Introduction
This blog post is a guide to setting up SAML Assertion authentication between SAP S/4HANA Public Cloud and applications on SAP BTP (Business Technology Platform). This setup lets you securely access standard SAP APIs, such as those for Sales Orders and Purchase Orders, with a SAML assertion, eliminating the need for separate technical-user authentication using methods like basic authentication.
Case
By using this SAML-based authentication flow, organizations can integrate SAP S/4HANA Public Cloud data with applications running on SAP BTP. This is particularly useful for custom applications that need to retrieve and display live data from SAP S/4HANA Public Cloud without asking the user to enter credentials again or requiring a separate OAuth 2.0 configuration for each API call. This approach enhances security, simplifies integration, and provides a unified single sign-on experience.
Simplified Explanation
- A user logs into an app on SAP BTP.
- The BTP app needs to retrieve data from SAP S/4HANA Public Cloud (e.g., a list of sales orders).
- Instead of asking the user for their SAP S/4HANA Public Cloud password, SAP BTP uses its pre-configured destination with SAP S/4HANA Public Cloud to generate a secure, temporary token.
- This token acts like a temporary pass. SAP BTP sends the request to SAP S/4HANA Public Cloud with this pass attached.
- SAP S/4HANA Public Cloud checks the pass, sees that it's valid, and grants access to the data.
- The data is then sent back to the SAP BTP app to be shown to the user. SAP S/4HANA Public Cloud authorizations are already applied to the data returned in the API response.
Flow Diagram

Steps
1. Download/Export destination trust certificate from SAP BTP Sub Account

2. Create a Communication system in SAP S/4HANA Public Cloud
i. Choose Inbound Only

ii. Enable SAML Bearer Assertion Provider
iii. Import Exported/Downloaded SAP BTP Destination Certificate
iv. Enter SAML Bearer Issuer
v. Save the Communication System

3. Create Destination in SAP BTP Sub Account
Properties | Values |
---|---|
Name | S4CloudSAML (User Friendly) |
Type | HTTP |
Description | S4 Cloud API (User Friendly) |
Proxy Type | Internet |
URL | https://<TenantId>-api.s4hana.cloud.sap |
Authentication | SAMLAssertion |
Key Store Location | (empty) |
Key Store Password | (empty) |
Client Trust Store configuration: Use default client trust store | true |
AuthnContextClassRef | urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession |
Audience | https://<TenantId>.s4hana.cloud.sap |
Client Key | (empty) |
Name Id Format | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |
Additional Properties (this example uses Build Apps; enter the additional properties relevant to your technology, such as Fiori):
Key | Value |
---|---|
HTML5.DynamicDestination | true |
AppgyverEnabled | true |
WebIDEEnabled | true |
BuildApps.RequiresCsrf | true |
4. Test
i. Create a simple build app in SAP BTP with table list as shown in the image below
ii. Add integration as REST API and corresponding URL endpoint

iii. Configure the table list and preview. The data the user sees in the custom application is the same data the user is entitled to see in the SAP S/4HANA Public Cloud environment. Data authorization happens in SAP S/4HANA Public Cloud when the response is returned.
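To make concrete why the SAML Bearer Issuer from step 2 and the Audience and Name Id Format from step 3 must line up, the following added example (not code from this post and not SAP's implementation) runs the generic SAML 2.0 bearer checks a receiver applies to an assertion's claims. The issuer name, tenant ID `my000000`, user and timestamps are constructed placeholders; signature verification against the certificate imported in step 2.iii is assumed to happen before these checks and is not shown.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# What the receiver is configured to expect (constructed placeholder values).
EXPECTED = {
    "issuer": "example-btp-subaccount-issuer",        # step 2.iv: SAML Bearer Issuer
    "audience": "https://my000000.s4hana.cloud.sap",  # step 3: Audience
    "name_id_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
}

# Constructed sample assertion; the ds:Signature element is omitted here.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>example-btp-subaccount-issuer</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T10:00:00Z" NotOnOrAfter="2024-01-01T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://my000000.s4hana.cloud.sap</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def _ts(value):
    # Raises TypeError for a missing attribute, ValueError for a malformed one.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, expected, now):
    """Return the names of the checks that failed; an empty list means all passed."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.findtext("saml:Issuer", default="", namespaces=NS).strip() != expected["issuer"]:
        problems.append("issuer")
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != expected["name_id_format"] or not (name_id.text or "").strip():
        problems.append("name_id")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return problems + ["conditions"]
    audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if expected["audience"] not in audiences:  # exact match: the "-api" host is a different string
        problems.append("audience")
    try:  # stricter than the spec: both bounds are required here
        if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
            problems.append("validity_window")
    except (TypeError, ValueError):
        problems.append("validity_window")
    return problems
```

A mismatch in any one field is enough to reject the request, which is why an Audience that accidentally carries the `-api` host from the URL field, or an issuer string that differs from the one saved in the Communication System, shows up as a failed call rather than a partial result.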

Conclusion
In this blog, we configured an SAP BTP destination to consume SAP S/4HANA Public Cloud APIs using the SAML Assertion authentication method.
This eliminates traditional basic authentication and lets business users access the SAP S/4HANA Public Cloud APIs effectively from external applications.