog, we describe how the user principal passed from the Fiori application to protected on-premise APIs is validated on SAP Cloud Platform API Management, and how the user's identity carried in the SAML assertion is read and validated. This blog also covers the steps to establish trust between the SAP Cloud Platform account where the Fiori application is running and the SAP Cloud Platform API Management account.

Part 2 of the blog covers the steps to onboard SAP Cloud Platform API Management as a trusted SAML Identity Provider in SAP Gateway and to generate a short-lived SAML assertion in API Management, which is then passed to SAP Gateway.

Configuration on SAP Cloud Connector for On-Premise connectivity

Note: This step is optional and is required only if the SAP backend is available on premise and SAP Cloud Connector is used for the cloud-to-on-premise connectivity.

Follow the configuration described in the SAP Help documentation to install and configure SAP Cloud Connector, then create an Access Control entry for the SAP backend system.

  • While creating the Access Control entry, set the principal type to None so that the SAML assertion passed by SAP Cloud Platform API Management is forwarded as-is by SAP Cloud Connector.

Note: The whitelisted resource paths in the Access Control settings of Cloud Connector are case-sensitive, so make sure each resource path is maintained in the same case as the path entered in the API proxy's target endpoint.

Configuring trust between the SAP Cloud Platform account and the SAP Cloud Platform API Management account

Enable Principal Propagation

  • Log on to your SAP Cloud Platform account.
  • From the hamburger icon, click the Trust tab under Security and then click the Edit button under the Local Service Provider tab.
  • Select the option Enabled for Principal Propagation and click the Save button to confirm the change.


Certificate download from SAP Cloud Platform account

  • From the hamburger icon, click the Trust tab under Security and then click the Edit button under the Local Service Provider tab.
  • From Configuration Type, select Custom.
  • Copy the content of the Signing Certificate field and save it locally in a file (say cert.pem). This certificate has to be imported into the trust store of SAP Cloud Platform API Management and is used to validate the SAML assertion. After copying the certificate content into the local file, click Cancel so that the configuration itself is left unchanged.
  • Add -----BEGIN CERTIFICATE----- as the first line and -----END CERTIFICATE----- as the last line of the file, so that the content looks as follows:

-----BEGIN CERTIFICATE-----
<base64-encoded signing certificate copied from the Trust tab>
-----END CERTIFICATE-----

Upload Certificate to SAP Cloud Platform, API Management


  • Click on the link Access API Portal to open API Portal.


  • Click on Certificate tab and then click on Create button

  • In the Create Certificate screen, select Trust Store from the drop-down and then select the option New Store. Enter the store name and name as given in the table below; these values are referenced by the ValidateSAMLAssertion policy. Use the Browse button to upload the cert.pem file created in section Certificate download from SAP Cloud Platform account, then click the Create button.

Store Name    samlroot
Name          saml

Copy UserPropagationViaSAML policy template to your API Management

  • Navigate to Discover to see all the APIs and policy templates published by SAP and selected partners on SAP API Business Hub.
  • Click on the ALL tab, search for Security Best Practices and open the Security Best Practices package from the search results.

  • Navigate to the Artifacts tab and click on Actions button associated with policy template Principal_Propagation_via_SAML and select Copy

  • Policy template Principal_Propagation_via_SAML is copied to your API Management tenant, go to Policy Template tab under Develop and verify.

Create an API Provider to the SAP Gateway System

  • Navigate to the SAP Cloud Platform, API Management API Portal tenant ( https://yourapimanagement/shell/develop ).
  • Click on the API Provider tab and then click Create to create a new API Provider. In the host field, enter the virtual host and port used in the SAP Cloud Connector Access Control section. Check the Use SSL flag and set the On Premise flag to true.


Create an API Proxy to connect to SAP Gateway OData API

  • Click on the API Proxy tab and then click the Create button to create a new API Proxy. In the Create Proxy screen, select the API Provider created in the previous section and provide the base path of the APIs. Enter details such as the proxy name, title and base path, then click Create.


  • Click on the Save and Deploy button to save the API Proxy.


Apply User Propagation via SAML policy template

  • Click on the Edit button and then, from the Edit button's menu, select the option Policies to open the Policy Designer.
  • Click on Policy Template and then click on the Apply button.


  • From the Apply Template dialog, select copied policy template Principal_Propagation_via_SAML then click Apply button


  • From the Scripts section, select the .js file and replace the placeholder value (PROVIDE_YOUR_SAML_ROOT_CERTIFICATE_DETAILS) of samlRootCert with the SAML root certificate downloaded from the SAP Cloud Platform account in section Certificate download from SAP Cloud Platform account. Copy only the base64-encoded certificate content, without the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines; the value is used inside a JavaScript string, so remove the line breaks as well.

  • Click on Update to save the Policy changes


  • Click on the Save to persist the API Proxy changes.
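An added example (not SAP's code) covering the two manual format conversions this procedure asks for: wrapping the certificate copied from the Trust tab into the cert.pem file uploaded to the trust store (section Certificate download from SAP Cloud Platform account), and stripping the PEM framing again to obtain the single-line value for samlRootCert (the step above). Both directions check that the value is a complete DER-encoded structure, which catches a truncated paste before it fails silently as a rejected assertion. Function names are assumptions, and the sample is a constructed DER SEQUENCE of filler bytes, not a real certificate.

```javascript
// Added example (not SAP's code): convert the signing certificate between the
// PEM file uploaded to the trust store and the raw base64 value expected by the
// samlRootCert variable, checking on both paths that the value is a complete
// DER-encoded structure. Names are illustrative.

const PEM_HEADER = "-----BEGIN CERTIFICATE-----";
const PEM_FOOTER = "-----END CERTIFICATE-----";

// Cheap structural check: the base64 must decode to a DER SEQUENCE (tag 0x30)
// whose declared length matches the decoded size. This catches a truncated or
// otherwise mangled copy-and-paste before it reaches the trust store or the
// policy script, where it would only surface as a failed assertion validation.
// Returns the decoded length in bytes.
function assertDerSequence(body) {
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(body) || body.length % 4 !== 0) {
    throw new Error("Not valid base64");
  }
  const der = Buffer.from(body, "base64");
  if (der.length < 2 || der[0] !== 0x30) {
    throw new Error("Not a DER SEQUENCE (certificates start with tag 0x30)");
  }
  let len, headerLen;
  if (der[1] < 0x80) {            // short form: length in one byte
    len = der[1];
    headerLen = 2;
  } else {                         // long form: next n bytes hold the length
    const n = der[1] & 0x7f;
    if (n === 0 || n > 6 || der.length < 2 + n) throw new Error("Bad DER length encoding");
    len = der.readUIntBE(2, n);
    headerLen = 2 + n;
  }
  if (headerLen + len !== der.length) {
    throw new Error(`DER length mismatch: declared ${headerLen + len} bytes, got ${der.length}`);
  }
  return der.length;
}

// Raw base64 as copied from the Trust tab -> content of cert.pem (64-column lines).
function toPem(rawBase64) {
  const body = rawBase64.replace(/\s+/g, "");
  assertDerSequence(body);
  return [PEM_HEADER, ...body.match(/.{1,64}/g), PEM_FOOTER].join("\n") + "\n";
}

// Content of cert.pem -> single-line base64 for samlRootCert (no header, footer
// or line breaks, since the value ends up inside a JavaScript string literal).
function fromPem(pem) {
  const lines = pem.split(/\r?\n/).map((l) => l.trim()).filter((l) => l.length > 0);
  if (lines.length < 3 || lines[0] !== PEM_HEADER || lines[lines.length - 1] !== PEM_FOOTER) {
    throw new Error("Expected exactly one CERTIFICATE block with BEGIN and END lines");
  }
  const body = lines.slice(1, -1).join("");
  assertDerSequence(body);
  return body;
}

// Constructed sample (not a real certificate): a 131-byte DER SEQUENCE of filler
// bytes, long enough to need several PEM lines.
const SAMPLE_DER = Buffer.concat([Buffer.from([0x30, 0x81, 0x80]), Buffer.alloc(0x80, 0x05)]);
const SAMPLE_RAW = SAMPLE_DER.toString("base64");
const SAMPLE_PEM = toPem(SAMPLE_RAW);
```

The DER check is deliberately shallow: it confirms that what was pasted is one whole ASN.1 SEQUENCE and nothing more, which is exactly the failure mode of a copy that lost its last line or picked up a stray header. Whether the certificate is the right one is still decided by the trust store and the Validate SAML Assertion policy.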


With this we have completed the steps to validate the SAML assertion passed from the Fiori application. In Part 2 of the blog, we cover the steps to generate a short-lived SAML assertion for the user's identity and pass it to SAP Gateway.


Further Reads

Accelerate digital application development

Enhanced features of SAP Cloud Platform API Management  

Monitoring and Governing 3rd Party APIs

API Security Best Practices

For more blogs on SAP Cloud Platform API Management visit us at SAP Community


5 Comments


  1. Rajesh Kannan K

    Hi Divya,

    This is very useful for propagating the user from Fiori to the GW system.

    Can you please tell me how to send a request from a 3rd party application (instead of Fiori) to API GW to the SAP NGW system with a SAML assertion?

    More precisely, how to use an onboarded 3rd party application as a trusted SAML Identity Provider so that the SAML assertion generated by the 3rd party application can be validated and processed on SAP Cloud Platform API Management?


    Thanks,

    Rajesh Kannan K

    1. Divya Mary Post author

      Hi Rajesh,

      Thanks for the feedback.

      Principal Propagation via SAML is a generic policy template and can be used to validate SAML assertions generated from 3rd party applications as well. This policy template can be copied into your tenant and then adjusted based on your 3rd party application. At a high level, the steps for validating the SAML assertion generated by a 3rd party application would be as follows:

      1. Upload the root certificate which is used by 3rd party application for signing SAML assertion in SAP Cloud Platform API Management. This way trust between 3rd party application and SAP Cloud Platform API Management would be established.
      2. Read the SAML assertion passed by 3rd party application using an Extract Variable Policy. In case of Fiori application, SAML assertion is passed in authorization header.
      3. Base64 decode the passed assertion using a JavaScript/Python Policy in case SAML assertion is passed in base64 encoded format else this step can be skipped/removed.
      4. Validate SAML assertion using SAML certificates of Step 1) using Validate SAML Assertion policy.

      Thanks and Best Regards,

      Divya

      1. Rajesh Kannan K

        Hi Divya,


        Thank you so much for your response


        I have already learnt about the above policies from your post,

        My concern is how to do the initial configuration to onboard a 3rd party system (let's say a Microsoft application) as IdP?

         

        1. Do we need to add the 3rd party app as a trusted identity provider in our HCP account (either manually or through IdP metadata)?
        2. Do we need to give our HCP SP metadata to the third party so that they can identify the consumer service?
        3. Is any other initial configuration required?


        Thanks and Best Regards,

        Rajesh Kannan K

        1. Divya Mary Post author

          Hi Rajesh,

          For SSO, the initial configurations that you have described (in points 1 & 2) would have to be done. Sharing a blueprint which describes this flow in detail.

          Best Regards,

          Divya
