This is a follow-up blog post to the previously published How to generate SAML bearer assertion token with SAP BTP Destination Service?
When it comes to unattended side-by-side, system-to-system or app2app integrations with S/4HANA systems, the choice of an unmanned, password-less authentication method is between OAuth2SAML2BearerAssertion and SAML2BearerAssertion.
Good to know:
Both OAuth2SAML2BearerAssertion and SAML2BearerAssertion rely on the SAML bearer assertion authentication paradigm for unattended identity propagation of business users.
And in either case we can leverage the versatile SAP BTP destination service.
That raises the following question: what would be a compelling reason or scenario to use one over the other? And which one should you choose when both are permitted and available for a given API?
Both Basic and X.509 client certificate authentication methods are user-centric (even if the user is a technical user). Thus, they are not really well suited for unmanned system-to-system, app2app integration scenarios.
And overall there are quite a few S4HC APIs that do not natively support OAuth 2.0!
To that point, the SAML bearer assertion authentication method is likely a perfect alternative for all these non-OAuth 2.0-enabled S4HC APIs, making them usable in unattended side-by-side integrations.
Let's look at it in more detail…
Putting it all together
When creating a Communication System in S4HC and aiming at a system-to-system, side-by-side, password-less integration with the APIs and no user interaction, there are two password-less authentication choices available, as follows:
a. OAuth 2.0 Identity Provider (Communication system).
Before you can authenticate with a bearer access token in the Authorization header (to be granted access to resources via an OAuth 2.0 client), you have to configure a trust relationship with the required identity provider (X.509 certificate), as depicted below:
b. SAML Bearer Assertion Provider (Communication system).
Before you can authenticate with a SAML assertion in the Authorization header, you have to configure a trust relationship with the required identity provider (X.509 certificate), as depicted below:
As a result, with the second option it is possible to use the non-OAuth-enabled APIs with a SAML bearer assertion passed in the Authorization header of the business API call.
For instance, in the scenario below the API_MATERIAL_DOCUMENT_SRV OData API only supports basic authentication (or X.509 client certificate).
However, having configured the SAML Bearer Assertion Provider in the communication system, we can use either BTP's destination service or API Management, as shown in the Appendix section below, to generate a SAML assertion and then call the API remotely.
Please refer to the previously published How to generate SAML bearer assertion token with SAP BTP Destination Service? for a discussion of S/4HANA OP and the SAP BTP destination service generating the SAML assertion.
But what about the OAuth-enabled APIs?
What would be the advantage or disadvantage of calling an OAuth-enabled API directly with the SAML bearer assertion in the Authorization header, rather than first going to the OAuth client to get a bearer access token and then calling the same API with the access token?
All I can think of for now is that with an OAuth client the OAuth token endpoint is the single and unique recipient of the SAML assertion, regardless of how many OData endpoints there are. Moreover, with OAuth you can ask for a bearer access token for multiple scopes.
Still, SAML2BearerAssertion may remove a lot of complexity when it comes to setting up unmanned access to resources (especially with S/4HANA on-premise ABAP systems).
And the SAP help pages are already full of references, for instance Integrating SAP Business Application Studio.
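To make the two routes concrete, here is an added example in Python (mine, not code from the original post or from SAP): it builds the Authorization header for the direct SAML2BearerAssertion route, the RFC 7522 token-exchange body for the OAuth2SAML2BearerAssertion route, reads the ready-made header out of a destination-service find-destination response, and rejects an assertion outside its Conditions window. The assertion, the destination response and every name in them are constructed samples, and the authTokens/http_header layout is assumed to follow SAP's documented response shape.

```python
import base64
import json
import xml.etree.ElementTree as ET
from datetime import datetime
from urllib.parse import urlencode
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned sample assertion (not an S/4HANA or BTP artefact).
SAMPLE_ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_sample" Version="2.0">'
    "<saml:Issuer>sample-btp-issuer</saml:Issuer>"
    "<saml:Subject><saml:NameID>TECH_USER_SAMPLE</saml:NameID></saml:Subject>"
    '<saml:Conditions NotBefore="2024-01-01T10:00:00Z" NotOnOrAfter="2024-01-01T10:10:00Z"/>'
    "</saml:Assertion>"
)

def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def assertion_valid_at(assertion_xml: str, now_iso: str) -> bool:
    """True only inside the Conditions window: assertions are short-lived, so re-fetch rather than cache them."""
    cond = ET.fromstring(assertion_xml).find("saml:Conditions", SAML_NS)
    return _ts(cond.get("NotBefore")) <= _ts(now_iso) < _ts(cond.get("NotOnOrAfter"))

def direct_saml_header(assertion_xml: str) -> dict:
    """SAML2BearerAssertion route: the assertion itself travels on every business API call."""
    b64 = base64.b64encode(assertion_xml.encode()).decode()
    return {"Authorization": f"SAML2.0 {b64}"}

def oauth_saml_bearer_grant(assertion_xml: str, client_id: str, scope: str) -> str:
    """OAuth2SAML2BearerAssertion route: RFC 7522 form body sent once, to the token endpoint only."""
    b64url = base64.urlsafe_b64encode(assertion_xml.encode()).decode().rstrip("=")
    return urlencode({"grant_type": "urn:ietf:params:oauth:grant-type:saml2-bearer",
                      "assertion": b64url, "client_id": client_id, "scope": scope})

def header_from_destination(dest_json: str) -> dict:
    """Pick the ready-made header out of a find-destination response (authTokens shape assumed as SAP documents it)."""
    for token in json.loads(dest_json).get("authTokens", []):
        if "error" in token:  # the service reports issuance failures per token
            raise RuntimeError(f"destination service error: {token['error']}")
        return {token["http_header"]["key"]: token["http_header"]["value"]}
    raise RuntimeError("no authTokens in destination response")

# Constructed find-destination response for a SAML2BearerAssertion destination.
SAMPLE_DESTINATION = json.dumps({
    "destinationConfiguration": {"Name": "S4HC_SAMPLE", "Authentication": "SAML2BearerAssertion"},
    "authTokens": [{"type": "SAML2.0", "http_header": {
        "key": "Authorization", "value": direct_saml_header(SAMPLE_ASSERTION)["Authorization"]}}]})
```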
Looking forward to hearing from you. Please post any questions and comments you may have in the add comment section below.
Here is an example of how to execute an OData API with the SAML assertion in the Authorization header using SAP API Management, part of SAP Integration Suite.
SAP API Management
I created the SAML assertion with a standard SSO policy tailored to my needs as follows:
An example: GET /A_MaterialDocumentHeader
Create a destination
To access API services, you need to authenticate yourself. Each API supports different authentication methods.
APIs created by SAP are categorized according to the main purpose of the messages being communicated as follows: