cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

oAuth Configuration between HANA XS and C4C

former_member542725
Discoverer

on ‎06-15-2018 10:45 AM

0 Kudos

I'm trying to establish oAuth communication between a HANA XS Classic application and a C4C tenant to use SSO scenario. Unfortunately, we are getting an error (see below).


Environment:

- C4C tenant in SAP Cloud

- HANA XS Classic (1.0 SPS 12) application is running on SAP Cloud Platform (NEO)

- HTML5 App is running on SAP Cloud Platform (NEO), calls HANA XS Classic Backend

- Identity Provider is Microsoft Azure Platform (using SAML2) connected to C4C and SAP Cloud Platform (Cockpit)

We were able to establish a working oAuth connection between SAP Cloud Platform Cockpit (HTML5 App) and C4C using Authentication Type "AppToAppSSO" and relevant data in the Destination. So, a user that was authenticated via Azure can work with the HTML5 App on SAP Cloud and can access C4C from that HTML5 App via SSO. Also, AppToAppSSO between HTML5 App and HANA XS Classic backend works. Nice.

However, HANA XS also needs to access C4C in the same azure authentication for the user working in the HTML5 app. For this case, our configuration (XSHTTPDEST, XSOAUTH...) for C4C oAuth is not working. We followed these help portal sites:

https://help.sap.com/viewer/b3d0daf2a98e49ada00bf31b7ca7a42e/1.0.12/en-US/6efe500d91ee462c85cce76096...

https://help.sap.com/viewer/b3d0daf2a98e49ada00bf31b7ca7a42e/1.0.12/en-US/935805ae7f6641289a266b67e2...


When we start a request to the C4C using an XSJS script, we get this error in XSJS trace:

2018-06-13 08:30:19.686140 e XSOAuthClient OAuthHTTPRequest.cpp(00412) : Response body: { "error":"invalid_grant","error_description":"The provided authorization grant is invalid. Exception was: There is no trust between entities and XXX.hana.ondemand.com in client 242. For more information consult the kernel traces or the OAuth 2.0 trouble shooting SAP note 1688545." }


Referring to Note https://launchpad.support.sap.com/#/notes/1688545, oAuth configuration on C4C may not be valid. We suppose, that we did something wrong as we imported the certificate into the oAuth configuration on C4C side (we just exported the HANA XS certificate from the browser url via Security button in Chrome). Do we need a "proper" signing certificate exported from HANA XS instance?


Thanks for any help!

xsoauthclientconfig:

{
"clientFlavor":"XXX.XXX.oAuthTest:C4C",
"clientID":"XXX",
"clientAuthType":"basic",
"authorizationEndpointURL":"/sap/bc/sec/oauth2/authorize", "tokenEndpointURL":"/sap/bc/sec/oauth2/token", "revocationEndpointURL":"/sap/bc/sec/oauth2/revoke",
"flow":"saml2Bearer",
"description":"OAuth Client for C4C",
"samlIssuer":"XXX.hana.ondemand.com", "redirectURL":"XXX.hana.ondemand.com:443/sap/hana/xs/oAuth/lib/runtime/tokenRequest.xsjs",
"scopeReq":"maxScopes",
"shared":"true",
"modifies":""
}

Please note: some info is anonymized with XXX

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (1)

Answers (1)

gregorw
Active Contributor
‎06-15-2018 3:16 PM

Dear Nils,

I see that the samlIssuer is currently set to :"XXX.hana.ondemand.com". As you've mentioned your Identity Provider is Microsoft Azure. To I would suggest to use that as your samlIssuer because the SAML Token is created from the Azure IdP.

Best regards
Gregor

Show replies
Show replies
former_member542725
Discoverer
‎06-19-2018 9:24 AM
0 Kudos

Dear Gregor, thanks for the answer. Actually we changed two things:

1) set samlIssuer to Azure IDP

2) Exported "own certificate" from HANA XS Admin and imported it into C4C oAuth Client

Now we have changed behaviour - when we call our test script and login with Azure Credentials, we are redirected to

https://xxx.hana.ondemand.com/sap/hana/xs/saml/login.xscfunc

and get response body

StatusCode in ResponseMessage != OK; please refer to the database trace for more information


HANA XS Engine Trace says:

2018-06-19 08:15:11.896766 e XSSession XSSessionLifecycle.cpp(00339) : Assertion authentication for user xxx.yyy@domain.tld failed with reason: Internal processing error(StatusCode: , StatusMessage: )


The user mail address is stated correctly in the trace, so authentication via Azure should be successfull, but we do not get a forward to the originally requested URL (test script).

Any ideas?


Best regards
Nils

Ask a Question