Using destination with OAuth2SAMLBearerAssertion

y_oshri
Associate

Hello

Scenario:

I am using CAP CDS with Node.

I have application A on CF in subaccount X with XSUAA.

I have application B on CF in subaccount Y with XSUAA.

I want to access an OData API of application A from application B.

I created an OAuth2SAMLBearerAssertion destination,

but when I try to use this destination I am getting an error:

Failed to build headers. Caused by: The destination tried to provide authorization tokens but failed in all cases. This is most likely due to misconfiguration.Original error messages:\n' +

'Error determining metadata contracts

I followed this post: https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/user-propagation-between-cloud-foundr...

I created a trust between the accounts, except for the part about setting the role collection, which I didn't have a clear understanding of: what role should I set/configure?

Any help??

Accepted Solutions (1)

CarlosRoggan
Product and Topic Expert

Hello Yaniv,

I went through a similar scenario, and created a little series of detailed blog posts.
I hope you'll find it helpful to go through it:

https://blogs.sap.com/2022/06/10/sap-btp-how-to-call-protected-app-across-regions-with-saml-and-oaut...

You'll see that the trust configuration uses both the subaccount SAML metadata and the SAML metadata of the destination itself.
Maybe you missed this part?
The error message seems to be complaining about missing SAML metadata.

Good luck,
Carlos

y_oshri
Associate

Hi Roggan,

Thanks a lot for your answer and for the amazing post.

With the help of your article I was able to call my backend.

The missing part was the role collection that you define and later on assign to my user.

But I have one question:

My frontend application should be used for all SAP users,

and I am not able to give each user this role collection,

so how should I handle this case?

CarlosRoggan
Product and Topic Expert

Hi Yaniv,

I'm so glad to hear that the blog post could unblock you !!

About the second question, the answer would be "Role Collection Mapping".
In the Role Collection, you don't assign single user names.
Instead, one section below, under "Groups", you define a mapping of your RC to a user group.
Here, you have to specify the Identity Provider in the drop-down (the trust previously defined in Trust Configuration),
and you specify the exact name of a group which exists in the IdP.
Usually, every user of an IdP is assigned to multiple user groups.
Like that, all these users automatically get the Role Collection assigned.

Does this help?

y_oshri
Associate

Thank you very much, Roggan, for your help. I really appreciate it.

Answers (1)

jlong
Product and Topic Expert

Here is another scenario: exposing your CAP project at subaccount level and then, as the next step, exposing it across subaccounts:

https://github.com/SAP-samples/fiori-tools-samples/blob/main/cap/destination/README.md

John