on 07-31-2014 6:17 AM
Hi All,
I'm trying to create an HTTP destination with OAuth2SAMLBearerAssertion authentication.
However, I'm at a loss as to where to put the secret/private key. It should be part of the call to the token service, so it must be populated somewhere. But where? I'm guessing that if I create a destination via a file, there is some parameter I could set that should contain this key, but I'm not sure what it is - certainly there is nowhere on the HCP cockpit screen that I can use.
Downloading an existing destination that works, it looks like there is an additional "Password" parameter, but when I populate that with the private key, my connection still doesn't work.
Is there a special format that this private key must be entered into the destination file?
Many thanks for your help!
Cheers,
Chris
Hi Chris,
Here's a link to the documentation of this authentication type:
You can configure the destination using the cloud cockpit, see example below. The client key should go into the technical parameter "clientKey" (if you upload the destination via file), or in the respective field in the editor.
Does this answer your question?
Best regards, Timo
Hi Timo,
Unfortunately not.
There is also a need to pass the private key to the token generation - or to somehow get the public key that is used by HCP so that I can populate that into my remote system.
E.g. for getting a SAML assertion from SuccessFactors I can use (values abbreviated and altered)
This generates a SAML assertion (nice of them) that I can use to get a token.
The receiving system (SuccessFactors) checks the SAML assertion against the public key I have maintained against the client key on their side and grants the OAuth token, which is used for subsequent authorisation.
So somewhere I need to either - populate the system I am calling with a public key for the private key that is being used to sign the SAML assertion, or somehow pass the private key for the public key that is being used on the called system.
I can't figure out how to do that, I'm guessing that perhaps it is more that there is a public key that I should be using on the receiving end, but not sure where I could find that.
Here's a screenshot of a working SuccessFactors connection...
and no TrustStoreLocation, so I don't think it's using a truststore for the certificate...
According to the doco: "When the OAuth authorization server is called, it accepts the trust settings of the destination."
Perhaps it is using the public key of the Local Service Provider in "Trust"? Certainly if this is the case it's not very obvious! (But I'm going to try!)
Cheers,
Chris
Hi Timo,
Nope, I've already got trust configured and working - I can SSO from SFSF to HCP and use the SFSF IdP to log into HCP.
It's just getting the OAuth working for the OData interface. I have it working on one account but not the other, and as I didn't set it up the first time, I am struggling to set it up this time.
Perhaps this is setting up "trust between HCP service provider and SFSF IdP"! I'm really not sure, but I am pretty sure that my understanding of the SAML OAuth Bearer process is correct (and given I've actually written my own code to do this in the past, I'm pretty sure it is): there is a need to sign the SAML assertion with a private key and provide the public key to the system you are authenticating to.
...
pause for moment to check something...
...
OK - I've got it!
In SuccessFactors, in the Manage OAuth2 Clients area, copy and paste the "Signing Certificate" from the HCP Cockpit (Local Service Provider tab in the Trust Management section) into the SFSF "X.509 Certificate" field of the created client application...
The SAML assertion is signed using the "Signing Key"; the "Signing Certificate" is the public key.
Would be great if the doco made this a little clearer!
Thanks for your help!
Cheers,
Chris
Hi Chris,
yes, the flow of certificates is as you summarized. There is a document available that describes all this, but unfortunately not (yet?) publicly available. I will follow up on this.
We also had some discussions already internally that this whole flow is over-complex and should be handled under the hood automatically for the user, when it comes to well-known extensions for e.g. SFSF. So we are working on making this easier in the future.
Regards,
Timo
Hi Chris,
I am trying to create a destination from HCP to SuccessFactors, but I do not know where to get the Client Key. Can you tell me how you did it?
Thank you in advance,
Neili
Hi there,
I am trying to achieve the same scenario and did what was described here, but somehow I still can't connect to SF, and the log says
Cannot return OAuth 2.0 SAML Bearer Assertion because of com.sap.core.connectivity.apiext.impl.authentication.assertion.oauth.OAuthTokenGenerationException: Could not generate OAuth 2.0 SAML Bearer Assertion token.
My destination file looks like
SuccessFactors is properly configured, under "Manage OAUTH Client Applications" our HCP Account is set and the X.509 Certificate equals the Signing Certificate from HCP Trust Settings.
Can one of you give me a hint what is missing?
Thanks in advance
Regards
Mathias
OK, I switched DEBUG logging on. Which one do you need?
I can see the token POST with the correct company_id, client_id and assertion, but the response code is 401 and therefore the system crashes.
Edit: how can I format the dump better?
2015 08 25 11:11:09#+00#ERROR#org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/HCP-MSS-Role-Assignment-0.0.1-SNAPSHOT].[com.tts.hcp.service.TestServlet]##maerkama#http-bio-8041-exec-6#na#add6e064f#mssroleassigment#web#add6e064f#Servlet.service() for servlet [com.tts.hcp.service.TestServlet] in context with path [/HCP-MSS-Role-Assignment-0.0.1-SNAPSHOT] threw exceptionjava.lang.RuntimeException: System headers cannot be generated due to : com.sap.core.connectivity.httpdestination.common.HeaderGenerationException: Cannot return OAuth 2.0 SAML Bearer Assertion because of com.sap.core.connectivity.apiext.impl.authentication.assertion.oauth.OAuthTokenGenerationException: Could not generate OAuth 2.0 SAML Bearer Assertion token.
at com.sap.core.connectivity.httpdestination.impl.AbstractHttpClientWrapper.injectHeaders(AbstractHttpClientWrapper.java:89)
at com.sap.core.connectivity.httpdestination.impl.AbstractHttpClientWrapper.convertHttpRequest(AbstractHttpClientWrapper.java:79)
at com.sap.core.connectivity.httpdestination.impl.AbstractHttpClientWrapper.convertHttpUriRequest(AbstractHttpClientWrapper.java:57)
at com.sap.core.connectivity.httpdestination.impl.HttpClientWrapper.execute(HttpClientWrapper.java:34)
at com.tts.hcp.service.TestServlet.doGet(TestServlet.java:77)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:735)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at com.sap.core.communication.server.CertValidatorFilter.doFilter(CertValidatorFilter.java:321)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at org.eclipse.virgo.web.enterprise.security.valve.OpenEjbSecurityInitializationValve.invoke(OpenEjbSecurityInitializationValve.java:44)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:614)
at com.sap.core.jpaas.security.auth.service.lib.AbstractAuthenticator.invoke(AbstractAuthenticator.java:205)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:957)
at com.sap.core.tenant.valve.TenantValidationValve.invokeNextValve(TenantValidationValve.java:215)
at com.sap.core.tenant.valve.TenantValidationValve.invoke(TenantValidationValve.java:94)
at com.sap.js.statistics.tomcat.valve.RequestTracingValve.invoke(RequestTracingValve.java:24)
at com.sap.core.js.monitoring.tomcat.valve.RequestTracingValve.invoke(RequestTracingValve.java:25)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:423)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1079)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:620)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:812)
Caused by: com.sap.core.connectivity.httpdestination.common.HeaderGenerationException: Cannot return OAuth 2.0 SAML Bearer Assertion because of com.sap.core.connectivity.apiext.impl.authentication.assertion.oauth.OAuthTokenGenerationException: Could not generate OAuth 2.0 SAML Bearer Assertion token.
at com.sap.core.connectivity.httpdestination.impl.headerproviders.AbstractAssertionHeaderProvider.injectHeaders(AbstractAssertionHeaderProvider.java:28)
at com.sap.core.connectivity.httpdestination.impl.AbstractHttpClientWrapper.injectHeaders(AbstractHttpClientWrapper.java:87)
... 35 common frames omitted
Caused by: com.sap.core.connectivity.apiext.impl.authentication.assertion.oauth.OAuthTokenGenerationException: Could not generate OAuth 2.0 SAML Bearer Assertion token.
at com.sap.core.connectivity.apiext.impl.authentication.assertion.oauth.OAuthTokenGenerator.generateOAuthToken(OAuthTokenGenerator.java:21)
at com.sap.core.connectivity.apiext.impl.authentication.assertion.oauth.OAuthTokenCache.generateValue(OAuthTokenCache.java:25)
at com.sap.core.connectivity.apiext.impl.authentication.assertion.oauth.OAuthTokenCache.generateValue(OAuthTokenCache.java:1)
at com.sap.core.connectivity.apiext.impl.authentication.assertion.oauth.OAuthCache$OAuthCacheEntry.generateValue(OAuthCache.java:114)
at com.sap.core.connectivity.apiext.impl.authentication.assertion.oauth.OAuthCache$OAuthCacheEntry.getValue(OAuthCache.java:99)
at com.sap.core.connectivity.apiext.impl.authentication.assertion.oauth.OAuthCache.getValue(OAuthCache.java:27)
at com.sap.core.connectivity.apiext.impl.authentication.assertion.oauth.OAuth2SAMLBearerAssertionProvider.getAssertionToken(OAuth2SAMLBearerAssertionProvider.java:49)
at com.sap.core.connectivity.apiext.impl.authentication.assertion.AbstractAssertionProvider.getAssertionToken(AbstractAssertionProvider.java:30)
at com.sap.core.connectivity.httpdestination.impl.headerproviders.AbstractAssertionHeaderProvider.injectHeaders(AbstractAssertionHeaderProvider.java:25)
... 36 common frames omitted
Caused by: java.io.IOException: Unexpected response from oAuth token service 'https://api.successfactors.eu/odata/v2/oauth/token': 401
text/plain;charset=utf-8
at com.sap.core.connectivity.apiext.impl.authentication.assertion.oauth.OAuthTokenServiceClient.readOAuthTokenResponse(OAuthTokenServiceClient.java:160)
at com.sap.core.connectivity.apiext.impl.authentication.assertion.oauth.OAuthTokenServiceClient.access$1(OAuthTokenServiceClient.java:146)
at com.sap.core.connectivity.apiext.impl.authentication.assertion.oauth.OAuthTokenServiceClient$1.execute(OAuthTokenServiceClient.java:187)
at com.sap.core.connectivity.apiext.impl.authentication.assertion.oauth.OAuthTokenServiceClient$1.execute(OAuthTokenServiceClient.java:1)
at com.sap.core.connectivity.apiext.impl.ConnectivityClient.execute(ConnectivityClient.java:118)
at com.sap.core.connectivity.apiext.impl.ConnectivityClient.execute(ConnectivityClient.java:103)
at com.sap.core.connectivity.apiext.impl.authentication.assertion.oauth.OAuthTokenServiceClient.retrieveOAuthToken(OAuthTokenServiceClient.java:183)
at com.sap.core.connectivity.apiext.impl.authentication.assertion.oauth.OAuthTokenGenerator.generateOAuthToken(OAuthTokenGenerator.java:19)
... 44 common frames omitted
Hi Mathias,
The 401 response from the token service means that the OAuth Client key (API key) that you configure in the destination:
I assume 3-5 are not valid for your case so you can either check the rest of the options or you can put the "org.apache.http.wire" logger to DEBUG log level.
That will give info which of the above problems is the one you have in your configuration.
Hope that helps.
Regards,
Stanimir
Hi Stanimir,
I switched the logger to DEBUG, but the only thing I see is:
2015 08 26 06:29:45#+00#DEBUG#org.apache.http.wire##SF-USERNAME#http-bio-8041-exec-10#na#ACCOUNT#mssroleassigment#web#ACCOUNT#>> "GET /rest/configuration/tenant/FunnyNumbers/connectivity/ttstest HTTP/1.1[\r][\n
which returns an 404 and message
2015 08 26 06:29:45#+00#DEBUG#org.apache.http.wire##SF-USERNAME#http-bio-8041-exec-10#na#ACCOUNT#mssroleassigment#web#ACCOUNT#<< ""Configuration with the respective path and name was not found.""
But the destination is there and is called later by com.sap.core.jpaas.security.saml2.service.SAML2BearerGenerationService.
The actual OAuth call is made later and is still returning 401, but no wire log shows up for it.
Regards
Mathias
Argh, I got it working. The token URL was wrong; it has to be https://api.successfactors.eu/oauth/token
and not https://api.successfactors.eu/odata/v2/oauth/token
Thanks a lot Stanimir, and sorry for wasting your time.
Regards, Mathias
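The two things this thread pins down, Chris's certificate flow (the assertion is signed with the HCP "Signing Key", and SuccessFactors verifies it against the "Signing Certificate" pasted into the OAuth client's X.509 Certificate field) and Mathias's token-endpoint path (/oauth/token, not /odata/v2/oauth/token), modelled end to end as an added example. This is not code from the thread, from SAP or from SuccessFactors: the RSA keypair is a textbook toy on Mersenne primes with no padding, the assertion is a minimal stand-in for real SAML, and the client registry, company ID "ACME", client key "hcp-client-key", user "maerkama" and audience value are assumptions. It runs offline; the "token service" is a local function that mimics the 404/401/200 outcomes seen in the thread.

```python
# Added example, not SAP code: OAuth 2.0 SAML Bearer Assertion flow between an
# HCP-style destination (client) and a SuccessFactors-style token service (server).
import base64
import hashlib
import json
import re
import time
from urllib.parse import parse_qs, urlencode, urlparse

SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"
TOKEN_ENDPOINT_PATH = "/oauth/token"           # the path Mathias had to use
SFSF_AUDIENCE = "www.successfactors.com"      # assumed audience value


class ToyRSAKey:
    """Textbook RSA on Mersenne primes, no padding: illustration only.
    d plays the HCP "Signing Key"; public() plays the "Signing Certificate"."""

    def __init__(self, p, q, e=65537):
        self.n, self.e = p * q, e
        self.d = pow(e, -1, (p - 1) * (q - 1))

    def public(self):
        return (self.n, self.e)

    def sign(self, data: bytes) -> int:
        h = int.from_bytes(hashlib.sha256(data).digest(), "big") % self.n
        return pow(h, self.d, self.n)


def rsa_verify(data: bytes, sig: int, pub) -> bool:
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def build_assertion(issuer, subject, audience, lifetime_s=300, now=None):
    """Minimal stand-in for the SAML assertion HCP generates for the destination."""
    now = time.time() if now is None else now
    return (f"<Assertion><Issuer>{issuer}</Issuer><Subject>{subject}</Subject>"
            f"<Audience>{audience}</Audience>"
            f"<NotOnOrAfter>{int(now + lifetime_s)}</NotOnOrAfter></Assertion>")


def sign_assertion(assertion_xml: str, key: ToyRSAKey) -> str:
    """HCP side: sign with the private Signing Key and append the signature."""
    sig = key.sign(assertion_xml.encode())
    raw = sig.to_bytes((sig.bit_length() + 7) // 8 or 1, "big")
    return assertion_xml + f"<Signature>{base64.b64encode(raw).decode()}</Signature>"


def verify_assertion(signed_xml, pub, expected_audience, now=None):
    """Token-service side: signature against the registered certificate,
    then audience and validity window. Returns (ok, reason)."""
    now = time.time() if now is None else now
    m = re.fullmatch(r"(.*)<Signature>([^<]+)</Signature>", signed_xml, re.S)
    if not m:
        return False, "no signature"
    body, sig = m.group(1), int.from_bytes(base64.b64decode(m.group(2)), "big")
    if not rsa_verify(body.encode(), sig, pub):
        return False, "bad signature"
    aud = re.search(r"<Audience>(.*?)</Audience>", body)
    exp = re.search(r"<NotOnOrAfter>(\d+)</NotOnOrAfter>", body)
    if aud is None or aud.group(1) != expected_audience:
        return False, "audience mismatch"
    if exp is None or now >= int(exp.group(1)):
        return False, "assertion expired"
    return True, "ok"


# "Manage OAuth2 Client Applications": client key -> company and pasted certificate
CLIENT_REGISTRY = {}


def register_oauth_client(client_id, company_id, certificate):
    CLIENT_REGISTRY[client_id] = {"company_id": company_id, "certificate": certificate}


def token_service(method, url, form_body, now=None):
    """Stand-in for https://api.successfactors.eu/oauth/token: 404 on a wrong
    path, 401 when client or assertion fail to check out, 200 with a token."""
    if method != "POST" or urlparse(url).path != TOKEN_ENDPOINT_PATH:
        return 404, "not found"
    form = {k: v[0] for k, v in parse_qs(form_body).items()}
    if form.get("grant_type") != SAML2_BEARER:
        return 400, "unsupported_grant_type"
    client = CLIENT_REGISTRY.get(form.get("client_id"))
    if client is None or client["company_id"] != form.get("company_id"):
        return 401, "unknown client"
    try:
        signed_xml = base64.b64decode(form.get("assertion", ""), validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return 401, "malformed assertion"
    ok, reason = verify_assertion(signed_xml, client["certificate"], SFSF_AUDIENCE, now)
    if not ok:
        return 401, reason
    token = hashlib.sha256(signed_xml.encode()).hexdigest()[:32]
    return 200, json.dumps({"access_token": token, "token_type": "Bearer", "expires_in": 86400})


def request_token(token_url, client_id, company_id, signed_xml, now=None):
    """HCP side: the form POST the destination sends (company_id, client_id, assertion)."""
    body = urlencode({"grant_type": SAML2_BEARER, "client_id": client_id,
                      "company_id": company_id,
                      "assertion": base64.b64encode(signed_xml.encode()).decode()})
    return token_service("POST", token_url, body, now)


HCP_KEY = ToyRSAKey((1 << 61) - 1, (1 << 89) - 1)     # the account's Signing Key
ROGUE_KEY = ToyRSAKey((1 << 89) - 1, (1 << 107) - 1)  # a key SFSF never saw
register_oauth_client("hcp-client-key", "ACME", HCP_KEY.public())


def run_scenarios(now=1440500000):
    """Status codes for the cases the thread ran into."""
    fresh = build_assertion("hcp-local-sp", "maerkama", SFSF_AUDIENCE, now=now)
    good = sign_assertion(fresh, HCP_KEY)
    url = "https://api.successfactors.eu" + TOKEN_ENDPOINT_PATH
    return {
        "correct": request_token(url, "hcp-client-key", "ACME", good, now)[0],
        "wrong_url": request_token("https://api.successfactors.eu/odata/v2/oauth/token",
                                   "hcp-client-key", "ACME", good, now)[0],
        "wrong_key": request_token(url, "hcp-client-key", "ACME",
                                   sign_assertion(fresh, ROGUE_KEY), now)[0],
        "tampered": request_token(url, "hcp-client-key", "ACME",
                                  good.replace(SFSF_AUDIENCE, "attacker.example"), now)[0],
        "expired": request_token(url, "hcp-client-key", "ACME", good, now + 600)[0],
    }


if __name__ == "__main__":
    print(run_scenarios())
```

Run it to see which side holds which key: only the holder of HCP_KEY.d can produce an assertion that the certificate registered under "hcp-client-key" accepts, a wrong path never reaches the assertion check at all (404, the "Configuration ... not found"-style dead end), and a mismatched key, a tampered audience or a stale NotOnOrAfter all collapse into the same 401 that Mathias saw, which is why the wire log, not the status code, is what tells the cases apart.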