
Can't authenticate against HTML-Mashup embedded SCP application in C4C

Dear experts,

I wanted to extend SAP C4C with an SCP application hosted on CF. I have been following this guide: Extending SAP Cloud for Customer on Cloud Foundry Environment Manually

https://help.sap.com/viewer/462e41a242984577acc28eae130855ad/Cloud/en-US/1150e4395ba6487bad2a7164db7ea417.html

Everything works as expected, except authenticating with the extension application from the HTML Mashup in C4C.

If the user starts a new session with C4C through the configured IdP, the mashup cannot be displayed. The reason is that the SCP authentication service disallows display in an iframe by setting the header field X-Frame-Options: DENY. Since HTML mashups in C4C are embedded in iframes, loading the mashup fails.

Procedure which fails:

  1. User opens a new browser session (not logged into IdP)
  2. User opens C4C - gets redirected to IdP
  3. User logs into IdP, and gets redirected to C4C (authenticated)
  4. User opens screen with the HTML mashup in C4C
  5. Mashup iframe loads application page (through CF approuter)
  6. CF approuter redirects to CF authentification service https:// . authentication.eu10.hana.ondemand.com/oauth/authorize?response_type=code&client_id=sb-poc_oauth_c4c!t38354&redirect_uri= >
  7. Loading the authentication service in the HTML Mashup iframe fails:
    "Refused to display 'https:// . authentication.eu10.hana.ondemand.com/login' in a frame because it set 'X-Frame-Options' to 'deny'"

The message is correct:

X-Frame-Options: DENY will make the browser refuse to handle the redirect to the login on the SCP CF authentication service. SSO fails and the Mashup doesn't load.

Note: The mashup works fine if the user is already authenticated with SCP. So if the user visits the extension application (or any other application on SCP) first and authenticates, no redirection to the SCP authentication service occurs, and the mashup can load. This is obviously not a solution for a productive use case though.


1. Am I missing something here? I am confused how the concept described in the extension guide is ever supposed to work.

2. Has anyone made SCP extension with SSO work with C4C? Any advice?

Best regards,

Manuel

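The failing redirect chain from steps 5 to 7 can be reproduced offline with the following Python, an added example that is not part of the question or of any SAP code: it applies the browser's framing rules (X-Frame-Options, and CSP frame-ancestors where present) to each hop and reports the first response a C4C iframe would refuse to render. All hostnames, the client_id and the sample headers are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

def origin_of(url):
    return "{}://{}".format(*urlsplit(url)[:2]).lower()

def _source_matches(src, embedder, page_origin):
    # One CSP frame-ancestors source expression tested against the embedding origin.
    src = src.lower()
    if src == "*":
        return True
    if src == "'self'":
        return page_origin == embedder
    if src.startswith("https://*."):  # host wildcard, e.g. https://*.crm.ondemand.com
        return embedder.startswith("https://") and embedder.endswith(src[len("https://*"):])
    return src == embedder

def framing_allowed(headers, embedder, page_url):
    # Returns (allowed, reason) for rendering this response in an iframe whose top-level
    # document has origin `embedder`. A CSP frame-ancestors directive overrides X-Frame-Options.
    h = {k.lower(): v for k, v in headers.items()}
    m = re.search(r"frame-ancestors\s+([^;]+)", h.get("content-security-policy", ""), re.I)
    if m:
        ok = any(_source_matches(s, embedder, origin_of(page_url)) for s in m.group(1).split())
        return ok, "CSP frame-ancestors " + m.group(1).strip()
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        return origin_of(page_url) == embedder, "X-Frame-Options: SAMEORIGIN"
    return True, "no framing restriction"

def first_blocking_hop(chain, embedder):
    # chain: (url, headers) pairs in the order the browser follows the redirects.
    for url, headers in chain:
        ok, why = framing_allowed(headers, embedder, url)
        if not ok:
            return url, why
    return None
# Constructed sample mirroring steps 5-7 of the question; every hostname is a placeholder.
C4C_ORIGIN = "https://my300000.crm.ondemand.com"
UAA = "https://tenant-placeholder.authentication.eu10.hana.ondemand.com"
LOGIN_URL = UAA + "/login"
SAMPLE_CHAIN = [
    ("https://approuter-placeholder.cfapps.eu10.hana.ondemand.com/",
     {"Location": UAA + "/oauth/authorize?response_type=code&client_id=PLACEHOLDER"}),
    (UAA + "/oauth/authorize?response_type=code&client_id=PLACEHOLDER", {"Location": LOGIN_URL}),
    (LOGIN_URL, {"X-Frame-Options": "deny", "Content-Type": "text/html"}),
]
```

Running `first_blocking_hop(SAMPLE_CHAIN, C4C_ORIGIN)` points at the `/login` hop, which is exactly the response the browser console complains about in step 7; feeding the function real response headers captured from the approuter chain shows whether a trusted-domain or frame-ancestors change actually took effect.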


2 Answers

  • Best Answer
    Posted on Apr 08, 2020 at 09:52 AM

    I have finally solved this problem.

    Turns out there is a setting "iframeDomains" on the UAA service. Unfortunately this seems to be neither documented nor is there a UI for it. The only documentation I found for it (for the same problem I had) was with SAP Conversational AI:

    https://help.sap.com/viewer/eafc53387d0d46a887611a1f48ca6d23/1911/en-US/e409c11690474c9ea5b9e35f29d4e9c9.html#loio82285888d0f0473e95b19f29c27d5f12

    There is now a new note for this problem for C4C: https://launchpad.support.sap.com/#/notes/2912358 . However, documentation like the Conversational AI guide has should be added wherever CF applications are embedded into other applications, such as the extension guide for C4C that I was following.


  • Posted on Mar 31, 2020 at 09:02 PM

    Hi Manuel,

    Based on my past experience, I know that SAP IDS has a clickjacking framing protection framework and due to this, they don't allow framing the IDS service just like that. However, if you have a custom IDS tenant then they do have a section in the SAP IDS tenant where you can configure who can call your IDS in an iframe, by means of the "Trusted Domains" app. You can go to: Applications & Resources --> Tenant Settings --> Trusted Domains and add a new entry for your C4C URL as my3*****.crm.ondemand.com, or for any C4C tenant you can enter a wildcard pattern as *.crm.ondemand.com. You can refer to https://help.sap.com/viewer/fd39efd120a74b37a1acca61d63bacaf/Cloud/en-US/03fd4358fcb34198b904a8a77ac69538.html for more details.

    AFAIK, configuring a trusted domain can only be done in a custom IDP, hence please check whether you have a custom IDS provisioned.

    More details:

    https://apps.support.sap.com/sap/support/knowledge/public/en/2597946

    BR
    Saurabh

