See how the leave request scenario can be realized in an Android App leveraging SAP NetWeaver Gateway and the OAuth 2.0 SAML Bearer Assertion Flow. For this purpose we created a demo Android App based on the SAP NetWeaver Gateway Android Toolkit.
Configuration Guide for this scenario
To get this scenario running, several configuration steps had to be performed. Click on the links below to see the step-by-step descriptions for the various components involved.
OData Service Enablement
SAP NetWeaver Gateway Transaction /IWFND/MAINT_SERVICE
Trust Relationship to the Security Token Service (STS)
Security Token Service Setup
Security Token Service Configuration
OAuth 2.0 Client Registration
Resource Owner Authorizations
Examine the Source Code
The app is developed using the SAP NetWeaver Gateway Android Toolkit, which offers a lot of useful features like asynchronous messaging, CSRF protection handling, and UI as well as proxy generation for a given OData service.
Based on an Android starter application project generated with the toolkit, the following features have been implemented:
- A delegate class taking care of the OAuth 2.0 and SAML handling, which is called prior to the OData service request (see class OAuth2Delegate)
- A basic OAuth 2.0 Access token storage (see class OAuth2AndroidTokenHandler)
- The CSRF handling and its delegate class was adapted so that OAuth 2.0 access tokens are used to fetch CSRF tokens (see class
- The details activity was enhanced with a button to approve leave requests.
- OAuth 2.0 support for the different activities (login, list, detail activity), including automatic redirect to login screen if access token has become invalid.
The sources of the App can be found on SDN Code Exchange. Click here to download the Eclipse project.
Here’s a description of the contents of the various Java packages.
The classes that are performing the STS and OAuth 2.0 Token Endpoint calls
Access Token & Settings storage (currently unencrypted)
The various activity screens (login activity, list activity, detail view activity)
Modified SDMConnectivityHelper class (provided by the Gateway Android toolkit)
If you want to be able to build the App you additionally have to install the Android Developer Tools (ADT) plugin for Eclipse.
This App is for demonstration purposes only. It is not meant to be used directly in a productive scenario. In a productive scenario the access token must be stored in encrypted form, and a more sophisticated retrieval of the access token from storage should be implemented.
See the HTTP messages the App exchanges with the Security Token Service and the SAP NetWeaver Gateway system.
1. Security Token Request
After the logon button is pressed, the app attempts to get a SAML assertion from the Security Token Service. For this purpose it uses the WS-Trust protocol.
2. Security Token Response
After successful authentication at the Security Token Service, a SAML assertion is sent back inside a WS-Trust Security Token Response.
3. Access Token Request
Having received a SAML assertion that identifies the resource owner (the user), the app requests an OAuth 2.0 access token directly at the Gateway system where the OData service is hosted.
4. Access Token Response
After successful authentication of the OAuth 2.0 client (the App in this case) and the resource owner, an access token is sent back. This access token indicates that it is valid for the OData service ZLEAVEREQUESTAPPR_0001 (the approval service in its first version). The access token is now used for all subsequent requests. The initial round trip to the Security Token Service and the OAuth 2.0 Token Endpoint at the Gateway system is not needed anymore as long as the access token is still valid. Therefore, in a productive scenario it's recommended to have a long access token validity.
5. OData Service Request
The access token is now sent in the HTTP Authorization header using the Bearer scheme to access the service.
When performing change operations (HTTP POST, PUT, DELETE), an XSRF (CSRF) token needs to be fetched prior to the OData service access. This can be done using the OAuth 2.0 access token. The SAP NetWeaver Gateway Android Toolkit provides the CSRF handling in so-called delegate classes. See the class SDMConnectivityHelper.getCSRFData() as a starting point.
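The access token request of step 3 and the CSRF-protected change operation of step 5, written out as one added Python example (not the demo app's Java code). The token endpoint path, the service path, the client id and the Gateway stub are assumptions constructed for the example:

```python
import base64
from urllib.parse import urlencode

# Assumed values (not from the original post): endpoint path, service path, client id.
TOKEN_ENDPOINT = "/sap/bc/sec/oauth2/token"
SERVICE_PATH = "/sap/opu/odata/sap/ZLEAVEREQUESTAPPR_0001/LeaveRequestSet"
SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"

def build_token_request(assertion_xml: str, client_id: str, scope: str) -> dict:
    """Step 3: exchange the SAML assertion from the STS for an access token (RFC 7522)."""
    # The assertion travels base64url-encoded, without padding, in the 'assertion' field.
    b64 = base64.urlsafe_b64encode(assertion_xml.encode("utf-8")).decode("ascii").rstrip("=")
    body = urlencode({"grant_type": SAML2_BEARER, "assertion": b64,
                      "client_id": client_id, "scope": scope})
    # Client authentication (e.g. HTTP Basic with the OAuth client's credentials) is
    # left out here; how it is done depends on the server configuration.
    return {"method": "POST", "path": TOKEN_ENDPOINT, "body": body,
            "headers": {"Content-Type": "application/x-www-form-urlencoded"}}

def build_csrf_fetch(access_token: str) -> dict:
    """Step 5a: ask for an XSRF token; the bearer token authenticates the fetch."""
    return {"method": "GET", "path": SERVICE_PATH, "body": "",
            "headers": {"Authorization": "Bearer " + access_token, "X-CSRF-Token": "Fetch"}}

def build_approve_request(access_token: str, csrf_token: str, payload: str) -> dict:
    """Step 5b: the change operation carries both the bearer token and the CSRF token."""
    return {"method": "POST", "path": SERVICE_PATH, "body": payload,
            "headers": {"Authorization": "Bearer " + access_token,
                        "X-CSRF-Token": csrf_token, "Content-Type": "application/json"}}

def approve_leave(transport, access_token: str, payload: str) -> str:
    """Runs fetch + POST; returns 'login' when the Gateway no longer accepts the token."""
    resp = transport(build_csrf_fetch(access_token))
    if resp["status"] == 401:
        return "login"  # invalid/expired access token: the app must redirect to the login screen
    resp = transport(build_approve_request(access_token, resp["headers"]["x-csrf-token"], payload))
    return "login" if resp["status"] == 401 else ("ok" if resp["status"] < 300 else "error")

def fake_gateway(valid_token: str = "tok-123"):
    """Constructed stand-in for the Gateway system so the client can be exercised offline."""
    def transport(req: dict) -> dict:
        if req["headers"].get("Authorization") != "Bearer " + valid_token:
            return {"status": 401, "headers": {}, "body": ""}
        if req["method"] == "GET" and req["headers"].get("X-CSRF-Token") == "Fetch":
            return {"status": 200, "headers": {"x-csrf-token": "csrf-abc"}, "body": ""}
        if req["method"] == "POST" and req["headers"].get("X-CSRF-Token") == "csrf-abc":
            return {"status": 204, "headers": {}, "body": ""}
        return {"status": 403, "headers": {}, "body": "CSRF token validation failed"}
    return transport
```

The stub rejects a POST that lacks the fetched CSRF token with 403, which is the behaviour the delegate class has to handle before the real change request goes out.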