Skip to Content
Oct 06, 2016 at 06:31 PM

Consuming HCP API mgmt gateway services from Azure/AWS using openid connect


Currently involved in agile experiments around cloud platforms for mobility of non-SAP business systems, and have a concrete challenge.

We're looking at how to best consume data from SAP systems from Azure or AWS mobile clients or API gateways.

We want to try out exposing an onPremise Gateway service through HCP API Management and consume it from Azure or AWS. We want to have one identity provider outside HCP, and have already established an externally facing AD Federation Services (AD FS) and an Azure AD. Hana Cloud connector with principal propagation is already in place from another initiative, and this is currently setup to use SAML against AD FS.

For authenticating against the gateway service in HCP API management, we had hoped we would be able to use Openid Connect/OAuth. The authentication of named user would need to be passed down to the Cloud connector, causing prinipal propagtion of the same named user to be executed against the SAP NetWeaver ABAP system hosting the actual gateway service.

However, from our initial investigation it seems HCP and HCP API mgmt does not support OAuth/OpenID for consumption of service.

There are OAuth settings for HCP security settings, but this then makes HCP the OAuth identity provider (which for us is a role I believe AD FS or Azure AD must fulfill).

Is our understanding above correct? Is there another way of obtaining a token which can be used against HCP API mgmt?