on 01-25-2018 9:20 AM
Hi guys,
we are currently working on an SAPUI5 Application in the SAP Cloud Platform, environment Neo. We are facing an issue which is not very common and yet unsolved. We did a lot of research and found nearly nothing.
Requirement of the Application:
Employees from very different locations need to interact via a web application to create some feedback which will be transferred into the SAP backend system. Daily response on quantity and stock.
The employees do not have a sap backend user and they shouldn’t get one because they do not have any other tasks in the backend system at all. This is a decision which I can’t change.
So, every employee should get a SCP User within the SAP IdP (SAP Cloud Platform Identity Provider). The communication between SCP and Backend will be done via an SAP interface user (non-dialog). But we need to know which SCP IdP User is logged on and sent us the request. During the development we send the SCP IdP user ID over the OData service which is not safe and can be manipulated e.g. via Chrome dev tools etc.
We tried the following setup to propagate the IdP user identity from the SCP app to the SAP backend by using the step-by-step guide Cloud Platform Connectivity Principal Propagation, Exercise B1-B3. I’ll just mention the main steps within here.
But we still get a logon dialog where we need to logon with a sap backend user. We also tried working with the different logon modes in the SICF Service as well. Without success.
I guess that I always need an SAP Backend User and therefore we need to store the tech. SAP User into the SCP Destination or into the SICF Service. Or did I not set up the principal propagation completely correctly, so the SAP backend answers my incorrect setup by showing the logon dialog?
To sum it up, I have two questions:
The second question bothers us the most. The first question could be “bypassed” with a technical SAP User in the SCP Destination or in the SICF Service, as far as I understood the topic.
Regards, your H.P.
Hi,
To use Principal Propagation either via the Cloud Connector or SAPAssertionSSO, the user ID must also exist in the backend system so there isn’t a way around this and this is why you are getting the 2nd authentication request from your backend system during your testing. You just answered your own question by using the technical user for the destination configuration in the SAP Cloud Platform.
As for the 2nd question, I think I know what you are trying to do but I don’t recommend this. You are trying to bypass the authentication method for your backend system and it is a high security risk.
Dear H.P.,
This topic is really interesting and I agree, I found nothing on it (or I just misunderstood every technical document I've read, since I am not strong about this security thing :)).
It is so true when you write that data stored in the front end javascript application can be manipulated in debug mode so end users may access data they are not supposed to see. So how the hell can we pass data stored on the SCP IdP User Identity service directly to the SAP backend?
What I can tell you: I've already set up Principal Propagation using X509 short-lived certificates and it works great. But you still need a SAP user to log in: in the CERTRULE transaction, you map a subject of an X509 certificate to the SAP username / alias. When the mapping is successful, the end user is then logged in with the corresponding SAP user. If unsuccessful, the end user will be prompted to provide credentials on a standard HTTP popup.
If you have any update for your second question, please, let me know :).
Regards,
Olivier
Hi,
you can use this code snippet in your DPC_EXT class of your OData service to get the Name used in the certificate
    " Read the forwarded client certificate from the HTTP request headers
    READ TABLE mr_request_details->technical_request-request_header
      INTO DATA(ls_cert_str) WITH KEY name = 'ssl_client_cert'.
    IF sy-subrc = 0.
      " Parse the certificate and take the CN from its subject DN
      DATA(lr_cert) = cl_abap_x509_certificate=>get_instance( if_certificate = ls_cert_str-value ).
      lr_cert->get_subject_dn( IMPORTING et_dn = DATA(lt_dn) ).
      READ TABLE lt_dn INTO DATA(ls_dn) WITH KEY oid = 'CN'.
      IF sy-subrc = 0.
        " lv_dn_name now holds the name propagated in the certificate subject
        DATA(lv_dn_name) = ls_dn-value.
      ENDIF.
    ENDIF.
I got this code snippet from here
https://answers.sap.com/questions/12905835/scp-portal-open-an-app-with-user-name-as-parameter.html
Best regards
Jan
Hi All,
I have a similar requirement. I am building a full stack SAPUI5 application deployed on the Neo stack as an HTML5 application.
1. My subaccount is configured as SF extension account
2. I have set up my subaccount as a service provider against SF which is my IdP
3. All resources triggered from sub account will be challenged by SuccessFactors login page
4. Punch in my SF credentials
5. Voilà, I can view my SAPUI5 applications.
6. From now on, I would like to read the SAML assertion attributes within my SAPUI5 applications. Do we have any idea how to achieve this? Is there something I need to set in SuccessFactors provisioning login during SSO configuration?
