
SAP CPI/Cloud Integration : Principal Propagation using password grant type


Hello Experts,

I'm stuck with the below requirement for a few days now and would highly appreciate your support in sorting this issue.

Requirement:

I'm having a requirement to propagate the user context from the sender to the backend on prem S4 HANA system via Cloud Integration using the cloud connector. The sender system will present the CPI Integration suite Service Key (Client ID and Secret) along with the username and password in the body of the request.

I need to propagate this to the backend using password grant type flow.

Progress So far:

I have referred to multiple blogs and have created an XSUAA instance in Cloud Foundry and added a few scopes and role templates. Using this, I could fetch the access token using Postman from the below endpoint.

https://<CI tenant>.authentication.ap21.hana.ondemand.com/oauth/token?grant_type=password

Issues:

When I pass this token to the iFlow endpoint below, I get a 401 response with the error mentioned below.

https://<CIruntime URL>/http/princproptest

Error - Bearer error="invalid_token", error_description="The token is invalid: Jwt token with audience [openid, sb-na-17602b24-dd94-418c-9e34-bc6c889fff33!a6394] is not issued for these clientIds: [sb-i, it-rt-116].", error_uri="https://tools.ietf.org/html/rfc6750#section-3.1"

Is this because the token does not have the ESBMessaging.Send scope to hit the Iflow?

Any help on how this can be resolved will be of great help.

I have already referred to the YouTube video and the blogs below:

https://blogs.sap.com/2022/04/20/principal-propagation-in-sap-integration-suite-from-external-system...

https://www.youtube.com/watch?v=0mMbnV5QUm0

Thanks,

Priyanka

VijayKonam

First thing, sending the backend system credentials in the body is not recommended.

The Client-ID and Secret that you want to use for CPI should use the token URL on the CPI tenant, not the cloud platform itself. Assuming you are on CF, you need to create Process Integration Runtime instances and create keys with the ESBmessage.Send role. This solves authenticating on the IS side. However, to get authenticated on the backend side using the credentials in the body, you may need to dynamically populate the credentials to the backend SOAP/PROXY or RFC channel.

Again, this is not end to end SSO. To achieve that, I believe your SAP-IS needs to be integrated with your organization's SSO authority and use principal propagation supported adapters for the integrations.

Hope someone else may be able to help as well.
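To make the audience mismatch in the 401 above concrete, here is an added illustration (not code from the thread or from SAP): a simplified Python model of the two checks a resource server applies to a bearer token, audience first and scope second, run against two constructed unsigned tokens. The accepted client IDs are the ones quoted in the error message; the scope format and the use of unsigned tokens are assumptions for the demo only, and a real gateway verifies the signature before anything else.

```python
import base64
import json

# Client IDs the Cloud Integration runtime accepts, taken from the 401 error
# quoted in the question. The scope name is the role the answer refers to.
RUNTIME_CLIENT_IDS = {"sb-i", "it-rt-116"}
REQUIRED_SCOPE_SUFFIX = "ESBMessaging.send"   # assumed suffix match for the demo


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (no signature check here)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    return json.loads(_b64url_decode(parts[1]))


def check_token(token: str) -> str:
    """Model the checks behind the 401: audience, then scope."""
    claims = jwt_claims(token)
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if not RUNTIME_CLIENT_IDS.intersection(aud):
        return (f"invalid_token: audience {aud} is not issued for "
                f"clientIds {sorted(RUNTIME_CLIENT_IDS)}")
    scopes = claims.get("scope", [])
    if not any(s.endswith(REQUIRED_SCOPE_SUFFIX) for s in scopes):
        return f"insufficient_scope: {REQUIRED_SCOPE_SUFFIX} missing"
    return "ok"


def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned (alg=none) token purely for this demo."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed tokens: the first mirrors the one from the question (issued for a
# separate XSUAA instance), the second mirrors one obtained with a Process
# Integration Runtime service key that carries the ESBMessaging.send role.
XSUAA_INSTANCE_TOKEN = make_unsigned_jwt({
    "aud": ["openid", "sb-na-17602b24-dd94-418c-9e34-bc6c889fff33!a6394"],
    "scope": ["openid"],
})
RUNTIME_KEY_TOKEN = make_unsigned_jwt({
    "aud": ["it-rt-116"],
    "scope": ["it-rt-116.ESBMessaging.send"],
})
```

Running check_token on the first token reproduces the "not issued for these clientIds" failure before the scope is ever consulted, which is why adding ESBMessaging.send to the XSUAA instance alone would not fix the 401.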