Bring your own trust!
This is a follow-up article to the following mini series of blogs on the OAuth2SAMLBearerAssertion Flow with SAP BTP Destination Service.
The focus of this instalment is to describe how to fully automate the implementation and the deployment of the OAuth2SAMLBearerAssertion flow with the SAP BTP Destination service APIs, including when using your own X.509 trust with the destination.
Disclaimer:
Scenario A. Using the generic (default) Destination Service trust
That's the scenario covered in my original post: OAuth2SAMLBearerAssertion Flow with the SAP BTP Destination Service. SuccessFactors. Leveraging the Destination Service X.509 trust service simplifies the implementation of the entire OAuth2SAMLBearerAssertion flow, making it more or less out-of-the-box.
Update as of June 2021: the above statement is, to some extent, no longer true, as the SAP BTP destination service has added a new REST API endpoint, /saml2Metadata, that lets you download the generic SAML IdP metadata (which contains precisely the X.509 signing certificate).
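The /saml2Metadata endpoint returns the default trust as standard SAML 2.0 IdP metadata, so the SuccessFactors side (the trusted IdP issuer and its signing certificate) can be configured without touching the cockpit. The following is an added example, not code from the original post: it parses such a metadata document, extracts the entityID, the NameIDFormat and the signing certificate, and wraps the certificate as PEM with 64-character lines. The metadata document and the certificate inside it are constructed placeholders, and the exact /saml2Metadata URL and token handling in fetch_default_idp_metadata are assumptions to verify against the Destination service API reference.

```python
"""Added example (not from the original post): read the default Destination
service IdP metadata served by /saml2Metadata and extract what the SuccessFactors
side needs to trust it: the entityID (SAML issuer) and the signing certificate.
The metadata document below is constructed; the certificate is a placeholder."""
import base64
import textwrap
import urllib.request
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Placeholder blob standing in for the DER certificate (NOT a real certificate).
PLACEHOLDER_CERT_B64 = base64.b64encode(
    b"constructed placeholder, not a real DER certificate; " * 4).decode()

# Constructed sample with the shape of SAML 2.0 IdP metadata; the entityID is made up.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://example.invalid/destination-service-idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {PLACEHOLDER_CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Return entityID, NameIDFormat and the base64 DER of every signing certificate.
    Only the IdP role is inspected; a KeyDescriptor without 'use' counts as signing."""
    root = ET.fromstring(xml_text)   # trusted input: our own subaccount's metadata
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    certs = []
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue   # encryption-only keys must not be configured as trusted signers
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append("".join((c.text or "").split()))   # drop the XML whitespace
    entity_id = root.get("entityID")
    if not entity_id or not certs:
        raise ValueError("metadata has no entityID or no signing certificate")
    return {"entity_id": entity_id, "signing_certs": certs,
            "name_id_format": root.findtext("md:IDPSSODescriptor/md:NameIDFormat", None, NS)}


def to_pem(cert_b64: str) -> str:
    """PEM with 64-character body lines, the layout the post insists on for .pem files."""
    body = "\n".join(textwrap.wrap(cert_b64, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def fetch_default_idp_metadata(saml2_metadata_url: str, access_token: str) -> dict:
    """Live variant: GET the /saml2Metadata endpoint of your destination service instance
    with a client-credentials bearer token (URL and auth scheme are assumptions to verify
    against the Destination service API reference). Not used by the offline sample."""
    req = urllib.request.Request(saml2_metadata_url,
                                 headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req) as resp:
        return parse_idp_metadata(resp.read().decode())


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    print("issuer:", info["entity_id"])
    print(to_pem(info["signing_certs"][0]))
```

The entityID is what goes into the SuccessFactors trusted IdP configuration as the SAML issuer, and the PEM output is what you would upload there as the IdP certificate; the parser deliberately skips KeyDescriptor entries marked use="encryption".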
Let's see what it takes to use a custom X509 certificate key pair with the destination service. |
Scenario B. Using the SuccessFactors generated X.509 key pair
Indeed, the Destination Service certificate APIs allow you to manage your own key stores with certificates and have them assigned to destinations programmatically. Let's see how this can be done with a custom trust (certificate) generated by a SFSF tenant (Admin Center / Manage OAuth2 Client Applications).
Good to know:
Quovadis-SAP-pkcs8.pem
(truncated private key content; note that each line does not exceed 64 characters)
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
Quovadis-SAP-x509.pem
(truncated public certificate content; note that each line does not exceed 64 characters)
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
$ openssl pkcs12 -export -inkey Quovadis-SAP-pkcs8.pem \
-in Quovadis-SAP-x509.pem -out Quovadis-SAP.pfx
Enter Export Password:
Verifying - Enter Export Password:
----------------------------------------------------------
Please make note of the password as you will need it later
in the destination definition.
$ cat Quovadis-SAP.pfx | base64 -w 0
(-w 0 stops GNU base64 from wrapping at 76 characters, so the whole key store comes out as a single base64 string ready to paste into the certificate API payload; on macOS use base64 -b 0)
MIIJaQIBAzCCCS8GCSqGSIb3DQEHAaCCCSAEggkcMIIJGDCCA88GCSqGSIb3DQEHBqCCA8AwggO8AgEAMIIDtQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQI7lMw3L7cdssCAggAgIIDiDzxvv/WOYSgcwyCPZpmQoIRxc2m37ehcjNV7b51euH9+FxlGCOLB0czpqeRULGA+jFWp68KBm8Ze3vpjMB5XggXoi52bcy6kHpoT3BwmO43IZdAb7rahYRIti5daPvgs9xj2JVWuqonLcWKUzw89dhmQ0GPs57X6vpEtprMd2NcMVnSDGq173v6pUnwKS6AJ2YiqOwQPGasx2g44lNEpvrTsY85qIX094l4eJ4A8MsO1Nau3YT
########################## truncated #################################
Good to know:
1. GET subaccountCertificates API call:
obtain the list of all uploaded certificates (key pairs) present
in your DestinationService instance.
https://destination-configuration.cfapps.eu10.hana.ondemand.com/destination-configuration/v1/subacco...
2. POST subaccountCertificates API call:
add a new keystore to the Destination service vault.
https://destination-configuration.cfapps.eu10.hana.ondemand.com/destination-configuration/v1/subacco...
3. You may again run the GET certificate or GET certificates
API to make sure yours has been recorded.
{
"Name": "Quovadis-SAP",
"Type": "HTTP",
"URL": "https://apisalesdemo2.successfactors.eu/odata/v2/User/$metadata",
"Authentication": "OAuth2SAMLBearerAssertion",
"ProxyType": "Internet",
"KeyStorePassword": "<your key store password>",
"tokenServiceURLType": "Dedicated",
"audience": "www.successfactors.com",
"companyId": "<SFSF tenant companyId>",
"authnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession",
"apiKey": "<Quovadis-SAP apiKey>",
"KeyStoreLocation": "quovadis-sap.pfx",
"clientKey": "<Quovadis-SAP apiKey>",
"nameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
"SystemUser": "<your test user>",
"tokenServiceURL": "<SFSF tenant>/oauth/token"
}
1. GET subaccountDestinations API call:
obtain the list of all destinations present in your DestinationService instance.
https://destination-configuration.cfapps.eu10.hana.ondemand.com/destination-configuration/v1/subacco...
2. POST subaccountDestinations API call:
add our new Quovadis-SAP destination to the Destination service instance.
https://destination-configuration.cfapps.eu10.hana.ondemand.com/destination-configuration/v1/subacco...
3. You may again run the GET destination API to retrieve the newly created Quovadis-SAP destination:
https://destination-configuration.cfapps.eu10.hana.ondemand.com/destination-configuration/v1/subacco...
Find destination API call:
https://destination-configuration.cfapps.eu10.hana.ondemand.com/destination-configuration/v1/destinations/Quovadis-SAP
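Putting the two API sections together, here is an added example (my code, not the post's) that runs the whole Scenario B procedure from one script: upload the PKCS#12 key store, read it back, create the destination, then call "find destination", which is the step that makes the service run the SAML bearer exchange and hand back a SuccessFactors token. The body shape for the certificate upload ({Name, Type: CERTIFICATE, Content}) is my reading of the Destination service API reference; the service-key bearer token, the SFSF companyId/apiKey values and the in-memory fake service are constructed placeholders so the flow can be dry-run offline.

```python
"""Added example, not the post's own code: run the Scenario B procedure end to end
(upload the PKCS#12 key store, create the OAuth2SAMLBearerAssertion destination, read
it back, then 'find' the destination so the service actually mints a token). Standard
library only; the upload body {Name, Type, Content} is my reading of the Destination
service API reference. The fake server, hosts and secrets below are constructed."""
import base64
import json
import urllib.error
import urllib.request

API = "/destination-configuration/v1"   # path prefix of the URLs in the post


def https_json(method, url, token, body=None):
    """Live transport: JSON over HTTPS with the service-key bearer token -> (status, body)."""
    req = urllib.request.Request(
        url, method=method, data=None if body is None else json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        return err.code, None


def certificate_payload(name: str, pfx: bytes) -> dict:
    # Same as `base64 Quovadis-SAP.pfx` in the post, but guaranteed single-line
    # (GNU base64 wraps at 76 columns unless run with -w 0).
    return {"Name": name, "Type": "CERTIFICATE", "Content": base64.b64encode(pfx).decode()}


def saml_bearer_destination(name, keystore, keystore_password, sfsf_host, company_id, api_key, user):
    """Same property set as the Quovadis-SAP destination in the post."""
    return {"Name": name, "Type": "HTTP", "ProxyType": "Internet",
            "URL": f"https://{sfsf_host}/odata/v2/User/$metadata",
            "Authentication": "OAuth2SAMLBearerAssertion",
            "audience": "www.successfactors.com", "tokenServiceURLType": "Dedicated",
            "tokenServiceURL": f"https://{sfsf_host}/oauth/token",
            "authnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession",
            "nameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
            "companyId": company_id, "apiKey": api_key, "clientKey": api_key,
            "KeyStoreLocation": keystore, "KeyStorePassword": keystore_password,
            "SystemUser": user}


def provision(base_url, token, pfx, destination, http=https_json):
    """Steps 1-3 of both API sections plus 'find destination'; raises on any surprise.
    The key store is uploaded under the destination's KeyStoreLocation so they cannot drift."""
    cert = certificate_payload(destination["KeyStoreLocation"], pfx)
    steps = [("POST", f"{API}/subaccountCertificates", cert, 201),
             ("GET", f"{API}/subaccountCertificates/{cert['Name']}", None, 200),
             ("POST", f"{API}/subaccountDestinations", destination, 201)]
    for method, path, body, expected in steps:
        status, _ = http(method, base_url + path, token, body)
        if status != expected:
            raise RuntimeError(f"{method} {path} returned HTTP {status}, expected {expected}")
    # 'find destination' makes the service run the SAML bearer exchange and return the SFSF
    # token, so it is the real end-to-end check; a failed exchange surfaces as an 'error'
    # entry inside authTokens, not as a non-200 status.
    status, found = http("GET", f"{base_url}{API}/destinations/{destination['Name']}", token)
    if status != 200:
        raise RuntimeError(f"find destination failed: HTTP {status}")
    errors = [t["error"] for t in found.get("authTokens", []) if "error" in t]
    if errors:
        raise RuntimeError(f"token retrieval failed: {errors}")
    return found


class FakeDestinationService:
    """Constructed in-memory stand-in for the four endpoints, for an offline dry run."""
    def __init__(self):
        self.certs, self.dests = {}, {}

    def __call__(self, method, url, token, body=None):
        path = url.split(API, 1)[1]
        if (method, path) == ("POST", "/subaccountCertificates"):
            self.certs[body["Name"]] = body
            return 201, None
        if (method, path) == ("POST", "/subaccountDestinations"):
            if body["KeyStoreLocation"] not in self.certs:
                return 400, None            # unknown key store: a real misconfiguration
            self.dests[body["Name"]] = body
            return 201, None
        if method == "GET" and path.startswith("/subaccountCertificates/"):
            cert = self.certs.get(path.rsplit("/", 1)[1])
            return (200, cert) if cert else (404, None)
        if method == "GET" and path.startswith("/destinations/"):
            dest = self.dests.get(path.rsplit("/", 1)[1])
            return (200, {"destinationConfiguration": dest, "authTokens": [
                {"type": "bearer", "value": "fake-sfsf-token"}]}) if dest else (404, None)
        return 404, None


def dry_run() -> dict:
    # Whole flow against the fake; returns the find-destination response.
    dest = saml_bearer_destination("Quovadis-SAP", "quovadis-sap.pfx", "export-password",
                                   "apisalesdemo2.successfactors.eu", "companyId-placeholder",
                                   "apiKey-placeholder", "test.user")
    return provision("https://destination-configuration.cfapps.eu10.hana.ondemand.com",
                     "service-token-placeholder", b"constructed placeholder, not a PKCS#12",
                     dest, http=FakeDestinationService())
```

To run it for real, drop the http=FakeDestinationService() argument so the default https_json transport is used, pass the bytes of your actual .pfx and the export password, and supply a client-credentials token obtained from the uaa block of your destination service instance key; the KeyStorePassword in the destination must be the export password you typed into openssl pkcs12.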
The SAP BTP destination service is constantly evolving and has recently added the /saml2Metadata endpoint, which lets you retrieve the default trust programmatically. So full automation is now possible whether you use the default trust or bring your own trust. As usual, looking forward to comments and questions.
This is how to troubleshoot a SAML assertion generated by the SAP BTP destination service: How to troubleshoot SAP BTP OAuth2SAMLBearerAssertion destination with SuccessFactors?
SAP Business API Hub sandbox environment
Before you can configure the API hub sandbox environment you will need to have created an instance of the destination service. Please refer to the following article for the details of the sandbox environment configuration with SAP API Business Hub.
Crypto section:
Key File Formats: DER, PEM and PKCS #12 Explained
Convert Certificate Files to One-Line PEM Format