Technology Blogs by SAP
simon_luser
Product and Topic Expert

This blog describes how to use a technical user instead of basic authentication when calling on-premises systems from JCo, based on the SAP Java Buildpack in Cloud Foundry (CF).

Background

JCo retrieves an access token representing the technical user, which is then sent to the Connectivity service. This is similar to principal propagation, but in this case a technical user is propagated instead of a business user. The access token is retrieved with the OAuth 2.0 client credentials flow, according to the token service configuration in the destination. Currently, for JCo, token retrieval supports only basic authentication towards the token service. The token service is called from the Internet, not from the Cloud Connector.

Configuration

Generally speaking, the setup described in the documentation stays the same; only the destination configuration in the Destination Service needs to be adjusted.

In the UI, select the authentication type TechnicalUserPropagation. You now need to enter values for three properties:

  • jco.client.tech_user_id - the technical user name (client ID) which is forwarded towards on-premises and used for token retrieval
  • jco.client.tech_user_secret - the secret for jco.client.tech_user_id used for token retrieval
  • jco.client.tech_user_service_url - the URL of the token service, against which the token exchange is performed

Example

We are going to use the token of the XSUAA service instance here. In the instance's configuration JSON, we specified the xsappname as jco-technicalProp.

After binding the application, we can retrieve the relevant parameters from the CF environment variable VCAP_SERVICES:

"clientid": "sb-jco-technicalProp!t77058"
"clientsecret": "TMsePptYQLSRf6qUWWt+l1D0rUQ="
"url": "https://cf.authentication.hana.ondemand.com"

Entering it in the Destination Service:

[Screenshot: destination configuration in the Destination Service]
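The mapping from the XSUAA binding to the three destination properties, as an added example that is not part of the original post. The function names, the instance name my-xsuaa, the placeholder secret and the https check are assumptions of this example; the remaining RFC destination properties are omitted.

```python
import json
from urllib.parse import urlsplit

# Constructed VCAP_SERVICES sample. The secret is a placeholder, not a real value.
SAMPLE_VCAP = json.dumps({"xsuaa": [{
    "name": "my-xsuaa",  # hypothetical instance name
    "credentials": {
        "xsappname": "jco-technicalProp!t77058",
        "clientid": "sb-jco-technicalProp!t77058",
        "clientsecret": "PLACEHOLDER-SECRET",
        "url": "https://cf.authentication.hana.ondemand.com",
    },
}]})

def tech_user_properties(vcap_json, xsappname):
    """Map the XSUAA binding for `xsappname` to the three destination properties."""
    bindings = json.loads(vcap_json).get("xsuaa", [])
    # The bound xsappname carries a "!t..." suffix, so compare the part before "!".
    matches = [b["credentials"] for b in bindings
               if b.get("credentials", {}).get("xsappname", "").split("!")[0] == xsappname]
    if len(matches) != 1:
        raise LookupError(f"expected one xsuaa binding for {xsappname!r}, found {len(matches)}")
    cred = matches[0]
    missing = [k for k in ("clientid", "clientsecret", "url") if not cred.get(k)]
    if missing:
        raise ValueError(f"binding lacks {missing}")
    url = urlsplit(cred["url"])
    # Check added by this example: the secret is sent with basic authentication
    # over the Internet, so refuse a token service URL that is not https.
    if url.scheme != "https" or not url.hostname:
        raise ValueError("token service URL must be https")
    return {
        "jco.client.tech_user_id": cred["clientid"],
        "jco.client.tech_user_secret": cred["clientsecret"],
        # Taken as-is from the binding; the post does not say whether a path is appended.
        "jco.client.tech_user_service_url": cred["url"],
    }

def redacted(props):
    """Return a copy that is safe to log: the secret value is masked."""
    return {k: ("***" if k.endswith("_secret") else v) for k, v in props.items()}

if __name__ == "__main__":
    props = tech_user_properties(SAMPLE_VCAP, "jco-technicalProp")
    print(json.dumps(redacted(props), indent=2))
```

Only the redacted copy should reach logs or tickets; the unmasked secret belongs in the Destination Service alone.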

The token will now be forwarded to the Cloud Connector. Assuming all necessary basic steps for principal propagation are configured, we can configure a pattern to extract its name for the short-lived certificate:

[Screenshot: principal propagation pattern configuration in the Cloud Connector]

The ABAP backend needs to maintain a user mapping for this technical user, in this case mapping it to the ABAP user SKYWALKER:

[Screenshot: user mapping for the technical user in the ABAP backend]

That's it!