
Can't authenticate against HTML-Mashup embedded SCP application in C4C


Dear experts,

I wanted to extend SAP C4C with an SCP application hosted on CF. I have been following this guide: Extending SAP Cloud for Customer on Cloud Foundry Environment Manually

https://help.sap.com/viewer/462e41a242984577acc28eae130855ad/Cloud/en-US/1150e4395ba6487bad2a7164db7...

Everything works as expected, except authenticating with the extension application from the HTML Mashup in C4C.

If the user starts a new session with C4C through the configured IdP, the mashup cannot be displayed. The reason is that the SCP authentication service disallows display in an iframe by setting the header field X-Frame-Options: DENY. Since HTML mashups in C4C are embedded in iframes, loading the mashup fails.

Procedure which fails:

  1. User opens a new browser session (not logged into IdP)
  2. User opens C4C - gets redirected to IdP
  3. User logs into IdP, and gets redirected to C4C (authenticated)
  4. User opens screen with the HTML mashup in C4C
  5. Mashup iframe loads application page (through CF approuter)
  6. CF approuter redirects to CF authentication service https://<subaccount>.authentication.eu10.hana.ondemand.com/oauth/authorize?response_type=code&client...;
  7. Loading the authentication service in the HTML Mashup iframe fails:
    "Refused to display 'https://<subaccount>.authentication.eu10.hana.ondemand.com/login' in a frame because it set 'X-Frame-Options' to 'deny'"

The message is correct:

X-Frame-Options: DENY will make the browser refuse to handle the redirect to the login on the SCP CF authentication service. SSO fails and the Mashup doesn't load.

Note: The mashup works fine if the user is already authenticated with SCP. So if the user visits the extension application (or any other application on SCP) first and authenticates, no redirection to the SCP authentication service occurs, and the mashup can load. This is obviously not a solution for a productive use case though.


1. Am I missing something here? I am confused how the concept described in the extension guide is ever supposed to work.

2. Has anyone made SCP extension with SSO work with C4C? Any advice?

Best regards,

Manuel

Accepted Solutions (1)


I have finally solved this problem.

Turns out there is a setting "iframeDomains" on the UAA service. Unfortunately this seems to be neither documented nor is there a UI for it. The only documentation I found for it (for the same problem I had) was with SAP Conversational AI:

https://help.sap.com/viewer/eafc53387d0d46a887611a1f48ca6d23/1911/en-US/e409c11690474c9ea5b9e35f29d4...

There is now a new note for this problem for C4C: https://launchpad.support.sap.com/#/notes/2912358 . However, documentation like the one Conversational AI has should be added anywhere CF applications are embedded into other applications, such as the extension guide for C4C that I was following.

gregorw
Active Contributor

Hi Manuel,

Great that you've shared your solution. I have quite a similar issue in SAP Analytics Cloud (SAC), where there is the functionality of adding an embedded web page. I've followed the description in Note 2912358 - Embedding the XSUAA login page in an iFrame - SAP Cloud Platform Cloud Foundry, but only the Content-Security-Policy got set correctly. The X-Frame-Options header is still:

X-Frame-Options: DENY

Will file an incident now.

Best regards
Gregor

stortstabeu
Discoverer

Hi gregorw,

did you open an incident for this? We have the same problem with SAC. We are trying to integrate a SAC story in the Fiori launchpad but are having an issue with X-Frame-Options DENY. It seems to be coming from SAC.

Answers (1)


former_member226
Employee

Hi Manuel,

Based on my past experience, I know that SAP IDS has a clickjacking framing protection framework and due to this, they don't allow framing the IDS service just like that. However, if you have a custom IDS tenant, then they do have a section in the SAP IDS tenant where you can configure who can call your IDS in an iframe, by means of the "Trusted Domains" app. You can go to: Applications & Resources --> Tenant Settings --> Trusted Domains and add a new entry for your C4C URL as my3*****.crm.ondemand.com, or for any C4C tenant you can enter a wildcard pattern as *.crm.ondemand.com. You can refer to https://help.sap.com/viewer/fd39efd120a74b37a1acca61d63bacaf/Cloud/en-US/03fd4358fcb34198b904a8a77ac... for more details.

AFAIK, configuring a trusted domain can only be done in a custom IdP, hence please check whether you have a custom IDS provisioned.

More details:

https://apps.support.sap.com/sap/support/knowledge/public/en/2597946

BR
Saurabh


Thanks Saurabh,

This will work for the IdP, yes. But the IdP is not the problem here. The problem is the authentication service in SCP Cloud Foundry. In the extension setup proposed by the C4C extension guide, a user request would go like this:

User -> SCP:Application Approuter -> SCP:Authentication (UAA) service -> IdP

The UAA service is sending X-Frame-Options: DENY and preventing the mashup from displaying.

former_member226
Employee

Ok. With a Neo environment based IdP, I am sure it used to work with the trusted domain configuration, as this lets a customer configure the trusted domains which the IdP (hosted on SCP Neo) will authorize to iframe it. In the case of the CF authentication service, this could have been changed. Maybe SAP support can help you with that.

However, please let me know if you solve this issue, as it would be interesting to find out what caused this problem.

See my answer. Turns out there is an undocumented setting on the authorization service that we can change through the settings API.