Foreword.
We are so used to saying “Alexa, play Spotify” and the like that we no longer realise how much manual work it takes to set up the ubiquitous OAuth2 SAML2 Bearer Assertion flow with a vanilla SAP ABAP backend system. This instalment will walk you through this challenge!
Abstract.
The initial task was to set up the SuccessFactors Employee Central integration with its SFSF ECP (Employee Central Payroll) twin via outbound OAuth. (ECP is an ABAP payroll engine that can be either accessed over VPN or exposed to the public internet.) Looking at the overview of the required and documented steps (aka Using OAuth 2.0 to Integrate Employee Central and Employee Central Payroll) the task seemed relatively straightforward. Let’s see…
Putting it all together.
A quick reminder of the steps to accomplish:
This is an overview of the configuration steps that are needed to set up OAuth 2.0 in Employee Central Payroll (ECP).
Step 1. x509 key pair – Creating OAuth X509 Keys
Even if my hands got a little bit rusty with SAP GUI, I was able to go through steps 2 – 4 relatively smoothly, as depicted below.
Step 2. SAML2 – Configuring OAuth Identity Provider
Step 4. SOAUTH2 – Registering OAuth Client
And finally I was ready to test this “ubiquitous” authorisation flow (initially using Postman). But all I was getting was a 401 error (logon error). Please go to the Troubleshooting section below for a detailed explanation.
And while contemplating my bad luck I happened to come across the following community post. The answer provided by Wolfgang Janzen is spot-on!
When I read through it I said to myself – this is it. The missing S_SCOPE object must be the culprit!
Let’s get it done!
After having completed the whole ABAP server-side configuration with SAML2 / SU01 / SOAUTH2 / PFCG, it is time to create the SAML bearer assertion and then call the token endpoint of the ABAP OAuth 2.0 server to obtain a bearer access token. The bearer access token will carry all the necessary authorisations to enable remote, password-less access to OData resources.
Step 5. Configuring Outbound OAuth
At this stage we shall deviate from the SFSF/ECP documentation, as we shall be generating the SAML assertion programmatically (sub-steps 1a and 1b below).
Why? Because:
- the ABAP server is not exposed to the public internet thus SFSF built-in destination service (the one from the SFSF security center) is not an option.
- the client application has no SFSF EC tie-in, thus the SFSF built-in destination service cannot be used either.
On the other hand, SAP BTP destination service can help generate the saml bearer assertion in either use case (even if the server or application have no public internet exposure)! Please refer to the sibling blog if this is of interest as well.
1a. Generate SAML bearer assertion.
A SAML assertion identifies the resource owner! The produced SAML assertion is both base64- and URL-encoded. The nodejs code snippet below is provided “as-is”.
1b. Decode SAML Bearer Assertion into XML format.
2. OAuth 2.0 Access Token Request
After receiving a SAML assertion, which identifies the resource-owner user, the OAuth 2.0 client sends an access token request directly to the Gateway system where the OData service is hosted, in order to obtain an OAuth 2.0 access token.
3. OAuth 2.0 Access Token Response
After successful authentication and authorization check for the OAuth client and the resource owner the token endpoint inside the AS ABAP will send an OAuth 2.0 bearer access token back.
Here are examples of successful responses:
a. EC_ADM_OAUTH client – admin services
{ "access_token": "-hY-kcapHuuvsU9KHYiuPe0U6p8Xt1rhMr5F4eqkjdRD1xxx", "token_type": "Bearer", "expires_in": "3600", "scope": "HRSFEC_ECP_INFO_SRV_0001 HRSFEC_INFOTYPE_SRV_0001" }
b. EC_ESS_OAUTH client – self services
{ "access_token": "-hY-kcapHuuvsd4swh8vxmtVoTf3R187pIQXkV0KX57BQxxx", "token_type": "Bearer", "expires_in": "3600", "scope": "HRSFEC_PAYCTRL_REC_SRV_0001 HRSFEC_PAY_OVERVIEW_SRV_0001" }
c. QUOVADIS_ECP client – bespoke travel services
{ "access_token": "-hY-kcapHuuvseHGU63vyPYrQxq7diXlXooux8SFxMQ4vxxx", "token_type": "Bearer", "expires_in": "3600", "refresh_token": "-hY-kcapHuuvseHGU64PyO5uqYEOUaWH2-XBrfeCi1S5Yxxx", "scope": "ZUI_TRAVELAPPROVERMMY_0001 ZUI_TRAVELPROCESSORMMY_0001" }
4. OData Service Request and Response
The OAuth client uses the access token in the HTTP bearer authorization header to access the OData service (ZUI_TRAVELPROCESSORMMY).
