|
| 1 | +--- |
| 2 | +auto_validation: true |
| 3 | +time: 20 |
| 4 | +tags: [ tutorial>intermediate, programming-tool>abap-development, software-product>sap-s-4hana-cloud] |
| 5 | +primary_tag: software-product>sap-btp--abap-environment |
| 6 | +author_name: Achim Seubert |
| 7 | +author_profile: https://github.com/achimseubert |
| 8 | +parser: v2 |
| 9 | +--- |
| 10 | + |
| 11 | +# Integrate SAP BTP ABAP Environment and SAP S/4HANA Cloud, public edition using the OAuth 2.0 SAML Bearer Assertion Flow |
| 12 | + |
| 13 | +<!-- description --> Integrate SAP BTP, ABAP environment and SAP S/4HANA Cloud, public edition using the OAuth 2.0 SAML Bearer Assertion Flow. This tutorial takes an existing integration based on Basic Authentication and configures the more complex authentication mechanism to enable the usage of principal propagation. |
| 14 | + |
| 15 | +## Prerequisites |
| 16 | + |
| 17 | +- This is the third tutorial of this tutorial group. Please complete the tutorial [Implement an Outbound Service Call in SAP BTP ABAP environment](abap-environment-business-partner-outbound-call) and the tutorial [Integrating an SAP BTP, ABAP Environment and an SAP S/4HANA Cloud, public edition System using Basic Authentication](abap-environment-business-partner-basic-auth) before proceeding. The prerequisites of the previous tutorials apply. |
| 18 | +- The custom communication scenario that is used must be enabled for outbound connectivity using **OAuth 2.0**, with **SAML 2.0 Bearer Assertion** as the grant type. |
| 19 | + |
| 20 | +## You will learn |
| 21 | + |
| 22 | +- How to configure **OAuth 2.0** for outbound connectivity. |
| 23 | +- How to configure an **OAuth 2.0 Identity Provider** for inbound connectivity. |
| 24 | + |
| 25 | +## Intro |
| 26 | +> |
| 27 | +>In this tutorial, all activities on S/4HANA Cloud side will be performed in the **customizing tenant** (100) of your **development system**. |
| 28 | +
|
| 29 | +### Understand the OAuth 2.0 SAML Bearer Assertion Flow |
| 30 | + |
| 31 | +The **OAuth 2.0 SAML Bearer Assertion** flow works as follows: |
| 32 | + |
| 33 | +At design time, the OAuth 2.0 client, in our case a system in the SAP BTP, ABAP environment, is signed up to the authorization server, in our case the SAP S/4HANA Cloud, public edition system. The authorization server provides the clients credentials. |
| 34 | + |
| 35 | +At run time, the OAuth 2.0 client sends the following information to the token endpoint of the authorization server (1): |
| 36 | + |
| 37 | +- SAML Bearer Assertion (authorization grant) |
| 38 | +- Client ID |
| 39 | +- Client secret or client certificate |
| 40 | + |
| 41 | +The authorization server authenticates the OAuth 2.0 client with its credentials (client id and client secret or client certificate), validates the SAML Bearer assertion, and, if the SAML Bearer assertion is validated successfully, the authorization server issues an access token (2). |
| 42 | + |
| 43 | +The OAuth 2.0 client sends the access token to the resource server – in our case the SAP S/4HANA Cloud, public edition system – to access the protected resource (3). The protected resource validates the access token and, if valid, grants access. |
| 44 | + |
| 45 | + |
| 46 | + |
| 47 | +The SAML Bearer Assertion is an XML document. It contains the information about the principal to be propagated. This information is stored in the `<saml.Subject><saml:NameID>` element of the XML document. It provides the actual ID and its format. |
| 48 | + |
| 49 | +To validate the SAML Bearer Assertion, the authorization server needs to trust the issuer of the SAML Bearer assertion – in our case, the system in the SAP BTP, ABAP Environment. |
| 50 | + |
| 51 | +### Get OAuth 2.0 Endpoint Information |
| 52 | + |
| 53 | +As an administrator in SAP S/4HANA Cloud, public edition system, you will derive the information of the endpoint and audience needed to set up the OAuth 2.0 communication. |
| 54 | + |
| 55 | +1. Open the SAP Fiori Launchpad of your SAP S/4HANA Cloud, public edition system |
| 56 | + |
| 57 | +2. Open the **Communication Systems** app and access the **Own SAP Cloud System**. You can filter for the **Own SAP Cloud System** via the **Adapt Filters** button. |
| 58 | + |
| 59 | +  |
| 60 | + |
| 61 | +3. In the General section copy the **OAuth 2.0 SAML2 Audience** and **OAuth 2.0 Confidential Client Token Service URL**. Store it for later use. |
| 62 | + |
| 63 | +  |
| 64 | + |
| 65 | +### Add OAuth 2.0 Client to Communication System in SAP BTP ABAP environment |
| 66 | + |
| 67 | +As an administrator in SAP BTP ABAP environment, adjust your communication system to support the **OAuth 2.0** authentication method for outbound connectivity. |
| 68 | + |
| 69 | +1. Open SAP Fiori Launchpad of your SAP BTP ABAP environment system. |
| 70 | + |
| 71 | +2. Open the **Communication Systems** app and access Communication System `ZBPA2X_COM_SYS_S4H` |
| 72 | + |
| 73 | +3. Choose **Edit** |
| 74 | + |
| 75 | +4. In section **OAuth 2.0 Settings** set |
| 76 | + <ol type="a"><li>Token Endpoint: **OAuth 2.0 Confidential Client Token Service URL** (derived in STEP 1) |
| 77 | + </li><li>Audience: **OAuth 2.0 SAML2 Audience** (derived in STEP 1) |
| 78 | + |
| 79 | + </li></ol> |
| 80 | + |
| 81 | +5. In section **Users for Outbound Communication** |
| 82 | + <ol type="a"><li>Choose `+` |
| 83 | + </li><li>Choose Authentication Method **OAuth 2.0** |
| 84 | + </li><li>Provide OAuth 2.0 Client ID: Username of communication user created in [Step 'Create a Communication User' of the previous tutorial](abap-environment-business-partner-basic-auth) (`ZBPA2X_COM_USER`) |
| 85 | + </li><li>Provide Client Secret: Password of communication user created in [Step 'Create a Communication User' of the previous tutorial](abap-environment-business-partner-basic-auth). Here you reuse the communication user in order to sign up to the OAuth 2.0 client. |
| 86 | + |
| 87 | +  |
| 88 | + |
| 89 | + </li><li>Choose **Create**</li></ol> |
| 90 | + |
| 91 | +6. Choose **Save** to save the communication system |
| 92 | + |
| 93 | +### Modify Communication Arrangement in SAP BTP ABAP environment to use Authentication OAuth 2.0 |
| 94 | + |
| 95 | +As an administrator in SAP BTP ABAP environment, configure your communication arrangement to use the authentication **OAuth 2.0** for outbound connectivity. |
| 96 | + |
| 97 | +1. In the SAP Fiori Launchpad, open the **Communication Arrangements** app |
| 98 | + |
| 99 | +2. Navigate to Communication Arrangement `ZBPA2X_CA_OUTBOUND` |
| 100 | + |
| 101 | +3. Choose **Edit** |
| 102 | + |
| 103 | +4. In Section **Outbound Communication**: |
| 104 | + <ol type="a"><li>Select newly maintained outbound communication user of type OAuth 2.0 for Outbound Communication |
| 105 | + |
| 106 | +  |
| 107 | + |
| 108 | +  |
| 109 | + |
| 110 | + </li><li>Note down the **SAML2 Issuer**, make sure SAML2 Identifier is **E-Mail** |
| 111 | + |
| 112 | + </li></ol> |
| 113 | + |
| 114 | +5. Choose **Save** to save the Communication Arrangement |
| 115 | + |
| 116 | +### Obtain Signing Certificate |
| 117 | + |
| 118 | +As an administrator in SAP BTP ABAP environment, obtain a signing certificate for the system. This certificate will allow the SAP S/4HANA Cloud, public edition system to trust the SAP BTP ABAP environment system. |
| 119 | + |
| 120 | +1. Stay in communication arrangement `ZBPA2X_CA_OUTBOUND` |
| 121 | + |
| 122 | +2. Choose button **Download** > **Download Signing Certificate** |
| 123 | + |
| 124 | +  |
| 125 | + |
| 126 | +3. Note down where the file was saved, for later use |
| 127 | + |
| 128 | +### Upload Signing Certificate in Communication System in SAP S/4HANA Cloud, public edition |
| 129 | + |
| 130 | +As an administrator in SAP S/4HANA Cloud, public edition, configure your communication system to trust the **OAuth 2.0 Identity Provider** of the SAP BTP, ABAP environment system using the previously obtained signing certificate. This will enable **OAuth 2.0** authentication for the exposed remote service. |
| 131 | + |
| 132 | +1. Open the SAP Fiori Launchpad of the customizing tenant (100) of your SAP S/4HANA Cloud, public edition development system. |
| 133 | + |
| 134 | +2. Access the **Communication Systems** app and open communication system `ZBPA2X_COM_SYS` |
| 135 | + |
| 136 | +3. Choose **Edit** |
| 137 | + |
| 138 | +4. Enable OAuth2.0 Identity Provider section |
| 139 | + <ol type="a"><li>Provide **OAuth 2.0 SAML Issuer**: Noted down in STEP 4 |
| 140 | + </li><li>Choose **Upload Signing Certificate** button |
| 141 | + </li><li>Upload the certificate obtained in STEP 5 |
| 142 | + |
| 143 | + </li></ol> |
| 144 | + |
| 145 | +5. Choose **Save** to save the Communication System |
| 146 | + |
| 147 | +6. An additional User for Inbound Communication with Authentication Method OAuth 2.0 is created automatically |
| 148 | + |
| 149 | +  |
| 150 | + |
| 151 | +### Modify Communication Arrangement in SAP S/4HANA Cloud, public edition to use Authentication OAuth 2.0 |
| 152 | + |
| 153 | +As an administrator in SAP S/4HANA Cloud, public edition, configure your communication arrangement to use the authentication method **OAuth 2.0** for inbound connectivity. |
| 154 | + |
| 155 | +1. Open communication arrangement `ZBPA2X_CA_INBOUND` |
| 156 | + |
| 157 | +2. Choose button **Edit** |
| 158 | + |
| 159 | +3. In the **Inbound Communication** section select newly maintained inbound communication user of type OAuth 2.0 for Inbound Communication |
| 160 | + |
| 161 | +  |
| 162 | + |
| 163 | +  |
| 164 | + |
| 165 | +4. Choose **Save** to save the Communication Arrangement |
| 166 | + |
| 167 | +5. A new button appears: **OAuth 2.0 Details**, this will be needed in the next step |
| 168 | + |
| 169 | +  |
| 170 | + |
| 171 | +### Determine Business Catalogs for Service Authorization |
| 172 | + |
| 173 | +Now you must determine the business catalogs, which enable your S/4HANA Cloud business user for business partner creation. The determination is done as follows: |
| 174 | + |
| 175 | +1. In the communication arrangement **Inbound Communication** section, choose button **OAuth 2.0 Details** |
| 176 | + |
| 177 | +2. In the OAuth 2.0 Details Popup, mark `API_BUSINESS_PARTNER_0001` OAuth 2.0 Scope ID |
| 178 | + |
| 179 | +3. Choose button **Granted by Business Catalogs** |
| 180 | + |
| 181 | +  |
| 182 | + |
| 183 | +4. In the OAuth 2.0 Details popup you can see the business catalogs, which enable your S/4HANA Cloud business user for business partner creation. |
| 184 | + |
| 185 | +  |
| 186 | + |
| 187 | + E.g. business catalog `SAP_CMD_BC_BP_MAINT_PC` is contained in business role `BR_BUPA_MASTER_SPECIALIST`. This business role is used in this tutorial to authorize the business user to create a business partner. |
| 188 | + |
| 189 | +5. Choose button **Close** |
| 190 | + |
| 191 | +### Execute Business Partner Service Call |
| 192 | + |
| 193 | +As a developer in **SAP BTP, ABAP environment**, you can now execute the console application. |
| 194 | + |
| 195 | +1. In ADT, open the project for your SAP BTP ABAP environment system |
| 196 | + |
| 197 | +2. Navigate to the Console Application `ZBPA2X_CL_CLASSRUN` |
| 198 | + |
| 199 | +3. If you have previously executed your code, change it to create a business partner with different properties |
| 200 | + |
| 201 | +4. Right click on the class and choose **Run As** > **ABAP Application (Console)** |
| 202 | + |
| 203 | +5. Note down the Business Partner number that is written to the Console for later use |
| 204 | + |
| 205 | +  |
| 206 | + |
| 207 | +### Verify Business Partner |
| 208 | + |
| 209 | +You should now verify that the business partner was successfully created in your SAP S/4HANA Cloud, public edition system. |
| 210 | + |
| 211 | +1. Open the SAP Fiori Launchpad of your SAP S/4HANA Cloud, public edition system. |
| 212 | + |
| 213 | +2. Access the Manage Business Partner Master Data app |
| 214 | + |
| 215 | +3. Enter the created Business Partner number in the related field and press the **Go** button. Check data of the created business service. |
| 216 | + |
| 217 | +  |
| 218 | + |
| 219 | +4. Display column **Created By** via the settings button. |
| 220 | + |
| 221 | +  |
| 222 | + |
| 223 | +  |
| 224 | + |
| 225 | +5. Check the data of the created business partner. See that the user was created by the technical communication user, and not by your own business user |
| 226 | + |
| 227 | +  |
| 228 | + |
| 229 | +You have now verified that the integration of SAP BTP, ABAP environment and your SAP S/4HANA Cloud, public edition system, using the OAuth 2.0 SAML Bearer Assertion authentication flow, indeed works. |
| 230 | + |
| 231 | +You will see that the business partner was created by your business user in that system, and not by a technical communication user. Your identity is thus propagated from SAP BTP ABAP environment to the SAP S/4HANA Cloud, public edition system and used to consume the service. For this reason, it is necessary for your S/4HANA Cloud business user to be authorized for business partner creation, which is achieved by assigning business role `BR_BUPA_MASTER_SPECIALIST` to the user. Without the role assignment, the remote service call fails with an authorization error. |
| 232 | + |
| 233 | +### Test yourself |
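Review bot: step 5 of "Verify Business Partner" contradicts the closing paragraph of the same section. The step says "See that the user was created by the technical communication user, and not by your own business user", while the paragraph two lines later states that the business partner was created by your business user and not by the technical communication user, which is the whole point of the principal propagation the tutorial sets up. Please invert or drop the step-5 sentence (and "the user was created" there should read "the business partner was created") so the **Created By** check agrees with the explanation. Smaller points in the same hunk: in "Understand the OAuth 2.0 SAML Bearer Assertion Flow" the element path `<saml.Subject><saml:NameID>` should be `<saml:Subject><saml:NameID>` (the namespace prefix takes a colon); in "Verify Business Partner" step 3, "Check data of the created business service" should be "business partner"; and since the communication arrangement step requires the SAML2 Identifier to be **E-Mail**, it would help to state what that e-mail must match on the SAP S/4HANA Cloud side, because the text never says how the propagated NameID is mapped to the business user that holds `BR_BUPA_MASTER_SPECIALIST`.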