Technical Articles
Part 2 : Secure connectivity (OAuth) to SAP Cloud Platform Integration
SAP Cloud Platform Integration (Cloud Integration) supports end-to-end process integration across cloud-based and on-premise applications (cloud-cloud and cloud-on-premise integration) making cloud integration simple and reliable.
SAP Cloud Platform Connectivity policy templates available in SAP API Business Hub facilitates easy and secure inbound communications for SAP Cloud Platform Integration services ( REST/ SOAP or OData). In this two part blog series, the usage of SAP Cloud Platform Connectivity policy templates for REST service (HTTPS sender adapter) from SAP Cloud Integration is covered in detailed.
In part 1 of the blog series, the configurations on the SAP Cloud Platform Integration side is captured and in this part configuration on the SAP Cloud Platform API Management side is covered in detail.
Discover and Copy SAP Cloud Platform Connectivity policy template
From SAP Cloud Platform API Management, all the APIs and policy templates available in SAP API Business Hub can be discovered via the Discover tab.
- Logon to your SAP Cloud Platform, API Management account (say https://account.hanatrial.ondemand.com/cockpit).
- Navigate to the Services tab, search for API Management service tile and click to open SAP API Management service.
- Click on the link Access API Portal to open API Portal.
- Navigate to the Discover from the hamburger icon
- SAP API Business Hub is integrated into SAP Cloud Platform API Management and therefore all the APIs and Policy templates available in SAP API Business Hub can be easily discovered and consumed in SAP Cloud Platform API Management.
- Navigate to the All tab, search and select Connect to SAP Cloud Platform services.
- Navigate to the Artifacts tab and select Cloud_Platform_Connectivity policy template.
- Click on Copy to copy the SAP Cloud Platform Connectivity policy template into SAP Cloud Platform API Management tenant.
- Copied policy templates would be available under POLICY TEMPLATES tab of Develop view.
Create API Proxy to SAP Cloud Platform Integration service
In this section steps to manage the hello world SAP Cloud Platform Integration HTTPS adapter is captured.
- Navigate to Develop view, select tab APIS and click on Create to create an API Proxy
- Enter API Proxy details like URL ( https://{your_sap_cloud_integration_iflow_map}/http/v1/test/hello), name (say HelloworldCPI) , title, base Path ( /http/v1/test/hello) and click Create.
- Click on Save and Deploy to deploy API Proxy.
- Click on API Proxy URL to test the flow from Browser.
- You will be promoted to enter credentials to connect to SAP Cloud Platform Integration HTTPS adapter based REST service using Basic authentication.
Apply SAP Cloud Platform Connectivity policy template
In this section steps to apply SAP Cloud Platform Connectivity policy template and the necessary configuration changes has been captured.
- Click on Policies to navigate to the Policy designer view.
- Click on Edit to switch to the editable mode.
- Select Apply from the Policy Template.
- Select the newly copied CloudPlatform_Connectivity template from Apply Template dialog.
- From the Target endpoint preflow, select policy getCredential and provide OAuth client id and Secret details of the OAuth client created in part 1.
- From the Target endpoint preflow, select policy getoauthtoken and in HTTPTargetConnection->URL provide your SAP Cloud Platform Integration OAuth token endpoint as shown in part 1.
- Click on Update to save changes in the policy designer.
- Click on Save to apply the changes to the HelloworldCPI API Proxy.
Finally testing the flow
- Click on API Proxy URL to test the flow from Browser.
- Response from the SAP Cloud Platform Integration service would be directly shown in the Browser
Monitor SAP Cloud Platform Integration service usage via SAP Cloud Platform API Management
With the SAP Cloud Platform Integration service connected via SAP Cloud Platform API Management, usage of the Hello world CPI API can be monitored and governed by SAP Cloud Platform API Management.
SAP Cloud Platform, API Management also offers many out of the box API Security best practices which includes security policies for Authentication and Authorization, Traffic Management and many more.
