
Transfer SCP User ID (IdP) from UI5 App to SAP Backend System safely

Hi guys,

we are currently working on an SAPUI5 Application in the SAP Cloud Platform, environment Neo. We are facing an issue which is not very common and yet unsolved. We did a lot of research and found nearly nothing.

Requirement of the Application:

Employees from very different locations need to interact via a web application to create some feedback which will be transferred into the SAP backend system: daily responses on quantity and stock.

The employees do not have a sap backend user and they shouldn’t get one because they do not have any other tasks in the backend system at all. This is a decision which I can’t change.

So, every employee should get a SCP User within the SAP IdP (SAP Cloud Platform Identity Provider). The communication between SCP and Backend will be done via an SAP interface user (non-dialog). But we need to know which SCP IdP User is logged on and sent us the request. During the development we send the SCP IdP user ID over the OData service, which is not safe and can be manipulated, e.g. via Chrome dev tools etc.

We tried the following setup to propagate the IdP user identity from the SCP app to the SAP backend by using the step-by-step guide Cloud Platform Connectivity Principal Propagation, Exercise B1-B3. I’ll just mention the main steps within here.

  1. Set up trust with the IdP
  2. Export System certificate (Cloud Connector) for acquainting it with backend
  3. Configure CA certificate of Cloud Connector
  4. Configure SAP backend to trust Cloud Connector (Transaction STRUST)
  5. Import certificate in SAP backend for user mapping (Transaction CERTRULE)
  6. Create SCP destination to propagate user credentials to SAP backend

But we still get a logon dialog where we need to log on with a SAP backend user. We also tried to work with the different logon modes in the SICF service as well. Without success.

I guess that I always need an SAP Backend User and therefore we need to store the tech. SAP User into the SCP Destination or into the SICF Service. Or did I not set up the principal propagation completely correctly, so the SAP backend answers my incorrect setup by showing the logon dialog?

To sum it up, I have two questions:

  1. If I configure the principal propagation between SCP, Cloud Connector and SAP backend correctly, can I connect from the web app to SAP Backend without a SAP backend user?
  2. Is there any possibility to transfer the SCP IdP User ID from SCP web app to SAP backend safely?

The second question bothers us the most. The first question could be “bypassed” with a technical SAP User in the SCP Destination or in the SICF Service, as far as I understood the topic.

Regards, your H.P.

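The risk the question describes (the IdP user ID travelling in the OData request, where the browser controls it) is easy to see in a small model. The following is an added example, not code from the thread and not SAP code: it contrasts trusting the client-supplied ID with letting the server-side layer that already holds the IdP-authenticated session supply the ID and discard whatever the client sent. The session store, the `X-Scp-User` header name and the sample sessions are my own assumptions, not anything from the page.

```python
"""Added example (not from the thread, not SAP code): a small model of the
problem raised in the question. The development-time pattern sends the IdP
user ID in the OData request, where the browser controls it; the safer
pattern lets the server-side layer that already holds the IdP-authenticated
session supply the ID and discard whatever the client sent.

Assumptions (mine, not from the page): sessions are a dict keyed by a
session cookie, and the identity is forwarded in a header named X-Scp-User
over the technical-user destination."""
from dataclasses import dataclass

IDENTITY_HEADER = "X-Scp-User"   # assumed header name

# Constructed sample sessions created after IdP login. The browser only
# holds the cookie value; the user ID stays on the server side.
SESSIONS = {
    "sess-7f3a": "P000001",
    "sess-9c21": "P000002",
}


@dataclass
class Request:
    cookie: str        # session cookie presented by the browser
    headers: dict      # headers as sent by the browser
    body: dict         # OData payload as sent by the browser


def naive_user(req: Request) -> str:
    """The pattern the question describes: trust the ID inside the OData body.
    Anything here can be edited in the browser's developer tools."""
    return req.body["userId"]


def forward_to_backend(req: Request) -> dict:
    """Server-side forwarding step.

    Returns the headers the backend receives. The identity comes from the
    authenticated session, never from the request; a client-supplied copy
    of the identity header is dropped so it cannot override the real value."""
    user = SESSIONS.get(req.cookie)
    if user is None:
        raise PermissionError("no authenticated session for this cookie")
    forwarded = {k: v for k, v in req.headers.items()
                 if k.lower() != IDENTITY_HEADER.lower()}
    forwarded[IDENTITY_HEADER] = user
    return forwarded


def tampering_detected(req: Request) -> bool:
    """Detection hook: the session-derived ID disagrees with the ID the
    client claimed in the body or header. Worth logging on the server."""
    real = SESSIONS.get(req.cookie)
    claimed = {req.body.get("userId"), req.headers.get(IDENTITY_HEADER)} - {None}
    return real is not None and any(c != real for c in claimed)


if __name__ == "__main__":
    # Constructed tampered request: the cookie belongs to P000001, but the
    # client rewrote both the body and the header to claim P000002.
    tampered = Request("sess-7f3a",
                       {IDENTITY_HEADER: "P000002", "Content-Type": "application/json"},
                       {"userId": "P000002", "quantity": 12})
    print("naive:", naive_user(tampered))                               # P000002
    print("forwarded:", forward_to_backend(tampered)[IDENTITY_HEADER])  # P000001
    print("tampering:", tampering_detected(tampered))                   # True
```

The point of `forward_to_backend` is that the backend only ever sees an identity that the server-side layer derived from a session it verified itself; stripping the client's copy of the header matters because a backend that trusts the header cannot otherwise tell the two apart.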

5 Answers

  • Best Answer
    Feb 07 at 04:40 PM

    Hi,

    To use Principal Propagation either via the Cloud Connector or SAPAssertionSSO, the user ID must also exist in the backend system so there isn’t a way around this and this is why you are getting the 2nd authentication request from your backend system during your testing. You just answered your own question by using the technical user for the destination configuration in the SAP Cloud Platform.

    As for the 2nd question, I think I know what you are trying to do but I don’t recommend this. You are trying to bypass the authentication method for your backend system and it is a high security risk.


  • Feb 07 at 02:11 PM

    Dear H.P.,

    This topic is really interesting and I agree, I found nothing on it (or I just misunderstood every technical document I've read, since I am not strong about this security thing :)).

It is so true when you write that data stored in the front end javascript application can be manipulated in debug mode so end users may access data they are not supposed to see. So how the hell can we pass data stored on SCP IdP User Identity service directly to SAP backend?

What I can tell you: I've already set up Principal Propagation using X.509 short-lived certificates and it works great. But you still need a SAP user to log in: in CERTRULE transaction, you map a subject of an X.509 certificate to the SAP username / alias. When the mapping is successful, the end user is then logged in with the corresponding SAP user. If unsuccessful, the end user will be prompted to provide credentials on standard HTTP popup.

    If you have any update for your second question, please, let me know :).

    Regards,

    Olivier


  • Feb 08 at 01:32 PM

    Dear all,

I've commented Nghia Nguyen's answer but it is somehow not as visible as a real topic reply. So please, check my comment a little below Nghia Nguyen's.

Also, I am wondering why this is actually considered as an "accepted answer" by Moya Watson? I think it is a bit premature, since the question has not been fully and clearly answered :)

    Thank you.

    Regards,

    Olivier


    • Hi -- just means it's one of many potential answers. Doesn't mean the issue is closed. But it helps bump it up so people can respond in the active thread with more info. Sorry for the confusion.

  • Feb 08 at 11:28 AM

    Dear Nghia,

    Thank you for your quick reply.

I think you misunderstood what H.P. and I try to achieve. Let me clarify the situation:

    1. In our SCP Destination settings we want to set up a Basic Authentication with a specified "technical user". The goal of this user is only to get connected to the back end from SCP.
2. In our ZCL_XXXXXXX_DPC_EXT service implementation class, we want to retrieve some of the P00XXX cloud user data (check the screenshot) like Company or so on... as we would do with a GET PARAMETER ID on a principal propagation scenario. But in this very case, the user who is logged in SAP system is the "technical user" we defined in SCP Destination. We are not able to know which end user is actually logged in (P000001 or P000002).

I won't recall the licensing topic as this is not the point here. This is a technical request.

    Regards,

    Olivier


  • Jul 09 at 03:37 PM

    Hi,

    I have the same issue/use case right now as you can see here.

    Is there a solution for this?

I tried it with principal propagation and added for every P-User of my IDP one entry in "EXTID_DN" and assigned the same service user "TEST01". Now I just need to access the X.509 client certificate which was used for the logon and read the external userid from the subject.

But I haven't found a way to access this information.

    Can anybody help?

    Best regards,

    Chris

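The accepted answer's point (the propagated identity must resolve to a user that exists in the backend) and the last reply's setup (every IdP P-user mapped via EXTID_DN to the one service user TEST01, with the original subject still needed by the application) can be modelled together. The following is an added example, not code from the thread and not SAP or ABAP code: it plays the role CERTRULE plays, matching the certificate subject by rule, mapping many subjects to one backend user, and keeping the original subject so the application still knows which IdP user made the request. The dict representation of certificates, the trusted-issuer list, the rule format and the sample DNs are my own assumptions; in the real stack the certificate chain is validated by the TLS layer against STRUST before any mapping runs, and this model only checks the issuer name.

```python
"""Added example (not from the thread, not SAP code): a model of the
backend-side mapping step. The subject of the propagated X.509 certificate
is matched by rule (the role CERTRULE plays), many IdP users land on one
service user (the EXTID_DN setup described in the last reply), and the
original subject is retained so the application still knows who called.

Assumptions (mine, not from the page): certificates are plain dicts whose
chains were already validated; DN strings use unescaped comma separators;
the rule format is my own, not the CERTRULE screen."""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Optional

# Stand-in for STRUST: issuers whose certificates the backend accepts.
# The real check is chain validation by the TLS layer, not a name compare.
TRUSTED_ISSUERS = {"CN=Cloud Connector CA,O=Example Corp,C=DE"}   # constructed


@dataclass(frozen=True)
class MappingRule:
    issuer: str              # only certificates from this issuer match
    subject_pattern: dict    # subject attribute -> glob pattern
    backend_user: str        # the (existing) backend user to log on as


# Constructed rules: every P-user under OU=SCP Users maps to TEST01,
# i.e. a many-to-one mapping like the EXTID_DN entries in the last reply.
RULES = [
    MappingRule("CN=Cloud Connector CA,O=Example Corp,C=DE",
                {"CN": "P[0-9]*", "OU": "SCP Users"}, "TEST01"),
]


@dataclass(frozen=True)
class Principal:
    backend_user: str   # who the backend session runs as
    external_id: str    # the IdP user taken from the certificate subject


def parse_dn(dn: str) -> dict:
    """Split 'CN=x,OU=y' into {'CN': 'x', 'OU': 'y'} (no escaped commas)."""
    parts = {}
    for rdn in dn.split(","):
        key, _, value = rdn.strip().partition("=")
        parts[key.strip().upper()] = value.strip()
    return parts


def map_certificate(cert: dict) -> Optional[Principal]:
    """Return the backend user plus the original external ID, or None when
    the issuer is untrusted or no rule matches (the case where the ABAP
    stack falls back to the HTTP logon popup described in the thread)."""
    if cert["issuer"] not in TRUSTED_ISSUERS:
        return None
    subject = parse_dn(cert["subject"])
    for rule in RULES:
        if rule.issuer != cert["issuer"]:
            continue
        if all(fnmatch(subject.get(attr, ""), pattern)
               for attr, pattern in rule.subject_pattern.items()):
            return Principal(rule.backend_user, subject["CN"])
    return None


if __name__ == "__main__":
    # Constructed certificates as the backend would see them after the TLS
    # handshake with the Cloud Connector.
    cert = {"subject": "CN=P000001,OU=SCP Users,O=Example Corp,C=DE",
            "issuer": "CN=Cloud Connector CA,O=Example Corp,C=DE"}
    print(map_certificate(cert))   # Principal(backend_user='TEST01', external_id='P000001')
```

The `external_id` field is what the application code (the `_DPC_EXT` class in the thread) would use instead of a value sent by the UI5 client: it originates from a certificate the backend validated, not from the request payload, while `backend_user` remains the single existing service user the accepted answer says is unavoidable.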