Part 1 : Single sign on from Fiori Application to SAP Gateway via SAP Cloud Platform API Management
Single sign on or principal propagation is the ability of a system to securely forward or propagate the identity of the user or principal from a sender to a receiver, in a way that the forwarded user information is kept confidential and is not changed during transit. Based on pre-established trust relationship to the sender, the receiver uses this information to logon the user without asking for the user credentials or logon again.
The diagram below shows the user principal flow from Fiori Applications to the on-premise SAP Gateway or Backend system for APIs protected via SAP Cloud Platform API Management.
To establish such a user propagation, the trust would have to established between the Fiori application account and SAP Cloud Platform API Management which is done via certificate exchanges. On the SAP Gateway system, SAP Cloud Platform API Management is on boarded as a trusted SAML Identity Provider so that SAML assertion generated by SAP Cloud Platform API Management can be validated and processed on the SAP Backend system. The SAML assertion passed from the Fiori application is validated using the certificates imported in SAP Cloud Platform API Management account. After the assertion is validated, the user’s identity is read and then a short lived SAML assertion is generated from SAP Cloud Platform API Management. The SAML response containing the SAML assertion can then be base64 encoded and passed in the following format authorization header to the SAP Gateway OData APIs.
|
Header Name |
Format |
|
Authorization |
SAML2.0 base64_encoded_saml_response |
In SAP Cloud Platform, API Management Validate SAML Assertion Policy can be used to validate the SAML assertion passed from the Fiori application to the SAP Cloud Platform, API Management. At a high level, a SAML validation flow would consist of the following steps: –
- Raise a 401 security error in case no Authorization header is passed
- Read the SAML Assertion passed in the authorization header
- Base 64 bind Decode SAML Assertion passed from the Fiori application
- The SAML Assertion passed from SAP Cloud Platform, doesn’t contain the x509 signature information which is mandatory for validateSAML Assertion policy and therefore this would have to added in using a JavaScript Policy
- Validate SAML assertion using SAML certificates of the SAP Cloud Platform account.
In Security Best Practices package of SAP API Business Hub policy templates for API security best practices has been published which includes the policy template for validation of SAML assertion.
In this blog, we describe how user’s principal passed from the Fiori application to on-premise APIs protected is validated on the SAP Cloud Platform API Management and user’s identity passed in the SAML assertion is read and validated. This blog also covers the steps to establish trust between the SAP Cloud Platform account where Fiori application is running and SAP Cloud Platform API Management account.
In Part 2 of the blog, we would cover steps to on board SAP Cloud Platform API Management as a trusted SAML Identity Provider in SAP Gateway and generate a short lived SAML Assertion from SAP Cloud Platform API Management which is then passed to the SAP Gateway.
Configuration on SAP Cloud Connector for On-Premise connectivity
Note: – This step is an optional Step and is required in case the SAP Backend is available on premise, and SAP Cloud connector is used for the On Cloud to on premise connectivity
The configuration described in SAP Help document can be followed to Install/Configure SAP Cloud connector and then create an Access Control to the SAP Backend system.
- While creating the Access control, the principal type should be set to None so, that the SAML assertion passed by the SAP API Gateway is passed as is by SAP Cloud Connector.
Note: - The white-listed resource paths in the Access control setting of Cloud Connector as case sensitive so ensure the resource path are maintained in the same case as the value entered in the API Proxy target endpoint paths.
Configuring trust between SAP Cloud Platform account and SAP API Cloud Platform API Management account
Enable Principal Propagation
- Logon to your SAP Cloud Platform account
- From the hamburger icon, click on the Trust tab under Security and then click on the Edit button under Local Service Provider tab
- Select the option Enabled for the Principal Propagation and then click on the Save button to confirm the changes
Certificate download from SAP Cloud Platform account
- From the hamburger icon, click on the Trust tab under Security and then click on the Edit button under Local Service Provider tab
- From the Configuration Type select the type Custom
- Copy the content Signing Certificate and then save the content locally in a file (say cert.pem). This certificate would have to imported into trust store of SAP API Cloud Platform API Management and would be used to validate the SAML assertion. After copying the certificate information into a local file, select the Cancel
- Add —–BEGIN CERTIFICATE—– as the first line in the certificate file and —–END CERTIFICATE—– as the end line to the certificate file copied so that the content looks as follows
Upload Certificate to SAP Cloud Platform, API Management
- Logon to your SAP Cloud Platform, API Management account (say https://account.hanatrial.ondemand.com/cockpit).
