on 08-30-2019 7:24 AM
Hello,
We have a scenario where users want to authenticate using Azure AD and access OData services via SAP Gateway in SAP CRM (NetWeaver 7.5). Currently we have a setup working where the flow is:
1) The user authenticates to an app registration in Azure AD and gets a JWT token
2) Our web app (server side) uses an Azure Enterprise App to exchange this JWT for a SAML
3) CRM is set up to trust the Enterprise App from step 2, and the web app (server side) calls CRM to get an access token
4) The access token is sent as authentication bearer in the OData call to CRM
This works for us, but I'm curious about the other OAuth flow available, with authorization codes instead of SAML2, since this would align our SAP SSO more with our existing authentication flows. However, when I try from Postman I get different error messages, and I cannot really find which endpoints I should use.
This is what I'm currently trying to get my access token from Azure
Then I try to get my bearer from SAP, but fail.
POST /sap/bc/sec/oauth2/token?code=<acces_code_from_step_before>&grant_type=authorization_code&redirect_uri=<redirect_uri_to_our_web_app>
{ "error":"invalid_grant","error_description":"Authorization code has invalid length." }
Since the SAML2 flow works I'm pretty sure the trust is set up correctly, but I'm not sure which endpoints and parameters to use.
This is the OAuth setup
Grateful for all hints
In the end we ended up with a service that created our own SAML assertion and signed it with a cert that is trusted by NetWeaver.
Hi ,
I am trying to achieve something similar maybe you can answer some questions for me 🙂
2) Our web app (server side) uses an Azure Enterprise App to exchange this JWT for a SAML
I did the same but used an OBO flow from my registered application to the SAP NetWeaver Enterprise Application, and passing my SAML bearer to my token service via the Trusted IdP setup, but got an incorrect Recipient error. How did you get past this issue? How did you generate your SAML assertion? The Recipient is tied to the redirect URL and it can't point to the token service I was sending it to, as it would break if you connected through the browser.
3) CRM is setup to trust the Enterprise App from step 2, and the web app (server side) calls CRM to get an access token
What calls did you make here?
Appreciate the help!
Hello Mattias,
I'm looking to implement the service to service scenario using Azure Enterprise App.
Could you please provide more details into how this was done?
Thanks
Saleel
We generate the SAML from Azure AD by posting to this URL
https://login.microsoftonline.com/<tenant id>/oauth2/token
with the following body as form data
grant_type:urn:ietf:params:oauth:grant-type:jwt-bearer
assertion:<JWT>
client_id:<client id of Azure AD App>
client_secret:<client secret>
resource: <local provider name>
requested_token_use:on_behalf_of
requested_token_type:urn:ietf:params:oauth:token-type:saml2
However, you could use the Node.js service below to generate a SAML, or take the route we finally did and use SAP API Management.
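The two token requests from the post above, written out as an added example (this is not the author's code and not the linked GitHub service). The Azure AD URL and form fields are exactly the ones quoted above; the field names for the SAP side are an assumption about NetWeaver's SAML 2.0 bearer grant on `/sap/bc/sec/oauth2/token` (HTTP Basic auth with the OAuth client from SOAUTH2, `grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer`, base64 assertion, `scope` = the OData service's scope). The expected audience and the sample JWT are constructed placeholders. It runs on Node 18+ (global `fetch`).

```javascript
// Added example, not from the thread or the linked repo. Builds the Azure OBO request (step 2)
// and the SAP saml2-bearer request (step 3) of the JWT -> SAML2 -> SAP access token flow.
// Assumptions: SAP field names for the saml2-bearer grant; 'aud' of the incoming JWT equals
// the app registration's client id (v1 tokens; v2 tokens may carry api://<client id>).

// Decode a JWT payload (base64url) without verifying the signature. Used only for a cheap
// local pre-check so an expired or misdirected token is not sent to Azure AD at all.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Reject tokens Azure AD would reject anyway: expired, or issued for a different app.
function checkJwtUsable(jwt, expectedAudience, nowSeconds = Math.floor(Date.now() / 1000)) {
  const payload = decodeJwtPayload(jwt);
  if (typeof payload.exp !== 'number' || payload.exp <= nowSeconds) return { ok: false, reason: 'expired' };
  if (payload.aud !== expectedAudience) return { ok: false, reason: 'audience mismatch' };
  return { ok: true, reason: null };
}

// Step 2: on-behalf-of request to Azure AD asking for a SAML2 assertion instead of a JWT.
// 'resource' is the local provider name of the SAP NetWeaver Enterprise App.
function buildAzureOboRequest({ tenantId, clientId, clientSecret, jwt, resource }) {
  const body = new URLSearchParams({
    grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
    assertion: jwt,
    client_id: clientId,
    client_secret: clientSecret,
    resource,
    requested_token_use: 'on_behalf_of',
    requested_token_type: 'urn:ietf:params:oauth:token-type:saml2',
  });
  return {
    url: `https://login.microsoftonline.com/${tenantId}/oauth2/token`,
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  };
}

// Step 3 (assumed field names): SAML 2.0 bearer assertion grant against the NetWeaver token
// endpoint. The OAuth client authenticates with HTTP Basic; Azure returns the assertion in
// 'access_token' already base64 encoded, so it is passed through unchanged.
function buildSapSamlBearerRequest({ sapBaseUrl, sapClient, oauthClientId, oauthClientSecret, samlAssertion, scope }) {
  const body = new URLSearchParams({
    grant_type: 'urn:ietf:params:oauth:grant-type:saml2-bearer',
    client_id: oauthClientId,
    assertion: samlAssertion,
    scope,
  });
  const basic = Buffer.from(`${oauthClientId}:${oauthClientSecret}`).toString('base64');
  return {
    url: `${sapBaseUrl}/sap/bc/sec/oauth2/token?sap-client=${encodeURIComponent(sapClient)}`,
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded', Authorization: `Basic ${basic}` },
    body: body.toString(),
  };
}

// Step 4: the OData call carries only the SAP access token, never the Azure JWT or the SAML.
function buildODataHeaders(sapAccessToken) {
  return { Authorization: `Bearer ${sapAccessToken}`, Accept: 'application/json' };
}

// End-to-end orchestration over the network (not exercised offline).
async function exchangeForSapToken(cfg, jwt) {
  const usable = checkJwtUsable(jwt, cfg.clientId);
  if (!usable.ok) throw new Error(`refusing to exchange JWT: ${usable.reason}`);
  const obo = buildAzureOboRequest({ ...cfg, jwt });
  const oboRes = await fetch(obo.url, obo);
  if (!oboRes.ok) throw new Error(`Azure OBO failed: ${oboRes.status} ${await oboRes.text()}`);
  const { access_token: samlAssertion } = await oboRes.json();
  const sap = buildSapSamlBearerRequest({ ...cfg, samlAssertion });
  const sapRes = await fetch(sap.url, sap);
  if (!sapRes.ok) throw new Error(`SAP token exchange failed: ${sapRes.status} ${await sapRes.text()}`);
  return (await sapRes.json()).access_token;
}

// Constructed sample JWT (unsigned, for the local pre-check only): aud = placeholder app id,
// exp = 2100-01-01. A real token from Azure AD is signed and must be verified by the web app.
const SAMPLE_JWT = [
  Buffer.from(JSON.stringify({ alg: 'none', typ: 'JWT' })).toString('base64url'),
  Buffer.from(JSON.stringify({ aud: 'app-id-placeholder', exp: 4102444800 })).toString('base64url'),
  '',
].join('.');
```

Keeping the request builders separate from the network calls is what makes the flow easy to check in Postman: paste the body strings each function returns, compare them with what the server rejects, and the error message (for example an invalid_grant) can be attributed to one request rather than to the whole chain.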
Hello everyone,
I've been pulling my hair out the whole day with a similar scenario. We have a web app that uses Azure AD for authentication, which will consume OData from SAP Gateway. I'm trying to find a way to exchange the JWT for a SAML token but didn't have any luck so far.
Can someone please shed a light on how to achieve this please?
Any help will be much appreciated!
Regards,
Christiano
I will try to do a write-up of what we did, it's too big for just a comment though.
But in short what you need to do is
I followed this guide to set it all up
https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/sap-netweaver-tutorial
The flow that we used is
We had issues with step 1, since we have multiple Azure applications that need to access the same SAP system, so we have since then moved on to using SAP API Management instead, so I don't have the details of our setup left, but reading and following the tutorial above should be enough to get you started. Also, we use Postman to be able to easily test all this.
I also created a small Node.js service that basically takes a JWT, verifies it and then creates a SAML token that can be used by SAP NW, without needing to juggle with Azure AD. I'll upload it to GitHub.
Please see this github repo, https://github.com/trr-official/saml_sap_jwt
It's very basic right now and not a lot of documentation. We're not using it anymore so I did not spend a lot of time on cleaning it up.
Please create issues in the GitHub repo if you have issues, so everyone can follow them.
Hello,
I have followed this guide to set everything up.
https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/sap-netweaver-tutorial
I have passed the tests and the SSO is working, but I don't understand the part of SAP NetWeaver for OAuth. I have configured the OData service in SAP Gateway and the OAuth 2.0 client. What would be the next step to test it? How to call Azure AD to get the SAML assertion that can be consumed by SAP NW, and call SAP NW with that assertion to exchange it for an access token? Is it possible that you can list out the endpoints with parameters that you have called?
In the above comments, a JWT token is received from Azure. What is the endpoint to call and get this token in Azure?
From the guide, the reply URL in the Enterprise Application should be "[SAP NW server name]/sap/saml2/sp/acs/[client no]", but for OAuth, the reply URL should be "[SAP NW server name]/sap/bc/sec/oauth2/token?sap-client=[client no]". How to resolve this?
I am sorry that I have so many questions.
Dominic