Hi community,
I have been playing with OAuth for a while now. I have not had many issues so far, and thanks to this wonderful community I have been able to solve the ones I've stumbled upon. These links were super useful:
OAuth connection to SuccessFactors Employee Central
Configuring OAuth 2.0 for AS ABAP
There is one thing, though, that I have not been able to figure out and that I wanted to ask about here. The way this whole thing is laid out in SAP is to allow the logged-in user to consume resources from other applications, SuccessFactors in this case.
This happens at the time the bearer assertion is being generated (CL_OA2C_SAML20_ASSERTION->IF_OA2C_SAML20_ASSERTION~ISSUE_BEARER_ASSERTION). There is one difference between what is explained in the first link and the second: in the first link the bearer assertion is issued by SuccessFactors, while in the second link SAP is the issuer.
I find the second option more comforting: this way I don't have to request it from SuccessFactors and share my private key in the process (and on top of that, requesting the assertion is not an option if you want to use the OA2C classes, so you would have to redefine the method and write it yourself).
In any case, one parameter that is needed when generating the assertion is the user id. This user id, being part of the assertion token, tells SuccessFactors which user is going to access the resource, so again, it makes sense that it is the same one that is logged into SAP.
However, I don't get why the user id is not part of the signature of the method that generates the assertion, or why there is no BAdI in place for us developers to alter it.
Let me give you an example: at one of my clients, I have the ability to log into the system (SAP) using my own credentials but specifying another user I want to proxy as, similar to proxies in SuccessFactors. Unfortunately, if I do that now, all the calls I make to SuccessFactors are made under my name instead of the proxy user I am using.
Has anyone dealt with this? Any workaround? I have played with an overwrite exit in the method and written my own code there, and it works pretty well; I'm just wondering if there is a better solution out there.
Thanks a lot in advance!
Here is a peek at the culprit:
DATA: lo_saml20_assertion TYPE REF TO if_saml_assertion.
DATA: ls_subject          TYPE saml2_name_id.

CREATE OBJECT lo_saml20_assertion TYPE cl_saml_assertion_oa2c.

* Set identity information: the audience (SuccessFactors) and the subject (user id)
lo_saml20_assertion->set_audience( i_audience ).

* This little guy here returns either email or sy-uname based on your config;
* whatever it returns becomes the NameID of the assertion
build_name_id( EXPORTING i_consnumber      = i_user_email_num
               IMPORTING es_saml20_name_id = ls_subject ).
lo_saml20_assertion->set_name_id( ls_subject ).
lo_saml20_assertion->set_attributes( it_saml_attributes ).
lo_saml20_assertion->set_authentication_contexts( it_saml_auth_contexts ).

* Protocol initialization
lo_saml20_assertion->if_saml_protocol~initialize( ).

* Set recipient
DATA(l_recipient) = i_recipient.
lo_saml20_assertion->set_recipient( l_recipient ).

* Members preparation
lo_saml20_assertion->if_saml_protocol~prepare( ).

* Get XML with the signed assertion and encode it as base64 (URL-safe unless disabled)
e_assertion_x = lo_saml20_assertion->if_saml_protocol~serialize( ).
e_assertion   = base64url_encode( EXPORTING i_xstring = e_assertion_x
                                            i_no_url  = i_no_b64url_encoding ).
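The following is an added example and not part of the original post or of SAP's OA2C classes: a stand-alone Python model of the ISSUE_BEARER_ASSERTION flow shown above. It shows where the user id ends up in a SAML 2.0 bearer assertion (the Subject/NameID), that the effective subject (proxied user or logged-in user) has to be decided before the assertion is serialized, since the real serialize() step produces a signed assertion, and how the base64url encoding with and without URL-safe mode differs. The Session class, the proxy fields and the build_name_id counterpart are assumptions for illustration; XML signing is deliberately left out and marked in the code.

```python
# Added example: model of an OAuth 2.0 SAML bearer assertion (RFC 7522 style),
# not SAP's own code. Signing is omitted; see the comment before serialization.
import base64
import uuid
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
CM_BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
FMT_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
FMT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
AC_PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
ET.register_namespace("saml", NS_SAML)


@dataclass(frozen=True)
class Session:
    """Hypothetical SAP session: sy-uname and e-mail, plus an optional proxied user."""
    logged_in_user: str
    email: str
    proxy_user: Optional[str] = None
    proxy_email: Optional[str] = None


def build_name_id(session: Session, use_email: bool) -> Tuple[str, str]:
    """Counterpart of the post's build_name_id: returns (NameID value, NameID format).

    Unlike the original, it honours an active proxy, so the assertion names the
    user being acted for rather than the caller. This is the one place where
    the subject can still be changed: after serialization it is under the signature.
    """
    if session.proxy_user:
        value = session.proxy_email if use_email else session.proxy_user
    else:
        value = session.email if use_email else session.logged_in_user
    if not value:
        raise ValueError("no NameID available for the requested format")
    return value, (FMT_EMAIL if use_email else FMT_UNSPECIFIED)


def _ts(dt: datetime) -> str:
    """SAML timestamps are UTC in xs:dateTime form."""
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def base64url_encode(xstring: bytes, no_url: bool = False) -> str:
    """Mirror of the post's base64url_encode: URL-safe, unpadded by default."""
    if no_url:
        return base64.b64encode(xstring).decode("ascii")
    return base64.urlsafe_b64encode(xstring).rstrip(b"=").decode("ascii")


def issue_bearer_assertion(session: Session, issuer: str, audience: str,
                           recipient: str, use_email: bool = False,
                           now: Optional[datetime] = None,
                           lifetime_s: int = 300) -> str:
    """Build the assertion XML and return it base64url-encoded (unsigned model)."""
    now = now or datetime.now(timezone.utc)
    not_after = now + timedelta(seconds=lifetime_s)
    value, fmt = build_name_id(session, use_email)
    s = "{%s}" % NS_SAML

    root = ET.Element(s + "Assertion", {"ID": "_" + uuid.uuid4().hex,
                                        "Version": "2.0", "IssueInstant": _ts(now)})
    ET.SubElement(root, s + "Issuer").text = issuer
    # Subject: the NameID is what SuccessFactors maps to a user
    subject = ET.SubElement(root, s + "Subject")
    ET.SubElement(subject, s + "NameID", {"Format": fmt}).text = value
    conf = ET.SubElement(subject, s + "SubjectConfirmation", {"Method": CM_BEARER})
    ET.SubElement(conf, s + "SubjectConfirmationData",
                  {"Recipient": recipient, "NotOnOrAfter": _ts(not_after)})
    # Conditions: audience restriction and validity window
    cond = ET.SubElement(root, s + "Conditions",
                         {"NotBefore": _ts(now), "NotOnOrAfter": _ts(not_after)})
    aud = ET.SubElement(cond, s + "AudienceRestriction")
    ET.SubElement(aud, s + "Audience").text = audience
    authn = ET.SubElement(root, s + "AuthnStatement", {"AuthnInstant": _ts(now)})
    ctx = ET.SubElement(authn, s + "AuthnContext")
    ET.SubElement(ctx, s + "AuthnContextClassRef").text = AC_PASSWORD

    # In the real flow an enveloped XML-DSig over this element is added here
    # with the issuer's private key; it is omitted in this model.
    return base64url_encode(ET.tostring(root, encoding="utf-8"))


def assertion_subject(encoded: str) -> str:
    """Decode a base64url assertion and return its NameID (receiver-side check)."""
    padded = encoded + "=" * (-len(encoded) % 4)
    root = ET.fromstring(base64.urlsafe_b64decode(padded))
    return root.find("saml:Subject/saml:NameID", {"saml": NS_SAML}).text


if __name__ == "__main__":
    # Constructed sample: JSMITH is logged in and proxies as MJONES
    sess = Session("JSMITH", "j.smith@example.com", "MJONES", "m.jones@example.com")
    enc = issue_bearer_assertion(sess, "https://sap.example.com",
                                 "www.successfactors.com",
                                 "https://api.example.com/oauth/token")
    print(assertion_subject(enc))
```

The check a practitioner wants is the last function: decode what you are about to send and confirm the NameID is the proxied user, not sy-uname, before the assertion reaches the token endpoint. In the ABAP flow the equivalent change must go into build_name_id (or whatever feeds set_name_id), because serialize() signs the assertion and any later change invalidates it.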