While the usage of OAuth2 is quite straightforward, it is sometimes convenient to have some code to start with. If you don't want to use a sample implementation, please check the sample messages on the page Using OAuth 2.0 from a Web Application with SAML Bearer Assertion Flow.
The sample clients are based on the example scenario. Please follow the Configuration Guide for this scenario to configure your system.
Java Client with local SAML token generation
Source Code
Get a copy of the source from github at: https://github.com/d039113/OA2C. This includes an Eclipse project OAuth2Client_Java.
The client uses the OpenSAML implementation to generate a SAML2 token, so you will additionally need a copy of the OpenSAML libraries from http://shibboleth.net/downloads/java-opensaml/latest/
Configuration & Testing
The Eclipse project contains a JUnit test that requests an OAuth access token. Once you are able to obtain an access token, it can be used to access OData resources on the Gateway system.
Before testing, adapt the configuration to your system environment by editing the file saml.properties in the imported Eclipse project.
The unit tests read their configuration from this properties file; an application may instead pass a java.util.Properties object.
Java Keystore
The Eclipse project contains a sample keystore, which is stored on the classpath. For your own environment you need to create your own keystore, e.g. by running the following command:
Tool | Explanation |
---|---|
Keytool | `keytool -genkey -alias saml2 -keyalg RSA -keystore localsts.jks -keysize 2048` The tool asks you to protect the keystore itself and the key entry with a password, which is used for encryption. Enter these values in the saml.properties configuration file. |
Configuration saml.properties | `# Keystore Path` (the keystore section of saml.properties, which takes the path to the keystore and the passwords chosen above) |
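A common reason the unit test fails before any SAML message is sent is a keystore that does not match saml.properties (wrong path, wrong password, or an alias that is not a key entry). The following pre-flight check is an added example, not code from the OA2C project: it loads the keystore named in the properties file and verifies that the configured alias holds an RSA private key of at least 2048 bits with a currently valid certificate. The property key names (`keystore.path`, `keystore.password`, `keystore.alias`, `key.password`) are assumptions; the page only shows the `# Keystore Path` comment, so map them to whatever keys your saml.properties actually uses.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAKey;
import java.util.Collections;
import java.util.Properties;

/** Pre-flight check of the keystore referenced by saml.properties (added example). */
public class KeystoreCheck {

    // Assumed property names; the page only documents the "# Keystore Path" comment.
    static final String KEY_PATH = "keystore.path";
    static final String KEY_PASSWORD = "keystore.password";
    static final String KEY_ALIAS = "keystore.alias";        // "saml2" in the keytool call above
    static final String KEY_ENTRY_PASSWORD = "key.password"; // optional, defaults to the keystore password

    /** Returns the signing certificate if every check passes, otherwise throws with a precise reason. */
    public static X509Certificate check(Properties props) throws Exception {
        Path path = Path.of(require(props, KEY_PATH));
        if (!Files.isReadable(path)) {
            throw new IllegalStateException("keystore not readable: " + path);
        }
        // localsts.jks from the keytool call is a JKS keystore
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, require(props, KEY_PASSWORD).toCharArray());
        }
        String alias = require(props, KEY_ALIAS);
        if (!ks.isKeyEntry(alias)) {
            throw new IllegalStateException("alias '" + alias + "' is not a key entry; available aliases: "
                    + Collections.list(ks.aliases()));
        }
        String keyPassword = props.getProperty(KEY_ENTRY_PASSWORD, require(props, KEY_PASSWORD));
        PrivateKey key = (PrivateKey) ks.getKey(alias, keyPassword.toCharArray());
        if (!(key instanceof RSAKey) || ((RSAKey) key).getModulus().bitLength() < 2048) {
            throw new IllegalStateException("expected an RSA private key of at least 2048 bits under alias " + alias);
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        cert.checkValidity(); // throws CertificateExpiredException / CertificateNotYetValidException
        return cert;
    }

    private static String require(Properties props, String key) {
        String value = props.getProperty(key);
        if (value == null || value.isBlank()) {
            throw new IllegalArgumentException("missing property " + key);
        }
        return value;
    }

    public static void main(String[] args) throws Exception {
        Properties props = new Properties();
        try (InputStream in = new FileInputStream(args.length > 0 ? args[0] : "saml.properties")) {
            props.load(in);
        }
        X509Certificate cert = check(props);
        System.out.println("keystore OK: " + cert.getSubjectX500Principal() + ", valid until " + cert.getNotAfter());
    }
}
```

Run it with the path to your saml.properties before starting the JUnit test; the certificate it returns is the one that must appear in the metadata imported into transaction SAML2, so a mismatch here also explains signature failures on the ABAP side.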
SAML Configuration
The saml.properties file contains several settings for the SAML configuration:
Field | Explanation |
---|---|
SAML Issuer Name | SAML2 identity providers identify themselves by a name. This name is also used in the trust relationship maintained in transaction SAML2. The default is DemoAppIDP, which can be changed if required. Comment in saml.properties: # SAML issuer name |
Audience Restriction | SAML assertions are issued to a specific system. The value of this field must match the name of the SAML2 local entity in your system; open transaction SAML2 to identify the correct value. Comment in saml.properties: # SAML target audience (-> name of local provider from transaction SAML2) |
OAuth Client Configuration
The OAuth client needs to authenticate itself against the Gateway system. The following settings must be maintained:
Field | Explanation |
---|---|
OAuth2 Client Id | The username of the ABAP service user that identifies the OAuth2 client. Comment in saml.properties: # OAuth2 client id |
OAuth2 Client Secret | The password of that service user, used for authentication. Comment in saml.properties: # OAuth2 client password |
URL of Token Endpoint | The URL of the token endpoint. The endpoint must be accessed through the HTTPS access point. Comment in saml.properties: # OAuth2 Token endpoint |
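The three settings above are exactly what the token request needs: the client authenticates with HTTP Basic (service user and password) against the HTTPS token endpoint and sends the signed SAML assertion as a SAML 2.0 bearer grant (RFC 7522). The class below is an added example using only the JDK's java.net.http client, not the OA2C project's own code; it takes the assertion XML that the project's OpenSAML code produces and exchanges it for an access token. Assumed property names are `oauth2.client.id`, `oauth2.client.secret`, `oauth2.token.endpoint` and an optional `oauth2.scope`; the base64url encoding of the assertion follows RFC 7522, so compare it with the sample messages page linked at the top if your Gateway release expects a different encoding.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Properties;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;

/** SAML 2.0 bearer token request against the OAuth2 token endpoint (added example). */
public class SamlBearerTokenRequest {

    static final String GRANT_TYPE = "urn:ietf:params:oauth:grant-type:saml2-bearer"; // RFC 7522

    /** Builds the application/x-www-form-urlencoded body of the token request. */
    static String formBody(String clientId, String assertionXml, String scope) {
        Map<String, String> params = new LinkedHashMap<>();
        params.put("grant_type", GRANT_TYPE);
        params.put("client_id", clientId);
        // RFC 7522: the assertion parameter is the base64url-encoded SAML assertion
        params.put("assertion", Base64.getUrlEncoder().withoutPadding()
                .encodeToString(assertionXml.getBytes(StandardCharsets.UTF_8)));
        if (scope != null && !scope.isBlank()) {
            params.put("scope", scope);
        }
        return params.entrySet().stream()
                .map(e -> encode(e.getKey()) + "=" + encode(e.getValue()))
                .collect(Collectors.joining("&"));
    }

    static String encode(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8);
    }

    /** Sends the request and returns the raw JSON token response; throws on any non-200 answer. */
    public static String requestToken(Properties props, String assertionXml) throws Exception {
        URI endpoint = URI.create(require(props, "oauth2.token.endpoint"));
        if (!"https".equalsIgnoreCase(endpoint.getScheme())) {
            // the page requires the HTTPS access point; a plaintext endpoint would leak the client secret
            throw new IllegalArgumentException("token endpoint must use HTTPS: " + endpoint);
        }
        String clientId = require(props, "oauth2.client.id");
        String secret = require(props, "oauth2.client.secret");
        String basic = Base64.getEncoder()
                .encodeToString((clientId + ":" + secret).getBytes(StandardCharsets.UTF_8));

        HttpRequest request = HttpRequest.newBuilder(endpoint)
                .header("Authorization", "Basic " + basic)
                .header("Content-Type", "application/x-www-form-urlencoded")
                .header("Accept", "application/json")
                .POST(HttpRequest.BodyPublishers.ofString(
                        formBody(clientId, assertionXml, props.getProperty("oauth2.scope"))))
                .build();
        HttpResponse<String> response = HttpClient.newHttpClient()
                .send(request, HttpResponse.BodyHandlers.ofString());
        if (response.statusCode() != 200) {
            // the error body carries "error" / "error_description"; never log the assertion or the secret
            throw new IllegalStateException("token request failed: HTTP " + response.statusCode()
                    + " " + response.body());
        }
        return response.body();
    }

    /** Minimal extraction of access_token from the JSON response, enough for a test client. */
    public static String accessToken(String json) {
        Matcher m = Pattern.compile("\"access_token\"\\s*:\\s*\"([^\"]+)\"").matcher(json);
        if (!m.find()) {
            throw new IllegalStateException("response contains no access_token");
        }
        return m.group(1);
    }

    private static String require(Properties props, String key) {
        String value = props.getProperty(key);
        if (value == null || value.isBlank()) {
            throw new IllegalArgumentException("missing property " + key);
        }
        return value;
    }

    public static void main(String[] args) throws Exception {
        // usage: java SamlBearerTokenRequest saml.properties signed-assertion.xml
        Properties props = new Properties();
        try (var in = Files.newInputStream(Path.of(args[0]))) {
            props.load(in);
        }
        String assertionXml = Files.readString(Path.of(args[1]));
        String token = accessToken(requestToken(props, assertionXml));
        System.out.println("access token obtained, length " + token.length());
    }
}
```

The returned access token is then sent as `Authorization: Bearer <token>` on the OData request to the Gateway system. Sending client_id in the body in addition to Basic authentication is redundant under RFC 6749 but harmless, and matches what the Gateway token endpoint expects for a service-user client.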
ABAP Configuration
Trust establishment in transaction SAML2 requires SAML2 metadata. The metadata file is generated by the unit test run and written to the working directory, as reported in the test output:
SAML2 Metadata
Metadata written to C:\Users\d039113\git\OA2C\OAuth2Client_Java\metadata.xml
Once the metadata is generated, follow the steps outlined in Using OAuth 2.0 from a Web Application with SAML Bearer Assertion Flow#ConfigurationGuideforthisscenario.
Integration
For integration in your application, please refer to the unit test https://github.com/d039113/OA2C/blob/master/OAuth2Client_Java/src/com/sap/security/oa2/test/LocalAssertionOAuth2Test.java
1 Comment
Ravi Joseph
Dear Martin,
I have followed all the steps but unfortunately am getting a CX-Saml2_assertion error. Could you suggest any solution for this, please?