Yogananda Muthaiah

SAP Commissions – JWT Authentication

JWT-based Authentication

The basic thing you need to understand about JWT-based authentication is that you are dealing with a digitally signed JSON object, which we will call the "token". This token carries all the information the back-end system needs to work out who you are and to check that you really are who you say you are.

So, let’s get into it.

Step 1 – Generate a private key.

You can generate a private key with the openssl tool using Git Bash:

openssl genrsa -out private_jwt.key 2048

Step 1 (continued) – Generate a public key.

Again, we use openssl to derive the public key from the private key created in Step 1:

openssl rsa -in private_jwt.key -pubout -outform PEM -out public_jwt_key.pub

The public key is stored in the file public_jwt_key.pub. Commissions uses it later to verify the JWT signature during logon.

Step 2 – Select the Commissions user with authentication type JWT and upload the public key.

Go to SAP Commissions > User Administration, select your user, set the authentication type to JWT and upload the public key.

Step 3 – Generate a JWT token.

Install Node.js and npm, then install the jwtgen package (https://www.npmjs.com/package/jwtgen):

npm i jwtgen

Command to generate the JWT token (signed with the private key from Step 1):

jwtgen -e 3000 -c "sub=D00000000000001" -c "aud=https://<tenantid>.callidusondemand.com" -a RS256 -p private_jwt.key

Screenshot for JWT Token


SAP Commissions performs the following validations on the JWT token:

  • The aud claim in the token is equal to the Commissions server URL.
  • The iss claim in the token contains a Commissions user id of authentication type JWT.
  • The token signature is successfully verified with the public key stored with the Commissions user.
  • The token is valid and not yet expired.

Step 4 – Authenticate against Commissions with the JWT token.

GET method:

https://<tenantid>.callidusondemand.com/CallidusPortal/services/Authentication/isAuthenticated

If the call succeeds, the response body is an empty JSON object ({}).

Known Error

  • A public key can be assigned to only one user for JWT authentication.


Decoded Headers

{
  "typ": "JWT",
  "alg": "RS256"
}

Decoded Payload

{
  "iat": 1616780333,
  "exp": 1616783333,
  "sub": "D00000000000001",
  "aud": "https://<tenantid>.callidusondemand.com"
}

      8 Comments

      Philip Holtom

      Thanks Yogananda! That's a helpful article on this new feature.

      Yogananda Muthaiah
      Blog Post Author

      Thanks Philip Holtom!

      Ze Vargas

      Very helpful. Thank you!

      Yogananda Muthaiah
      Blog Post Author

      Thanks Ze Vargas!

      Praveen Gatakala

      Helpful information! Thanks Yoga

      Yogananda Muthaiah
      Blog Post Author

      Thanks Praveen Gatakala! Keep sharing with all your friends and colleagues.

      Tas Cullen

      Great article Yogananda Muthaiah. Just want to point out that you do have the full tenant ID showing in some of your screenshots, the ones from the terminal - not sure if you want to amend the images to remove it?

      Yogananda Muthaiah
      Blog Post Author

      Tas Cullen, thanks for highlighting!

      I have morphed the tenantId now in the screenshots.