- Navigate to the Services tab, search for API Management service tile and click to open API Management service.
- Click on the link Access API Portal to open API Portal.
- Click on Certificate tab and then click on Create button
- In the Create Certificate screen, from the drop down select Trust Store and then select the option New Store. Enter the store name and name details as provided in the table below. This information would have to be used in the “ValidateSAMLAssertion” Policy.Using the Browse button upload the cert.pem file generated in section Certificate download from SAP Cloud Platform tenant and then click on the Create button
|
Store Name |
samlroot |
|
Name |
saml |
Copy UserPropagationViaSAML policy template to your API Management
- Navigate to Discover to discover all the APIs and Policy templates published by SAP and select partners in SAP API Business Hub.
- Click on ALL tab and search for Security Best Practices and Open the Security Best Practices from the search result.
- Navigate to the Artifacts tab and click on Actions button associated with policy template Principal_Propagation_via_SAML and select Copy
- Policy template Principal_Propagation_via_SAML is copied to your API Management tenant, go to Policy Template tab under Develop and verify.
Create an API Provider to the SAP Gateway System
- Navigate to SAP Cloud Platform, API Management API Portal tenant ( https://yourapimanagement/shell/develop )
- Click on the Tab API Provider and then click Create to create a new API Provider. In the host enter the value of the virtual host and port used in the section SAP Cloud connector Access control section. Use SSL flag should be checked and On Premise flag should be set to true.
Create an API Proxy to connect to SAP Gateway OData API
- Click on the Tab API Proxy and then click Create button to create a new API Proxy. In the create Proxy screen, select the API Provider created in previous section and then provide the base Path of the APIs. Enter details like the proxy name, title, base path etc and then click Create.
- Click on the Save and Deploy button to save the API Proxy.
Apply User Propagation via SAML policy template
- Click on the Edit button and then from the … button select the option Policies to open the Policy Designer
- Click on the Policy template and then click on the Apply button
- From the Apply Template dialog, select copied policy template Principal_Propagation_via_SAML then click Apply button
- From the scripts section, select the js file and then replace the value (PROVIDE_YOUR_SAML_ROOT_CERTIFICATE_DETAILS) of samlRootCert with the value of the SAML root certificate which was download from SAP Cloud Platform Account in section Certificate download from SAP Cloud Platform account
Copy only the base64 encoded certificate content minus the header -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----
- Click on Update to save the Policy changes
- Click on the Save to persist the API Proxy changes.
With this we have completed steps to validate SAML assertion passed from the Fiori applications. In the Part 2 of the blog, we will cover the steps to generate a short lived SAML assertion for user’s identity and pass it to SAP Gateway.
Further Reads
Accelerate digital application development
Enhanced features of SAP Cloud Platform API Management
Monitoring and Governing 3rd Party APIs
For more blogs on SAP Cloud Platform API Management visit us at SAP Community
Hi Divya,
This is very much useful for propagating the user from Fiori to GW system,
Can you please tell how to send request from 3rd party application (instead of FIORI) to API GW to SAP NGW system with SAML assertion?
preciously, how to use on boarded 3rd party application as a trusted SAML Identity Provider so that SAML assertion generated by 3rd party application can be validated and processed on the SAP Cloud Platform API Management??
Thanks,
Rajesh Kannan K
Hi Rajesh,
Thanks for the feedback.
Principal Propagation via SAML is a generic policy template and can be used to validate SAML assertion generated from 3rd party application as well. This policy template can be copied into your tenant and then adjusted based on your 3rd application. At a high level, the steps for validating the SAML assertion generated by a 3rd party application would be as follows:-
Thanks and Best Regards,
Divya
Hi Divya,
Thank you so much for your response
I have already learnt about the above policies from your post,
My concern is how to do the initial configuration to onboard 3rd party system (let say Microsoft application) as IDP ?
Thanks and Best Regards,
Rajesh Kannan K
Hi Rajesh,
For SSO, the initial configurations that you have described (in point 1 & 2) would have to be done. Sharing a blue print which describes this flow in details.
Best Regards,
Divya
Hi Divya,
Thank you so much
Regards,
Rajesh Kannan K
Hi Divya,
Greetings!!!
