
Single sign-on, or principal propagation, is the ability of a system to securely forward the identity of the user (the principal) from a sender to a receiver in such a way that the forwarded user information is kept confidential and is not changed in transit. Based on a pre-established trust relationship with the sender, the receiver uses this information to log the user on without asking for the user's credentials again.

The diagram below shows the user principal flow from Fiori Applications to the on-premise SAP Gateway or Backend system for APIs protected via SAP Cloud Platform API Management.

 

In SAP Cloud Platform API Management, the Generate SAML Assertion policy can be used to generate a short-lived SAML assertion which is then passed to the SAP backend to establish a SAML IdP-initiated flow. At a high level, a SAML IdP-initiated flow consists of the following steps:

  1. Set the fields used in the SAML assertion, such as the SAML Issuer, Audience and Recipient, using JavaScript.
  2. Generate the SAML assertion using the Generate SAML Assertion policy.
  3. Remove the XML prolog (<?xml …>) from the generated SAML assertion.
  4. Generate a SAML Response that embeds the generated SAML assertion.
  5. Base64-encode the generated SAML Response.
  6. Set the Authorization header on the outgoing request to the target endpoint.
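The six steps above, worked through end to end in Python as an added example (this is not code from the blog or from the SAP policy): it builds the short-lived assertion with the Issuer, Audience and Recipient used in this blog, strips the XML prolog, embeds it in a SAML Response, Base64-encodes it, and then performs the receiver-side checks (trusted issuer, audience, recipient, validity window with the 120-second skew tolerance) that the SAP Gateway applies before logging the user on. The XML signature that the Generate SAML Assertion policy adds from the uploaded keystore is omitted, and the user ID, target URL and 60-second lifetime are constructed sample values.

```python
import base64
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"saml": SAML, "samlp": SAMLP}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
FMT = "%Y-%m-%dT%H:%M:%SZ"
ts = lambda t: t.strftime(FMT)   # SAML dateTime in UTC

def build_response(issuer, audience, recipient, subject, now, lifetime_s=60):
    # Steps 2-5: assertion, prolog stripped, embedded in a Response, Base64-encoded.
    # The XML signature the policy adds from the keystore is omitted (hypothetical helper).
    a = ET.Element(f"{{{SAML}}}Assertion", Version="2.0", ID="_" + uuid.uuid4().hex, IssueInstant=ts(now))
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = issuer
    subj = ET.SubElement(a, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID", Format=UNSPECIFIED).text = subject
    sc = ET.SubElement(subj, f"{{{SAML}}}SubjectConfirmation", Method="urn:oasis:names:tc:SAML:2.0:cm:bearer")
    expiry = ts(now + timedelta(seconds=lifetime_s))
    ET.SubElement(sc, f"{{{SAML}}}SubjectConfirmationData", Recipient=recipient, NotOnOrAfter=expiry)
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions", NotBefore=ts(now), NotOnOrAfter=expiry)
    ET.SubElement(ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction"), f"{{{SAML}}}Audience").text = audience
    raw = ET.tostring(a, encoding="utf-8", xml_declaration=True).decode()
    assertion_xml = raw.split("?>", 1)[1].lstrip()   # step 3: drop the <?xml ...?> prolog
    resp = ET.Element(f"{{{SAMLP}}}Response", Version="2.0", ID="_" + uuid.uuid4().hex, IssueInstant=ts(now), Destination=recipient)
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(ET.SubElement(resp, f"{{{SAMLP}}}Status"), f"{{{SAMLP}}}StatusCode", Value="urn:oasis:names:tc:SAML:2.0:status:Success")
    resp.append(ET.fromstring(assertion_xml))            # step 4: embed the assertion
    return base64.b64encode(ET.tostring(resp)).decode()  # step 5: value for the Authorization header

def validate(b64_response, trusted_issuer, sp_name, recipient, now, skew_s=120):
    # Receiver-side checks mirroring the Gateway's SAML 2.0 settings: trusted issuer, audience
    # (provider name), recipient, validity window widened by the skew tolerance. Signature
    # verification against the trusted IdP certificate must run before this. Returns subject or None.
    root = ET.fromstring(base64.b64decode(b64_response))
    a = root.find("saml:Assertion", NS)
    if a is None or a.findtext("saml:Issuer", namespaces=NS) != trusted_issuer:
        return None
    cond = a.find("saml:Conditions", NS)
    if cond is None or cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != sp_name:
        return None
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != recipient:
        return None
    not_before, not_after = (datetime.strptime(cond.get(k), FMT).replace(tzinfo=timezone.utc)
                             for k in ("NotBefore", "NotOnOrAfter"))
    if not (not_before - timedelta(seconds=skew_s) <= now < not_after + timedelta(seconds=skew_s)):
        return None
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS)
```

Run with a tz-aware `now`; an assertion presented outside its validity window plus skew, or addressed to a different audience or recipient, is rejected.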

The Security Best Practices package on SAP API Business Hub contains published policy templates for API security best practices, including a policy template for validating a SAML assertion.

In the Part 1 blog we described how the user's principal, passed from the Fiori application to the protected on-premise APIs, is validated on SAP Cloud Platform API Management and how the user's identity carried in the SAML assertion is read.

In this blog we cover the steps to onboard SAP Cloud Platform API Management as a trusted SAML Identity Provider in SAP Gateway and to generate a short-lived SAML assertion from SAP Cloud Platform API Management, which is used to pass the user's identity to SAP Gateway.

Generate Certificate for Signing SAML Assertion

Note: This is an optional step. If you already have an X.509 certificate with a private key that can be used for signing SAML assertions, this step can be skipped. For the certificate generation, this blog uses OpenSSL.
  • Create a new folder in your file system to hold the X.509 certificate.
  • In the command prompt, navigate to the certificate folder and use the following openssl command to generate a self-signed certificate and its private key (valid for 730 days)
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 730
  • Enter a password when prompted, say abcd. This password is needed again in section Upload Certificate JAR to SAP Cloud Platform API Management

 

Generate JAR containing Certificate

  • In the folder in which the certificate was generated, create a folder named META-INF
  • Inside META-INF, create a file named descriptor.properties with the following content
certFile=cert.pem
keyFile=key.pem
  • In the command prompt, enter the following command to generate the JAR file containing the certificate and key
jar -cf idpKeystore.jar cert.pem key.pem
  • Add the descriptor file to the generated JAR using the command
jar -uf idpKeystore.jar META-INF/descriptor.properties

 

Generate SAML IdP Metadata

Note: This is an optional step for an SAP Gateway based backend, because in SAP NetWeaver the SAML IdP can be configured manually; creating the SAML IdP metadata, however, reduces the number of configuration steps required.
For the SAML IdP metadata generation, this document uses an online SAML metadata generation tool.

The following fields are important, and the samlHelper.js file of the UserPropagationWithSAML policy template has to be modified based on these values:

  • EntityId: This maps to the issuer field of the SAML policy template (the sapapim.issuer context variable in the samlHelper.js file of the API Proxy). Provide a URL, say api.gateway
  • NameId: from the drop-down, select the option matching your flow. In this example we used the default, urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
  • SP x509 certificate: paste the content of the cert.pem file generated in section Generate Certificate for Signing SAML Assertion.
Copy only the Base64-encoded certificate content, without the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines
  • Provide the HTTP redirect URL (https://apimgmtproxy/saml/sso), optionally the Single Logout URL, and then click on BUILD SP METADATA (which appears after scrolling to the end of the website)

 

Configuration on the SAP Backend (SAP Gateway) Side

Note: The screenshots might vary based on the NetWeaver version; in this document the configuration was done on a NetWeaver 7.40 system.

Activation of the SAML Service Provider

Note: This configuration can be skipped if SAML has already been activated in the SAP Gateway.
  • Log on to the SAP Gateway system and execute transaction saml2
  • Enable SAML 2.0 authentication on the SAP Gateway client

 

  • In the next screen, provide the Provider Name, say GatewayS. This name must match the Audience field in the SAML assertion (the sapapim.audience context variable in the samlHelper.js file of the API Proxy).

 

 

  • Set the Skew Tolerance (the default is 120 seconds and is kept as is)

 

  • Select Identity Provider Discovery: Common Domain Cookie (set the selection mode to Automation)

Adding SAP Cloud Platform, API Management as the Trusted SAML IdP

  • Click on the Trusted Providers tab, then click on the Add button and from the drop-down select the option Upload Metadata File

 

  • Click on the Choose File button, select the SAML IdP metadata generated in section Generate SAML IdP Metadata, and then click on Next

 

  • In the next screen the name of the trusted IdP is shown; just click on Next

 

  • Follow the wizard until the Finish button is enabled; generally no major modification is required in this wizard, as most of the information is read from the SAML IdP metadata

 

  • Click Edit, navigate to Identity Federation and click on Add to provide the details of the name mapping to be used in the SAML assertion. In this case we selected Unspecified, and then click on OK

 

  • For the User ID Mapping Mode under Details of NameID Format, select the option Mapping in USREXTID table, type SA, and then click on Save

 

Note: In this case the mapping between the external user ID in the SAML assertion and the SAP backend user has to be maintained via the VUSREXTID table for type SA
  • Click on Enable to activate the API Gateway SAML IdP

 

User mapping between External User (from SAML Assertion) to SAP Gateway

Note: This is an optional configuration, required only if the user ID mapping mode is set to Mapping in USREXTID table, type SA
  • Log on to the SAP Gateway system and enter transaction sm30
  • Provide the table/view name VUSREXTID and click on Maintain

 

  • In the popup, set the External ID type to SA (which is the code for SAML assertion based authentication) and then click on

 

  • Click on New Entries to add a new user mapping.

 

  • For SAML based authentication, the external ID is typically in the format {IdPProviderName}::{SAMLSubjectValue}. The IdP provider name is the value provided in section Adding SAP Cloud Platform, API Management as the Trusted SAML IdP (which in this blog is set to apimgmt.api.gateway). Therefore, for SAP Cloud Platform based user IDs the external user ID would be apimgmt.api.gateway::{SCN User Id}. In the User field, provide the SAP Gateway user ID. Check the Activated check box and then click Save.

 

 

Note: These steps can be repeated to maintain mappings between further external users and SAP Gateway users.

Configuration on the SAP Cloud Platform API Management

Upload Certificate JAR to SAP Cloud Platform API Management

 

  • Click on the Access API Portal link to open the API Portal.

 

  • Select the option Certificate and click on Create

 

 

  • In the Create Certificate dialog, from the Key Store drop-down select the option New Store. Enter the store name and name as given below.

Store Name: Saml
Name: Keys

 

  • Using the Browse button, upload the JAR file generated in section Generate JAR containing Certificate. In the password field, provide the password of the X.509 certificate private key, say abcd (or the value entered in section Generate Certificate for Signing SAML Assertion)

 

Policy Changes for SAML Flows

  • Open the API and navigate to the policy designer. In the Scripts section, select the samlHelper.js file and modify the following context variables based on your configuration.

Context variable: sapapim.issuer
Configuration value: the Identity Provider Name given to the SAP API Gateway in the SAML 2.0 flow (ref. section Generate SAML IdP Metadata)
Default value: apimgmt.api.gateway

Context variable: sapapim.audience
Configuration value: the SAML service provider name of the SAML 2.0 configuration on the SAP backend (ref. section Activation of the SAML Service Provider)
Default value: GatewayS

Context variable: sapapim.recipient
Configuration value: the API Proxy target URL, including the API Provider host and port (in the Part 1 document, ref. section Configuration on SAP Cloud Connector for On-Premise Connectivity & Create an API Proxy to connect to the SAP Gateway)
Default value: none

Context variable: sapapim.username
Configuration value: for the initial testing of the API Proxy, this can be set to a user that has already been mapped in section User mapping between External User (from SAML Assertion) to SAP Gateway. For the user principal propagation flow, this value should be set to the variable saml.subject, which holds the SAML assertion subject received from the Fiori application; this ensures that the user's identity is passed to the SAP Gateway.
Default value: context.getVariable("saml.subject")

Context variable: sapapim.storename
Configuration value: the Store Name field of the Certificate screen in section Upload Certificate JAR to SAP Cloud Platform API Management
Default value: Saml

Context variable: sapapim.keyname
Configuration value: the Name field of the Certificate screen in section Upload Certificate JAR to SAP Cloud Platform API Management
Default value: Keys

 

 

  • Click on Update and then, in the next screen, click on Save to persist the API Proxy changes.

 

Testing the Flow from Fiori Application

This blog does not cover building applications using SAP Cloud Platform Web IDE, as there are many articles available on how to consume OData services to build Fiori-like applications. At the end you will have a Fiori application which talks to the OData service from SAP Gateway. In this section we capture the steps required to connect the Fiori application to the SAP Gateway OData API managed via SAP Cloud Platform API Management, using user principal propagation.

  • Log on to the SAP Cloud Platform account of the Fiori application (say https://account.hanatrial.ondemand.com/cockpit)
  • Navigate to Connectivity, click on Destinations and then click on the destination used by the Fiori application to connect to the SAP Gateway OData API.
  • Change the URL field of the imported destination to point to your SAP Cloud Platform API Management proxy host, set the Authentication type to AppToAppSSO and then click on the Save button

 

  • Launch the Fiori application. If all the configuration steps are correct, the user is logged in using their SAP ID, and this identity is then used to fetch data from SAP Gateway

 

Further Reads

Enhanced features of SAP Cloud Platform API Management  

Monitoring and Governing 3rd Party APIs

API Security Best Practices

Accelerate digital application development

For more blogs on SAP Cloud Platform API Management visit us at SAP Community


6 Comments


  1. Ashwin Katkar

    Hi Divya,

     

    At step Generate SAML IdP Metadata I am trying to generate the metadata file, but every time I am getting error “

    Below is the configuration which I am doing. Can you please suggest what I am missing here.

    1. Divya Mary Post author

      Hi Ashwin,

      This error looks more like an issue with the certificate content. Can you re-try by providing the root certificate binary content (without the private key) and without the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- tags.

      Thanks,

      Divya

  2. Ashwin Katkar

    Hi Divya,

    Now I am able to generate the IdP and have completed the next steps. The issue was the Single Sign On Service Endpoint.

    I am at Configuration on the SAP Cloud Platform API Management and getting an error while setting the KeyStore.

    1. Divya Mary Post author

      Hi Ashwin,

      In the help documentation we have captured steps for uploading certificate in key store.

      Based on the error, it looks like there might be some issue with the way the JAR has been created. If you continue to face the issue, kindly raise an incident on the component OPU-API-DT.

      Thanks and Best Regards,

      Divya

       

  3. Maicon Rosa

    Hi Divya

    My scenario is as follow:

    PORTAL (subaccount CEN_PORTAL) –> APIM (subaccount CEN_APIM) –> Java service using REST (subaccount CEN_PERS), using AppToAppSSO.

    I am using the policies and steps described in the blog, ignoring the steps related to Gateway. I included the key and certificates of CEN_PERS in the trust of CEN_APIM and updated them in my keyinfo.js.

    But when testing from the portal, I am getting the error 401 Unauthorized when connecting from CEN_APIM to CEN_PERS and could not figure out the issue yet.

    Is there any other configuration required when connecting to a subaccount? It cannot be basic authentication.

    Thanks in advance,

    Maicon.

    1. Divya Mary Post author

      Hi Maicon,

      In case you are interested in authenticating to a Java based REST service running on SAP Cloud Platform using then you would have to establish trust between SAP Cloud Platform API Gateway and the SAP Cloud Platform sub account where your service is running. For this, the following would have to be done:

      a) In the sub account where your service is running, you would have to onboard SAP Cloud Platform API Management as an identity provider (for the IdP initiated flow).

      b) Create the SAML IdP metadata as described in this blog, then navigate to the SAP Cloud Platform sub account Trust configuration and import the SAML Identity Provider XML.

      c) Adjust the Audience field in the SAML JavaScript policy for SAP Cloud Platform. In case you are using the default service provider, this would be https://netweaver.ondemand.com, and in case you are using a custom identity provider, it would be the Local Provider Settings value as you see in your trust configuration for the Local Service Provider.

      Thanks and Best Regards,

      Divya

