OData Provisioning and Basic Authentication combination - Unauthorised messages

pjcools
Active Contributor

Hi

I am currently working on a project with a number of applications that require different authentication mechanisms but still going through OData provisioning through to the SAP Cloud Connector. The scenarios include:

1. Applications that are user specific - reading and writing to the backend ERP system via OData Provisioning via SAP Cloud Connector -> to the backend ERP system. This is being used successfully and full principal propagation security is in place and all users are identified successfully.

This scenario utilises:

- an ApptoAppSSO destination at the subaccount level pointing to the gwaas application (Odata provisioning).

- an OData provisioning specific destination that points to the backend ERP system using Onpremise and Principal Propagation settings

For this to also work I have the Access Control setting in the SAP Cloud Connector as Principal Type = X509 Certificate AND also have a short-lived certificate loaded from the SCC into the backend ERP system.

All of this works perfectly well. There are absolutely no issues with this setup.

2. Applications that only READ from the backend ERP system therefore all users read the same content and we don't need to read anything different based on the userid. For this I was expecting to utilise the same setup. Create a new destination at the subaccount level using ApptoAppSSO exactly as above. This would then point to an OData provisioning destination but in this case it would utilise Basic Authentication instead of Principal Propagation.

This would mean I needed a new access control entry in the SCC that was not passing an X509 certificate to the ERP system.

BUT, I did all of this and it does not work. The userid I am using in the Basic Auth has all of the roles assigned but still does not work. I receive the UNAUTHORISED message in the OData provisioning troubleshooting function.

I am mindful that I still have CERTRULE operating in the backend so not sure how this would work with the Basic Authentication option - especially when there is no certificate being passed in.

So, looking for assistance in getting this to work. I've read mixed messages online trying to find answers to this and in some cases I have found statements that OData provisioning and Basic Auth do not work?? Can anyone confirm this?

I have checked the /IWBEP service in SICF so not sure whether I need to adjust the Login procedure but I've not had to do this for the Principal Propagation settings so did not make sense to change this here.

Any assistance would be greatly received.

Thanks! & Kind Regards

Phil Cooley

pjcools
Active Contributor

@erprz - please refer to this recent blog post I wrote on how to set this up fully.

https://blogs.sap.com/2019/12/01/odata-provisioning-options-principal-propagation-and-basic-authenti...

Hope this helps!

Kind Regards

Phil Cooley

Accepted Solutions (1)

pjcools
Active Contributor

Glad to report this issue is now resolved. The fix was to change the IWBEP service in SICF, changing the Logon Data -> Procedure setting to L - Alternative Logon Procedure.

In the Logon procedure list I moved the Basic Authentication option up to 1st position.

This fixed the issue.

So the overall setup includes:

- New access control setting in the SAP Cloud Connector. Principal type setting should be None.

- Subaccount destination with AppToAppSSO setting -> pointing to an ODP Basic Auth destination.

- ODP destination with Basic Authentication with a logon ID that has the GW_User role + backend security roles.

With the above setup this works well!
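The two destinations from the accepted setup, written out in the Neo destination file format as an added illustration (not the original post's or SAP's own files); the subaccount name, the ERP host and port, the technical user name and the client are placeholders, and the Cloud Connector access-control entry (Principal Type = None) is configured in the SCC UI and has no file form:

```properties
# Constructed illustration: two separate destination files shown back to back.
# Placeholders: <subaccount>, erp.internal.example:8000, ODP_TECH_USER, client 100.

# 1) Subaccount-level destination used by the UI application.
#    It points at the OData Provisioning (gwaas) application and passes the
#    logged-in cloud user along with AppToAppSSO.
Name=ODP_BASIC
Type=HTTP
URL=https://gwaas-<subaccount>.hana.ondemand.com
Authentication=AppToAppSSO

# 2) OData Provisioning destination to the on-premise ERP system.
#    Reaches the backend through the Cloud Connector (ProxyType=OnPremise) and
#    logs on with one technical user for every cloud user, so no X.509
#    certificate is forwarded. That user needs the GW_User role plus the
#    backend security roles, and the IWBEP SICF node must offer Basic
#    Authentication first (Alternative Logon Procedure, as in the answer).
#    The client is supplied on the URL as the thread describes (assumption:
#    the backend is reachable under this virtual host from the SCC).
Name=ERP_BASIC
Type=HTTP
URL=http://erp.internal.example:8000?sap-client=100
ProxyType=OnPremise
Authentication=BasicAuthentication
User=ODP_TECH_USER
Password=<set in the cockpit, never in a checked-in file>
```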

Hi Phil,

For OData provisioning in SCP with basic authentication, we receive error HTTP 401 'Cannot source service from Destination' at the OData provisioning admin screen, with the error 'Cannot retrieve services from destination' shown in red.

Will your above steps work?

Also, is the following step needed?

Subaccount destination with AppToAppSSO setting -> pointing to an ODP Basic Auth destination.

Destinations are checked successfully.

iwbep is also made an accessible path and subpath of /SAP in Cloud Connector admin.

iwbep is also active in SICF.

Client is specified in the destination URL at the OData provisioning level.

Rehan

pjcools
Active Contributor

Hi erprz - please refer to the blog post I wrote on this very topic. I have used this approach and it is successful.

Good Luck! Give me a shout if this does not work for you.

https://blogs.sap.com/2019/12/01/odata-provisioning-options-principal-propagation-and-basic-authenti...

Kind Regards

Phil Cooley

rbindal
Explorer

We wanted to know whether we can set up principal propagation in OData provisioning. Everywhere I look it talks about basic authentication.

pjcools
Active Contributor

Hi rbindal - refer to this for some more information. There is plenty of content on the web on configuring principal propagation. Check out the following links:

https://blogs.sap.com/2018/11/06/sap-cloud-platform-authentication-setup-using-ias-with-on-premise-c...

https://github.com/SAP-archive/cloud-platform-connectivity-principal-propagation/blob/master/exercis...

Hope this helps.

thanks

Phil