cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Transfer SCP User ID (IdP) from UI5 App to SAP Backend System safely

Go to solution
former_member606203
Discoverer

on ‎01-25-2018 9:20 AM

Hi guys,

we are currently working on an SAPUI5 Application in the SAP Cloud Platform, environment Neo. We are facing an issue which is not very common and yet unsolved. We did a lot of research and found nearly nothing.

Requirement of the Application:

Employees from very different location need to interact via a web application to create some feedback which will be transferred into the SAP backend system. Daily response on quantity and stock.

The employees do not have a sap backend user and they shouldn’t get one because they do not have any other tasks in the backend system at all. This is a decision which I can’t change.

So, every employee should get a SCP User within the SAP IdP (SAP Cloud Platform Identity Provider). The communitcation between SCP and Backend will be done via an SAP interface user (non-dialog). But we need to know which SCP IdP User is logged on and sent us the request. During the development we send the SCP IdP user ID over the OData service which is not save and can be manipulate e.g. via Chrome dev tools etc.

We tried following setup to propagate the IdP user identiy from SCP app to SAP backend by using the step-by-step guide Cloud Platform Connectivity Principal Propagation, Exercise B1-B3. I’ll just mention the main steps within here.

  1. Set up trust with the IdP
  2. Export System certificate (Cloud Connector) for acquainting it with backend
  3. Configure CA certificate of Cloud Connector
  4. Configure SAP backend to trust Cloud Connector (Transaction STRUST)
  5. Import certificate in SAP backend for user mapping (Transaction CERTRULE)
  6. Create SCP destination to propagate user credentials to SAP backend

But we still get a logon dialog where we need to logon with a sap backend user. We also tried work with the different logon modes in SCIF Service as well. Without success.

I guess that I always need an SAP Backend User and therefore we need to store the tech. SAP User into the SCP Destination or into the SICF Service. Or did I set up the principal propagation not complete correctly so the SAP backend answer to my incorrect setup by showing the logon dialog?

To sum it up, I have two questions:

  1. If I configure the principal propagation between SCP, Cloud Connector and SAP backend correctly, can I connect from the web app to SAP Backend without a SAP backend user?
  2. Is there any possibility to transfer the SCP IdP User ID from SCP web app to SAP backend safely?

The second question bother us the most. The first Question could be “bypassed” with an technical SAP User in the SCP Destination or in the SICF Service, as far as I understood the topic.

Regards, your H.P.

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

former_member197255
Explorer
‎02-07-2018 4:40 PM

Hi,

To use Principal Propagation either via the Cloud Connector or SAPAssertionSSO, the user ID must also exist in the backend system so there isn’t a way around this and this is why you are getting the 2nd authentication request from your backend system during your testing. You just answered your own question by using the technical user for the destination configuration in the SAP Cloud Platform.

As for the 2nd question, I think I know what you are trying to do but I don’t recommend this. You are trying to bypass the authentication method for your backend system and it is a high security risk.

Show replies
Show replies

Answers (7)

Answers (7)

former_member512938
Participant
‎02-07-2018 2:11 PM

Dear H.P.,

This topic is really interesting and I agree, I found nothing on it (or I just misunderstood every technical document I've read, since I am not strong about this security thing :)).

It is so true when you write that data stored in the front end javascript application can be manipulated in debug mode so end users may access data they are not supposed to see. So how the hell can we pass data stored on SCP IdP User Identity service directly to SAP backend ?

What I can tell you : I've already set up Principal Propagation using X509 Short Live certificates and it works great. But you still need a SAP user to log in : in CERTRULE transaction, you map a subject of an X509 certicate to the SAP username / alias. When the mapping is successful, the end user is then logged in with the corresponding SAP user. If unsuccessful, the end user will be prompted to provide credentials on standard HTTP popup.

If you have any update for your second question, please, let me know :).

Regards,

Olivier

Show replies
Show replies
jfk
Explorer
‎02-12-2021 12:06 AM
0 Kudos

Hi,

you can use this code snipped in your DPC_EXT class of your OData service to get the Name used in the certificate

READ TABLE mr_request_details->technical_request-request_header INTO DATA(ls_cert_str) WITH TABLE KEY name = 'ssl_client_cert'.
IF sy-subrc = 0.
DATA(lr_cert) = cl_abap_x509_certificate=>get_instance( if_certificate = ls_cert_str-value ).
lr_cert->get_subject_dn(
IMPORTING
et_dn = DATA(lt_dn)
).
READ TABLE lt_dn INTO DATA(ls_dn) WITH KEY oid = 'CN'.
DATA(lv_dn_name) = ls_dn-value.
ENDIF.

I got this code snipped from here
https://answers.sap.com/questions/12905835/scp-portal-open-an-app-with-user-name-as-parameter.html

Best regards
Jan

Show replies
Show replies
christoffer_fuss
Participant
‎02-18-2021 6:08 PM
0 Kudos

This works great, thank you very much 🙂

former_member611663
Explorer
‎08-28-2019 2:27 PM
0 Kudos

Hi All,

I have a similar requirement, i am building a full stack SAPUI5 application deploy on Neo Stack as a html 5 application.

1. My subaccount is configured as SF extension account

2. I have set up my subaccount as a service provider against SF which is my IdP

3. All resources triggered from sub account will be challenged by SuccessFactors login page

4. Punch in my SF credentials

5. Voila i can view my SAPUI5 applications.

6. From now on, i like to read the SAML asserting attributes within my SAPUI5 applications, do we have any idea how to achieve this. Is there something i need to set in SuccessFactors provisioning login during SSO configuration.

Your experience is much appreciated.

