Vinayak Adkoli

SAP API Management mini-Security Series

Background and Context

Exposing APIs securely to an ecosystem of internal and external developers, vendors, suppliers and other third parties is a critical use case, and one where the API Management capabilities of SAP BTP's Integration Suite are widely adopted.

Giving your customers and end users an omni-channel experience in which they are not required to log in multiple times or authenticate repeatedly over the network is a big part of IT simplification initiatives. But this can be a challenge given the heterogeneity of the landscapes that enterprises deal with. For example, your frontend enterprise applications may authenticate to an Identity Provider that federates with Azure Active Directory, or connect to Okta for certain flows where access to external systems is needed. Likewise, say you want to fetch Sales Order data that resides in an ECC system sitting in a different part of the corporate network, or you have a microservice deployed in Cloud Foundry that reads data from a HANA Cloud instance serving as a data grid.

You get the picture, and your own setup likely has further complexities when it comes to providing a secure login across all these disparate systems.

Launching the API Management mini-Security series

After speaking with many customers it was clear that there is no 'one-size-fits-all' approach we could recommend, which made it hard to create enablement guides and evangelize this know-how. That motivated us to create an end-to-end security series that deals with the topic in detail and explains the various security and single sign-on flows. So here is the API Management mini-Security series: a set of 11 videos, about 150 minutes of learning content, that explain the intricacies of the principal propagation / SSO flows that apply to the Neo and Cloud Foundry environments, along with code projects, configurations and API proxy bundles to follow along.

Who should follow the security series?

The security series targets solution architects and developers who have set up API Management tenants in their organization and are looking for best practices and guidelines to set up principal propagation from clients, through the API Management components and SAP Cloud Connector, into their backends.

This series also has specific coverage for customers who are already proficient in this subject and are looking for ways to adapt their Neo-based security / SSO patterns to Cloud Foundry accounts, taking into account the nuances of the Cloud Foundry security topology.

Prerequisites to follow along

If you are new to the topic of API Management, it makes sense to first familiarize yourself with the other learning resources we have put up. A few that I can recommend:

Course content:

Here is a brief description of the content presented in each video, the links to the videos themselves, and additional resources to follow along.

The video series can also be found on YouTube as part of the API Management playlist, and on SAP Media Share.

Also note that all the source code, configurations and proxy bundles used in the examples are available in a GitHub project.

Part 1 – Introduction to Security flows and Principal propagation

An introduction to the principal propagation / SSO flows that are relevant from an API Management point of view; it sets the context for how the other parts of this series are laid out.

Existing API Management SSO Blogs:

  • Part 1: Single sign-on from Fiori Application to SAP Gateway via SAP API Management
  • Part 2: Single sign-on from Fiori Application to SAP Gateway via SAP API Management

Cloud Connector setup guides:

Link to video

Part 2 – CF setting up OnPremise connectivity plan

This video takes you through enabling API Management in the SAP Cloud Foundry environment and then enabling on-premise connectivity via the on-premise connectivity service broker plan.

Product documentation resources to enable the on-premise-connectivity Plan:

  • Initial setup to get API Management activated in SAP Cloud Foundry accounts.
  • Activating the on-premise connectivity plan.
  • Creating an API Provider.
  • Enable SAP API Management in Cloud Foundry Environment
Link to video

Part 3a – CF Simple Passthrough with OnPremise connectivity plan

This part discusses solution blueprints for several ways to achieve SSO between a microservice running in an SAP Cloud Foundry instance (a simple Java microservice secured via AppRouter, as an example) and an API Management instance running in the same Cloud Foundry account via the OnPremise connectivity plan.

Resources to build and deploy microservices in Cloud Foundry:

  • Building a Java microservice with SAP Cloud SDK to connect to an OData source.
  • Securing a Java microservice with authentication and authorization.
Link to video

Part 3b – CF Authenticated Passthrough with OnPremise connectivity plan

Continuing from Part 3a, this part focuses on another way (Basic Authentication) to set up a Destination that a Java microservice can use to connect to the API Management instance running in the same Cloud Foundry account via the OnPremise connectivity plan. Note that a Basic Authentication destination authenticates with a fixed technical user, so the calling user's identity is not propagated by this option.

Link to video

Part 3c – CF OAuthUserTokenExchange with OnPremise connectivity plan

Continuing from Parts 3a and 3b, this part focuses on the OAuth2UserTokenExchange mechanism for setting up a Destination that a Java microservice can use to connect to the API Management instance running in the same Cloud Foundry account via the OnPremise connectivity plan. With this destination type the user's JWT from the microservice is exchanged for a token for the target, so the user's identity, not a technical user's, is propagated.

Resources to set up User Token exchange mechanism in SAP Cloud Foundry:

  • Exchanging User JWTs via OAuth2UserTokenExchange Destinations.
  • APIs to interact with Destination Services in SAP Cloud Foundry from the API Business Hub.
Link to video

Part 3d – CF OAuth2SAMLBearer with OnPremise connectivity plan

Continuing from Parts 3a to 3c, this part focuses on the OAuth2SAMLBearerAssertion mechanism for setting up a Destination that a Java microservice can use to connect to an API Management instance running in a different Cloud Foundry account via the OnPremise connectivity plan, which requires a trust setup between the two accounts.

Resources to set up OAuth2SAMLBearerAssertion mechanism in SAP Cloud Foundry:

  • Setting up Trust between Accounts and Destination settings for OAuth2SAMLBearer Assertion mechanism.
  • Destination attributes needed for OAuth2SAMLBearerAssertion.
Link to video

Part 4 – Neo OAuthToSAMLBearer flow OnPremise connectivity

This part describes the use of the OAuth2SAMLBearerAssertion destination type in Neo to connect to API Management instances from apps deployed within the SAP BTP environment, for example Fiori apps and Java services.

Resources to set up OAuth2SAMLBearerAssertion mechanism in Neo environments:

  • Understanding OAuth SAML Bearer assertion flows in Neo.

Deploying a Fiori App in Neo to demonstrate SSO flows:

  • Using WebIDE to build a simple Fiori App in Neo.
Link to video

Part 5 – Neo SAML Assertion flow with OnPremise connectivity

This part describes how to generate a SAML assertion in the API Management layer in the Neo environment and attach it to the request to a backend via API Management's OnPremise connectivity component.

Resources to set up a SAML based flow to establish Single Sign-On:

  • Policy Template in API Business Hub for SAML Verification and Generation flows.
Link to video

Part 6 – CF SAML Assertion Flow with OnPremise connectivity plan

This part explains how to authenticate to SAP's OnPremise connectivity component via the SAML2 bearer grant flow, where a SAML assertion is exchanged for a JWT that is then used to authenticate to the Cloud Foundry component and establish single sign-on.

Resources to set up a SAML flow from an API Management tenant running in CF that authenticates directly to XSUAA:

  • Blog series to learn more about conducting a JWT based verification scheme in API Management.
  • Policy template from API Business Hub to orchestrate the SAML2Grant exchange for OAuth token
Link to video

Part 7 – CF Client Credentials flow for principal propagation

This part explains how to authenticate to SAP's OnPremise connectivity component via the Client Credentials grant type. A client credentials token identifies the API Management client itself rather than an end user, so on its own it establishes a trusted technical connection; the end user's identity still has to be carried alongside it for principal propagation.

Resources to set up a Client Credentials flow from an API Management tenant running in CF that authenticates directly to XSUAA:

  • Policy template from API Business Hub to orchestrate the Client Credentials flow for an OAuth token
Link to video
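As an added example that is not code from the original post, the linked GitHub project or SAP, the following shows the two XSUAA token requests that Parts 6 and 7 describe (SAML2 bearer grant and client credentials grant), and the claim check a proxy should make on the returned JWT before forwarding it. The token endpoint, client id/secret, SAML assertion and the XSUAA claim names are constructed placeholders or assumptions; the JWT signature is deliberately not verified here, since the VerifyJWT policy against the XSUAA JWKS has to do that.

```javascript
'use strict';
// Added example, not code from the original post, the linked GitHub project
// or SAP: the two XSUAA token requests that Parts 6 and 7 describe, and a
// claim check on the JWT that comes back, before the proxy forwards it.
// Token endpoint, client id/secret, SAML assertion and claim names are
// constructed placeholders (assumptions).

// Assumed XSUAA token endpoint of the subaccount (placeholder host).
const TOKEN_URL =
  'https://example-subaccount.authentication.eu10.hana.ondemand.com/oauth/token';

function basicAuthHeader(clientId, clientSecret) {
  return 'Basic ' + Buffer.from(clientId + ':' + clientSecret, 'utf8').toString('base64');
}

// Common shape of an OAuth 2.0 token request: client authenticated with
// HTTP Basic, grant parameters form-encoded in the body.
function tokenRequest(clientId, clientSecret, params) {
  return {
    method: 'POST',
    url: TOKEN_URL,
    headers: {
      Authorization: basicAuthHeader(clientId, clientSecret),
      'Content-Type': 'application/x-www-form-urlencoded',
    },
    body: new URLSearchParams(params).toString(),
  };
}

// Part 7: client credentials grant. The resulting token represents the API
// Management client itself and carries no end-user identity.
function clientCredentialsRequest(clientId, clientSecret) {
  return tokenRequest(clientId, clientSecret, { grant_type: 'client_credentials' });
}

function base64url(buf) {
  return buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Part 6: SAML2 bearer grant (RFC 7522). The assertion built in the API proxy
// is exchanged for a JWT whose user is the assertion's subject. RFC 7522
// prescribes base64url for the assertion parameter; that XSUAA accepts it as
// such is an assumption to confirm against the XSUAA documentation.
function saml2BearerRequest(clientId, clientSecret, samlAssertionXml) {
  return tokenRequest(clientId, clientSecret, {
    grant_type: 'urn:ietf:params:oauth:grant-type:saml2-bearer',
    assertion: base64url(Buffer.from(samlAssertionXml, 'utf8')),
  });
}

// Decodes the payload of a compact JWS without checking the signature.
function jwtClaims(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Claims a proxy should insist on before propagating a token: not expired,
// issued to our own client and, when the call must carry a user, bound to one.
// No signature check here; the VerifyJWT policy against the XSUAA JWKS runs
// first. Claim names client_id, grant_type and user_name are as seen in
// XSUAA tokens (assumption: verify against a token from your tenant).
function tokenAcceptable(token, expectedClientId, requireUser, now) {
  const c = jwtClaims(token);
  const t = now === undefined ? Math.floor(Date.now() / 1000) : now;
  if (typeof c.exp !== 'number' || c.exp <= t) return false;
  if (c.client_id !== expectedClientId) return false;
  if (requireUser && (c.grant_type === 'client_credentials' || !c.user_name)) return false;
  return true;
}

// Constructed sample token with a dummy signature, so the check runs offline.
function sampleToken(claims) {
  const header = base64url(Buffer.from(JSON.stringify({ alg: 'RS256', typ: 'JWT' })));
  return header + '.' + base64url(Buffer.from(JSON.stringify(claims))) + '.c2lnbmF0dXJl';
}
```

The `requireUser` flag is what separates the two parts: a token obtained with `clientCredentialsRequest` passes the check only when the proxy does not need a user behind the call, while a token from `saml2BearerRequest` is expected to carry the user taken from the assertion's subject.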

Part 8 – NEO to CF OAuth2SAMLBearer principal propagation

The final part of this series explains how an application deployed in the Neo environment can connect to an API Management instance running in an SAP Cloud Foundry tenant using the OAuth2SAMLBearerAssertion flow.

Link to video

Summary:

The key takeaway from the video series should be an understanding of the options that exist to establish single sign-on; depending on what your scenario looks like, some of the described means can serve as a starting point for your own solution blueprints.

Should you have any feedback, please come back to us with suggestions and improvements so that we can help you run better.


      16 Comments
      Holger Neub

      Vinayak Adkoli thank you for this series. Do you happen to know when the "apimanagement-apiportal" plan will be available in cf.eu10.hana.ondemand.com (AWS, Frankfurt)? Currently it is not.

      Thank you!

      Regards

      Holger

       

      Vinayak Adkoli
      Blog Post Author

      Hi Holger Neub, please stay tuned, it should be out by the middle of next week. If it happens sooner, I'll keep you informed 🙂

      Sukhdeep Singh

      Hello Vinayak Adkoli,

      Quick question. In terms of connectivity between 3rd Party (Google Cloud) --> APIM (cloud Neo) --> CPI (cloud Neo) --> S4 (On-Prem), how does SAP APIM connect with CPI and how can we build a trust relationship between these systems?

      In my case the Test cockpit is working fine, but when the 3rd party sends data it fails with 401 once APIM has processed it and tries to send the information to CPI. Does SAP have any step-by-step blog/documentation available for the same?

      Regards

      Vinayak Adkoli
      Blog Post Author

      Hi Sukhdeep, unfortunately it's hard to pinpoint where exactly things could be wrong. It may make sense to report a bug.

      Ramesh Vodela

      Hello Vinayak Adkoli,

      I was trying this on the Cloud Foundry Trial account (Integration Suite API, On-Premise API data provider). When I click on the Test connection step I got the message:

      System is up and reachable. However, the ping check responded with code : 405; Message : Method Not Allowed

      When I checked the log in the Cloud Connector I found that an exception had occurred with this message:

      sap.core.connectivity.tunnel.client.notification.NotificationClientEventHandler#Thread-29# #Unexpected exception while establishing tunnel connection for tunnel: account:///4d66160b-e6ad-4a7c-9208-9857f24a8b9c/RCloudConn
      io.netty.resolver.dns.DnsResolveContext$SearchDomainUnknownHostException: Search domain query failed. Original hostname: ‘connectivitytunnel.cf.eu10.hana.ondemand.com’ failed to resolve

       

      Before Nov 13 on the NEO platform the same settings were working correctly. I am not in a position to raise an OSS ticket.

      Best regards

      Ramesh

      Vinayak Adkoli
      Blog Post Author

      Hi Ramesh, can you independently verify whether the Cloud Connector is set up with the CF account correctly?

      There is a new version of Cloud Connector (2.13) available now. You may want to check with that as well.

      Ramesh Vodela

      Vinayak

      When I tried this recently it worked fine:

      https://blogs.sap.com/2021/01/10/cloud-foundry-api-portal-and-cpi-api-using-a-premise-odata-service/

      Best regards

      Ramesh

       

       

      Jérome ROMAIN

      Hi Vinayak,

       

      Thanks a lot for the Blog.

      We are trying to implement principal propagation on API Management NEO and have followed the steps described in Part 5 of this blog. The only difference in our POC is that we don't have northbound security and we just have a hardcoded UserID as the subject of the SAML assertion.

      Principal propagation is already in place between the Cloud Connector used and the backend (with client certificate) and has been fully tested using the Cloud Portal Service, so we know that this is working.

      But after implementing all the steps described in this blog, when we call our API Proxy we get an HTTP 401 response and are prompted with a Basic Authentication popup. Looking at the HTTP trace, we can see the following:

      WWW-Authenticate: Basic realm="SAP HANA Cloud Platform"
      X-message-code: PWD_WRONG

      Our current interpretation is that the SAML assertion sent to the OPProxy component is somehow not considered valid.

      Could you please guide us on how to confirm and fix the cause of the issue?

       

      Many thanks in advance for your help.

       

      Best regards,

      Jérôme.

      Vinayak Adkoli
      Blog Post Author

      Hi Jerome, in my experience the error you are mentioning is basically because of a) a lack of trust setup between the API Gateway and OPProxy, or b) the SAML issuer / recipient / audience fields being incorrect, or c) spaces in the values you've entered. Sometimes these are the most difficult to debug 🙁

      Jérome ROMAIN

      Hi Vinayak,

      Thanks a lot for your reply.

      We've reviewed points a), b) and c) without positive results 🙁

      We are rather confident about point a) (the trust setup).

      Regarding point b), the SAML issuer value matches the name of the trusted IdP, but we are unsure about the recipient and audience values:

      • recipient is set to the value https://[opproxytest_subscription_url]/rt/a/[destination_name]/[pathToBackendService].
      • audience is set to the value https://hana.ondemand.com/[tenantID], which is the tenant local provider name found in the Trust settings of our subaccount.

      Do these values seem correct to you?

      Thanks a lot in advance for your reply. It will certainly help us reach our goals 😉

      Best regards,

      Jérôme.

      Sambaran Chakraborty

      Hi Jérôme,

       

      Did you find any solution for this error?

       

      @Vinayak, we are using the ODP service "gwaas-<>.eu2.hana.ondemand.com" set up as API provider. What will be the "recipient" in that case? I believe OpProxy is only used when we have an On-premise provider.

      I tried to use something like the line below, but it didn't work and gave the same error PWD_WRONG:

       

      context.setVariable("sapapim.recipient", "https://<>apiportalapimgmtpeu2-<>.eu2.hana.ondemand.com/ODP/odata/SAP/XYZ_SRV;v=1/" +

       

      Kindly guide.

       

      Thanks,

      Sambaran

      Jérome ROMAIN

      Hi Sambaran,

       

      Not yet, but rest assured I'll post the solution here when it is finally found!

       

      Best regards,

      Jérôme.

      Lars Laegner

      Hi Jérome,

      could you finally solve the issue with the following?

      WWW-Authenticate: Basic realm="SAP HANA Cloud Platform"
      X-message-code: PWD_WRONG

      We are in the same position and don't know how to continue, as it works in another, identical scenario without problems.
      Thanks&Bye
      Ciao
      Lars
      Jérome ROMAIN

      Hi Lars,

       

      Yes, with the help of SAP!

      The issue was caused by the value of the flow variable "sapapim.recipient" that is set in the script samlhelper.js.

      Ours was ending with a '/' character. After removing it, the error disappeared and the whole principal propagation process worked.

       

      I hope it helps!

       

      Regards,

      Jérôme.

      Lars Laegner

      Thank you very much - You saved the day for our team!
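The sub-thread above pins the PWD_WRONG answer from OPProxy on the SAML attributes the Part 5 proxy generates: the issuer must equal the IdP name the subaccount trusts, the recipient is the OPProxy runtime URL of the destination and backend path with no trailing '/', the audience is the subaccount's local provider name, and none of them may carry stray spaces. The helper below, written for this page as an added example and not the samlhelper.js from the post's GitHub project, sets those flow variables after normalising them that way. It runs against a minimal stand-in for the JavaScript policy's `context` object; the hostnames, destination name and backend path are constructed placeholders, and the variable names `sapapim.issuer` and `sapapim.audience` are assumptions (only `sapapim.recipient` appears in the thread).

```javascript
'use strict';
// Added example, not the samlhelper.js from the post's GitHub project: sets
// the flow variables the Part 5 SAML generation step reads, after normalising
// them the way the thread found necessary (no surrounding whitespace, no
// trailing '/' on the recipient). Hostnames, destination and path are
// constructed placeholders; sapapim.issuer and sapapim.audience are assumed
// variable names, only sapapim.recipient is confirmed by the thread.

// Minimal stand-in for the 'context' object an API Management JavaScript
// policy receives, so the helper runs outside a proxy.
function makeContext() {
  const vars = {};
  return {
    getVariable: (name) => vars[name],
    setVariable: (name, value) => { vars[name] = value; },
    vars,
  };
}

// Point c) of the author's reply: a value with leading, trailing or inner
// whitespace is never what OPProxy compares against.
function requireNonBlank(value, label) {
  if (typeof value !== 'string' || value.trim() === '') throw new Error(label + ' is missing');
  const v = value.trim();
  if (/\s/.test(v)) throw new Error(label + ' contains whitespace');
  return v;
}

// Joins a base URL and path segments with single slashes whatever the inputs
// carried, and drops the trailing '/' that made OPProxy answer PWD_WRONG.
function joinUrl(base, segments) {
  const parts = [requireNonBlank(base, 'base URL').replace(/\/+$/, '')];
  for (const s of segments) {
    const t = String(s).trim().replace(/^\/+|\/+$/g, '');
    if (t) parts.push(t);
  }
  return parts.join('/');
}

function requireHttpsUrl(value, label) {
  const v = requireNonBlank(value, label).replace(/\/+$/, '');
  let u;
  try { u = new URL(v); } catch (e) { throw new Error(label + ' is not a URL'); }
  if (u.protocol !== 'https:') throw new Error(label + ' must use https');
  return v;
}

// cfg.issuer       name of the IdP trusted by the subaccount (point b) above)
// cfg.opProxyUrl   OPProxy subscription URL
// cfg.destination  destination name behind OPProxy
// cfg.backendPath  path of the backend service
// cfg.audience     local provider name from the subaccount's Trust settings
function setSamlFlowVariables(context, cfg) {
  const issuer = requireNonBlank(cfg.issuer, 'issuer');
  const recipient = requireHttpsUrl(
    joinUrl(cfg.opProxyUrl, ['rt', 'a', cfg.destination, cfg.backendPath]), 'recipient');
  const audience = requireHttpsUrl(cfg.audience, 'audience');
  context.setVariable('sapapim.issuer', issuer);
  context.setVariable('sapapim.recipient', recipient);
  context.setVariable('sapapim.audience', audience);
  return { issuer, recipient, audience };
}
```

Inside a real proxy the `context` argument is the policy's own object and `cfg` would come from key-value maps or proxy properties; failing loudly on a malformed value, rather than letting the request reach OPProxy, is what turns a PWD_WRONG hunt into an immediate policy error with the offending field named.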

      Manikandan Rajendran

      Hi Vinayak,

      I went through Part 5 – Neo SAML Assertion flow with OnPremise connectivity.

      It mentions that it is for Apps deployed in the same BTP environment.

      We have an existing service implemented using basic authentication between SF and APIM so far (user details were validated using custom code in the API Proxy). APIM connects to the SharePoint OData service using OAuth 2.0 over the internet.

      But now, after a recent update in SF, the basic authentication stopped working. So the only way forward is using OAuth2SAMLBearerAssertion between SAP SF and SAP APIM.

      My requirement is that SAP SuccessFactors would consume the API Management service in Neo SAP BTP using the OAuth2SAMLBearerAssertion destination service in the SAP BTP where APIM is running. Is this scenario possible?

      Regards,

      MR