using-saml-bearer-assertion-authentication-a4f1d55.md
Using SAML Bearer Assertion Authentication

Remember:

SAP Business Technology Platform, Neo environment will sunset on December 31, 2028, subject to terms of customer or partner contracts.

For more information, see SAP Note 3351844.

Tip:

This documentation refers to SAP Business Technology Platform, Neo environment. If you are looking for documentation about other environments, see SAP Business Technology Platform.

To be able to use SAML Bearer Assertion authentication, you need to configure both the SAP S/4HANA Cloud side and the SAP BTP side.

Related Information

• SAML Bearer Assertion Authentication

• Set Up SAP S/4HANA Cloud Side

• Set Up SAP BTP Side

Set Up SAP S/4HANA Cloud Side

On the SAP S/4HANA Cloud side, you maintain the communication settings that configure the connectivity between SAP S/4HANA Cloud and SAP BTP.

Note:

Make sure you have assigned the appropriate business catalogs to the propagated business users in the SAP S/4HANA Cloud tenant.

  1. Create a communication user. See Maintain Communication Users.

  2. Create a communication system. See Maintain Communication Systems.

    1. Log into the SAP Fiori launchpad in the SAP S/4HANA Cloud system.

    2. Select the Communication Systems tile.

    3. Choose New to create a new system.

    4. Enter a system ID and a system name.

    5. Choose Create.

    6. In the Technical Data section, in the Host Name field, enter the host of the subaccount in SAP BTP. To find all available hosts in the Neo environment, see Regions and Hosts Available for the Neo Environment.

    7. Enable the OAuth 2.0 identity provider by selecting the checkbox under OAuth 2.0 Identity Provider.

    8. Upload the signing certificate. This certificate is created from the metadata file you downloaded from your subaccount in SAP BTP in Optional: Configure Single-Sign On Manually, Step 8. Follow these steps to prepare the certificate and upload it.

      1. Open the metadata file in an editor of your choice. For the next configuration steps you need the value of the X509Certificate element.

      2. Create a new file and copy the content between the <X509Certificate> tags into it.

      3. Add -----BEGIN CERTIFICATE----- as the first line and -----END CERTIFICATE----- as the last line of the file.

      4. Save the file as x509.cer.

      5. Back in the Communication Systems application, select Upload Signing Certificate and upload the certificate file you created.

    9. Choose + (Add) under User for Inbound Communication.

    10. In the dialog box that appears, select User Name and Password from the Authentication Method drop-down list.

      The username corresponds to the communication user.

    11. Choose OK to confirm.

    12. Choose Save.

  3. Create a communication arrangement and select a communication scenario. See Maintain Communication Arrangements.

    Note:

    Once you have created the communication arrangement, choose OAuth 2.0 Details. Copy the fields and their values and save them locally. You will need them when setting up the destination in the SAP BTP cockpit.
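Step 8 of the communication system setup above is a manual copy-and-paste from the subaccount metadata. The following script automates the same preparation and is an added example, not code from SAP or from this documentation. It assumes standard SAML 2.0 metadata, in which the subaccount's certificates appear in KeyDescriptor elements, and it selects the one marked use="signing" (metadata typically carries a second, use="encryption", certificate, which is not the one to upload). The metadata document embedded here is constructed for the example, and its certificate bodies are base64 of placeholder bytes, not real DER certificates.

```python
import base64
import xml.etree.ElementTree as ET

# XML namespaces used in SAML 2.0 metadata.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample values: base64 of placeholder bytes, NOT real DER certificates.
SIGNING_B64 = base64.b64encode(b"PLACEHOLDER SIGNING CERT DER BYTES " * 5).decode()
ENCRYPTION_B64 = base64.b64encode(b"PLACEHOLDER ENCRYPTION CERT DER BYTES " * 5).decode()

# Constructed sample metadata (entityID is a placeholder, not a real subaccount).
# The signing certificate body is deliberately split across lines with indentation,
# as exported metadata often is, to show that the whitespace must be removed.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://subaccount.placeholder.example">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {SIGNING_B64[:60]}
        {SIGNING_B64[60:]}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{ENCRYPTION_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def extract_signing_certificate(metadata_xml: str) -> str:
    """Return the base64 body (whitespace removed) of the signing certificate.

    A KeyDescriptor with use="signing" is preferred; one without a use attribute
    is accepted as a fallback, since per the SAML metadata spec it covers both uses.
    """
    root = ET.fromstring(metadata_xml)
    chosen = None
    for kd in root.findall(".//md:KeyDescriptor", NS):
        use = kd.get("use")
        if use == "signing":
            chosen = kd
            break
        if use is None and chosen is None:
            chosen = kd
    if chosen is None:
        raise ValueError("no signing KeyDescriptor found in metadata")
    cert = chosen.find(".//ds:X509Certificate", NS)
    if cert is None or not cert.text:
        raise ValueError("signing KeyDescriptor carries no X509Certificate")
    body = "".join(cert.text.split())        # drop newlines and indentation
    base64.b64decode(body, validate=True)    # fail early on a corrupted copy
    return body


def to_pem(b64_body: str) -> str:
    """Wrap the base64 body in the BEGIN/END CERTIFICATE lines, 64 characters per line."""
    lines = [b64_body[i:i + 64] for i in range(0, len(b64_body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def write_signing_certificate(metadata_xml: str, path: str = "x509.cer") -> str:
    """Write the signing certificate from the metadata to a PEM file and return its text."""
    pem = to_pem(extract_signing_certificate(metadata_xml))
    with open(path, "w", encoding="ascii") as fh:
        fh.write(pem)
    return pem


if __name__ == "__main__":
    print(write_signing_certificate(SAMPLE_METADATA))
```

With a real metadata file, replace SAMPLE_METADATA with the file's content; the resulting x509.cer is what you upload with Upload Signing Certificate. The early base64 decode catches the usual copy errors (a truncated body or stray characters) before the file reaches the Communication Systems app.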

Set Up SAP BTP Side

Prerequisite: You have logged into the SAP BTP cockpit from the landing page for your subaccount.

  1. In the cockpit, navigate to your subaccount.

  2. Choose Connectivity > Destinations in the navigation panel.

  3. Create an HTTP destination. To enable principal propagation, the destination uses the OAuth2SAMLBearerAssertion authentication type; configure its settings as follows:

    1. Configure the basic settings:

      | Parameter | Value |
      | --- | --- |
      | Name | Enter a meaningful name. |
      | Type | HTTP |
      | Description | (Optional) Enter a meaningful description. |
      | URL | The service URL from the communication arrangement. |
      | Proxy Type | Internet |
      | Authentication | OAuth2SAMLBearerAssertion |
      | Audience | The SAML2 Audience from the OAuth 2.0 Details in the communication arrangement. See Set Up SAP S/4HANA Cloud Side, step 3. |
      | Client Key | The name of the communication user in the SAP S/4HANA Cloud tenant. |
      | Token Service URL | The Token Service URL from the OAuth 2.0 Details in the communication arrangement. See Set Up SAP S/4HANA Cloud Side, step 3. |
      | Token Service User | The name of the communication user in the SAP S/4HANA Cloud tenant. |
      | Token Service Password | The password of the communication user. |
      | System User | Not used for this scenario; leave the field empty. |

    2. Configure the additional properties. In the Additional Properties panel, choose New Property and enter the following properties (authnContextClassRef is required, scope is optional):

      | Parameter | Value |
      | --- | --- |
      | authnContextClassRef | urn:oasis:names:tc:SAML:2.0:ac:classes:X509 |
      | scope | (Optional) Restricts the APIs that the OAuth client can use, expressed as a list of space-delimited, case-sensitive strings. If the scope parameter is omitted, all APIs exposed for the OAuth client can be used; if it is maintained, only the listed APIs can be used by the OAuth client. |

    3. Select the Use default JDK truststore checkbox.

  4. Save your entries.
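The destination settings above are easy to get subtly wrong (an http URL, a filled System User, a comma-separated scope). The checker below lints a destination exported from the cockpit as a properties file and reports every deviation from the settings in this procedure. It is an added example, not SAP code and not a cockpit feature. The property key names it uses (Type, ProxyType, Authentication, audience, clientKey, tokenServiceURL, tokenServiceUser, tokenServicePassword, authnContextClassRef, scope, SystemUser) are my assumption about the exported format and should be verified against an export from your own subaccount; both destination files embedded here are constructed samples with placeholder hosts, users and scopes.

```python
from urllib.parse import urlparse

# Values this procedure requires, keyed by the assumed properties-file key name.
REQUIRED_VALUES = {
    "Type": "HTTP",
    "ProxyType": "Internet",
    "Authentication": "OAuth2SAMLBearerAssertion",
    "authnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:X509",
}
# Keys that must be present and non-empty (copied from the OAuth 2.0 Details).
REQUIRED_PRESENT = ("Name", "URL", "audience", "clientKey",
                    "tokenServiceURL", "tokenServiceUser", "tokenServicePassword")

# Constructed sample: a destination that follows the procedure (placeholders throughout).
GOOD_DESTINATION = """\
Name=S4HC_PRINCIPAL_PROPAGATION
Type=HTTP
URL=https://tenant.placeholder.example/service-url-placeholder
ProxyType=Internet
Authentication=OAuth2SAMLBearerAssertion
audience=https://tenant.placeholder.example
clientKey=COMM_USER_PLACEHOLDER
tokenServiceURL=https://tenant.placeholder.example/token-service-url-placeholder
tokenServiceUser=COMM_USER_PLACEHOLDER
tokenServicePassword=PASSWORD_PLACEHOLDER
authnContextClassRef=urn:oasis:names:tc:SAML:2.0:ac:classes:X509
scope=SCOPE_PLACEHOLDER
"""

# Constructed sample: the same destination with five common mistakes.
WEAK_DESTINATION = """\
Name=S4HC_PRINCIPAL_PROPAGATION_WEAK
Type=HTTP
URL=http://tenant.placeholder.example/service-url-placeholder
ProxyType=Internet
Authentication=OAuth2SAMLBearerAssertion
audience=https://tenant.placeholder.example
clientKey=COMM_USER_PLACEHOLDER
tokenServiceURL=https://tenant.placeholder.example/token-service-url-placeholder
tokenServiceUser=OTHER_USER_PLACEHOLDER
tokenServicePassword=PASSWORD_PLACEHOLDER
SystemUser=SOMEONE_PLACEHOLDER
scope=SCOPE_A_PLACEHOLDER,SCOPE_B_PLACEHOLDER
"""


def parse_properties(text: str) -> dict:
    """Minimal Java-properties parser: key=value per line, # and ! start comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def parse_scope(value: str) -> list:
    """Scope is a space-delimited, case-sensitive list; commas are not separators."""
    return value.split()


def check_destination(props: dict) -> list:
    """Return a list of findings; an empty list means the destination matches the procedure."""
    findings = []
    for key in REQUIRED_PRESENT:
        if not props.get(key):
            findings.append(f"missing required property {key}")
    for key, expected in REQUIRED_VALUES.items():
        actual = props.get(key)
        if actual != expected:
            findings.append(f"{key} should be {expected!r}, found {actual!r}")
    for key in ("URL", "tokenServiceURL"):
        value = props.get(key)
        if value and urlparse(value).scheme != "https":
            findings.append(f"{key} must use https, found {value!r}")
    if props.get("clientKey") and props.get("tokenServiceUser") \
            and props["clientKey"] != props["tokenServiceUser"]:
        findings.append("clientKey and tokenServiceUser should both be the communication user")
    for key, value in props.items():
        if key.lower() == "systemuser" and value:
            findings.append("System User is not used in this scenario; leave it empty")
    if "," in props.get("scope", ""):
        findings.append("scope is space-delimited; commas are not separators")
    return findings


if __name__ == "__main__":
    for label, text in (("good", GOOD_DESTINATION), ("weak", WEAK_DESTINATION)):
        print(label, check_destination(parse_properties(text)) or "OK")
```

Run it against your own export to confirm the destination before saving; the weak sample deliberately trips the https check, the missing authnContextClassRef, the mismatched token service user, the filled System User and the comma-separated scope.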