Jun 15, 2018 at 09:45 AM

oAuth Configuration between HANA XS and C4C


I'm trying to establish oAuth communication between a HANA XS Classic application and a C4C tenant to use an SSO scenario. Unfortunately, we are getting an error (see below).


Environment:

- C4C tenant in SAP Cloud

- HANA XS Classic (1.0 SPS 12) application is running on SAP Cloud Platform (NEO)

- HTML5 App is running on SAP Cloud Platform (NEO), calls HANA XS Classic Backend

- Identity Provider is Microsoft Azure Platform (using SAML2) connected to C4C and SAP Cloud Platform (Cockpit)

We were able to establish a working oAuth connection between SAP Cloud Platform Cockpit (HTML5 App) and C4C using Authentication Type "AppToAppSSO" and relevant data in the Destination. So, a user that was authenticated via Azure can work with the HTML5 App on SAP Cloud and can access C4C from that HTML5 App via SSO. Also, AppToAppSSO between HTML5 App and HANA XS Classic backend works. Nice.

However, HANA XS also needs to access C4C in the same Azure authentication for the user working in the HTML5 app. For this case, our configuration (XSHTTPDEST, XSOAUTH...) for C4C oAuth is not working. We followed these help portal sites:

https://help.sap.com/viewer/b3d0daf2a98e49ada00bf31b7ca7a42e/1.0.12/en-US/6efe500d91ee462c85cce7609646e17a.html

https://help.sap.com/viewer/b3d0daf2a98e49ada00bf31b7ca7a42e/1.0.12/en-US/935805ae7f6641289a266b67e2a76704.html


When we start a request to the C4C using an XSJS script, we get this error in XSJS trace:

2018-06-13 08:30:19.686140 e XSOAuthClient OAuthHTTPRequest.cpp(00412) : Response body: { "error":"invalid_grant","error_description":"The provided authorization grant is invalid. Exception was: There is no trust between entities and XXX.hana.ondemand.com in client 242. For more information consult the kernel traces or the OAuth 2.0 trouble shooting SAP note 1688545." }


Referring to Note https://launchpad.support.sap.com/#/notes/1688545, oAuth configuration on C4C may not be valid. We suppose that we did something wrong as we imported the certificate into the oAuth configuration on C4C side (we just exported the HANA XS certificate from the browser URL via the Security button in Chrome). Do we need a "proper" signing certificate exported from the HANA XS instance?


Thanks for any help!

xsoauthclientconfig:

{
    "clientFlavor":"XXX.XXX.oAuthTest:C4C",
    "clientID":"XXX",
    "clientAuthType":"basic",
    "authorizationEndpointURL":"/sap/bc/sec/oauth2/authorize",
    "tokenEndpointURL":"/sap/bc/sec/oauth2/token",
    "revocationEndpointURL":"/sap/bc/sec/oauth2/revoke",
    "flow":"saml2Bearer",
    "description":"OAuth Client for C4C",
    "samlIssuer":"XXX.hana.ondemand.com",
    "redirectURL":"XXX.hana.ondemand.com:443/sap/hana/xs/oAuth/lib/runtime/tokenRequest.xsjs",
    "scopeReq":"maxScopes",
    "shared":"true",
    "modifies":""
}

Please note: some info is anonymized with XXX