OAuth 2.0 offers constrained access to web services without requiring the client to pass user credentials. This document describes how to consume a SAP NetWeaver Gateway OData service with the OAuth 2.0 SAML bearer assertion flow from a web application, and how to configure the components involved (OData service, OAuth client, SAML and resource authorizations).
- A user is authenticated by the Identity Provider (IDP) and logs on to the system.
- The authenticated user accesses a web application (OAuth client), which uses an OData service on the backend.
- The web application asks the Security Token Service (STS) to issue a SAML bearer assertion, which the client then uses to obtain an OAuth 2.0 access token from the OAuth 2.0 authorization server (AS ABAP).
- The web application obtains the access token using the received SAML bearer assertion and accesses the OData service with this token on behalf of the user.
The SAML bearer assertion can be issued centrally by a security token service (STS) or locally by a trusted API of the application itself.
Sample implementations for use in customer projects are available here: Sample Implementations
Configuration Guide for this scenario
To get this scenario running, several configuration steps have to be performed. Click on the links below to see the step-by-step descriptions for the various components involved. All configuration steps are based on the leave request example.
OData Service Enablement
SAP NetWeaver Gateway Transaction /IWFND/MAINT_SERVICE
Trust Relationship to the Security Token Service (STS)
OAuth 2.0 Client Registration
Resource Owner Authorizations
See the HTTP messages exchanged between the web application and the Security Token Service, and between the web application and the SAP NetWeaver Gateway system, respectively.
1. SAML Bearer Assertion
In our example the application issues the SAML assertion locally. Hence it uses the issuer name "DemoAppIDP", which does not refer to a central IDP service. The assertion itself needs to comply with the OAuth 2.0 specification. See this page for the requirements specification of the assertion.
2. OAuth 2.0 Access Token Request
After receiving a SAML assertion that identifies the resource owner (the user), the OAuth 2.0 client sends an access token request directly to the Gateway system that hosts the OData service in order to obtain an OAuth 2.0 access token. See a request example:
3. OAuth 2.0 Access Token Response
After a successful authentication and authorization check for both the OAuth client and the resource owner, the token endpoint inside the AS ABAP sends an OAuth 2.0 access token back.
See an example of a successful response.
4. OData Service Request and Response
The OAuth client uses the access token in the HTTP bearer authorization header to access the OData service (ZLEAVEREQUEST).
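The client side of steps 1 to 3 above, as an added Python example that is not part of this page or of the SAP sample implementations: it sanity-checks a constructed, unsigned assertion for the fields the SAML bearer grant (RFC 7522) requires, builds the access token request, and accepts the token response only if it actually carries a Bearer token. The client id, client secret, audience and user names are assumptions, and so is HTTP Basic client authentication at the token endpoint.

```python
import base64
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

SAML_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:saml2-bearer"
BEARER_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned sample assertion; a real one carries an XML signature.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_demo1"
  Version="2.0" IssueInstant="2013-01-01T00:00:00Z"><saml:Issuer>DemoAppIDP</saml:Issuer>
  <saml:Subject><saml:NameID>LEAVEUSER</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2013-01-01T00:05:00Z"/></saml:SubjectConfirmation>
  </saml:Subject><saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>GW_HOST_SID</saml:Audience></saml:AudienceRestriction></saml:Conditions>
</saml:Assertion>"""

def check_bearer_assertion(assertion_xml, expected_audience):
    """Pre-flight check of the fields RFC 7522 requires; returns the resource owner's NameID."""
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    conf = root.find("saml:Subject/saml:SubjectConfirmation", NS)
    audiences = [a.text for a in root.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if not root.findtext("saml:Issuer", namespaces=NS) or not name_id:
        raise ValueError("Issuer and Subject/NameID are mandatory")
    if conf is None or conf.get("Method") != BEARER_METHOD:
        raise ValueError("subject confirmation method must be bearer")
    if expected_audience not in audiences:
        raise ValueError("assertion is not restricted to the token endpoint's audience")
    return name_id

def build_token_request(assertion_xml, client_id, client_secret, scope):
    """Headers and form body of the access token request (RFC 7522 section 2.1).
    Client authentication by HTTP Basic is an assumption of this example."""
    body = urlencode({"grant_type": SAML_BEARER_GRANT,
                      "assertion": base64.urlsafe_b64encode(assertion_xml.encode()).decode().rstrip("="),
                      "client_id": client_id, "scope": scope})
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {"Content-Type": "application/x-www-form-urlencoded", "Authorization": f"Basic {creds}"}, body

def parse_token_response(raw_json, now):
    """Accept only a usable Bearer token; returns (access_token, absolute expiry as epoch seconds)."""
    resp = json.loads(raw_json)
    if resp.get("token_type", "").lower() != "bearer" or not resp.get("access_token"):
        raise ValueError(f"token request failed: {resp.get('error', 'no bearer token')}")
    return resp["access_token"], now + int(resp.get("expires_in", 0))
```

The returned access token is what the client then places in the `Authorization: Bearer` header of the OData request in step 4; the scope value is the OData service the client is registered for.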