SAP to consume third-party web service that requires SAML authentication

jagdishwar_b
Active Participant
0 Kudos
305

Hi All,

I am able to invoke our third-party web service from SoapUI, but it is a two-step procedure. This is how it works in SoapUI:

Step 1) First send the predefined message below, with the username and pwd embedded in the header:


<SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/">
	<SOAP:Header>
		<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
			<wsse:UsernameToken>
				<wsse:Username>myusername</wsse:Username>
				<wsse:Password>mypwd</wsse:Password>
			</wsse:UsernameToken>
		</wsse:Security>
	</SOAP:Header>
	<SOAP:Body>
		<samlp:Request xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">
			<samlp:AuthenticationQuery>
				<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
					<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">myusername</saml:NameIdentifier>
				</saml:Subject>
			</samlp:AuthenticationQuery>
		</samlp:Request>
	</SOAP:Body>
</SOAP:Envelope>

After this, we got the response as:


<SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/">
	<SOAP:Header>
		<header xmlns="http://schemas.thirdparty.com/General/1.0/">
		...
		</header>
	</SOAP:Header>
	<SOAP:Body>
		<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">
			<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
				<SignedInfo>
					<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
					<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
					<Reference URI="#A18A90576-64FD-71E0-A9BC-286444658733">
						<Transforms>
							<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
						</Transforms>
						<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
						<DigestValue>LzlvRhszr3qlOTG7AZX8i+yKvRI=</DigestValue>
					</Reference>
				</SignedInfo>
				<SignatureValue>qc1x+84wkkPrf76dHW2HJ...</SignatureValue>
				<KeyInfo>
					<X509Data>
						<X509Certificate>MIIB3I.....NBgkqhk</X509Certificate>
					</X509Data>
				</KeyInfo>
			</Signature>
			<samlp:Status>
				<samlp:StatusCode Value="samlp:Success"/>
			</samlp:Status>
			<saml:Assertion AssertionID="A18A90576.." xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
				<saml:Conditions NotBefore="2011-01-25T09:14:54.045Z" NotOnOrAfter="2011-01-25T17:19:54.045Z"/>
				<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
					<saml:Subject>
						<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">myusername</saml:NameIdentifier>
					</saml:Subject>
				</saml:AuthenticationStatement>
			</saml:Assertion>
			<samlp:AssertionArtifact>MDGH....RbY6qHUFcO</samlp:AssertionArtifact>
		</samlp:Response>
	</SOAP:Body>
</SOAP:Envelope>

Step 2) From the above response body, use the Signature element and the saml:Assertion element as part of the header of the original request, so the actual request in SoapUI has become:


<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:product="http://mytp/myfunctionality">
	<soapenv:Header>
		<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
			<Signature> ...</Signature>
			<saml:Assertion>..</saml:Assertion>
		</wsse:Security>
	</soapenv:Header>
	<soapenv:Body>
		<product:isProductAvailable>
			<product:ProductNAME>myproduct</product:ProductNAME>
			<product:ProductYEAR>2010</product:ProductYEAR>
		</product:isProductAvailable>
	</soapenv:Body>
</soapenv:Envelope>

After sending the above request, we are getting the desired response:


<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:product="http://mytp/myfunctionality">
	<soapenv:Header>
	</soapenv:Header>
	<soapenv:Body>
		<isProductAvailableResponse xmlns="http://mytp/myfunctionality">
			<isProductAvailable>true</isProductAvailable>
		</isProductAvailableResponse>
	</soapenv:Body>
</soapenv:Envelope>

If we want to implement the same functionality using an ABAP consumer proxy, do we need to invoke it with two different requests?

Is there any efficient way where we can specify the values of <wsse:Username> and <wsse:Password>, and invoke with the original payload?

Is there any config in SOAMANAGER to specify the SAML-related settings for the consumer proxy?

What could be the simplest way to consume this web service in SAP?

Thanks in advance, BJagdishwar.
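
The checks a consumer would run on the step-1 response before placing its Signature and saml:Assertion into the step-2 header, as an added example that is not part of the original post. The function name and the sample document (with made-up IDs) are constructed for illustration, and the signature is not cryptographically verified here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample modelled on the step-1 response in the post (IDs are made up).
SAMPLE = """<SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/">
 <SOAP:Body>
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">
   <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>
     <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
     <Reference URI="#A-EXAMPLE-1">
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
     </Reference>
   </SignedInfo></Signature>
   <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
   <saml:Assertion AssertionID="A-EXAMPLE-1" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
    <saml:Conditions NotBefore="2011-01-25T09:14:54.045Z" NotOnOrAfter="2011-01-25T17:19:54.045Z"/>
   </saml:Assertion>
  </samlp:Response>
 </SOAP:Body>
</SOAP:Envelope>"""

def _ts(value):
    # Timestamps in the posted response are UTC with fractional seconds.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def check_step1_response(xml_text, now):
    """Return a list of problems; structural checks only, no signature verification."""
    problems = []
    resp = ET.fromstring(xml_text).find("soap:Body/samlp:Response", NS)
    if resp is None:
        return ["no samlp:Response in SOAP body"]
    status = resp.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value", "").split(":")[-1] != "Success":
        problems.append("status is not Success")
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no saml:Assertion"]
    # Assumes both window attributes are present, as in the posted response.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        problems.append("assertion missing Conditions or outside validity window")
    # The Reference URI must point at the assertion that will be reused in step 2.
    refs = [r.get("URI") for r in resp.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS)]
    if "#" + assertion.get("AssertionID", "") not in refs:
        problems.append("signature does not reference this assertion")
    for el in resp.findall("ds:Signature/ds:SignedInfo//*[@Algorithm]", NS):
        if el.get("Algorithm", "").endswith("sha1"):
            problems.append("SHA-1 algorithm: " + el.tag.split("}")[-1])
    return problems
```

Re-serialising the Signature or Assertion with a parser that rewrites namespace prefixes changes their canonical form, so when building the step-2 header copy those elements unchanged.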

Accepted Solutions (0)

Answers (1)

Former Member
0 Kudos

Hi,

Please create the logical port using the WSDL directly; it will apply the required settings in the LP. You can also ask for a client certificate, which you can apply while calling 3rd-party services. To me this seems to be X509 client certificate authentication.

You can also create the LP manually by giving SAP SAML authentication and saving. Next time when you edit the LP you will be able to see plenty of options to configure the required settings.

Please note that not all security methods are supported by SAP.

Regards,

Gourav

jagdishwar_b
Active Participant
0 Kudos

Thanks Gourav for your comments.

In our case, when we presented the complexity to our vendor (the web service provider), the web service provider created a wrapper web service with transport-level authentication; with that we are able to invoke the functionality from SAP or SoapUI.