Further Reads
- API Security Best Practices blog series.
- Monitor and Analytics blog.
- Enchanced developer experience blog.
- Connecting and Exposing APIs from SAP Cloud Platform Integration blog.
For more blogs on SAP Cloud Platform API Management visit us at SAP Community
Hi Mary,
thanks for this blog.
I am still trying to figure out what is the usage of it? At first you protect the Cloud Integration endpoint by oauth, only to remove it later on through APIM and making this service public as anyone can now call it without authentication.
Also it seems that even when protecting the Cloud Integration endpoint by oauth, it seems that at the same time it can still be called with basic authentication as you showed in you blog. Is there a way to restrict authentication to only oauth?
Thanks and regards,
Tobias
Hi Tobias,
Idea of this blog was to showcase connectivity from SAP Cloud Platform API Management to Cloud Integration via OAuth based authentication. Once connectivity is established then you can add in following features from SAP Cloud Platform API Management :-
Based on your scenarios and use cases you would be able to decide how to provide access to your end user from SAP Cloud Platform API Management like api key based access. Application developer can log on to Developer Portal, register via self service and once their registration is approved by API owner, developer's would be able to subscribe to published APIs and get API key. This way you won't have to create a OAuth client for these developer on SAP Cloud Platform cockpit and all these activity can then be done by SAP Cloud Platform API Management.
It may not be able to restrict authentication to only oauth on CPI , however by managing this endpoint from SAP Cloud Platform API Management and using the oAuth policy you would be able to restrict it at API Management layer.
Thanks and Best Regards,
Divya
Hi Divya,
Informative blog, thanks. There is a slight error on the API business hub screenshot, as it points to the Sucessfactors policy (the step annotated with number 4) instead of SAP Cloud Platform Connectivity.
Kind regards,
Jeroen
Hi Jeroen,
Thanks for the feedback. The screenshot has been updated to point to the correct template.
Thanks and Best Regards,
Divya
Hi Divya,
Thanks for the interesting blog series on OAuth for CPI. From these 2 blogs I understand that we cannot enforce OAuth on iflows without API-Management. Because without API Management policies I can still invoke the iflow with the iflow endpoint. Is that understanding correct? Please clarify
Regards,
Vishal
Hi Vishal,
OAuth is supported by default by CPI and no special enforcement is required on the CPI side for it.
In the first part of the blog series it was showcased how to use OAuth with CPI endpoint. In the second part, it was shown how to leverage this configuration from API Management as well.
So to enable OAuth for CPI iflows, the first part of the blog series would be sufficient.
Thanks and Best Regards,
Divya
Hi Divya,
Thanks for your response.
The point that I am trying to make is that the consumer/sender can call the iflow endpoint(from Part1) lets say https://*.ap1.hana.ondemand.com/http/v1/test/hello with Basic Auth only.
CPI will still execute the request successfully. In that sense CPI is not really enforcing OAuth on consumer/sender. Hence I understand that API-M is must to enforce OAuth on the consumer/sender before the request reaches and processed successfully in iflow. Can you please clarify?
I think I have rephrased my query a bit 🙂
Regards,
Vishal
Hi Vishal,
SAP Cloud Platform Integration supports Basic Authentication, SAML and OAuth based authentication. Therefore while connecting to CPI you could use any of the authentication approach.
In scenario where you would like to share your SAP Cloud Platform Integration endpoint with your external partners/ customers and enable authentication using only OAuth based approach. Typically in a such a scenario, your consumers would log-on to a portal ( Developer Portal) generate their own OAuth cliend id/secret and then use it to connect to SAP Cloud Platform Integration endpoint as a self service. In these scenarios, you would manage SAP Cloud Platform Integration endpoint using SAP Cloud Platform API Management and apply all the governance and access policy using API Management.
Best Regards,
Divya
I have a scenario where Target EndPoint is a non-SAP application. The Target EndPoint requires OAUTH2 authentication. How do I setup to make connection to the target from API management.