In case of an API (needs to be exposed in API Portal as proxy )which is being authenticated by an IdP (lets say corporate Microsoft account -AD FS) which is taking credentials from user(form based) then validating and providing SAML assertion, which has to be used by API Portal to call endpoint
In this case how the policies as to be configured to pass the credentials and to get the SAML assertion from IdP
Please advise
Hi Rajesh,
In such a scenario you would have to establish a trust relationship between the corporate idp ( say ADFS) and API Management by importing the root certificate from ADFS into SAP Cloud Platform API Management. This way the SAML assertion generated by ADFS would be trusted by SAP Cloud Platform API Management. For the validation of the SAML , SAML assertion validation policies can be used.
After this a new assertion can be generated to connect to the target endpoint for this SAML Assertion generation policy can be used. Alternatively, if your target endpoint is on premise SAP system and you are connecting via SAP Cloud Connector then the option to select principal propagation can be selected in the API Provider.
Thanks and Best Regards,
Divya
Hi Divya,
Thank you for your response
I am already aware of configuring ADFS as Idp for our SAP Cloud Platform API Management.
My question here is,
1) Lets assume an API (External – 3rd party) which is configured in such a way to use Google or another 3rd party as Idp
2) If I want to create a proxy for above mentioned API in SAP Cloud Platform API Management, how can I get the SAML assertion for my endpoint?, because we cannot able to generate SAML assertion using policy as idp is another 3rd party
3) In this case how we can get the assertion from 3rd Idp and propagate the same to enpoint (either in header or form based parameter)?
Please advise
Regards,
Rajesh Kannan K
Hi Rajesh,
This scenario might vary based on the identity provider. Sharing a blog on using Facebook as the identity provider
https://blogs.sap.com/2017/07/12/implement-facebook-login-on-sap-api-management-part-1/
Another sample approach using JavaScript approach https://github.com/SAP/cloud-api-management-samples/tree/master/authentication/saml
Thanks and Best Regards,
Divya
Hi Divya,
Thank you so much,
JavaScript based approach is the one I am looking for
Thanks & Regards,
Rajesh Kannan K
Hi Divya,
Thank you for your blog. Very usefull.
We are facing an authentication issue in the API Management and are wondering if you can let us know what is the best approach.
We have developped a java web service in our SAP Cloud Platform tenant.
We need to expose this service to an external company using API Management.
The trust IDP of our SAP Cloud Platform is a custom IDP: Windows Azure AD.
We have setup an API Provider and an API proxy. It is working so far because I have setup the policies AssignCredentials and SetBasicAuthentication with my own userid. But, of course, we cannot kepp it with these policies.
Since the external company which is going to call this service does not have an internal account within our company, how could we authenticate them to allow them to call our service ?
Regarding the API proxy check, we have tried 2 options: the checkAPIKey and the OAuthV2.0 token. Both are working fine to call the API when we are stuck with the login from the API proxy to our SCP web service.
Is the SAML assertion a valid option in this case ?
Thank you.
Pierre Mouton
Hi Pierre,
The following options exists , if you are connecting to your java application in the context of technical user then following options can be considered :-
a) Basic authentication in the context of technical user with appropriate role. The issue with this approach is that you would have update the password whenever the password expires.
b) Client certificate based authentication again in the context of the technical user.
c) Generate a short lived SAML assertion using SAML assertion policies. The advantage of this approach is that no password expiration issue and also the short lived assertion can be cached for the saml assertion validity to improve performance.
If in your scenario there is no user centric data fetch like list of product catalogs etc then you can use an OAuth token or API key based approach and connect to target java application using SAML assertion .
Thanks and Best Regards,
Divya
Hi Divya,
May I know how to use XML parsers in JavaScript?
Whenever I am using different methods, I am getting "XXXXX undefined" error
How to import the xml parsing library into SAP APIM?
Regards,
Rajesh Kannan K
Hi Rajesh,
For xml based handling the following policies can also be considered:-
Would the above approach work for your scenarios?
Thanks and Best Regards,
Divya
Hi Divya,
Thank you for your reply,
I have already completed this using XSLT policy, but still if I want to use JavaScript policy, May I know how can we install packages?
Do we need to use npm commands?, If so how ?
Please help
Regards,
Rajesh K
Hi Rajesh,
To include a Javascript library the only option is to include the library as the normal javascript in API Management and then use the includeURL tag of the JavaScript policy.
The library that you would include should not contain any client side objects like windows, etc. Also node modules or npm commands are not supported in SAP Cloud Platform API Management JavaScript flow.
Thanks and Best Regards,
Divya
Hi Divya,
Can you suggest ways to troubleshoot in backend SAP Gateway if we face 401 unauthorized after following all the steps? We looked in the SMICM logs but don't find a reason why the gateway returns unauthorized.
Thanks
Nishant