Skip to Content
Technical Articles

SAP API Management mini-Security Series

Background and Context

Exposing APIs securely to your ecosystem that consists of internal/external developers, vendors, suppliers and any other third-party recipients is a critical use case where API Management capabilities of SAP BTP’s Integration Suite are widely adopted.

Giving your customers and end-users an omni-channel experience where they are not required to log in multiple times and authenticate repeatedly over the network is a big part of IT simplification initiatives. But this can be a challenge given the heterogeneity in the landscapes that enterprise deal with.  For example, your frontend enterprise applications may well be authenticating to an Identity Provider that federates with Azure Active Directory or perhaps connect to Okta for certain flows where access to external systems is needed. Likewise,  you want to say, fetch Sales Order data that resides in your ECC system that may be in a different part of the corporate network, or that you have a microservice deployed in Cloud Foundry that reads data from a HANA Cloud instance that serves as a data grid.

You get the picture and I’m certain that there could be various other complexities in your setup when it comes to having a mechanism to have a secure login across all these disparate systems.

Launching the API Management mini-Security series

After having spoken with many customers, it was very clear that there is no ‘one-size-fits-all‘ approach that can be recommended to our customers, so there existed a challenge in terms of how we could create enablement guides and evangelize such know-how. That only ended up motivating us to create an end to end security series where this topic could be dealt with in great detail and explain various security and single sign-on flows. So here’s presenting API Management mini-Security series, a set of 11 videos spread over 150 minutes of learning content that explain the intricacies of the Principal propagation / SSO flows that apply to Neo and Cloud Foundry environment along with code projects, configurations and API Proxy bundles to follow along.

Who should follow the security series?

The security series targets solution architects and developers who have set up API Management tenants in their organization and are looking at best practices/guidelines to set up principal propagation from clients to API Management components to SAP Cloud Connector into their backends.

This series also has specific coverage for customers who are already proficient with this subject and are looking at ways to adapt their Neo based security / SSO patterns into Cloud Foundry accounts based on the nuances of Cloud Foundry security topology.

Pre-requites to follow along

In case you are a beginner to the topic of API Management, it may make sense to familiarize yourself with other learning resources that we’ve put up. A few ones that I can recommend would be :

Course content:

Here is a brief description of the content that is presented in each video, the links to the video themselves, and additional resources to follow along.

The video series can also be found here on youtube as part of the API Management playlist here or even here on the SAP Media Share.

Also, make a note that all the source code, configurations, proxy bundles used in the examples will be available in a GitHub project that we’ve put here.

Part 1 – Introduction to Security flows and Principal propagation

An introduction of principal propagation / SSO flows that are relevant from an API Management point of view and sets the context for how the other parts of this video series will be laid out.

Existing API Management SSO Blogs:

  • Part 1: Single sign-on from Fiori Application to SAP Gateway via SAP API Management
  • Part 2: Single sign-on from Fiori Application to SAP Gateway via SAP  API Management

Cloud Connector setup guides:

Link to video or click below

Part 2 – CF setting up OnPremise connectivity plan

This video takes you through the experience of enabling API Management in SAP Cloud Foundry environment and later enabling the on-premise connectivity via the on-premise connectivity service broker plan

Product documentation resources to enable the on-premise-connectivity Plan:

  • Initial setup to get API Management activated in SAP Cloud Foundry accounts.
  • Activating the on-Premise Connectivity plan.
  • Creating an API Provider.
  • Enable SAP API Management in Cloud Foundry Environment
Link to video or click below

Part 3a – CF Simple Passthrough with OnPremise connectivity plan

This video part discusses the solution blueprints of various ways to achieve SSO between a microservice running in SAP Cloud Foundry instance ( a simple Java Microservice secured via AppRouter as an example) and API Management’s instance running in the same Cloud Foundry Account via the OnPremise connectivity plan

Resources to build and deploy microservices in Cloud Foundry:

  • Building a Java microservice with SAP Cloud SDK to connect to an OData source.
  • Securing a Java microservice with authentication and authorization.
Link to video or click below

Part 3b – CF Authenticated Passthrough with OnPremise connectivity plan

Continuing the context set in Part 3a of this video series, this part focusses on other ways (Basic Authentication) to set up a Destination that can be used by a Java Microservice to connect to the API Management’s instance running in the same Cloud Foundry Account via the OnPremise connectivity plan.