Regards,

RL

Show replies
Show replies
former_member236845
Explorer
‎07-30-2019 6:51 AM
0 Kudos

Hi All,

was there any solution for this? I have the exact same requirements and also dont want to use the User-API in the UI5 App and take the risk of tampered requests.

Regards,

Daniel

Show replies
Show replies
christoffer_fuss
Participant
‎07-09-2018 4:37 PM
0 Kudos

Hi,

I have the same issue/use case right now as you can see here.

Is there a solution for this?

I tried it with principal propagation and added for every P-User of my IDP one entry in "EXTID_DN" and assigned the same service user "TEST01". Now I just need to access the X.509 cient certificate which was used for the logon and read the external userid from the subject.

But I havent found a way to access this information.

Can anybody help?

Best regards,

Chris

Show replies
Show replies
former_member512938
Participant
‎02-08-2018 1:32 PM
0 Kudos

Dear all,

I've commented nghia.nguyen 's answer but it is somehow not as visible as a real topic reply. So please, check my comment a little below nghia.nguyen's.

Also, I am wondering why this is actually considered as an "accepted answer" by moya.watson ? I think it is a bit premature, since the question has not been fully and clearly answered 🙂

Thank you.

Regards,

Olivier

Show replies
Show replies
moyalynne
Active Contributor
‎02-08-2018 1:35 PM

Hi -- just means it's one of many potential answers. Doesn't mean the issue is closed. But it helps bump it up so people can respond in the active thread with more info. Sorry for the confusion.

former_member512938
Participant
‎02-08-2018 11:28 AM
0 Kudos

Dear Nghia,

Thank you for your quick reply.

I think you misunderstood what H.P. and I try to achieve. Let me clarify the situation :

  1. In our SCP Destination settings we want to set up a Basic Authentication with a specified "technical user". The goal of this user is only to get connected to the back end from SCP.
  2. In our ZCL_XXXXXXX_DPC_EXT service implémentation class, we want to retrieve some of the P00XXX cloud user data (check the screenshot) like Company or so on... as we would do with a GET PARAMETER ID on a principal propagation scenario. But in this very case, the user who is logged in SAP system is the "technical user" we defined in SCP Destination. We are not able to know which end user is actually logged in (P000001 or P000002)

I won't recall the licensing topic as this is not what the point here. This is a technical request.

Regards,

Olivier

Show replies
Show replies
former_member197255
Explorer
‎02-08-2018 2:07 PM
0 Kudos

Hi,

OK, from your latest statement, I understand what you are trying to do.

I am not a programmer to give you the exact thing that you would need but it would be something like this.

The user is authenticated against an IdP and that SAML ticket does contain the information that you looking for in one of the attributes. Since the destination is configured for basic authentication then none of the SAML attributes will be forwarded which mean your app must use the API to extract the attribute and somehow pass that value along with your request to the backend system. Here are some links that may help with getting the SAML attribute within the app:

https://blogs.sap.com/2015/04/16/using-the-hcp-user-api-in-web-ide/

https://blogs.sap.com/2016/05/23/getting-user-details-in-ui5-hcp/

Hope this help.

former_member512938
Participant
‎02-08-2018 3:15 PM

Thank you nghia.nguyen.

The user API solution you are talking about is the technical path we want to avoid. We are already implementing this but it is unacceptable in a security speaking way.

As hpbaxxter mentionned in his initial question, if you store data in your front-end app (let say "Customer Number") in order to build and execute a request to your back end (let's say "Retrieve me all the Sales order for this Customer Number"), what can prevent me from changing this very Customer Number into another one in javascript debugging mode ? So I will access some sales orders who are not mine...

What if I can delete anyone else data just by knowing his customer id ?

Unlike the principal propagation scenario, we want to identify which end user is logged in without having a Gateway user / SAP user created per SCP Cloud user. The one and only user we want to deal with, in SAP back end, is the technical user from SCP destination, and it should remain transparent.

If we give to 1500 customers the access to the app, we don't want to manage 1500 gateway users and 1500 SAP ECC users.

We have an idea but don't know if it is the way to go. In the principal propagation scenario, is it possible to map every SCP user to a single Gateway/SAP ECC user ? The SAP Cloud Connector, while setting the principal propagation Subject Pattern would only let me choose among ${name}, ${mail}, ${display_name} and ${login_name}. It seems to be SAML assertion attributes from SAP Identity Provider.

Alongside with this first question, is it possible to retrieve SAML assertion attributes in SAP ECC back end ?

Do you follow me ?

Regards,

Olivier

former_member197255
Explorer
‎02-08-2018 3:46 PM
0 Kudos

Hi,

Wow! Initially, I thought you were using the UserID for logging purpose to see who access the service. IMO, I don’t there is an easy way to do this with some simple setting. You trying to use a technical user but at the same time trying to get the real user ID to parse the backend data.

Yes, you are correct about the Cloud Connector subject name option. It is a selection so you must pick one.

Get SAML attributes in the backend system, in all my testing I haven’t seen any SAML ticket passed to the backend system. I haven’t encounter any parameter that would forward the SAML ticket to the backend system from the Cloud Connector.

SAP Cloud Platform offered methods to achieve SSO for on premise system but the issue you are trying to solve is not really an SSO so I don't think there is a way to do this without some programming at the app level and backend service.

I don’t know if this is possible, but encrypted the real UserID in the app on SAP Cloud Platform after using the API & decrypted it in the backend system.

former_member512938
Participant
‎02-08-2018 4:37 PM
0 Kudos

Thank you. For reading convenience, I'll convert my latest comments into answers. Maybe you could do the same so we have better visibility 🙂

Cheers

Ask a Question