Introduction
SAP Cloud Integration version 2.45.x comes with support for Principal Propagation to applications running on SAP Cloud Foundry. This blog explains how to make use of this enhancement.
The feature itself is easy to consume with the HTTP receiver adapter/connector, but understanding the required setup of a custom Identity Provider (IdP) and establishing trust between the SAP BTP Neo account and the Cloud Foundry account is somewhat complex and time consuming.
The feature is explained with a sample use case, as depicted in the diagram below.
myApp needs to collect the response of an app, httpApp, which exposes an HTTP endpoint and runs on SAP BTP (CF), by using an integration flow designed and deployed in SAP Cloud Integration. The response of httpApp must be collected on behalf of the user who logged in to myApp. That means the logged-on user’s context (principal) must be propagated from myApp to the integration flow and then to httpApp. This is achieved via the OAuth2 SAML Bearer Assertion authentication type in the HTTP receiver adapter/connector.
1. Prerequisites
Before going through this blog, we assume that you already have an application deployed in your Cloud Foundry account and secured with an XSUAA service instance. If not, refer to the blog links below:
2. Setup
A similar feature has been enabled for the SuccessFactors OData V2 adapter, and details are available in the blog
https://blogs.sap.com/2018/07/30/sap-cloud-platform-integration-principal-propagation-with-successfa... It is recommended that you go through that blog, since most of the setup information it provides is also required here, excluding the SuccessFactors-related setup (e.g. sections 1.1.1 and 1.6 of that blog are not relevant here). This blog provides a summary of the setup.
For the sample use case above, you need to complete the following by following sections 1.1, 1.2, 1.3, 1.4 and 1.5 of the above-mentioned blog: user and group creation in the custom IdP (Cust. IdP); linking the Cust. IdP to SubAccnt1; OAuth2 client creation in SubAccnt2; and trust setup between SubAccnt1 and SubAccnt2. Sections 1.1.1 and 1.6 are not relevant here.
To establish trust between SubAccnt2 and the Cloud Foundry account, follow these steps:
- Download the metadata from your SubAccnt2.
Go to SubAccnt2, open Trust Management, change the Configuration type of the local service provider to Custom, save, and then download the metadata.
- Go back to the Cloud Foundry cockpit, go to your subaccount, open the Trust Configuration page and press “New Trust Configuration”. Upload the metadata XML file from the previous step, parse it and save. Done!
- Once the trust has been created, select Trust Configuration from the Security menu and click the name of your trust configuration in the list.
- In the dialog that opens, select Role Collection Mapping and map your role collection to the user group created in the custom IdP.
3. Integration Flow Design and Deployment
Now we will design the integration flow that talks to the HTTP endpoint exposed by the Cloud Foundry application, using OAuth2 SAML Bearer Assertion authentication in the HTTP receiver adapter. We start with the deployment of the OAuth2 credentials for the SAML bearer assertion.
3.1 Credentials Deployment
For the credentials deployment, you will need some information from the SAML metadata of your CF account. You can access the metadata of your Cloud Foundry subaccount via the following link:
https://<subdomain>.authentication.<domain>/saml/metadata
From the metadata you will need the "entityID" and the token URL, which is the "AssertionConsumerService" element with Binding="urn:oasis:names:tc:SAML:2.0:bindings:URI".
Follow section 2.1 of the above-mentioned blog up to the opening of the deployment dialog (step 7). After that, select the Target System Type SAP BTP (CF).
Parameter details
- Name: A name of your choice (e.g. myOauthSamlCred); this is used as the alias for the whole security artifact. This name must be provided as the Credential Name in the HTTP receiver adapter/connector properties inside the integration flow.
- Description: Any description of your choice
- Audience: the entityID from the SAML metadata (see above)
- Client Key: {clientid} from the XSUAA service credentials in Cloud Foundry
- Token Service URL: the token URL from the SAML metadata (see above)
- Target System Type: SAP BTP (CF).
- Token Service User: {clientid} from the XSUAA service credentials in Cloud Foundry
- Token Service Password: {clientsecret} from the XSUAA service credentials in Cloud Foundry
- Additional Properties: The deploy dialog already contains the additional properties required for this use case. Leave the default values as they are.
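The two metadata values the dialog asks for (Audience and Token Service URL) are easy to confuse with the HTTP-POST AssertionConsumerService that sits next to them in the same file. The following Python helper is an added example, not code from the blog or from SAP, that pulls exactly the entityID and the URI-binding AssertionConsumerService out of an XSUAA metadata document and rejects metadata that is not service-provider metadata; the sample XML and its hostnames are constructed for the example.

```python
# Added example: extract the credential-deployment values from XSUAA SAML metadata.
# SAMPLE_METADATA is constructed; hostnames and alias are placeholders.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
URI_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:URI"

SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="mysub.authentication.example.invalid">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://mysub.authentication.example.invalid/saml/SSO/alias/mysub"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:URI"
        Location="https://mysub.authentication.example.invalid/oauth/token/alias/mysub"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def extract_saml_bearer_settings(metadata_xml: str) -> dict:
    """Return {'audience': entityID, 'token_service_url': URI-binding ACS Location}.

    Raises ValueError for non-SP metadata (e.g. an IdP metadata file uploaded by
    mistake) or when there is not exactly one URI-binding AssertionConsumerService.
    """
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("metadata has no entityID")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service-provider metadata")
    # Only the URI-binding ACS is the OAuth2 token endpoint; the HTTP-POST one is
    # the browser SSO endpoint and must not be used as Token Service URL.
    token_urls = [
        acs.get("Location")
        for acs in sp.findall("md:AssertionConsumerService", NS)
        if acs.get("Binding") == URI_BINDING and acs.get("Location")
    ]
    if len(token_urls) != 1:
        raise ValueError(f"expected exactly one URI-binding ACS, found {len(token_urls)}")
    if not token_urls[0].startswith("https://"):
        raise ValueError("token service URL must use https")
    return {"audience": entity_id, "token_service_url": token_urls[0]}
```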
3.2 Integration Flow Design
In the Design space of your SAP Cloud Integration Web UI, create or choose a package of your choice and create an integration flow artifact. (The steps to create an integration flow project are omitted.)
Consider the sample integration flow created below.
In the HTTP receiver adapter/connector, provide the HTTP endpoint exposed by the Cloud Foundry application in the Address field. Set the Authentication type to OAuth2 SAML Bearer Assertion. For the Credential Name, provide the name you used while deploying the OAuth2 SAML credentials.
Save and deploy the integration flow. Since it has a SOAP sender adapter, deployment results in a SOAP endpoint URL in SAP Cloud Integration. To get the SOAP endpoint URL, go to the Monitor view of your Web UI, then Manage Integration Content, and click the Started tile. Copy the SOAP endpoint URL and keep it temporarily in a text editor; it is used in the destination configuration created for myApp.
4. Destination Configuration for myApp
Follow the steps of section 3 of the above-mentioned blog to set up a destination that is used for the communication between myApp and the integration flow. After this step, when you invoke myApp, the login screen is that of the custom IdP you configured. After a successful login, myApp invokes the integration flow via the destination configuration, and the integration flow invokes the endpoint exposed by the Cloud Foundry application via the HTTP receiver adapter, with the user context/principal propagated to all the involved applications across the different accounts.
Summary
With the OAuth2 SAML Bearer Assertion authentication type in the HTTP receiver adapter/connector, you can achieve principal propagation to application(s) running on SAP BTP, Cloud Foundry environment, with a few somewhat complex infrastructure setup steps :).