
OAuth Configuration between HANA XS and C4C

I'm trying to establish OAuth communication between a HANA XS Classic application and a C4C tenant for an SSO scenario. Unfortunately, we are getting an error (see below).


Environment:

- C4C tenant in SAP Cloud

- HANA XS Classic (1.0 SPS 12) application is running on SAP Cloud Platform (NEO)

- HTML5 App is running on SAP Cloud Platform (NEO), calls HANA XS Classic Backend

- Identity Provider is Microsoft Azure Platform (using SAML2) connected to C4C and SAP Cloud Platform (Cockpit)

We were able to establish a working OAuth connection between SAP Cloud Platform Cockpit (HTML5 App) and C4C using Authentication Type "AppToAppSSO" and the relevant data in the Destination. So, a user that was authenticated via Azure can work with the HTML5 App on SAP Cloud and can access C4C from that HTML5 App via SSO. Also, AppToAppSSO between the HTML5 App and the HANA XS Classic backend works. Nice.

However, HANA XS also needs to access C4C with the same Azure authentication for the user working in the HTML5 app. For this case, our configuration (XSHTTPDEST, XSOAUTH...) for C4C OAuth is not working. We followed these help portal pages:

https://help.sap.com/viewer/b3d0daf2a98e49ada00bf31b7ca7a42e/1.0.12/en-US/6efe500d91ee462c85cce7609646e17a.html

https://help.sap.com/viewer/b3d0daf2a98e49ada00bf31b7ca7a42e/1.0.12/en-US/935805ae7f6641289a266b67e2a76704.html


When we start a request to the C4C using an XSJS script, we get this error in XSJS trace:

2018-06-13 08:30:19.686140 e XSOAuthClient OAuthHTTPRequest.cpp(00412) : Response body: { "error":"invalid_grant","error_description":"The provided authorization grant is invalid. Exception was: There is no trust between entities and XXX.hana.ondemand.com in client 242. For more information consult the kernel traces or the OAuth 2.0 trouble shooting SAP note 1688545." }


Referring to Note https://launchpad.support.sap.com/#/notes/1688545, the OAuth configuration on C4C may not be valid. We suppose that we did something wrong when we imported the certificate into the OAuth configuration on the C4C side (we just exported the HANA XS certificate from the browser URL via the Security button in Chrome). Do we need a "proper" signing certificate exported from the HANA XS instance?


Thanks for any help!

xsoauthclientconfig:

{
  "clientFlavor": "XXX.XXX.oAuthTest:C4C",
  "clientID": "XXX",
  "clientAuthType": "basic",
  "authorizationEndpointURL": "/sap/bc/sec/oauth2/authorize",
  "tokenEndpointURL": "/sap/bc/sec/oauth2/token",
  "revocationEndpointURL": "/sap/bc/sec/oauth2/revoke",
  "flow": "saml2Bearer",
  "description": "OAuth Client for C4C",
  "samlIssuer": "XXX.hana.ondemand.com",
  "redirectURL": "XXX.hana.ondemand.com:443/sap/hana/xs/oAuth/lib/runtime/tokenRequest.xsjs",
  "scopeReq": "maxScopes",
  "shared": "true",
  "modifies": ""
}

Please note: some info is anonymized with XXX


1 Answer

  • Jun 15 at 02:16 PM

    Dear Nils,

    I see that the samlIssuer is currently set to "XXX.hana.ondemand.com". As you've mentioned, your Identity Provider is Microsoft Azure. I would suggest using that as your samlIssuer, because the SAML token is created by the Azure IdP.

    Best regards
    Gregor
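The trust check behind the "no trust between entities" error, modelled as an added example for this thread. It is not SAP code and does not come from the question or the answer above; it shows what a token endpoint verifies on a SAML 2.0 bearer grant (RFC 7522) before it exchanges the assertion for a token: the assertion's <Issuer> must match the configured samlIssuer and be a known issuer, and the certificate carried in the assertion's signature must be one the resource side (C4C) has imported. A TLS server certificate exported from the browser is normally a different key pair from the XS "own certificate", so its fingerprint will not match, which is exactly the distinction the question is asking about. All certificate bytes, the audience URN, the user name and the function names are constructed for the example; XML signature validation itself is out of scope.

```python
"""Issuer / certificate trust check for a SAML 2.0 bearer OAuth grant.

Added example, not code from SAP or from this thread. Everything below
that looks like a certificate or an endpoint is constructed test data.
"""
import base64
import hashlib
import urllib.parse
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-ins for DER-encoded certificates. In a real check you
# would load the PEM exported from XS Admin ("own certificate") and the one
# the browser's Security dialog exported (the TLS server certificate).
XS_SIGNING_DER = b"constructed-der-of-the-xs-own-certificate"
TLS_SERVER_DER = b"constructed-der-of-the-tls-server-certificate"

# Assumed audience identifier for the C4C token endpoint (hypothetical).
C4C_TOKEN_AUDIENCE = "urn:example:c4c:sap/bc/sec/oauth2/token"

SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon form 'openssl x509 -fingerprint' prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def build_assertion(issuer: str, audience: str, name_id: str, signing_der: bytes) -> str:
    """Constructed assertion skeleton with the fields the trust check reads.

    The ds:Signature element only carries the signer certificate here; no
    real signature value is produced, so this is input for the check, not
    something a token endpoint would accept as-is.
    """
    cert_b64 = base64.b64encode(signing_der).decode()
    return (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}" xmlns:ds="{NS["ds"]}" ID="_1" Version="2.0">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f"<ds:Signature><ds:KeyInfo><ds:X509Data>"
        f"<ds:X509Certificate>{cert_b64}</ds:X509Certificate>"
        f"</ds:X509Data></ds:KeyInfo></ds:Signature>"
        f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
        f"<saml:Conditions><saml:AudienceRestriction>"
        f"<saml:Audience>{audience}</saml:Audience>"
        f"</saml:AudienceRestriction></saml:Conditions>"
        f"</saml:Assertion>"
    )


def check_trust(assertion_xml: str, client_cfg: dict, trusted_issuers: set,
                trusted_fingerprints: set, expected_audience: str) -> list:
    """Return the list of reasons the grant would be rejected; [] means it passes.

    client_cfg is the xsoauthclientconfig dict from the XS side; the other
    arguments model what the resource side (C4C) has imported.
    """
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    cert_b64 = root.findtext(".//ds:X509Certificate", namespaces=NS)
    audience = root.findtext(".//saml:Audience", namespaces=NS)

    problems = []
    if issuer != client_cfg["samlIssuer"]:
        problems.append(f"assertion issuer {issuer!r} differs from samlIssuer {client_cfg['samlIssuer']!r}")
    if issuer not in trusted_issuers:
        problems.append(f"no trust between entities {issuer!r} and the token endpoint")
    if cert_b64 is None:
        problems.append("assertion carries no signer certificate")
    else:
        fpr = fingerprint(base64.b64decode(cert_b64))
        if fpr not in trusted_fingerprints:
            problems.append(f"signer certificate {fpr[:23]}... is not imported on the resource side")
    if audience != expected_audience:
        problems.append(f"audience {audience!r} is not the token endpoint")
    return problems


def token_request_body(assertion_xml: str) -> str:
    """Form body of the RFC 7522 token request: base64url assertion, no padding."""
    assertion = base64.urlsafe_b64encode(assertion_xml.encode()).rstrip(b"=").decode()
    return urllib.parse.urlencode({"grant_type": SAML2_BEARER, "assertion": assertion})


def demo() -> dict:
    """Run the check with the XS own certificate and with the TLS certificate."""
    cfg = {"samlIssuer": "XXX.hana.ondemand.com"}
    trusted = {cfg["samlIssuer"]}
    imported = {fingerprint(XS_SIGNING_DER)}  # what C4C should have imported
    good = build_assertion(cfg["samlIssuer"], C4C_TOKEN_AUDIENCE, "user@domain.tld", XS_SIGNING_DER)
    wrong_cert = build_assertion(cfg["samlIssuer"], C4C_TOKEN_AUDIENCE, "user@domain.tld", TLS_SERVER_DER)
    return {
        "own_certificate": check_trust(good, cfg, trusted, imported, C4C_TOKEN_AUDIENCE),
        "tls_certificate": check_trust(wrong_cert, cfg, trusted, imported, C4C_TOKEN_AUDIENCE),
    }


if __name__ == "__main__":
    for case, problems in demo().items():
        print(case, "->", problems or "trust check passes")
```

Running it shows the own-certificate case passing and the TLS-certificate case failing only on the fingerprint, which is the first thing to compare (XS Admin export versus C4C import) before touching samlIssuer; a certificate fingerprint from `openssl x509 -fingerprint -sha256` on both exported files gives the same answer without any code.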


    • Dear Gregor, thanks for the answer. Actually we changed two things:

      1) set samlIssuer to Azure IDP

      2) Exported "own certificate" from HANA XS Admin and imported it into C4C oAuth Client

      Now the behaviour has changed: when we call our test script and log in with Azure credentials, we are redirected to

      https://xxx.hana.ondemand.com/sap/hana/xs/saml/login.xscfunc

      and get response body

      StatusCode in ResponseMessage != OK; please refer to the database trace for more information


      HANA XS Engine Trace says:

      2018-06-19 08:15:11.896766 e XSSession XSSessionLifecycle.cpp(00339) : Assertion authentication for user xxx.yyy@domain.tld failed with reason: Internal processing error(StatusCode: , StatusMessage: )


      The user's mail address is stated correctly in the trace, so authentication via Azure should be successful, but we are not forwarded to the originally requested URL (test script).

      Any ideas?


      Best regards
      Nils