Your experience is much appreciated.
Regards,
RL
Hi All,
was there any solution for this? I have the exact same requirements and also don't want to use the User-API in the UI5 App and take the risk of tampered requests.
Regards,
Daniel
Hi,
I have the same issue/use case right now as you can see here.
Is there a solution for this?
I tried it with principal propagation and added for every P-User of my IDP one entry in "EXTID_DN" and assigned the same service user "TEST01". Now I just need to access the X.509 client certificate which was used for the logon and read the external user ID from the subject.
But I haven't found a way to access this information.
Can anybody help?
Best regards,
Chris
Dear all,
I've commented nghia.nguyen 's answer but it is somehow not as visible as a real topic reply. So please, check my comment a little below nghia.nguyen's.
Also, I am wondering why this is actually considered as an "accepted answer" by moya.watson ? I think it is a bit premature, since the question has not been fully and clearly answered 🙂
Thank you.
Regards,
Olivier
Hi -- just means it's one of many potential answers. Doesn't mean the issue is closed. But it helps bump it up so people can respond in the active thread with more info. Sorry for the confusion.
Dear Nghia,
Thank you for your quick reply.
I think you misunderstood what H.P. and I try to achieve. Let me clarify the situation:
I won't recall the licensing topic as this is not the point here. This is a technical request.
Regards,
Olivier
Hi,
OK, from your latest statement, I understand what you are trying to do.
I am not a programmer to give you the exact thing that you would need but it would be something like this.
The user is authenticated against an IdP and that SAML ticket does contain the information that you are looking for in one of the attributes. Since the destination is configured for basic authentication, none of the SAML attributes will be forwarded, which means your app must use the API to extract the attribute and somehow pass that value along with your request to the backend system. Here are some links that may help with getting the SAML attribute within the app:
https://blogs.sap.com/2015/04/16/using-the-hcp-user-api-in-web-ide/
https://blogs.sap.com/2016/05/23/getting-user-details-in-ui5-hcp/
Hope this helps.
Thank you nghia.nguyen.
The user API solution you are talking about is the technical path we want to avoid. We are already implementing this but it is unacceptable in a security speaking way.
As hpbaxxter mentioned in his initial question, if you store data in your front-end app (let's say "Customer Number") in order to build and execute a request to your back end (let's say "Retrieve me all the Sales orders for this Customer Number"), what can prevent me from changing this very Customer Number into another one in javascript debugging mode? So I will access some sales orders which are not mine...
What if I can delete anyone else's data just by knowing his customer ID?
Unlike the principal propagation scenario, we want to identify which end user is logged in without having a Gateway user / SAP user created per SCP Cloud user. The one and only user we want to deal with, in SAP back end, is the technical user from SCP destination, and it should remain transparent.
If we give to 1500 customers the access to the app, we don't want to manage 1500 gateway users and 1500 SAP ECC users.
We have an idea but don't know if it is the way to go. In the principal propagation scenario, is it possible to map every SCP user to a single Gateway/SAP ECC user? The SAP Cloud Connector, while setting the principal propagation Subject Pattern, would only let me choose among ${name}, ${mail}, ${display_name} and ${login_name}. These seem to be SAML assertion attributes from the SAP Identity Provider.
Alongside this first question, is it possible to retrieve SAML assertion attributes in the SAP ECC back end?
Do you follow me?
Regards,
Olivier
Hi,
Wow! Initially, I thought you were using the UserID for logging purposes to see who accesses the service. IMO, I don’t think there is an easy way to do this with some simple setting. You are trying to use a technical user but at the same time trying to get the real user ID to parse the backend data.
Yes, you are correct about the Cloud Connector subject name option. It is a selection so you must pick one.
Getting SAML attributes in the backend system: in all my testing I haven’t seen any SAML ticket passed to the backend system. I haven’t encountered any parameter that would forward the SAML ticket to the backend system from the Cloud Connector.
SAP Cloud Platform offers methods to achieve SSO for on-premise systems, but the issue you are trying to solve is not really SSO, so I don't think there is a way to do this without some programming at the app level and backend service.
I don’t know if this is possible, but encrypt the real UserID in the app on SAP Cloud Platform after using the API and decrypt it in the backend system.