With the help of SAP I was able to solve my problem:
My suspicion was right: the session cookie has not reached the on-premise system and therefore the CSRF token validation was not successful. But: SAP Cloud Platform Workflow has sent the session cookie together with the CSRF token in the POST request.
The problem lies within the SAP Cloud Connector and its settings:
In the Cloud Connector Administration Website, you are able to maintain your cloud to on-premise connection in the tab "Access Control". As an example: You have an SAP on-premise system which is reachable via the domain "sapmachine.sap.com" and you assign this on-premise system to the virtual hostname "virtualsapmachine.sap.com":
cloud-to-on-premise-access-control.jpg
This enables the communication between SAP Cloud Platform and the SAP backend system via the Cloud Connector. But cookies are created with an assignment to a certain domain. As an example: The SAP session cookie is assigned to the domain ".sapmachine.sap.com" (please note the dot "." at the beginning of the domain in the screenshot - some servers do this, and so does my SAP backend server):
For correct communication between SAP Cloud Platform and the SAP backend system, the domain information in the exchanged cookies also has to be adjusted from virtual host names to on-premise hostnames and vice versa. This can be done in the SAP Cloud Connector Administration Website in the tab "Cookie domains". As an example: You assign the virtual host "virtualsapmachine.sap.com" to the cookie domain ".sapmachine.sap.com":
cloud-to-on-premise-cookie-domains.jpg
This solved my problem. The session cookie will be sent from SAP Cloud Platform Workflow together with the CSRF token in the POST request to my Cloud Connector, and the Cloud Connector forwards the request and the session cookies with respect to the cookie domain mapping settings to my SAP on-premise system. The SAP backend system can validate the CSRF token with the session information and everything works fine.
/closed
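Added example, not part of the original post and not SAP's code: a simplified Python model of RFC 6265 domain matching. It shows why a cookie scoped to ".sapmachine.sap.com" is never returned to "virtualsapmachine.sap.com", and how a cookie-domain mapping changes that. The cookie name and value are constructed, and `rewrite_set_cookie` is a hypothetical helper that only approximates what the Cloud Connector setting does.

```python
from http.cookies import SimpleCookie

# Hostnames from the post's example; the cookie itself is constructed sample data.
VIRTUAL_HOST = "virtualsapmachine.sap.com"
BACKEND_COOKIE_DOMAIN = ".sapmachine.sap.com"
SAMPLE_SET_COOKIE = "SAP_SESSIONID_XYZ_100=abc123; Domain=.sapmachine.sap.com; Path=/; HttpOnly"


def domain_match(request_host, cookie_domain):
    """RFC 6265 sec. 5.1.3 domain-match (IP-address case omitted).
    A leading dot on the cookie domain is ignored (sec. 5.2.3)."""
    host = request_host.lower().rstrip(".")
    dom = cookie_domain.lower().lstrip(".")
    # A match must fall on a label boundary, not on a plain string suffix.
    return host == dom or host.endswith("." + dom)


def rewrite_set_cookie(header_value, mapping):
    """Hypothetical model of the mapping: replace the Domain attribute
    using {backend cookie domain: virtual host}."""
    jar = SimpleCookie()
    jar.load(header_value)
    for morsel in jar.values():
        if morsel["domain"] in mapping:
            morsel["domain"] = mapping[morsel["domain"]]
    return [m.OutputString() for m in jar.values()]


def cookie_header_for(request_host, set_cookie_values):
    """Cookie header a standards-following client would send to request_host."""
    pairs = []
    for value in set_cookie_values:
        jar = SimpleCookie()
        jar.load(value)
        for name, morsel in jar.items():
            domain = morsel["domain"] or request_host  # host-only cookie
            if domain_match(request_host, domain):
                pairs.append(f"{name}={morsel.value}")
    return "; ".join(pairs)


if __name__ == "__main__":
    # Without mapping: the client talking to the virtual host drops the cookie.
    print(repr(cookie_header_for(VIRTUAL_HOST, [SAMPLE_SET_COOKIE])))
    # With mapping: the session cookie accompanies the CSRF token on the POST.
    mapped = rewrite_set_cookie(SAMPLE_SET_COOKIE, {BACKEND_COOKIE_DOMAIN: VIRTUAL_HOST})
    print(repr(cookie_header_for(VIRTUAL_HOST, mapped)))
```

When debugging a failed CSRF token validation behind a reverse proxy or connector, compare the `Domain` attribute of the backend's `Set-Cookie` response with the hostname the client actually calls.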