Request: GET https://<host>.<domain>:<port>/sap/opu/odata/sap/ZUI_TRAVELPROCESSORMMY/?sap-client=666
Response:
Conclusion.
The official SAP help documentation, namely Using OAuth 2.0 to Integrate Employee Central and Employee Central Payroll, describes quite accurately all the necessary configuration steps. Still, the OAuth setup on the NW ABAP side can be challenging as such, as there are many tiny details to pay attention to (as depicted in the amber coloured sections along this blog post). Last but not least, I hope you have enjoyed reading this blog… Please leave your questions and comments in the add comment section below.
Troubleshooting.
Let me share a hint on how to easily establish a connection with any ABAP backend system using a .sapc formatted connection file.
The main troubleshooting note is 1688545 – OAuth 2.0 Server in AS ABAP Troubleshooting.
And the transaction SA38 with SEC_TRACE_ANALYZER is your friend.
HTTP Trace with SA38 (or SE38) SEC_TRACE_ANALYZER
Here goes the trace for the 401 logon error I encountered initially:
Here goes the rationale of the above 401 error: to generate an access token for the client_credentials grant type you must pass the Client ID and Client Secret as a Basic Authentication header (Base64-encoded). Apart from that, all form parameters must be x-www-form-urlencoded.
Appendix
Using OAuth 2.0 from a Web Application with SAML Bearer Assertion Flow
Configuration Guide for this scenario
To get this scenario running several configuration steps have been performed. Click on the links below to see the step-by-step descriptions for the various components involved. All configuration steps are based on the leave request example.
OAuth 2.0 Resource Owner Authorization Configuration
Create OAuth 2.0 client user and add authorization object S_SCOPE
With OAuth 2.0, the access to a resource / service is not done by a user directly, but by an OAuth client. The client logs on to Gateway and sends the user’s access token to the service. Therefore, as a first step we need to create the OAuth 2.0 client in SAP Gateway. This client is not an app; it is a user account of type system that the actual client app will use to log on to SAP Gateway. To do this, run transaction SU01 and create a new system user (user type: system). With this technical user, the OAuth client app can log on to SAP Gateway.
In theory this is enough to allow access to the SAP Gateway service. The client could now send an access token and its client secret to be authorized. As this is not secure enough, the client must not only authenticate itself with User ID and Password or X.509, but must also have the authorization to access the service with the given scope and client id. Within the SAP backend the authorization object S_SCOPE is used for this purpose.
To enable the OAuth client user to act as an OAuth client, you must assign and configure the authorization object S_SCOPE. This is done by creating a new role, adding the S_SCOPE object and assigning the role to the user. Run transaction PFCG and create a new role. For our example we call the role ZOAUTHSERVICE. The following storyboards describe the ZOAUTHSERVICE role configuration steps:
Additional resources:
Using OAuth 2.0 to Integrate Employee Central and Employee Central Payroll
Troubleshooting notes:
1688545 – OAuth 2.0 Server in AS ABAP Troubleshooting
2346664 – Security Trace Analyzer – Improvements
2900830 – EC-to-ECP: Error handling for OAuth 2.0
2259979 – Authentication using SAML 2.0 fails asking to enter the user and password
3009886 – Provided authorization grant is invalid
Generating OAuth X509 Key in SAP SuccessFactors
Generate SAML bearer assertion.
Golden selection of help resources:
https://help.sap.com/viewer/185f14fbe60d4bbb8d7d5e4f8d89b24b/2105/en-US/f5f3782dad014254b2263575ace2f36d.html
https://launchpad.support.sap.com/#/notes/2900830
https://answers.sap.com/questions/530487/how-to-test-oauth-20-enabled-sap-odata-service-fro.html
https://wiki.scn.sap.com/wiki/display/Security/Using+OAuth+2.0+from+a+Web+Application+with+SAML+Bearer+Assertion+Flow
https://wiki.scn.sap.com/wiki/display/Security/Registration+of+an+OAuth+2.0+Trusted+Identity+Provider
https://help.sap.com/viewer/e815bb97839a4d83be6c4fca48ee5777/7.31.25/en-US/2e25659ad6834ce5b7f6c394fca79ee3.html
https://wiki.scn.sap.com/wiki/display/Security/Security+Token+Service+Configuration