Skip to Content
Technical Articles

Dynamic Https authentication with Value mapping and Groovy script.

Introduction:

This blog post explains on how to authenticate into different cloud receiver user sub-accounts in the target system based on the information in the JSON payload of the incoming HTTPS request using dynamic value mapping with the groovy script. Please note that you will have to hold the encrypted user accounts in value mapping tables and decrypt them in groovy scripts if additional layers of security measures are required or we need to add OAuth/Mutual certificate based authentication on the sender layer to ensure that only right sending systems are accessing this service especially when the target system hosts confidential  PI data . This blog post should be used only for demo purposes and you will have to vet with your security experts to ensure that it is in line with your organisation security policies.

The blog post Dynamic Value Mapping in CPI by Sriprasad already explains on how to deal with dynamic value mapping in SAP CPI with an example.

Customer Business Scenario:

Customer have one Source system and one Target system but target system has many user sub-accounts and CPI needs to generate user account dynamically based on the data that is sent by the sender system.

Please note every sub account may have their own Private Key and Secret Key that needs to be stored and deployed in CPI securely.

Consider a scenario where we need to control the routing of the messages to different receivers based on the “sender information” available from the request payload.

For example: In case of Success Factors RBP model or S/4 HANA Authorization model where in many apps calling the same API for different processes.

Below is the input payload coming from source system.

Based on the sender information from request payload CPI need to identify the Target system sub account and update the data in that target system.

Implementation 1:

This type of scenario’s can be achieved using router condition as shown below.

Implementation 1 disadvantage:

The above architecture is not scalable if the customer wants to map the target system accounts based on the sender e-mail dynamically as we need to change the IFLOW every time customer decides to add a new e-mail or a user sub account in the target system.

Implementation 2:

If we use Value mapping when customer wants to add new account just we can add those new account keys to Value mapping without changing IFLOW, automatically groovy script will fetch those details from Value Mapping.

So this type of scenario can achieve dynamically using with Value mapping and Groovy scripting. (import com.sap.it.api.mapping.ValueMappingApi)

Step 1) Identify the key value from input payload

Step 2) Create Value mapping in CPI as shown below.

Creation of Value Mapping Artifact:

Sendername: Sender name which comes from payload

Add target system login keys: It is a combination of User key and Password with separator “ : “. (Example: abcedef:123456)

Step 3) Deploy the Value Mapping flow

Step 4) Create Iflow as shown below

Content Modifier: Create message header to define below fields, which are passing as parameters to Groovy script

Message Mapping: It is just to transform from Input message to Output message as per the business logics.

Groovy Script: It will consider above parameters as input and it will identify the target system sub-account user key and password. The user key and password are assigned to “auth” and it will be set in message header (message.setHeader(“Authorization”, “Basic ” + auth))

Use below Groovy script to complete the flow.

import com.sap.gateway.ip.core.customdev.util.Message;
import java.util.HashMap;
import com.sap.it.api.ITApiFactory;
import com.sap.it.api.mapping.ValueMappingApi;
import javax.xml.bind.DatatypeConverter;

def Message processData(Message message);
{
def a = ITApiFactory.getApi(ValueMappingApi.class, null);

//format sourceAgency, sourceIdentifier, sourceValue, targetAgency, targetIdentifier
def map = message.getHeaders();
def srcAgency = map.get("SrcAgency").toString();
def trgAgency = map.get("TrgAgency").toString();
def srcIdentifier = map.get("SrcIdentifier").toString();
def trgidentifier = map.get("TrgIdentifier").toString();
def sourceValue = map.get("Key");
def mappedValue = a.getMappedValue(srcAgency, srcIdentifier, sourceValue, trgAgency, trgidentifier);
def messageLog = messageLogFactory.getMessageLog(message);

messageLog.setStringProperty("Mapped Value", mappedValue);

String[] str = mappedValue.split(";");
String user = str[0];
String password = str[1]def credentials = user + ":" + password;

def byteContent = credentials.getBytes("UTF-8");
def auth = DatatypeConverter.printBase64Binary(byteContent);

message.setHeader("Authorization", "Basic " + auth);
return message;

}

 

Step 5) Configure the target channel as shown below. In run time Authentication will be consider from message header.

Conclusion: Using value mapping and groovy script we can achieve dynamic http login in the target system based on the incoming payload from the sender system.

1 Comment
You must be Logged on to comment or reply to a post.