Skip to Content
Technical Articles

OAuth2SAMLBearerAssertion Flow with the SAP BTP Destination Service. S/4HANA Cloud.

Foreword.

This instalment belongs to a mini series of blogs on OAuth2SAMLBearerAssertion Flow leveraging SAP BTP Destination Service with S/4HANA Cloud inbound ODATA services. Bon voyage:)

 

Abstract.

There is ample and relatively accurate official documentation on how to configure S/4HANA Cloud for Side by Side or In-App integration with the APIs.

And when it comes to inbound communication (e.g. you are calling into S4HC APIs) the end to end user SSO is not only essential but paramount.

And precisely, OAuth2SAMLBearerAssertion authorisation flow allows for propagation of a user’s identity from any client application deployed anywhere all the way through to an ODATA-based asset management service (like SAP S/4HANA Cloud in this instance).

A truly end to end Single Sign On!

 

Putting it all together

As a baseline we will use the following User Propagation Scenario: User Propagation from the Cloud Foundry Environment to SAP S/4HANA Cloud.

This scenario is applicable to any brief including with the client application deployed as Other runtime (== other than SAP BTP CF or Kyma runtimes).

Good to know:

  • The SAP BTP destination service can be used with Other custom runtimes. This translated into plain English means your application does not have to be deployed on BTP but you can still leverage the SAP BTP Destination service.
  • The following authentication scenarios are supported with SAP S/4HANA Cloud:

    • Basic Authentication (inbound and outbound connections)
    • OAuth 2.0 SAML Bearer Assertion (inbound connections). This is scenario being described in this blog.
    • OAuth 2.0 Client Credentials (outbound Connections)
    • No Authentication (outbound connections)

 

Configure OAuth communication with S/4HANA Cloud.

We will follow the sequence of the configuration tasks as described in the official documentation, namely:

Configuration Tasks

Quovadis-S4HC.

Assuming you have the right level of access to your target S4HC system and that you have created a communication user you may now create there your own OAuth2.0 client application (=communication system+communication arrangement).

Let’s call it Quovadis-S4HC.

 

Configure the OAuth2.0 Identity Provider in the Communication System.

 

One piece of information you will need from the Destination service created on SAP BTP sub-account level is the trust’s public x509 certificate that you will need to insert into the Quovadis-S4HC OAuth2.0 Communication System as depicted below:

 

 

A fairly common question. What is the Provider Name?

The provider name designated the issuer of the saml bearer assertion. The provider name defaults to the Issuer’s x.509 certificate CN (Common Name).

When uploading the destination service signing certificate, the CN will be populated automatically to both the Signing Certificate Subject and Issuer sections to the left .

Make sure you copy the CN field and assign it as a Provider Name (as it will not be populated).

Good to know:

  • Under the bonnet this will result in the creation of a custom OAuth2.0 Identity Provider that will be used in the IDP-initiated flow when your 3rd party client app has called into the oauth token validation endpoint…
  • You might also use a custom Provider Name; however this requires setting additional property called assertionIssuer (which designates the issuer of the saml assertion) in the destination definition. This is documented here at the section Set Up SAP BTP Side point 3b.

 

Last but not least you can create a communication arrangement for a given communication scenario.

 

Create a communication arrangement for a given communication scenario.

 

Creating a communication arrangement (that uses this communication system) will result in creating of an OAuth2.0 client with the client_id and client_secret equal the communication user name and password respectively.

The SAML2 Audience is the service provider and is the value
of your S4HC tenant URL.

The Token service URL is the OAuth2.0 IdP endpoint. 
The Destination service will call this endpoint with the saml 
assertion it has generated internally.

You can add the required scope as a Token service URL 
endpoint's query parameter (?scope=<scope>)
or you can pass it in the scope property in the destination 
definition.

You will need the above OAuth2.0 client details when creating a destination definition below.

Creating a destination.

Create a Destination service instance on a BTP sub-account level (that can be done with a trial BTP account as well)

 

Before you can configure the API hub sandbox environment you will need to have created an instance of the destination service.

