
OAuth 2.0 offers constrained access to web services without requiring the client to pass the user's credentials. This document describes how to consume a SAP NetWeaver Gateway OData service from a web application using the OAuth 2.0 SAML bearer assertion flow, and how to configure the components involved (OData service, OAuth client, SAML trust and resource authorizations).


Target Scenario

  1. A user is authenticated by the Identity Provider (IDP) and logs on to the system.
  2. The authenticated user accesses a web application (the OAuth client), which uses an OData service on the backend.
  3. The web application asks the Security Token Service (STS) to issue a SAML bearer assertion, which the client uses to obtain an OAuth 2.0 access token from the OAuth 2.0 authorization server (AS ABAP).
  4. The web application obtains the access token with the received SAML bearer assertion and accesses the OData service with this token on behalf of the user.

The SAML bearer assertion can be issued centrally by a security token service (STS) or locally by a trusted API of the application itself.

Sample Implementations

Sample implementations for use in customer projects are available here: Sample Implementations

Configuration Guide for this scenario

To get this scenario running, several configuration steps have to be performed. Click on the links below to see the step-by-step descriptions for the various components involved. All configuration steps are based on the leave request example.

Configuration Step | Tools used
OData Service Enablement: OAuth 2.0 enabling of the approval service, OAuth 2.0 scope creation and assignment | SAP NetWeaver Gateway transaction /IWFND/MAINT_SERVICE
Trust Relationship to the Security Token Service (STS): configure the Gateway system to trust SAML bearer assertions issued by the STS | Transaction SAML2
OAuth 2.0 Client Registration: registration of the OAuth 2.0 client "LEAVEAPP", which makes calls on behalf of the resource owner user | Transaction SOAUTH2
Resource Owner Authorizations: assignment of authority object S_SCOPE in addition to the manager and employee users' usual permissions | Transaction PFCG

Message Flows

The following sections show the HTTP messages exchanged between the web application and the Security Token Service or the SAP NetWeaver Gateway system, respectively.

1. SAML Bearer Assertion

In our example the application issues the SAML assertion locally, so the issuer name "DemoAppIDP" does not refer to a central IDP service. The assertion itself needs to comply with the OAuth 2.0 specification for SAML bearer assertions. See this page for a requirements specification of the assertion.

<?xml version="1.0" encoding="UTF-8"?>
<saml2:Assertion ID="_2c74223a-442b-48ff-8843-012d82c2f539" IssueInstant="2013-03-25T15:07:30.369Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema">
	<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">DemoAppIDP</saml2:Issuer>
	<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
		<ds:SignedInfo>
			<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
			<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
			<ds:Reference URI="#_2c74223a-442b-48ff-8843-012d82c2f539">
				<ds:Transforms>
					<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
					<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
						<ec:InclusiveNamespaces PrefixList="xs" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
					</ds:Transform>
				</ds:Transforms>
				<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
				<ds:DigestValue>cjILDskglBoHfoHbGst4Mdsuomo=</ds:DigestValue>
			</ds:Reference>
		</ds:SignedInfo>
		<ds:SignatureValue>eQnK4...</ds:SignatureValue>
		<ds:KeyInfo>
			<ds:X509Data>
				<ds:X509Certificate>MIG...</ds:X509Certificate>
			</ds:X509Data>
		</ds:KeyInfo>
	</ds:Signature>
	<saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
		<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">manager</saml2:NameID>
		<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
			<saml2:SubjectConfirmationData NotOnOrAfter="2013-03-25T19:07:30.545Z" Recipient="https://iltlvwdmz100.dmztlv.sap.corp:8443/sap/bc/sec/oauth2/token"/>
		</saml2:SubjectConfirmation>
	</saml2:Subject>
	<saml2:Conditions NotBefore="2013-03-25T15:07:30.369Z" NotOnOrAfter="2013-03-25T19:07:30.545Z" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
		<saml2:AudienceRestriction>
			<saml2:Audience>GatewayProvider</saml2:Audience>
		</saml2:AudienceRestriction>
	</saml2:Conditions>
	<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
		<saml2:Attribute Name="client_id">
			<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">LEAVEAPP</saml2:AttributeValue>
		</saml2:Attribute>
	</saml2:AttributeStatement>
	<saml2:AuthnStatement AuthnInstant="2013-03-25T15:07:30.561Z" SessionNotOnOrAfter="2013-03-25T15:07:30.576Z" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
		<saml2:AuthnContext>
			<saml2:AuthnContextClassRef>urn:none</saml2:AuthnContextClassRef>
		</saml2:AuthnContext>
	</saml2:AuthnStatement>
</saml2:Assertion>
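As an added example (not code from the original page or from SAP), the following Python performs the checks a token endpoint applies to an incoming bearer assertion: trusted issuer, bearer confirmation method, Recipient equal to the token endpoint URL, validity window, audience, and a client_id attribute that matches the authenticated OAuth client. The sample assertion is a constructed copy of the one above with the ds:Signature element left out; verifying the signature against the trusted STS certificate is assumed to happen before this step and is not shown.

```python
"""Token-endpoint side checks on an OAuth 2.0 SAML bearer assertion (signature verification assumed done first)."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
TOKEN_ENDPOINT = "https://iltlvwdmz100.dmztlv.sap.corp:8443/sap/bc/sec/oauth2/token"

# Constructed sample: the page's assertion with the ds:Signature element left out.
ASSERTION = """<saml2:Assertion ID="_2c74223a-442b-48ff-8843-012d82c2f539" Version="2.0"
  IssueInstant="2013-03-25T15:07:30.369Z" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Issuer>DemoAppIDP</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID>manager</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml2:SubjectConfirmationData NotOnOrAfter="2013-03-25T19:07:30.545Z" Recipient="%s"/>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2013-03-25T15:07:30.369Z" NotOnOrAfter="2013-03-25T19:07:30.545Z">
    <saml2:AudienceRestriction><saml2:Audience>GatewayProvider</saml2:Audience></saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="client_id"><saml2:AttributeValue>LEAVEAPP</saml2:AttributeValue></saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>""" % TOKEN_ENDPOINT

def parse_ts(value):
    """Parse the UTC timestamps used in the assertion, e.g. 2013-03-25T15:07:30.369Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def validate_bearer_assertion(xml, now, client_id, audience, recipient, trusted_issuers):
    """Return the resource owner's NameID if every check passes, otherwise raise ValueError."""
    a = ET.fromstring(xml)
    if a.findtext("saml2:Issuer", namespaces=NS) not in trusted_issuers:
        raise ValueError("issuer is not a trusted STS")
    sc = a.find("saml2:Subject/saml2:SubjectConfirmation", NS)
    if sc is None or sc.get("Method") != BEARER:
        raise ValueError("subject confirmation method is not bearer")
    scd = sc.find("saml2:SubjectConfirmationData", NS)
    if scd.get("Recipient") != recipient or now >= parse_ts(scd.get("NotOnOrAfter")):
        raise ValueError("assertion was not issued for this token endpoint or has expired")
    cond = a.find("saml2:Conditions", NS)
    if not parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter")):
        raise ValueError("outside the Conditions validity window")
    if audience not in [x.text for x in cond.findall(".//saml2:Audience", NS)]:
        raise ValueError("audience does not name this OAuth 2.0 authorization server")
    val = a.find("saml2:AttributeStatement/saml2:Attribute[@Name='client_id']/saml2:AttributeValue", NS)
    if val is None or val.text != client_id:
        raise ValueError("client_id attribute does not match the authenticated OAuth client")
    return a.findtext("saml2:Subject/saml2:NameID", namespaces=NS)
```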


2. OAuth 2.0 Access Token Request

After receiving a SAML assertion that identifies the resource owner user, the OAuth 2.0 client sends an access token request directly to the Gateway system that hosts the OData service in order to obtain an OAuth 2.0 access token. See the request example:

POST https://gatewayhe.sap.de:1443/sap/bc/sec/oauth2/token HTTP/1.1
Authorization: Basic TE...
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Host: gatewayhe.sap.de:1443
Content-Length: 4534

client_id=LEAVEAPP&scope=ZLEAVEREQUEST_0001&grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=PEFzc2Vy...

3. OAuth 2.0 Access Token Response

After the OAuth client has been authenticated and the authorization checks for the client and the resource owner have succeeded, the token endpoint of the AS ABAP returns an OAuth 2.0 access token. See an example of a successful response:

HTTP/1.1 200 OK
Date: Thu, 14 Mar 2013 08:15:40 GMT
Server: SAP NetWeaver Application Server / ABAP 731
content-type: application/json; charset=utf-8
content-length: 142
cache-control: no-store
pragma: no-cache

{ "access_token":"AFB...","token_type":"Bearer","expires_in":"3600","scope":"ZLEAVEREQUEST_0001"}

4. OData Service Request and Response

The OAuth client sends the access token in the HTTP Authorization header with the Bearer scheme to access the OData service (ZLEAVEREQUEST).

GET https://gatewayhe.sap.de:1443/sap/opu/odata/sap/zleaverequest/?sap-client=001 HTTP/1.1
Authorization: Bearer AFB...
Host: gatewayhe.sap.de:1443

HTTP/1.1 200 OK
Date: Thu, 14 Mar 2013 08:15:40 GMT
Server: SAP NetWeaver Application Server / ABAP 731
content-type: application/atomsvc+xml
content-length: 877
dataserviceversion: 2.0
set-cookie: sap-usercontext=sap-client=001; path=/

<?xml version="1.0" encoding="utf-8"?><app:service xml:lang="en" xml:base="https://gatewayhe.sap.de:1443/sap/opu/odata/sap/zleaverequest/" ...
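The client side of steps 2 to 4 as an added example (not code from the original page or from SAP): it builds the saml2-bearer token request with HTTP Basic client authentication and a base64-encoded assertion in the form body, checks the token response before trusting it, and derives the Bearer header for the OData call. The assertion text, the client secret and the copy of the token response are constructed stand-ins.

```python
"""Client side of the flow: token request (step 2), token response check (step 3), Bearer header (step 4)."""
import base64
import json
from urllib.parse import parse_qs, urlencode

GRANT_TYPE = "urn:ietf:params:oauth:grant-type:saml2-bearer"
# Constructed stand-in for the signed assertion obtained in step 1.
ASSERTION_XML = ('<saml2:Assertion ID="_demo" Version="2.0" '
                 'xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">...</saml2:Assertion>')
# Constructed copy of the token response body shown in step 3.
TOKEN_RESPONSE = ('{ "access_token":"AFB...","token_type":"Bearer",'
                  '"expires_in":"3600","scope":"ZLEAVEREQUEST_0001"}')

def build_token_request(assertion_xml, client_id, client_secret, scope):
    """Return (headers, body) for POST .../sap/bc/sec/oauth2/token.
    The client authenticates with HTTP Basic; the assertion travels base64-encoded in the
    form body, where urlencode escapes '+', '/', '=' and ':' (the page shows ':' unescaped,
    which a form decoder accepts as well)."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": "Basic " + basic,
               "Content-Type": "application/x-www-form-urlencoded;charset=UTF-8"}
    body = urlencode({"client_id": client_id, "scope": scope, "grant_type": GRANT_TYPE,
                      "assertion": base64.b64encode(assertion_xml.encode()).decode()})
    return headers, body

def decode_assertion_param(body):
    """What the token endpoint recovers after form-decoding and base64-decoding the body."""
    return base64.b64decode(parse_qs(body)["assertion"][0]).decode()

def bearer_header_from_response(status, json_body, wanted_scope):
    """Check the token response and return the Authorization header value for the OData request.
    The response carries cache-control: no-store, and the client must not cache the token either."""
    if status != 200:
        raise ValueError(f"token request failed with HTTP {status}")
    tok = json.loads(json_body)
    if tok.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type; only Bearer tokens are expected here")
    if wanted_scope not in tok.get("scope", "").split():
        raise ValueError("requested scope was not granted")
    return "Bearer " + tok["access_token"]
```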