Creating an HTTP destination with OAuth2SAMLBearerAssertion authentication

ChrisPaine
Active Contributor
0 Kudos

Hi All,

I'm trying to create an HTTP destination with OAuth2SAMLBearerAssertion authentication.

However, I'm at a loss as where to put the secret/private key. It should be part of the call to the token service so must be populated somewhere. But where? I'm guessing if I create a destination via a file, there is some parameter that I could set that should contain this key, but I'm not sure what it is - certainly there is nowhere on the HCP cockpit screen that I can use.

Downloading an existing destination that works, it looks like there is an additional "Password" parameter, but when I populate that with the private key, my connection still doesn't work.

Is there a special format that this private key must be entered into the destination file?

Many thanks for your help!

Cheers,

Chris

Accepted Solutions (1)


Former Member
0 Kudos

Hi Chris,

here's a link to the documentation of this authentication type:

SAP HANA Cloud Platform

You can configure the destination using the cloud cockpit, see example below. The client key should go into the technical parameter "clientKey" (if you upload the destination via file), or in the respective field in the editor.

Does this answer your question?

Best regards, Timo

ChrisPaine
Active Contributor
0 Kudos

Hi Timo,

unfortunately not.

There is also a need to pass the private key to the token generation - or to somehow get the public key that is used by HCP so that I can populate that into my remote system.

e.g. for getting a SAML assert from SuccessFactors I can use (values abbreviated and altered)

https://apisalesdemo8.successfactors.com/oauth/idp?client_id=NWI2YTMyOTdiNjA0ZmYy...kZjM2NTU2NQ&user...

This generates a SAML assertion (nice of them) that I can use to get a token.

https://apisalesdemo8.successfactors.com/oauth/token?company_id=HCPDISCC&assertion=PD94bWwgdmVy..==&...

The receiving system (SuccessFactors) checks the SAML assert against the public key I have maintained against the client key on their side and grants the OAuth token which is used for subsequent authorisation.

So somewhere I need to either - populate the system I am calling with a public key for the private key that is being used to sign the SAML assertion, or somehow pass the private key for the public key that is being used on the called system.

I can't figure out how to do that, I'm guessing that perhaps it is more that there is a public key that I should be using on the receiving end, but not sure where I could find that.

here's a screenshot of a working SuccessFactors connection...

and no TrustStoreLocation so - I don't think it's using a truststore for the certificate...


according to the doco - When the OAuth authorization server is called, it accepts the trust settings of the destination.

Perhaps it is using the public key of the Local Service Provider in "Trust"? Certainly if this is the case it's not very obvious! (but I'm going to try!)

Cheers,


Chris

Former Member
0 Kudos

Hi Chris,

ok, got it, you are asking how to set up the trust between the HCP service provider and the SFSF IdP.

There are some manual steps needed to do this. I have to check with the colleagues where this is documented and will get back to you then again.

Regards,

Timo

ChrisPaine
Active Contributor
0 Kudos

Hi Timo,

nope I've already got trust configured and working - can SSO from SFSF to HCP and use the SFSF IdP to log into HCP.

it's just getting the OAuth working for the OData interface. I have it working on one account but not the other, and as I didn't set it up the first time, am struggling to set up this time.

Perhaps this is setting up "trust between HCP service provider and SFSF IdP"! I'm really not sure, but am pretty sure if my understanding of the SAML OAuth Bearer process is correct (and given I've actually written my own code to do this in past, I'm pretty sure it is.) There is a need to sign the SAML assertion with a private key and provide the public key to the system you are authenticating to.

...

pause for moment to check something...

...

OK - I've got it!

in SuccessFactors in the Manage OAuth2 Clients area, copy paste the "signing certificate" from the HCP Cockpit - Local Service Provider tab in the Trust Management section into the SFSF *X.509 Certificate field of the created client application...

the SAML assertion is signed using the "Signing Key", the "Signing Certificate" is the public key.

Would be great if the doco made this a little clearer!

Thanks for your help!

Cheers,


Chris

Former Member
0 Kudos

Hi Chris,

yes, the flow of certificates is as you summarized. There is a document available that describes all this, but unfortunately not (yet?) publicly available. I will follow up on this. 

We also had some discussions already internally that this whole flow is over-complex and should be handled under the hood automatically for the user, when it comes to well-known extensions for e.g. SFSF. So we are working on making this easier in the future.

Regards,

Timo

Answers (2)


Former Member
0 Kudos

Hi Chris,

I am trying to create a destination from HCP to SuccessFactors, but I do not know where to get the Client Key. Can you tell me how you did it?

Thank you in advance,

Neili

stanimir_ivanov
Participant
0 Kudos

Hi Neili,

The Client Key, which you have to set in the destination configuration, is the API Key of the OAuth 2 Client in SuccessFactors.

Hope that helps.


Regards,
Stanimir

Former Member
0 Kudos

Hi there,

I am trying to achieve the same scenario and did what was described here, but somehow I still can't connect to SF and the log says

Cannot return OAuth 2.0 SAML Bearer Assertion because of com.sap.core.connectivity.apiext.impl.authentication.assertion.oauth.OAuthTokenGenerationException: Could not generate OAuth 2.0 SAML Bearer Assertion token.

my Destinationfile looks like

SuccessFactors is properly configured, under "Manage OAUTH Client Applications" our HCP Account is set and the X.509 Certificate equals the Signing Certificate from HCP Trust Settings.

Can one of you give me a hint what is missing?

Thanks in advance

Regards

mathias

stanimir_ivanov
Participant
0 Kudos

Hi Mathias,

What I see, from your screenshot, is that you're missing one important "Additional Property" in your destination. That is the "assertionIssuer". The value for it should be the same as the value for the "Client Key".

Regards,

Stanimir

Former Member
0 Kudos

Hi Stanimir,

thanks for the reply. I just tried that now but the same result as before. To clarify for my understanding:

"Client Key" is equal to SF OAUTH client api key?

stanimir_ivanov
Participant
0 Kudos

Hi Mathias,


Yes, Client Key is equal to SF OAuth Client API key.

Can you provide more logs, probably to increase the Apache wire logs to DEBUG level in order to understand what the problem is?

Regards,

Stanimir

Former Member
0 Kudos

OK, I switched DEBUG logging on. Which one do you need?
I can see the token post with correct company_id, client_id and assertion but the response code is 401 and therefore the system crashes

edit: how can I format the dump better?

2015 08 25 11:11:09#+00#ERROR#org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/HCP-MSS-Role-Assignment-0.0.1-SNAPSHOT].[com.tts.hcp.service.TestServlet]##maerkama#http-bio-8041-exec-6#na#add6e064f#mssroleassigment#web#add6e064f#Servlet.service() for servlet [com.tts.hcp.service.TestServlet] in context with path [/HCP-MSS-Role-Assignment-0.0.1-SNAPSHOT] threw exceptionjava.lang.RuntimeException: System headers cannot be generated due to : com.sap.core.connectivity.httpdestination.common.HeaderGenerationException: Cannot return OAuth 2.0 SAML Bearer Assertion because of com.sap.core.connectivity.apiext.impl.authentication.assertion.oauth.OAuthTokenGenerationException: Could not generate OAuth 2.0 SAML Bearer Assertion token.
    at com.sap.core.connectivity.httpdestination.impl.AbstractHttpClientWrapper.injectHeaders(AbstractHttpClientWrapper.java:89)
    at com.sap.core.connectivity.httpdestination.impl.AbstractHttpClientWrapper.convertHttpRequest(AbstractHttpClientWrapper.java:79)
    at com.sap.core.connectivity.httpdestination.impl.AbstractHttpClientWrapper.convertHttpUriRequest(AbstractHttpClientWrapper.java:57)
    at com.sap.core.connectivity.httpdestination.impl.HttpClientWrapper.execute(HttpClientWrapper.java:34)
    at com.tts.hcp.service.TestServlet.doGet(TestServlet.java:77)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:735)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at com.sap.core.communication.server.CertValidatorFilter.doFilter(CertValidatorFilter.java:321)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.eclipse.virgo.web.enterprise.security.valve.OpenEjbSecurityInitializationValve.invoke(OpenEjbSecurityInitializationValve.java:44)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:614)
    at com.sap.core.jpaas.security.auth.service.lib.AbstractAuthenticator.invoke(AbstractAuthenticator.java:205)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:957)
    at com.sap.core.tenant.valve.TenantValidationValve.invokeNextValve(TenantValidationValve.java:215)
    at com.sap.core.tenant.valve.TenantValidationValve.invoke(TenantValidationValve.java:94)
    at com.sap.js.statistics.tomcat.valve.RequestTracingValve.invoke(RequestTracingValve.java:24)
    at com.sap.core.js.monitoring.tomcat.valve.RequestTracingValve.invoke(RequestTracingValve.java:25)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:423)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1079)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:620)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:812)
Caused by: com.sap.core.connectivity.httpdestination.common.HeaderGenerationException: Cannot return OAuth 2.0 SAML Bearer Assertion because of com.sap.core.connectivity.apiext.impl.authentication.assertion.oauth.OAuthTokenGenerationException: Could not generate OAuth 2.0 SAML Bearer Assertion token.
    at com.sap.core.connectivity.httpdestination.impl.headerproviders.AbstractAssertionHeaderProvider.injectHeaders(AbstractAssertionHeaderProvider.java:28)
    at com.sap.core.connectivity.httpdestination.impl.AbstractHttpClientWrapper.injectHeaders(AbstractHttpClientWrapper.java:87)
    ... 35 common frames omitted
Caused by: com.sap.core.connectivity.apiext.impl.authentication.assertion.oauth.OAuthTokenGenerationException: Could not generate OAuth 2.0 SAML Bearer Assertion token.
    at com.sap.core.connectivity.apiext.impl.authentication.assertion.oauth.OAuthTokenGenerator.generateOAuthToken(OAuthTokenGenerator.java:21)
    at com.sap.core.connectivity.apiext.impl.authentication.assertion.oauth.OAuthTokenCache.generateValue(OAuthTokenCache.java:25)
    at com.sap.core.connectivity.apiext.impl.authentication.assertion.oauth.OAuthTokenCache.generateValue(OAuthTokenCache.java:1)
    at com.sap.core.connectivity.apiext.impl.authentication.assertion.oauth.OAuthCache$OAuthCacheEntry.generateValue(OAuthCache.java:114)
    at com.sap.core.connectivity.apiext.impl.authentication.assertion.oauth.OAuthCache$OAuthCacheEntry.getValue(OAuthCache.java:99)
    at com.sap.core.connectivity.apiext.impl.authentication.assertion.oauth.OAuthCache.getValue(OAuthCache.java:27)
    at com.sap.core.connectivity.apiext.impl.authentication.assertion.oauth.OAuth2SAMLBearerAssertionProvider.getAssertionToken(OAuth2SAMLBearerAssertionProvider.java:49)
    at com.sap.core.connectivity.apiext.impl.authentication.assertion.AbstractAssertionProvider.getAssertionToken(AbstractAssertionProvider.java:30)
    at com.sap.core.connectivity.httpdestination.impl.headerproviders.AbstractAssertionHeaderProvider.injectHeaders(AbstractAssertionHeaderProvider.java:25)
    ... 36 common frames omitted
Caused by: java.io.IOException: Unexpected response from oAuth token service 'https://api.successfactors.eu/odata/v2/oauth/token': 401
text/plain;charset=utf-8
    at com.sap.core.connectivity.apiext.impl.authentication.assertion.oauth.OAuthTokenServiceClient.readOAuthTokenResponse(OAuthTokenServiceClient.java:160)
    at com.sap.core.connectivity.apiext.impl.authentication.assertion.oauth.OAuthTokenServiceClient.access$1(OAuthTokenServiceClient.java:146)
    at com.sap.core.connectivity.apiext.impl.authentication.assertion.oauth.OAuthTokenServiceClient$1.execute(OAuthTokenServiceClient.java:187)
    at com.sap.core.connectivity.apiext.impl.authentication.assertion.oauth.OAuthTokenServiceClient$1.execute(OAuthTokenServiceClient.java:1)
    at com.sap.core.connectivity.apiext.impl.ConnectivityClient.execute(ConnectivityClient.java:118)
    at com.sap.core.connectivity.apiext.impl.ConnectivityClient.execute(ConnectivityClient.java:103)
    at com.sap.core.connectivity.apiext.impl.authentication.assertion.oauth.OAuthTokenServiceClient.retrieveOAuthToken(OAuthTokenServiceClient.java:183)
    at com.sap.core.connectivity.apiext.impl.authentication.assertion.oauth.OAuthTokenGenerator.generateOAuthToken(OAuthTokenGenerator.java:19)
    ... 44 common frames omitted

stanimir_ivanov
Participant
0 Kudos

Hi Mathias,

The 401 response from the token service means that the OAuth Client key (API key) that you configure in the destination:

  1. Is disabled.
  2. Does not exist.
  3. Company has expired license.
  4. Company does not exist.
  5. Company is not currently active.
  6. The API key set for "Client Key" in the destination is different than the API key set for the "assertionIssuer" property.
  7. The API key used in the destination is created with different x.509 certificate than HCP account's certificate.

I assume 3-5 are not valid for your case so you can either check the rest of the options or you can put the "org.apache.http.wire" logger to DEBUG log level.

That will give info which of the above problems is the one you have in your configuration.

Hope that helps.

Regards,
Stanimir

Former Member
0 Kudos

Hi Stanimir,

I switched the logger to DEBUG but the only thing I see is:

2015 08 26 06:29:45#+00#DEBUG#org.apache.http.wire##SF-USERNAME#http-bio-8041-exec-10#na#ACCOUNT#mssroleassigment#web#ACCOUNT#>> "GET /rest/configuration/tenant/FunnyNumbers/connectivity/ttstest HTTP/1.1[\r][\n

which returns an 404 and message

2015 08 26 06:29:45#+00#DEBUG#org.apache.http.wire##SF-USERNAME#http-bio-8041-exec-10#na#ACCOUNT#mssroleassigment#web#ACCOUNT#<< ""Configuration with the respective path and name was not found.""

But the destination is there and called later by com.sap.core.jpaas.security.saml2.service.SAML2BearerGenerationService

But the actual OAuth call is made later and is still returning 401 but no wire log does show up.

Regards

Mathias

Former Member
0 Kudos

Argh, I got it working. The token URL was wrong; it has to be https://api.successfactors.eu/oauth/token

and not https://api.successfactors.eu/odata/v2/oauth/token

Thanks a lot Stanimir and sorry for wasting your time

Regards, Mathias
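A stand-alone Python check, added here and not code from the thread or from SAP, that applies the configuration points raised in this thread to a destination file before it is uploaded: assertionIssuer must equal clientKey, the token service URL is the host's /oauth/token and not the OData path that produced the 401 above, and a private key never belongs in the file (HCP signs with its own signing key; SuccessFactors only needs the signing certificate). The property names tokenServiceURL, companyId, Type, URL and Authentication are assumed from HCP destination files rather than taken from the thread, and both sample files are constructed.

```python
"""Pre-upload sanity check for an HCP destination using OAuth2SAMLBearerAssertion."""
from urllib.parse import urlparse


def parse_properties(text: str) -> dict:
    """Minimal Java .properties parser: one key=value per line, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")  # URLs may contain '=' themselves
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_destination(text: str) -> list:
    """Return a list of findings; an empty list means the file is consistent."""
    p = parse_properties(text)
    findings = []
    if p.get("Authentication") != "OAuth2SAMLBearerAssertion":
        findings.append("Authentication must be OAuth2SAMLBearerAssertion")
    client_key = p.get("clientKey")
    if not client_key:
        findings.append("clientKey (the SF OAuth client API key) is missing")
    issuer = p.get("assertionIssuer")
    if not issuer:
        findings.append("assertionIssuer is missing")
    elif client_key and issuer != client_key:
        findings.append("assertionIssuer must equal clientKey")
    token_url = p.get("tokenServiceURL")  # assumed property name
    if not token_url:
        findings.append("tokenServiceURL is missing")
    else:
        u = urlparse(token_url)
        if u.scheme != "https":
            findings.append("tokenServiceURL must use https")
        if "/odata/" in u.path or not u.path.endswith("/oauth/token"):
            findings.append("tokenServiceURL should be <host>/oauth/token, not the OData path")
    if "PRIVATE KEY" in p.get("Password", ""):
        findings.append("Password holds a private key; upload the signing certificate to SF instead")
    return findings


# Constructed samples: the first mirrors the misconfiguration discussed in the thread.
BROKEN = """Name=sfsf_odata\nType=HTTP\nURL=https://api.successfactors.eu/odata/v2
Authentication=OAuth2SAMLBearerAssertion\nclientKey=EXAMPLE-API-KEY\ncompanyId=EXAMPLECOMP
tokenServiceURL=https://api.successfactors.eu/odata/v2/oauth/token\n"""
FIXED = BROKEN.replace("/odata/v2/oauth/token", "/oauth/token") + "assertionIssuer=EXAMPLE-API-KEY\n"
```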

stanimir_ivanov
Participant
0 Kudos

Hi Mathias,


Happy to hear it!

Regards,

Stanimir