Choose Other as the runtime environment and give the service instance a name, for instance Quovadis

Next configure your API Business Hub sandbox with the above destination service credentials.

Please refer to the following article on the details for the sandbox environment configuration with SAP API Business Hub.

You can create a destination definition using either GUI of the SAP BTP sub-account or programmatically calling the destination service APIs.

Assuming you will be rehearsing the access to the destination 
service APIs with the SAP Business API Hub sandbox environment
or alternatively using the API Management,
you do not need to write a single line of code.

All you need to do is create a definition of your destination
as demonstrated below.

Then you may call that destination with the destination 
service find api any time you need to procure a bearer access token
to authorize access to remote S4HC resource.

 

Most of the values in the below destination definition will need to come from the OAUTH2.0 service – the so called Communication Arrangement – from S4HC tenant.

 

Create destination definition programmatically with API.

You could grab the below json structure, enter your values and use it with the

destination service POST/PUT destinations APIs

Post (=create) a new destination:
Put (=update) an existing destination:

https://destination-configuration.cfapps.xx99.hana.ondemand.com/destination-configuration/v1/subaccountDestinations

{
  "Name": "Quovadis-S4HC",
  "Type": "HTTP",
  "URL": "https://my999999.s4hana.ondemand.com/sap/opu/odata/sap/API_PURCHASEORDER_PROCESS_SRV",
  "Authentication": "OAuth2SAMLBearerAssertion",
  "ProxyType": "Internet",
  "tokenServiceURLType": "Dedicated",
  "audience": "https://my999999.s4hana.ondemand.com",
  "authnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:x509",
  "Description": "https://api.sap.com/api/API_PURCHASEORDER_PROCESS_SRV/overview",
  "clientKey": "<client_id>", //==communication user name
  "nameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
  "scope": "API_PURCHASEORDER_PROCESS_SRV_0001",
  "x_user_token.jwks_uri": "https://<identityzone>.authentication.xx99.hana.ondemand.com/token_keys",
  "tokenServiceUser": "<client_id>", //==communication user name
  "tokenServiceURL": "https://my999999-api.s4hana.ondemand.com/sap/bc/sec/oauth2/token",
  "userIdSource": "email",
  "tokenServicePassword": "<client_secret>" //==communication user password
}

 

Asserting user’s identity

A user’s identity.That’s the most important part of the setup.

You have a choice between a static technical user, or a dynamic user.

The destination service supports dynamic user indentities via 
a user JWT token. 
You may need to provide an access url to OpenID Connect provider metadata.
Please add in the destination service's x_user_token.jwks_uri property 
the value of the jwks_uri url from the OIDC provider metadata.

As aforementionned, the value of this property must come 
from the OIDC user identity provider metadata.
In case you are using the XSUAA service as the OIDC provider you could call
the .well-known/openid-configuration endpoint of the XSUAA service url,
in order to retrieve the OIDC metadata, for instance:

https://<identityzone>.authentication.xx99.hana.ondemand.com/.well-known/openid-configuration

then you will look for jwks_uri and copy the value of jwks_uri 
(it is yet another url) to the x_user_token.jwks_uri property 
in the destination defintion.

Disclaimer:
In a productive scenario you must be using a user JWT token!
However a technical user may be used in the initial sandboxing 
and concept proving of the entire configuration.

In either case, the user must exist in both the client application 
and the target S4HC system.

 

Finding destination.Obtaining the bearer access token to call into S4HC business API.

Find destination API call:

https://destination-configuration.cfapps.xx99.hana.ondemand.com/
destination-configuration/v1/destinations/Quovadis-S4HC

Please substitute xx99 by the BTP subaccount region where you
have provisionned the destination service on a subaccount level,
for instance 'eu10' etc.