Link to video or click below

Part 3c – CF OAuthUserTokenExchange with OnPremise connectivity plan

Continuing the context set in Part 3a & 3b of this video series, this part focusses on OAuth User Token Exchange mechanism to set up a Destination that can be used by a Java Microservice to connect to the API Management’s instance running in the same Cloud Foundry Account via the OnPremise connectivity plan.

Resources to set up User Token exchange mechanism in SAP Cloud Foundry:

  • Exchanging User JWTs via OAuth2UserTokenExchange Destinations.
  • APIs to interact with Destination Services in SAP Cloud Foundry from the API Business Hub.
Link to video or click below

Part 3d – CF OAuth2SAMLBearer with OnPremise connectivity plan

Continuing the context set in Part 3a, 3b & 3c of this video series, this part focusses on OAuth2SAMLBearer mechanism to set up a Destination that can be used by a Java Microservice to connect to the API Management’s instance running across Cloud Foundry Accounts via the OnPremise connectivity plan.

Resources to set up OAuth2SAMLBearerAssertion mechanism in SAP Cloud Foundry:

  • Setting up Trust between Accounts and Destination settings for OAuth2SAMLBearer Assertion mechanism.
  • Destination attributes needed for OAuth2SAMLBearerAssertion.
Link to video or click below

Part 4 – Neo OAuthToSAMLBearer flow OnPremise connectivity

This video part describes the usage of OAuth2SAMLBearerAssertion Destination type in Neo to connect into API Management instances when connecting from Apps that are deployed within SAP BTP environment for e.g. Fiori apps, Java Services, etc.

Resources to set up OAuth2SAMLBearerAssertion mechanism in Neo environments:

  • Understanding OAuth SAML Bearer assertion flows in Neo.

Deploying a Fiori App in Neo to demonstrate SSO flows:

  • Using WebIDE to build a simple Fiori App in Neo.
Link to video or click below

Part 5 – Neo SAML Assertion flow with OnPremise connectivity

This video part describes the procedure to attach SAML Assertions from the API Management layer in Neo environment to a backend via API Management’s OnPremise connectivity component

Resources to set up a SAML based flow to establish Single Sign-On:

  • Policy Template in API Business Hub for SAML Verification and Generation flows.
Link to video or click below

Part 6 – CF SAML Assertion Flow with OnPremise connectivity plan

This video part explains the process to authenticate to the SAP’s OnPremise connectivity component via the SAML2 Grant flow where a SAML Token is exchanged for a JWT token that is used eventually to authenticate to the Cloud Foundry component to establish Single Sign-On.

Resources to set up a SAML flow from API Management tenant running in CF by directly authenticating to XSUAA:

  • Blog series to learn more about conducting a JWT based verification scheme in API Management.
  • Policy template from API Business Hub to orchestrate the SAML2Grant exchange for OAuth token
Link to video or click below

Part 7 – CF Client Credentials flow for principal propagation

This video part explains the process to authenticate to the SAP’s OnPremise connectivity component via the Client Credentials grant type.

Resources to set up a Client Credentials flow from API Management tenant running in CF by directly authenticating to XSUAA:

  • Policy template from API Business Hub to orchestrate the Client credentials flow for OAuth token
Link to video or click below

Part 8 – NEO to CF OAuth2SAMLBearer principal propagation

The final video part of this series explains the process by which an application that is deployed in the Neo environment can connect to an API Management instance that is running in SAP Cloud Foundry tenant using the OAuth2SAMLBearerAssertion flow.

Link to video or click below

Summary :

The key take away from the video series should be that you are in a position to understand the various options that exist to establish single sign-on and depending on how your scenario looks, some of the described means could serve as a starting point for you to consider implementing into your solution blueprints.

Should you have any feedback, please come back to us with suggestions, improvements so that we can help you run better.

12 Comments
You must be Logged on to comment or reply to a post.
  • Vinayak Adkoli thank you for this series. Do you happen to know when the "apimanagement-apiportal" plan will be availabe in cf.eu10.hana.ondemand.com (AWS, Frankfurt)? Currently it is not.

    Thank you!

    Regards

    Holger

     

  • Hello Vinayak Adkoli ,

    Quick question. In terms of connectivity between 3rd Party(Google cloud) --> APIM(cloud Neo) --> CPI(cloud Neo) --> S4(On-Prem), how SAP APIM connects with CPI and how we can build trust relationship between these systems?

