
BTP destination for CDS view with "OAuth2 SAML Bearer Assertion" is not working

jenny_slay
Participant
0 Kudos

Hi there,

I am creating a side-by-side extension using the standard CDS view I_StorageLocation. I have done the following settings:

1. Created a custom CDS view YY1_PlantStorageLocation

2. Created a custom communication scenario YY1_PLANTSTORAGELOCATION_CDS

3. Created the following communication arrangement:

I have created a destination in SAP BTP with SSO Mechanism “OAuth2 SAML Bearer Assertion”. I have observed the following:

  • I maintained “YY1_PLANTSTORAGELOCATION_CDS_0001” in the BTP destination Scope and got the following error: "error":"invalid_scope","error_description":"Requested OAuth 2.0 scope exceeds the scope granted by the resource owner or OAuth 2.0 client. Make sure that both have access to the scopes requested. For more information consult the kernel traces or the OAuth 2.0 trouble shooting SAP note 1688545"
  • Then I tried maintaining “/IWFND/SG_MED_CATALOG_0002 YY1_PLANTSTORAGELOCATION_CDS_0001” in the BTP destination Scope and got the following error: Finished sending GET request to back end https://XXXXX-api.s4hana.ondemand.com/sap/opu/odata/sap/YY1_PLANTSTORAGELOCATION_CDS/?$format=json in 88 ms. HTTP status from the back end is 403.

Please note the following points:

  • The communication system does not seem to have any issue, as the same is used in other communication arrangements and works fine.
  • A BTP destination created with “OAuth2 SAML Bearer Assertion” for a standard communication scenario ID such as SAP_COM_0108 works fine for me. This confirms that my approach for SSO is fine.
  • Correct me if I am wrong: the CDS view is also set with “Protection : Not required”, hence the user does not require any additional authorization.
  • The CDS view works fine for a BTP destination with Basic Authentication.

This is the first time I am creating a destination for a CDS view with “OAuth2 SAML Bearer Assertion”. It looks like I am missing some setting required for a CDS view with SSO. Any help on this issue would be much appreciated. Thanks

Regards, Jenni

quovadis
Product and Topic Expert
0 Kudos

Hello Jennifer

Have you tried to debug your issue yet?

Can you share the BTP destination definition please? Kind regards; Piotr

Accepted Solutions (1)

quovadis
Product and Topic Expert
0 Kudos

Hello Jennifer,

There is very likely some issue with the OAuth configuration for the custom comm scenario you created.

You could either try to debug it or opt for bypassing the OAuth client and using the SAMLBearerAssertion authentication directly against your bespoke OData API.

[Actually this is the approach my colleague Prasanth alludes to as well in his reply.]

I explain the difference between these 2 approaches (between having an OAuth client and the saml bearer assertion) in my blog SAMLBearerAssertion authentication with S/4HANA and S/4HANA Cloud.

On a side note, if you wanted to debug your issue, there are ways to do it, as for instance described in "How to generate SAML bearer assertion token with SAP BTP Destination Service?" and here: "ABAP acting as a Resource Server. App2App integration with OAuth2SAML2BearerAssertion flow." in the troubleshooting section.

Kind regards; Piotr

Answers (2)

AndreasRiehl
Advisor
0 Kudos

Hello Jenni,

The OData service that is created with the "External API" scenario of the Custom CDS Views key user app only supports basic authentication (user/password).

Best Regards,
Andreas

tiborolle
Explorer
0 Kudos

Very strange is it... public cloud....restrictions everywhere...

PrasanthM
Product and Topic Expert
0 Kudos

Hi Jennifer,

Could you refer to the documentation https://help.sap.com/viewer/0f69f8fb28ac4bf48d2b57b9637e81fa/2105.500/en-US/31876c06f99645f289d802f9... for more details on how to connect SAP S/4HANA Cloud to BTP via SAML Assertion. This should solve your issue.

Best Regards,

Prasanth