 

As a result of this call you will get the bearer access token that you can use to call into S4HC OData API, and retrieve the assets like Purchaser Orders or Sales Orders, your user has been granted access to, for instance:

 "authTokens": [
    {
      "type": "Bearer",
      "value": "-hY-nuoXHtusskpbJBHeC4EX8jPi0jYZ7RAZP9Q7_WadI111",
      "http_header": {
        "key": "Authorization",
        "value": "Bearer -hY-nuoXHtusskpbJBHeC4EX8jPi0jYZ7RAZP9Q7_WadI111"
      },
      "expires_in": "3600",
      "scope": "API_PURCHASEORDER_PROCESS_SRV_0001"
    }
  ]

 

Thanks for reading

Piotr Tesny

 

Additional resources.

Last but not least. Let’s see the rationale behind using the Destination Service.

 

S/4HANA Cloud

Leverage Principal Propagation via OAuth 2 when consuming a Business API from S/4HANA Cloud

Extending SAP S/4HANA Cloud in the Cloud Foundry Environment Manually

Scenario: User Propagation from the Cloud Foundry Environment to SAP S/4HANA Cloud

Set Up Authentication for SAP S/4HANA Cloud Extensions

SAP S/4HANA Cloud : Developer’s pocket reference taking up Cloud Essentials Build

SAP S/4HANA Cloud Expertise Services community

This is a private implementation-focused group for Partners & SAP internal ONLY.
The community exists to help scale S/4HANA Cloud knowledge and experience out to the wider community.
SAP Extensibility Explorer for SAP S/4HANA Cloud

Tutorials:

2 Comments
You must be Logged on to comment or reply to a post.
  • Hello Piotr

    I have some queries

    1. Is it possible for API authentication using Identity Authentication Service (IAS).
    2. Is it possible to use two authentication same time like User based & OAuth 2.0 for an inbound API
    3. How to use IP Address Restriction + User Authentication for Inbound API

    Please suggest

    • Hello Abhijit,

      Thanks for taking time and reading through the blog.

      Back to your questions.

      To reiterate: The authentication scenario described in this blog is OAuth 2.0 SAML Bearer Assertion (inbound connections). 

      Why? because it allows for a truly end to end user Single Sign On. 

      And this is why I am not dealing with the Basic Authentication for inbound communication in this blog.

      I would refer you to the chapter 5 of this excellent S/4HANA Cloud handbook on extensibility topics

      Set Up Authentication for SAP S/4HANA Cloud Extensions

      ad 1.

      Please refer to the Asserting user’s identity above

      In a nutshell, with the OAuth2SAMLBearerAssertion authentication brokered by SAP BTP Destination service you will need to provide a user JWT token as a client application user's identity proof.

      In a typical integration scenario with SAP BTP sub-account as a service provider, the BTP XSUAA service would be the OIDC provider. Moreover, if the client application is deployed on BTP CF then the user's JWT Token would be passed directly to that application by the XSUAA.

      However, any OIDC provider would do (including IAS if configured as OIDC provider for user authentication against your application). But you might need to transport the user's JWT token to find destination API manually via the X-user-token header.

      This is all described in very detail in the destination service documentation.

      For instance quoting after: https://api.sap.com/api/SAP_CP_CF_Connectivity_Destination/resource

      The X-user-token header is only taken into account for authentication type that require user information to be provided (such as OAuth2UserTokenExchange, OAuth2JWTBearer, SAPAssertionSSO (deprecated!) and OAuth2SAMLBearerAssertion).

      If provided, the value must be a user JWT token in encoded form (see https://tools.ietf.org/html/rfc7519).

      If provided, it will be used with priority over the Authorization header for the token exchange operation. This means that the user token from this header will be used when determining the user and the tenant subdomain and will also be the token, for which token exchange is performed. If this header is not provided, the user token from the Authorization header will be used

       

      ad 2.

      S/4HANA Cloud has 200+ ODATA APIs. Which API(s) you have in mind ? Otherwise it is a simple check on api.sap.com

      ad 3.

      IP Address Restriction is more of a networking craft.

      I'm afraid I cannot be of much help here.

      Please have a look a the following community thread on this topic

      kind regards

      Piotr