OAuth 2.0 offers constrained access to web services without requirement to pass user credentials. How to consume a SAP NetWeaver Gateway OData service with OAuth 2.0 SAML bearer assertion flow from a web application and how to configure the different components (OData service, OAuth client, SAML and resource authorizations) are described in this document.
Target Scenario
- A user is authenticated by the Identity Provider (IDP) and logs on to the system.
- The authenticated user accesses a web application (OAuth client), which uses an OData service on the backend.
- The web application asks the Security Token Service (STS) to issue a SAML bearer assertion, which the client will use to get an OAuth 2.0 access token from the OAuth 2.0 authorization server (AS ABAP).
- The web application obtains the access token using the received SAML bearer assertion and accesses the OData service with this token on behalf of the user.
The SAML bearer assertion can be issued centrally by a security token service (STS) or locally by a trusted API of the application itself.
Sample Implementations
Sample implementations for use in customer projects are available here: Sample Implementations
Configuration Guide for this scenario
To get this scenario running, several configuration steps have to be performed. Click on the links below to see the step-by-step descriptions for the various components involved. All configuration steps are based on the leave request example.
Configuration Step | Tools used |
OData Service Enablement | SAP NetWeaver Gateway Transaction /IWFND/MAINT_SERVICE |
Trust Relationship to the Security Token Service (STS) | Transaction SAML2 |
OAuth 2.0 Client Registration | Transaction SOAUTH2 |
Resource Owner Authorizations | Transaction PFCG |
Message Flows
See the HTTP messages exchanged between the web application and the Security Token Service, and between the web application and the SAP NetWeaver Gateway system.
1. SAML Bearer Assertion
In our example the application issues the SAML assertion locally. Hence it uses the issuer name "DemoAppIDP"; this does not refer to a central IDP service. The assertion itself needs to comply with the OAuth 2.0 specification. See this page for a requirements specification of the assertion.
<?xml version="1.0" encoding="UTF-8"?>
<saml2:Assertion ID="_2c74223a-442b-48ff-8843-012d82c2f539" IssueInstant="2013-03-25T15:07:30.369Z" Version="2.0"
                 xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">DemoAppIDP</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_2c74223a-442b-48ff-8843-012d82c2f539">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces PrefixList="xs" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>cjILDskglBoHfoHbGst4Mdsuomo=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>eQnK4...</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>MIG...</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">manager</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml2:SubjectConfirmationData NotOnOrAfter="2013-03-25T19:07:30.545Z"
                                     Recipient="https://iltlvwdmz100.dmztlv.sap.corp:8443/sap/bc/sec/oauth2/token"/>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2013-03-25T15:07:30.369Z" NotOnOrAfter="2013-03-25T19:07:30.545Z"
                    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:AudienceRestriction>
      <saml2:Audience>GatewayProvider</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:Attribute Name="client_id">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">LEAVEAPP</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
  <saml2:AuthnStatement AuthnInstant="2013-03-25T15:07:30.561Z" SessionNotOnOrAfter="2013-03-25T15:07:30.576Z"
                        xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:AuthnContext>
      <saml2:AuthnContextClassRef>urn:none</saml2:AuthnContextClassRef>
    </saml2:AuthnContext>
  </saml2:AuthnStatement>
</saml2:Assertion>
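The checks the token endpoint has to apply to such an assertion before it hands out an access token (trusted issuer, bearer confirmation, Recipient equal to the token endpoint, validity window, audience, and the client_id attribute matching the requesting client) are shown below as an added example in Python; it is not code from this page or from SAP. The sample input is the assertion above with its ds:Signature element left out, and the example assumes the XML signature has already been verified against the STS certificate held in the SAML2 trust configuration. The time of the check is passed in explicitly so the 2013 timestamps can be evaluated.

```python
"""Policy checks for an OAuth 2.0 SAML bearer assertion (RFC 7522 section 3),
as a token endpoint applies them before issuing an access token.
Added example; assumes the signature was verified beforehand."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML2 = "{urn:oasis:names:tc:SAML:2.0:assertion}"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample input: the page's assertion without its signature block.
SAMPLE_ASSERTION = """<saml2:Assertion ID="_2c74223a-442b-48ff-8843-012d82c2f539"
    IssueInstant="2013-03-25T15:07:30.369Z" Version="2.0"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Issuer>DemoAppIDP</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">manager</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml2:SubjectConfirmationData NotOnOrAfter="2013-03-25T19:07:30.545Z"
          Recipient="https://iltlvwdmz100.dmztlv.sap.corp:8443/sap/bc/sec/oauth2/token"/>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2013-03-25T15:07:30.369Z" NotOnOrAfter="2013-03-25T19:07:30.545Z">
    <saml2:AudienceRestriction><saml2:Audience>GatewayProvider</saml2:Audience></saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="client_id"><saml2:AttributeValue>LEAVEAPP</saml2:AttributeValue></saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
"""


def parse_utc(value):
    """Parse a SAML xs:dateTime such as 2013-03-25T19:07:30.545Z."""
    return datetime.fromisoformat(value.rstrip("Z")).replace(tzinfo=timezone.utc)


def assertion_subject(xml_text):
    """Name of the resource owner the assertion speaks for (the NameID)."""
    return ET.fromstring(xml_text).findtext(f"{SAML2}Subject/{SAML2}NameID")


def validate_bearer_assertion(xml_text, *, token_endpoint, audience, client_id,
                              trusted_issuers, now):
    """Return the list of policy violations; an empty list means the
    assertion may be exchanged for an access token."""
    root = ET.fromstring(xml_text)
    if root.tag != SAML2 + "Assertion" or root.get("Version") != "2.0":
        return ["not a SAML 2.0 Assertion"]
    problems = []
    issuer = root.findtext(SAML2 + "Issuer")
    if issuer not in trusted_issuers:
        problems.append(f"untrusted issuer {issuer!r}")
    # Bearer confirmation aimed at this token endpoint, and still within time.
    conf = root.find(f"{SAML2}Subject/{SAML2}SubjectConfirmation")
    if conf is None or conf.get("Method") != BEARER:
        problems.append("subject confirmation method is not bearer")
    else:
        data = conf.find(SAML2 + "SubjectConfirmationData")
        if data is None or data.get("Recipient") != token_endpoint:
            problems.append("Recipient does not match the token endpoint")
        if data is not None and data.get("NotOnOrAfter") and now >= parse_utc(data.get("NotOnOrAfter")):
            problems.append("subject confirmation expired")
    # Validity window and audience restriction.
    cond = root.find(SAML2 + "Conditions")
    if cond is None:
        problems.append("missing Conditions")
    else:
        if cond.get("NotBefore") and now < parse_utc(cond.get("NotBefore")):
            problems.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") is None or now >= parse_utc(cond.get("NotOnOrAfter")):
            problems.append("assertion expired or has no NotOnOrAfter")
        audiences = [a.text for a in cond.iter(SAML2 + "Audience")]
        if audience not in audiences:
            problems.append(f"audience {audiences} does not include {audience!r}")
    # The assertion must be bound to the client that presents it.
    attrs = {a.get("Name"): a.findtext(SAML2 + "AttributeValue") for a in root.iter(SAML2 + "Attribute")}
    if attrs.get("client_id") != client_id:
        problems.append("client_id attribute does not match the requesting client")
    return problems
```

The sample assertion is signed with rsa-sha1 and digested with sha1; a current deployment should configure the STS for SHA-256 based algorithms, since SHA-1 signatures are no longer considered collision resistant.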
2. OAuth 2.0 Access Token Request
After receiving a SAML assertion that identifies the resource owner (the user), the OAuth 2.0 client sends an access token request directly to the Gateway system on which the OData service is hosted, in order to obtain an OAuth 2.0 access token. See a request example:
POST https://gatewayhe.sap.de:1443/sap/bc/sec/oauth2/token HTTP/1.1
Authorization: Basic TE...
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Host: gatewayhe.sap.de:1443
Content-Length: 4534

client_id=LEAVEAPP&scope=ZLEAVEREQUEST_0001&grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=PEFzc2Vy...
3. OAuth 2.0 Access Token Response
After successful authentication and authorization checks for both the OAuth client and the resource owner, the token endpoint inside the AS ABAP sends an OAuth 2.0 access token back.
See an example of a successful response.
HTTP/1.1 200 OK
Date: Thu, 14 Mar 2013 08:15:40 GMT
Server: SAP NetWeaver Application Server / ABAP 731
content-type: application/json; charset=utf-8
content-length: 142
cache-control: no-store
pragma: no-cache

{ "access_token":"AFB...","token_type":"Bearer","expires_in":"3600","scope":"ZLEAVEREQUEST_0001"}
4. OData Service Request and Response
The OAuth client sends the access token in the HTTP Authorization header using the Bearer scheme to access the OData service (ZLEAVEREQUEST).
GET https://gatewayhe.sap.de:1443/sap/opu/odata/sap/zleaverequest/?sap-client=001 HTTP/1.1
Authorization: Bearer AFB...
Host: gatewayhe.sap.de:1443

HTTP/1.1 200 OK
Date: Thu, 14 Mar 2013 08:15:40 GMT
Server: SAP NetWeaver Application Server / ABAP 731
content-type: application/atomsvc+xml
content-length: 877
dataserviceversion: 2.0
set-cookie: sap-usercontext=sap-client=001; path=/

<?xml version="1.0" encoding="utf-8"?><app:service xml:lang="en" xml:base="https://gatewayhe.sap.de:1443/sap/opu/odata/sap/zleaverequest/" ...
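The client side of steps 2 to 4, as an added example in Python that is not code from this page or from SAP: it assembles the saml2-bearer token request (assertion base64url-encoded without padding, as RFC 7522 asks, and HTTP Basic client authentication as in the request above), validates the token response before trusting it, and attaches the token to the OData call while refusing to reuse a token that is about to expire. The functions are pure and take no network, so they can be wired into any HTTP library; the client secret, the sample token response and the epoch timestamps are constructed, and the endpoint URLs and scope are the ones from the messages above.

```python
"""OAuth 2.0 client helpers for the SAML bearer flow: token request,
token response validation and Bearer authorization for OData.
Added example; values marked constructed are not from the page."""
import base64
import json
from urllib.parse import urlencode, parse_qs

TOKEN_ENDPOINT = "https://gatewayhe.sap.de:1443/sap/bc/sec/oauth2/token"
ODATA_SERVICE = "https://gatewayhe.sap.de:1443/sap/opu/odata/sap/zleaverequest/?sap-client=001"
SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"


def build_token_request(assertion_xml, client_id, client_secret, scope):
    """Return (headers, body) for the access token request (step 2)."""
    # RFC 7522: base64url, no line wrapping, padding characters omitted.
    assertion = base64.urlsafe_b64encode(assertion_xml.encode("utf-8")).decode("ascii").rstrip("=")
    body = urlencode({"client_id": client_id, "scope": scope,
                      "grant_type": SAML2_BEARER, "assertion": assertion})
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode("utf-8")).decode("ascii")
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded;charset=UTF-8",
               "Content-Length": str(len(body))}
    return headers, body


def assertion_from_body(body):
    """What the token endpoint does first: recover the assertion XML from the
    form body, restoring the padding the client stripped."""
    param = parse_qs(body)["assertion"][0]
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4)).decode("utf-8")


class AccessToken:
    def __init__(self, value, scope, expires_in, obtained_at):
        self.value = value
        self.scope = scope
        self.expires_at = obtained_at + expires_in  # seconds since the epoch

    def is_valid(self, now, margin=30):
        # Give up on the token a little before the server does, so no request
        # is sent with a token that expires while in flight.
        return now + margin < self.expires_at


def parse_token_response(status, headers, body, obtained_at):
    """Turn the token endpoint's response (step 3) into an AccessToken, or
    raise ValueError when it is not a usable Bearer token response."""
    if status != 200:
        raise ValueError(f"token endpoint answered {status}")
    ctype = {k.lower(): v for k, v in headers.items()}.get("content-type", "")
    if not ctype.startswith("application/json"):
        raise ValueError(f"unexpected content type {ctype!r}")
    data = json.loads(body)
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError("only Bearer tokens are understood")
    # The AS ABAP response above sends expires_in as a string; int() covers both forms.
    return AccessToken(data["access_token"], data.get("scope"), int(data["expires_in"]), obtained_at)


def odata_request_headers(token, now):
    """Headers for the OData call (step 4); never reuse an expired token."""
    if not token.is_valid(now):
        raise ValueError("access token expired; request a fresh assertion and token")
    return {"Authorization": f"Bearer {token.value}"}


# Constructed sample: the token response from step 3, as (status, headers, body).
SAMPLE_TOKEN_RESPONSE = (
    200,
    {"content-type": "application/json; charset=utf-8", "cache-control": "no-store", "pragma": "no-cache"},
    '{ "access_token":"AFB...","token_type":"Bearer","expires_in":"3600","scope":"ZLEAVEREQUEST_0001"}',
)

if __name__ == "__main__":
    # Constructed placeholder assertion and client secret for the demonstration run.
    headers, body = build_token_request("<Assertion>...</Assertion>", "LEAVEAPP", "client-secret", "ZLEAVEREQUEST_0001")
    print("POST", TOKEN_ENDPOINT, headers, body[:80] + "...")
    token = parse_token_response(*SAMPLE_TOKEN_RESPONSE, obtained_at=1000.0)
    print("GET", ODATA_SERVICE, odata_request_headers(token, now=1500.0))
```

The response headers cache-control: no-store and pragma: no-cache in the sample above are what RFC 6749 requires for a token response; a client should likewise keep the token out of any shared cache or log and hold it only for as long as expires_in allows.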