Single sign-on (SSO), or principal propagation, is the ability of a system to securely forward, or propagate, the identity of the user or principal from a sender to a receiver, such that the forwarded user information is kept confidential and is not changed in transit. Based on a pre-established trust relationship with the sender, the receiver uses this information to log the user on without asking for the user's credentials or a separate logon.
The diagram below shows the user principal flow from Fiori Applications to the on-premise SAP Gateway or Backend system for APIs protected via SAP Cloud Platform API Management.
In SAP Cloud Platform, API Management, the Generate SAML Assertion policy can be used to generate a short-lived SAML assertion, which can then be passed to the SAP backend to establish a SAML IdP-initiated flow. At a high level, a SAML IdP-initiated flow consists of the following steps:
- Set the fields used in the SAML assertion, such as SAML Issuer, SAML Audience and Recipient, using JavaScript.
- Generate the SAML assertion using the SAML Assertion policy.
- Remove the XML declaration (<?xml …>) from the generated SAML assertion.
- Generate a SAML Response which embeds the generated SAML assertion.
- Generate the Base64-encoded value of the generated SAML Response.
- Set the Authorization header on the outgoing request to the target endpoint.
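The following is an added example, not code from the blog or from the SAP policy template: plain Node.js versions of steps 3 to 5 above (strip the XML declaration, wrap the assertion in a SAML Response, Base64-encode it), plus a receiver-side validity check that mirrors the Skew Tolerance the SAP backend applies. The assertion is a constructed, unsigned sample (in the real flow it comes out of the Generate SAML Assertion policy and carries an XML signature), and the Destination URL is a placeholder, not a real endpoint. How the encoded value is placed in the Authorization header depends on the target and is not shown.

```javascript
// Added example, not code from the blog or from the SAP policy template.
// Node.js versions of steps 3 to 5 (strip XML declaration, wrap in a SAML
// Response, Base64-encode) and a receiver-side validity check.
// SAMPLE_ASSERTION is CONSTRUCTED and unsigned; a real one carries a signature.

const SAMPLE_ASSERTION =
  '<?xml version="1.0" encoding="UTF-8"?>' +
  '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ' +
  'ID="_assertion1" Version="2.0" IssueInstant="2020-01-01T10:00:00Z">' +
  '<saml:Issuer>api.gateway</saml:Issuer>' +
  '<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">' +
  'P000001</saml:NameID></saml:Subject>' +
  '<saml:Conditions NotBefore="2020-01-01T10:00:00Z" NotOnOrAfter="2020-01-01T10:02:00Z">' +
  '<saml:AudienceRestriction><saml:Audience>GatewayS</saml:Audience></saml:AudienceRestriction>' +
  '</saml:Conditions>' +
  '</saml:Assertion>';

// Step 3: drop the <?xml ...?> declaration. A declaration is only allowed at the
// very start of a document, so it must go before the assertion is nested.
function stripXmlDeclaration(xml) {
  return xml.replace(/^\s*<\?xml[^>]*\?>\s*/, '');
}

// Step 4: embed the assertion in a minimal SAML 2.0 Response. The flow is
// IdP-initiated, so there is no InResponseTo attribute. `destination` is the
// receiver's assertion consumer endpoint (an assumed placeholder in demo()).
function buildSamlResponse(assertionXml, { issuer, destination, id, issueInstant }) {
  return (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ' +
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ' +
    `ID="${id}" Version="2.0" IssueInstant="${issueInstant}" Destination="${destination}">` +
    `<saml:Issuer>${issuer}</saml:Issuer>` +
    '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>' +
    stripXmlDeclaration(assertionXml) +
    '</samlp:Response>'
  );
}

// Step 5: Base64-encode the response for transport in the outgoing request.
function encodeSamlResponse(responseXml) {
  return Buffer.from(responseXml, 'utf8').toString('base64');
}

function decodeSamlResponse(b64) {
  return Buffer.from(b64, 'base64').toString('utf8');
}

// Receiver-side check: the assertion is accepted only while `now` lies inside
// [NotBefore - skew, NotOnOrAfter + skew). 120 s is the default Skew Tolerance
// in the SAML2 transaction; a short window limits replay of a captured assertion.
function withinValidity(assertionXml, now, skewSeconds = 120) {
  const nb = /NotBefore="([^"]+)"/.exec(assertionXml);
  const na = /NotOnOrAfter="([^"]+)"/.exec(assertionXml);
  if (!nb || !na) return false; // no Conditions: reject rather than accept forever
  const t = now.getTime();
  const skewMs = skewSeconds * 1000;
  return t >= Date.parse(nb[1]) - skewMs && t < Date.parse(na[1]) + skewMs;
}

// End-to-end run of steps 3 to 5 on the constructed assertion.
function demo() {
  const response = buildSamlResponse(SAMPLE_ASSERTION, {
    issuer: 'api.gateway',
    destination: 'https://gateway.example.invalid/acs', // placeholder, not a real endpoint
    id: '_response1',
    issueInstant: '2020-01-01T10:00:00Z',
  });
  return encodeSamlResponse(response);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Running the file prints the Base64 value that would go on the outgoing request; decoding it gives a single Response document with the assertion nested inside and no second XML declaration.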
In the Security Best Practices package of the SAP API Business Hub, policy templates for API security best practices have been published, which include the policy template for validation of SAML assertions.
In the Part 1 blog we described how the user's principal passed from the Fiori application to the protected on-premise APIs is validated on SAP Cloud Platform API Management, and how the user's identity carried in the SAML assertion is read.
In this blog, we cover the steps to onboard SAP Cloud Platform API Management as a trusted SAML Identity Provider in SAP Gateway and to generate a short-lived SAML assertion from SAP Cloud Platform API Management, which is used to pass the user's identity to SAP Gateway.
Generate Certificate for Signing SAML Assertion
Note: This is an optional step; if you already have an X.509 certificate with a private key that can be used for signing SAML assertions, this step can be skipped. For the certificate generation, this blog uses OpenSSL.
- Create a new folder in your file system to hold the X.509 certificate.
- In the command prompt, navigate to the certificate folder and use the following openssl command to generate the certificate and private key
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 730
- Enter a password when prompted, say abcd. This password is needed again in section Upload Certificate JAR to SAP Cloud Platform API Management
Generate JAR containing Certificate
- In the folder in which the certificate was generated, create a folder named META-INF
- Inside META-INF, create a file named descriptor.properties with the following content
certFile=cert.pem
keyFile=key.pem
- In the command prompt, enter the following command to generate the JAR file containing the certificate and key
jar -cf idpKeystore.jar cert.pem key.pem
- Add the descriptor file to the generated JAR using the command
jar -uf idpKeystore.jar META-INF/descriptor.properties
Generate SAML IdP Metadata
Note: This is an optional step for an SAP Gateway based backend, because in SAP NetWeaver the SAML IdP can be configured manually; however, creating the SAML IdP metadata reduces the number of configuration steps required.
For the SAML IdP metadata generation, this document uses an online SAML metadata generation tool.
The following fields are important, and the samlHelper.js file of the UserPropagationWithSAML policy template has to be modified based on these values:
- EntityId: this maps to the issuer field of the SAML policy template (the sapapim.issuer context variable in the samlHelper.js file of the API Proxy). Provide a URL, say api.gateway
- NameId: from the drop-down, select the option matching your flow. In this example we used the default of urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
- SP x509 certificate field: paste the content of the cert.pem file generated in section Generate Certificate for Signing SAML Assertion.
Copy only the Base64-encoded certificate content, without the header -----BEGIN CERTIFICATE----- and the footer -----END CERTIFICATE-----
- Provide the HTTP redirect URL (https://apimgmtproxy/saml/sso), optionally the Single Logout URL, and then click on the option BUILD SP METADATA (which appears after scrolling to the end of the website)
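As an added example (not from the blog or the online tool), the following Node.js code builds a SAML 2.0 IdP metadata document from the same four inputs the tool asks for: entity ID, signing certificate, NameID format and the HTTP-Redirect SSO URL, with an optional Single Logout URL. It shows which metadata element each field lands in and performs the PEM header/footer stripping described above. The certificate is a constructed placeholder, not a real X.509 certificate; the URLs are the ones used in the text.

```javascript
// Added example, not the blog's or the online tool's code. Builds SAML 2.0 IdP
// metadata from the fields named in the text. SAMPLE_CERT_PEM is CONSTRUCTED
// (not a real certificate) so the file runs offline.

const SAMPLE_CERT_PEM = [
  '-----BEGIN CERTIFICATE-----',
  'MIIBszCCAV2gAwIBAgIJAKconstructedPLACEHOLDER0',
  'ZGF0YW5vdGFyZWFsY2VydGlmaWNhdGU=',
  '-----END CERTIFICATE-----',
].join('\n');

// Remove the PEM armour (-----BEGIN/END CERTIFICATE-----) and line breaks, leaving
// only the Base64 body, which is what goes into <ds:X509Certificate>.
function pemToBase64Body(pem) {
  const body = pem
    .split(/\r?\n/)
    .map((line) => line.trim())
    .filter((line) => line && !line.startsWith('-----'))
    .join('');
  if (!/^[A-Za-z0-9+/]+=*$/.test(body)) {
    throw new Error('certificate body is not Base64');
  }
  return body;
}

// Escape attribute/text values so an entity ID or URL cannot break the XML.
function escapeXml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// entityId -> entityID (issuer), certPem -> signing KeyDescriptor,
// nameIdFormat -> NameIDFormat, ssoRedirectUrl -> SingleSignOnService,
// sloRedirectUrl (optional) -> SingleLogoutService. Element order follows the
// SAML metadata schema: KeyDescriptor, SingleLogoutService, NameIDFormat, SingleSignOnService.
function buildIdpMetadata({ entityId, certPem, nameIdFormat, ssoRedirectUrl, sloRedirectUrl }) {
  if (!entityId || !ssoRedirectUrl || !nameIdFormat) {
    throw new Error('entityId, nameIdFormat and ssoRedirectUrl are required');
  }
  const redirect = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect';
  const cert = pemToBase64Body(certPem);
  const slo = sloRedirectUrl
    ? `<md:SingleLogoutService Binding="${redirect}" Location="${escapeXml(sloRedirectUrl)}"/>`
    : '';
  return (
    '<?xml version="1.0" encoding="UTF-8"?>' +
    `<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="${escapeXml(entityId)}">` +
    '<md:IDPSSODescriptor WantAuthnRequestsSigned="false" ' +
    'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">' +
    '<md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">' +
    `<ds:X509Data><ds:X509Certificate>${cert}</ds:X509Certificate></ds:X509Data>` +
    '</ds:KeyInfo></md:KeyDescriptor>' +
    slo +
    `<md:NameIDFormat>${escapeXml(nameIdFormat)}</md:NameIDFormat>` +
    `<md:SingleSignOnService Binding="${redirect}" Location="${escapeXml(ssoRedirectUrl)}"/>` +
    '</md:IDPSSODescriptor></md:EntityDescriptor>'
  );
}

// Metadata for the values used in this blog (api.gateway, unspecified NameID, proxy SSO URL).
function blogMetadata() {
  return buildIdpMetadata({
    entityId: 'api.gateway',
    certPem: SAMPLE_CERT_PEM,
    nameIdFormat: 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
    ssoRedirectUrl: 'https://apimgmtproxy/saml/sso',
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(blogMetadata());
}
```

The entity ID written here is the value that must later equal sapapim.issuer in samlHelper.js, and the certificate in the KeyDescriptor is the one the SAP backend will use to verify the assertion signature, so the two must come from the same key pair generated earlier.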
Configuration on the SAP Backend (SAP Gateway) Side
Note: The screenshots might vary by NetWeaver version; in this document the configuration was done on a NetWeaver 7.40 system.
Activation of the SAML Service Provider
Note: This configuration can be skipped if SAML has already been activated in the SAP Gateway.
- Log on to the SAP Gateway system and execute transaction saml2
- Enable SAML 2.0 authentication on the SAP Gateway client
- In the next screen, provide the Provider Name, say GatewayS. This name must match the Audience field in the SAML assertion (the audience context variable in the samlHelper.js file of the API Proxy).
- Set the Skew Tolerance (the default is 120 seconds and is kept as is)
- Select Identity Provider Discovery: Common Domain Cookie (set the selection mode to Automation)
Adding SAP Cloud Platform, API Management as the Trusted SAML IdP
- Click on the Trusted Providers tab, click on the Add button and from the drop-down select the option Upload Metadata File
- Click on the Choose File button, select the SAML IdP metadata generated in section Generate SAML IdP Metadata, and then click on Next
- In the next screen, the name of the trusted IdP is shown; just click on Next
- Follow the wizard until the Finish button is enabled; generally no major modification is required in this wizard, as most of the information is read from the SAML IdP metadata
- Click on Edit, navigate to Identity Federation and click on Add to provide the details of the name ID mapping to be used in the SAML assertion. In this case we selected Unspecified and then clicked on OK
- For the User ID Mapping Mode in the configuration details of the Name ID format, select the option Mapping in USREXTID table, type SA, and then click on Save
Note: In this case the mapping between the external user ID from the SAML assertion and the SAP backend user has to be maintained via the VUSREXTID view for type SA
- Click on Enable to activate the API Gateway SAML IdP
User mapping between External User (from SAML Assertion) to SAP Gateway
Note: This is an optional configuration, required only if the user ID mapping mode is set to Mapping in USREXTID table, type SA
- Log on to the SAP Gateway system and enter transaction sm30
- Provide the table/view name VUSREXTID and click on Maintain
- In the popup, set the External ID type to SA (which is the code for SAML assertion based authentication) and then click on
- Click on New Entries to add a new user mapping.
- For SAML based authentication, the external ID is typically in the format {IdPProviderName}::{SAMLSubjectValue}. The IdP provider name is the value provided in section Adding SAP Cloud Platform, API Management as the Trusted SAML IdP (which in this blog is set to apimgmt.api.gateway). Therefore the external user ID would be apimgmt.api.gateway::{SCN User Id} for SAP Cloud Platform based user IDs. In the User field provide the SAP Gateway user ID, check the Activated check box and then click Save.
Note: These steps can be repeated to maintain the mapping between further external users and SAP Gateway users.
Configuration on the SAP Cloud Platform API Management
Upload Certificate JAR to SAP Cloud Platform API Management
- Click on the link Access API Portal to open the API Portal.
- Select the option Certificate and click on the option Create
- In the Create Certificate dialog, from the Key Store drop-down select the option New Store. Enter the store name and name details as provided in the table below.
- Using the Browse button, upload the JAR file generated in section Generate JAR containing Certificate. In the password field provide the password of the X.509 certificate private key, say abcd (or the value provided in section Generate Certificate for Signing SAML Assertion)
Policy Changes for SAML Flows
- Open the API and navigate to the policy designer; from the Scripts section, select the samlHelper.js file and modify the context variables listed in the table below based on your configuration.
- Click on Update and then, in the next screen, click on Save to persist the API Proxy changes.
Testing the Flow from Fiori Application
In this blog the details of building applications using SAP Cloud Platform Web IDE are not covered, as there are a lot of articles available on how to consume OData services to build Fiori-like applications. At the end you will have a Fiori application which talks to the OData service from SAP Gateway. In this section we capture the steps required to connect the Fiori application to the SAP Gateway OData API managed via SAP Cloud Platform API Management using user principal propagation.
- Log on to the SAP Cloud Platform account of the Fiori application (say https://account.hanatrial.ondemand.com/cockpit)
- Navigate to Connectivity, click on Destinations, and then click on the destination used by the Fiori application to connect to the SAP Gateway OData API.
- Change the URL field of the destination to point to your SAP Cloud Platform API Management proxy host, set the Authentication type to AppToAppSSO, and then click on the Save button
- Launch the Fiori application. If all the configuration steps are correct, the user is logged on using the SAP ID, and this identity is then used to fetch data from SAP Gateway
Further Reads
Enhanced features of SAP Cloud Platform API Management
Monitoring and Governing 3rd Party APIs
API Security Best Practices
Accelerate digital application development
For more blogs on SAP Cloud Platform API Management visit us at SAP Community