Are you a developer or administrator in SAP S/4HANA Cloud, public edition or SAP BTP, ABAP environment and need to implement or configure your custom outbound communication via communication user? You are not sure what authentication method to use? You have found a tutorial such as Call an External API and Parse the Response in SAP BTP ABAP Environment, but this does not show the authentication-specific details that are needed for your scenario? Let me try to close some of these gaps with this blog.
Before you start with your implementation, you need to think about what authentication method to use. Therefore, I have compiled a few hints on how you can derive the right authentication method for your use case. Once you have chosen the authentication method, you need to implement and configure it. The nice thing about outbound communication via communication user is that it follows the same pattern: a developer creates a communication scenario and implements the outbound call using the scenario, and an administrator maintains a communication arrangement for the scenario for a specific communication partner. If you are not familiar with this pattern yet, I have summarized it below. Afterwards, I have listed the details that you need to maintain depending on the chosen authentication method.
The following aspects are not covered by this blog:
Before you start with your implementation project, you need to decide on the right authentication method. The right authentication method can be decided by answering the following questions:
The authentication method needs to be supported by both parties. Hence, check the authentication methods that are supported by the communication partner.
The following authentication methods are supported when calling an internet-facing service from ABAP Cloud:
When using Basic Authentication, a username and password are sent to the communication partner’s server for authentication. When using Client Certificate Authentication, an X.509 certificate is used. In both cases, the credentials are sent directly to the communication partner’s server. However, when using OAuth 2.0, two servers are involved: the authorization server and the resource server. First, the ABAP Cloud system calls the token endpoint of the authorization server and provides an authorization grant to obtain an access token. To authenticate at the authorization server, a client secret or an X.509 certificate can be used. The supported authorization grants are client credentials and SAML bearer assertion. Second, the ABAP Cloud system uses the access token to authenticate at the resource server.
Since SAP S/4HANA Cloud, public edition and SAP BTP, ABAP environment follow a different release cycle and run in different environments, there might be slight differences. Hence, check the supported authentication methods that are supported
Decide if the actions in the called communication partner shall be executed under a technical user independent from the user on the caller side who has triggered the call, or if the actions shall be performed under an individual user corresponding to the user on the caller side. In the latter case I speak of principal propagation.
If the service shall be processed as technical user, then choose one of the following authentication methods:
If the principal shall be propagated to the target, then use the following authentication method:
Certificate-based authentication is more secure than using a password-based authentication method: a password is a shared secret and is known by both communication partners, while certificate-based client authentication uses public key infrastructure and the private key, which is owned by the client, is not shared with the communication partner. Moreover, a synchronized password change between the communication partners is not possible, while this can be achieved with certificate-based authentication since the client can possess more than one certificate.
Hence, Client Certificate Authentication, OAuth 2.0 Client Credentials Grant with mTLS Client Authentication, and OAuth 2.0 SAML Bearer Assertion Grant with mTLS Client Authentication are preferred over Basic Authentication, OAuth 2.0 Client Credentials Grant with Client Secret Authentication, and OAuth 2.0 SAML Bearer Assertion Grant with Client Secret Authentication.
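An added illustration, not code from the original blog or from SAP: the sketch below builds (without sending) the requests described above for the OAuth 2.0 Client Credentials Grant, once with client secret authentication and once with mTLS client authentication, and checks which of them carry the shared secret on the wire. The client ID, the secret, and all helper names are constructed for this example; the SAML bearer assertion grant is not covered.

```python
import base64
from urllib.parse import urlencode

# Constructed sample values; none of them come from the original post.
CLIENT_ID = "abap-outbound-client"
CLIENT_SECRET = "s3cr3t-constructed"

def basic_auth_header(user: str, password: str) -> str:
    """RFC 7617: the password travels, merely base64-encoded, with the request."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def token_request(client_auth: str) -> dict:
    """Build (not send) a client credentials token request (RFC 6749, 4.4).

    client_auth: "secret" sends the client secret via HTTP Basic;
    "mtls" relies on the certificate of the TLS session (RFC 8705).
    """
    body = {"grant_type": "client_credentials"}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_auth == "secret":
        headers["Authorization"] = basic_auth_header(CLIENT_ID, CLIENT_SECRET)
    elif client_auth == "mtls":
        body["client_id"] = CLIENT_ID  # RFC 8705: client_id identifies the client
    else:
        raise ValueError(f"unsupported client authentication: {client_auth}")
    return {"headers": headers, "body": urlencode(body),
            "tls_client_cert": client_auth == "mtls"}

def resource_request(access_token: str) -> dict:
    """Second leg: only the access token reaches the resource server (RFC 6750)."""
    return {"headers": {"Authorization": f"Bearer {access_token}"}, "body": "",
            "tls_client_cert": False}

def carries_shared_secret(request: dict) -> bool:
    """True if CLIENT_SECRET can be recovered from the request as sent."""
    auth = request["headers"].get("Authorization", "")
    if auth.startswith("Basic "):
        decoded = base64.b64decode(auth[len("Basic "):]).decode()
        return decoded.partition(":")[2] == CLIENT_SECRET
    return CLIENT_SECRET in request["body"]

if __name__ == "__main__":
    for name, req in [("client secret", token_request("secret")),
                      ("mTLS", token_request("mtls")),
                      ("resource call", resource_request("constructed-token"))]:
        print(f"{name:14} shared secret on the wire: {carries_shared_secret(req)}")
```

With mTLS, the token request body carries only the grant type and the client ID; proof of identity comes from the TLS handshake, so no reusable secret appears in the HTTP message.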
Client certificates can be maintained in the Maintain Client Certificates app. SAP S/4HANA Cloud, public edition comes with a ready-to-use client certificate: the client default certificate. SAP recommends using this certificate for certificate-based authentication. In SAP BTP, ABAP environment, however, you currently need to provide your own certificate. I will not go into detail regarding the maintenance of client certificates in this blog.
As described in
the flow to enable custom outbound communication via outbound communication always follows the same pattern:
As developer in the development system using ABAP Development tools:
As administrator in the development, test, or production system using the corresponding Fiori apps:
Although the pattern is generic, some details depend on the chosen authentication method. For instance, when using basic authentication as shown in the screenshots above, a username and password need to be provided for the user for outbound communication. I have listed the authentication method-specific steps for scenario, communication system, and communication arrangement per authentication method below.
Maintain outbound settings:
Add a user for outbound communication:
Maintain outbound communication:
Maintain outbound settings:
Add a user for outbound communication:
Maintain outbound communication:
Maintain outbound settings:
Add a user for outbound communication:
Maintain outbound communication:
Maintain outbound settings:
Maintain outbound OAuth 2.0 client settings:
Add a user for outbound communication:
Maintain outbound communication:
Maintain outbound OAuth 2.0 client settings:
Add a user for outbound communication:
Maintain outbound communication:
Maintain outbound settings:
Maintain outbound OAuth 2.0 client settings:
Add user for outbound communication:
Maintain outbound communication:
Maintain outbound OAuth 2.0 client settings:
Add a user for outbound communication:
Maintain outbound communication: