
Does any XSUAA configuration support the SAML2 Bearer grant?


Hello,

I'm trying to get the SAML2 Bearer Grant working on BTP CF according to the Cloud Foundry documentation: UAA API Reference (cloudfoundry.org)

Whatever configuration I try returns an error message like 500 "Uh oh. Something went a miss."

My system alias seems to be right; with a wrong one, I don't receive a 500 error code.

A cURL request looks like this:

curl --location 'https://yyyy.authentication.eu10.hana.ondemand.com/oauth/token/alias/yyy' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --header 'Authorization: Basic yyy' \
  --data-urlencode 'assertion=yyy' \
  --data-urlencode 'client_id=yyy' \
  --data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer' \
  --data-urlencode 'client_secret=yyy' \
  --data-urlencode 'scope=openid uaa.user'

Is there any way to get a working XSUAA configuration to perform a SAML2 Bearer Grant? Or any other option via (Managed) Approuter?

Thank you and best,

Sebastian

Accepted Solutions (0)

Answers (2)

gregorw
SAP Mentor

Hi Sebastian,

Using the SAML Bearer Assertion Flow is possible. I would suggest you read through:

Consuming a Business Technology Platform service from an S/4HANA system using SM59 destination with ...

to get an understanding of how it is implemented using an ABAP system as the client. Then you might continue with:

How to generate SAML bearer assertion token for OAuth2SAMLBearerAssertion flow?

to implement a test client in Node.JS. I've started an implementation at https://github.com/gregorwolf/bookshop-demo/tree/main/tests/OAuth-SAML-Bearer-Assertion but haven't finished it yet. Pull requests are always welcome. But you might also try the Java implementation attached to Note 3031657 - How to generate SAML assertion using SAP-provided offline tool - SuccessFactors.

Best Regards
Gregor
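For readers building such a test client in Node.js, here is an added example (not code from the thread or from Gregor's repository) that assembles the SAML2 Bearer grant token request against the alias-specific XSUAA endpoint shown in the question, with the client credentials sent only in the Basic header. The host, alias, client id/secret and the assertion XML are constructed placeholders; the choice of standard base64 for the assertion is an assumption to verify against the endpoint.

```javascript
// Added example: build (and optionally send) a SAML2 Bearer grant request to
// an XSUAA/UAA token endpoint. Uses only Node.js globals (Buffer, URLSearchParams,
// fetch on Node 18+), so the builder can be inspected offline.
const GRANT_TYPE = 'urn:ietf:params:oauth:grant-type:saml2-bearer';

// Build the request without sending it. Returns { url, headers, body }.
function buildSamlBearerTokenRequest({ host, alias, clientId, clientSecret, assertionXml, scope }) {
  // RFC 7522 specifies base64url for the assertion; the SAP examples pass the
  // full <Assertion> XML as standard base64. Assumption: standard base64 here.
  const assertion = Buffer.from(assertionXml, 'utf8').toString('base64');
  const body = new URLSearchParams({
    grant_type: GRANT_TYPE,
    assertion,
    client_id: clientId,
    scope,
  });
  // Client authentication goes in the Basic header only; the secret is not
  // duplicated in the form body.
  const basic = Buffer.from(`${clientId}:${clientSecret}`, 'utf8').toString('base64');
  return {
    url: `https://${host}/oauth/token/alias/${encodeURIComponent(alias)}`,
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded',
      Authorization: `Basic ${basic}`,
    },
    body: body.toString(),
  };
}

// Decode a form body back into a plain object, e.g. to check what will be sent.
function parseFormBody(body) {
  return Object.fromEntries(new URLSearchParams(body));
}

// Send the request and return the parsed token response. Throws on non-2xx
// so a 500 from the endpoint surfaces with its JSON body for diagnosis.
async function requestToken(req) {
  const res = await fetch(req.url, { method: 'POST', headers: req.headers, body: req.body });
  const json = await res.json().catch(() => ({}));
  if (!res.ok) {
    throw new Error(`token endpoint returned ${res.status}: ${JSON.stringify(json)}`);
  }
  return json; // { access_token, token_type, expires_in, scope, ... }
}
```

Call buildSamlBearerTokenRequest with your real host, alias, client credentials and the signed assertion from the IdP, then pass the result to requestToken.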

CarlosRoggan
Product and Topic Expert

Hello,

You can check this little blog series:

https://blogs.sap.com/2022/06/10/sap-btp-how-to-call-protected-app-across-regions-with-saml-and-oaut...

Yes, it works, but with the help of the destination service.

The described scenario can be adapted; it works as well for calls within one subaccount only.

Kind Regards,
Carlos


Hi Carlos,

Thank you for your quick response. I've read your blog posts already and tried it out, but our scenario is a bit different.

We're trying to connect a SAP NetWeaver Portal (where we get the SAML assertion) to the BTP, both connected to the same IAS. We need a Bearer Token in a user context for further actions like accessing several Fiori applications and swapping tokens with User Token Grant.

So if I got your post right, the destination service fills in the SAML assertion. In our case I need to pass it myself.

If you have any idea or any pointer in the right direction, I would be very happy.

Thanks,

Sebastian