    In my case Test cockpit is working fine but when 3rd party send data it fails with 401 once APIM processed it and try to send information to CPI. Do SAP have any step by step blog/documentation available for same?

    Regards

  • Hello Vinyak Adkoli

    I was trying this on the Cloud Foundry Trial account  Integration Suite API On Premise API dataprovider– When I click on Test connection Step I got the message

    System is up and reachable. However, the ping check responded with code : 405; Message : Method Not Allowed

    When I checked the log in the cloud connector I found exception occurred with this message.

    sap.core.connectivity.tunnel.client.notification.NotificationClientEventHandler#Thread-29# #Unexpected exception while establishing tunnel connection for tunnel: account:///4d66160b-e6ad-4a7c-9208-9857f24a8b9c/RCloudConn
    io.netty.resolver.dns.DnsResolveContext$SearchDomainUnknownHostException: Search domain query failed. Original hostname: ‘connectivitytunnel.cf.eu10.hana.ondemand.com’ failed to resolve

     

    Before Nov 13 in the NEO Platform the same settings were working correctly. I am not in a position to raise a oss ticket.

    Best regards

    Ramesh

    • Hi Ramesh, Can you independently verify if the Cloud Connector is setup with the CF account correctly ?

      There is a new version of Cloud Connector (2.13) now available. You may want to check with that as well

      • Vinayak

        When I tried this recently it worked fine.

        https://blogs.sap.com/2021/01/10/cloud-foundry-api-portal-and-cpi-api-using-a-premise-odata-service/

        Best regards

        Ramesh

         

         

  • Hi Vinayak,

     

    Thanks a lot for the Blog.

    We are trying to implement principal propagation on API Management NEO and have followed the steps described in the part 5 of this blog. The only difference in our POC is that we don't have northbound security and we just have an hardcoded UserID as the subject of the SAML assertion.

    Principal propagation is already in place between the Cloud Connector used and the backend (with client certificate) and fully tested using the Cloud Portal Service, so we know that this is working.

    But after implementing all the steps described in this blog, when we call our API Proxy, we are getting an HTTP 401 response and are prompted with a Basic Authentication popup. Looking at the HTTP trace, it see can see the following:

    WWW-Authenticate:
    Basic realm="SAP HANA Cloud Platform"
    X-message-code:
    PWD_WRONG

    Our current interpretation is that the SAML assertion send to the OPProxy component is somehow not considered valid.

    Could you please guide us on how to confirm and fix the cause of the issue?

     

    Many thanks in advance for your help.

     

    Best regards,

    Jérôme.

  • Hi Jerome, In my experience, the error you are mentioning is basically because of a) lack of a trust setup between the API Gateway and OPProxy or b) the SAML issuer / recipient / audience fields are incorrect or c) look for spaces in the values you've entered. Sometimes these are the most difficult to debug 🙁

    • Hi Vinayak,

      Thanks a lot for your reply.

      We've reviewed points a) b) and c) without positive results 🙁

      We are rather confident about point a) (the trust setup)

      Regarding point b), the SAML issuer value matches the name of the trusted IDP but we are unsure about the recipient & audience values:

      • recipient is set to value https://[opproxytest_subscription_url]/rt/a/[destination_name]/[pathToBackendService].
      • audience is set to value https://hana.ondemand.com/[tenantID], which is the tenant local provider name found in the Trust setting of our subaccount.

      Do these values seem correct to you?

      Thanks a lot in advance for you reply. It will certainly help us reaching our goals 😉

      Best regards,

      Jérôme.

      • Hi Jérôme ,

         

        Did you find any solution for this error ?

         

        @Vinayak ,  We are using  ODP service "gwaas-<>.eu2.hana.ondemand.com" setup as API provider .  What will be the "recipient " in that case ?  I believe OpProxy is only when we have On-premise provider.

        I tried to use something like below but didn't work giving same error PWD_WRONG

         

        context.setVariable("sapapim.recipient", "https://<>apiportalapimgmtpeu2-<>.eu2.hana.ondemand.com/ODP/odata/SAP/XYZ_SRV;v=1/" +

         

        Kindly guide.

         

        Thanks,

        Sambaran