Integration User for OData services in SAP Cloud for Customer
Dear Community members,
Note: Current post strictly provides steps for SAP Cloud for Customer (SAP Sales Cloud and SAP Service Cloud).
With the 1911 release of SAP Cloud for Customer, SAP has provided the capability to use an integration or technical user for OData services.
With A2X services being deprecated from February 2020, customers and partners are requested to move their A2X and SOAP services to OData. But with OData services we have had to use basic authentication with a business user. This causes concern because the integration fails when that user's password expires.
You can read more on this here.
Below, we will see how to use a technical user with basic authentication and with certificate-based authentication for OData services.
Create a new communication system. Maintain the host name.
Create a communication arrangement for the standard communication scenario: OData Services for Business Objects
Select the services which you wish to enable under technical data. In the next image you can see that the technical user is generated.
The technical user created above can be used for basic authentication as well.
Further, we have similar steps as with SOAP services.
Click on edit credentials, then create and download a key pair (a file with the *.p12 extension will be downloaded).
Add the key pair file to your CPI tenant under manage keystore.
Configure the OData adapter as follows.
Maintain the address of the service you wish to call, and the alias saved in the previous step.
Select the authentication method: Client Certificate or Basic authentication.
Note: CSRF token is not needed as we are using a technical user.
In case of Client Certificate, provide the name of the *.p12 file which you saved in the keystore.
In case of Basic authentication, deploy a credential artifact in CPI with the technical user created above, and provide the credential name.
Download the edmx file from the metadata URL and configure the request query.
Using a technical user provides better security and prevents failure of integrations due to expiration of password.
You can get more details on this here.
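The following is an added example, not part of the original post or of SAP's tooling: a shell check that the client certificate inside the downloaded *.p12 is readable and not close to expiry before it goes into the CPI keystore, since a lapsed certificate stops the integration just as an expired password does. It assumes the `openssl` CLI is installed and that the file's passphrase is supplied in a `P12_PASS` environment variable; the function names and that variable name are hypothetical.

```shell
#!/bin/sh
# Added example: inspect the client certificate inside a downloaded *.p12
# before uploading it to the keystore. Function names are hypothetical.
# The passphrase is read from the P12_PASS environment variable (an
# assumption of this example) so it does not appear in the process list.

# Print the client certificate (PEM) from a PKCS#12 file; the private key
# is never written out (-nokeys).
p12_cert_pem() {
  openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null
}

# p12_valid_for_days FILE DAYS
# returns 0: certificate is still valid DAYS days from now
#         1: certificate expires within DAYS days (or already has)
#         2: file unreadable, wrong passphrase, or no certificate found
p12_valid_for_days() {
  _pem=$(p12_cert_pem "$1") || return 2
  [ -n "$_pem" ] || return 2
  printf '%s\n' "$_pem" |
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Show subject and validity window for a manual check.
p12_summary() {
  p12_cert_pem "$1" | openssl x509 -noout -subject -startdate -enddate
}

# Stand-alone use: P12_PASS=... ./check_p12.sh keypair.p12 [DAYS]
if [ "$#" -ge 1 ]; then
  p12_summary "$1"
  if p12_valid_for_days "$1" "${2:-30}"; then
    echo "OK: valid for at least ${2:-30} more days"
  else
    echo "WARNING: expires within ${2:-30} days or could not be read" >&2
    exit 1
  fi
fi
```

Running the same check on a schedule against a copy of the certificate gives advance notice to renew the key pair in the communication arrangement and the keystore.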
For certain services, such as accounthierarchylist, businesspartnerrelationship…, if you use a CSRF token, you’ll get the error “Inconsistent Authorization: Re-activate Communication Arrangement.” This is an authorization error. In OData services, authorization occurs via a work center view which is also assigned to the access user. Because such services don’t have a work center view (WoC view) assigned, reading the metadata causes the issue.
To resolve this error, remove the CSRF fetch, as it is not needed with a communication user, or assign a work center view which can be accessed by the access user (in case of a business user).