Single sign on or principal propagation is the ability of a system to securely forward or propagate the identity of the user or principal from a sender to a receiver, in a way that the forwarded user information is kept confidential and is not changed during transit. Based on pre-established trust relationship to the sender, the receiver uses this information to logon the user without asking for the user credentials or logon again.
The diagram below shows the user principal flow from Fiori Applications to the on-premise SAP Gateway or Backend system for APIs protected via SAP Cloud Platform API Management.
To establish such a user propagation, the trust would have to established between the Fiori application account and SAP Cloud Platform API Management which is done via certificate exchanges. On the SAP Gateway system, SAP Cloud Platform API Management is on boarded as a trusted SAML Identity Provider so that SAML assertion generated by SAP Cloud Platform API Management can be validated and processed on the SAP Backend system. The SAML assertion passed from the Fiori application is validated using the certificates imported in SAP Cloud Platform API Management account. After the assertion is validated, the user’s identity is read and then a short lived SAML assertion is generated from SAP Cloud Platform API Management. The SAML response containing the SAML assertion can then be base64 encoded and passed in the following format authorization header to the SAP Gateway OData APIs.
Header Name
Format
Authorization
SAML2.0 base64_encoded_saml_response
In SAP Cloud Platform, API Management Validate SAML Assertion Policy can be used to validate the SAML assertion passed from the Fiori application to the SAP Cloud Platform, API Management. At a high level, a SAML validation flow would consist of the following steps: –
* Raise a 401 security error in case no Authorization header is passed
* Read the SAML Assertion passed in the authorization header
* Base 64 bind Decode SAML Assertion passed from the Fiori application
* The SAML Assertion passed from SAP Cloud Platform, doesn’t contain the x509 signature information which is mandatory for validateSAML Assertion policy and therefore this would have to added in using a JavaScript Policy
* Validate SAML assertion using SAML certificates of the SAP Cloud Platform account.
In Security Best Practices package of SAP API Business Hub policy templates for API security best practices has been published which includes the policy template for validation of SAML assertion.
In this blog, we describe how user’s principal passed from the Fiori application to on-premise APIs protected is validated on the SAP Cloud Platform API Management and user’s identity passed in the SAML assertion is read and validated. This blog also covers the steps to establish trust between the SAP Cloud Platform account where Fiori application is running and SAP Cloud Platform API Management account.
In Part 2 of the blog, we would cover steps to on board SAP Cloud Platform API Management as a trusted SAML Identity Provider in SAP Gateway and generate a short lived SAML Assertion from SAP Cloud Platform API Management which is then passed to the SAP Gateway.
Configuration on SAP Cloud Connector for On-Premise connectivity
Note: – This step is an optional Step and is required in case the SAP Backend is available on premise, and SAP Cloud connector is used for the On Cloud to on premise connectivity
The configuration described in SAP Help document can be followed to Install/Configure SAP Cloud connector and then create an Access Control to the SAP Backend system.
* While creating the Access control, the principal type should be set to None so, that the SAML assertion passed by the SAP API Gateway is passed as is by SAP Cloud Connector.
Note: – The white-listed resource paths in the Access control setting of Cloud Connector as case sensitive so ensure the resource path are maintained in the same case as the value entered in the API Proxy target endpoint paths.
Configuring trust between SAP Cloud Platform account and SAP API Cloud Platform API Management account
Enable Principal Propagation
* Logon to your SAP Cloud Platform account
* From the hamburger icon, click on the Trust tab under Security and then click on the Edit button under Local Service Provider tab
* Select the option Enabled for the Principal Propagation and then click on the Save button to confirm the changes
Certificate download from SAP Cloud Platform account
* From the hamburger icon, click on the Trust tab under Security and then click on the Edit button under Local Service Provider tab
* From the Configuration Type select the type Custom
* Copy the content Signing Certificate and then save the content locally in a file (say cert.pem). This certificate would have to imported into trust store of SAP API Cloud Platform API Management and would be used to validate the SAML assertion. After copying the certificate information into a local file, select the Cancel
* Add —–BEGIN CERTIFICATE—– as the first line in the certificate file and —–END CERTIFICATE—– as the end line to the certificate file copied so that the content looks as follows
Upload Certificate to SAP Cloud Platform, API Management
* Logon to your SAP Cloud Platform, API Management account (say https://account.hanatrial.ondemand.com/cockpit).
* Navigate to the Services tab, search for API Management service tile and click to open API Management service.
* Click on the link Access API Portal to open API Portal.
* Click on Certificate tab and then click on Create button
* In the Create Certificate screen, from the drop down select Trust Store and then select the option New Store. Enter the store name and name details as provided in the table below. This information would have to be used in the “ValidateSAMLAssertion” Policy.Using the Browse button upload the cert.pem file generated in section Certificate download from SAP Cloud Platform tenant and then click on the Create button
Store Name
samlroot
Name
saml
Copy UserPropagationViaSAML policy template to your API Management
* Navigate to Discover to discover all the APIs and Policy templates published by SAP and select partners in SAP API Business Hub.
* Click on ALL tab and search for Security Best Practices and Open the Security Best Practices from the search result.
* Navigate to the Artifacts tab and click on Actions button associated with policy template Principal_Propagation_via_SAML and select Copy
* Policy template Principal_Propagation_via_SAML is copied to your API Management tenant, go to Policy Template tab under Develop and verify.
Create an API Provider to the SAP Gateway System
* Navigate to SAP Cloud Platform, API Management API Portal tenant ( https://yourapimanagement/shell/develop )
* Click on the Tab API Provider and then click Create to create a new API Provider. In the host enter the value of the virtual host and port used in the section SAP Cloud connector Access control section. Use SSL flag should be checked and On Premise flag should be set to true.
Create an API Proxy to connect to SAP Gateway OData API
* Click on the Tab API Proxy and then click Create button to create a new API Proxy. In the create Proxy screen, select the API Provider created in previous section and then provide the base Path of the APIs. Enter details like the proxy name, title, base path etc and then click Create.
* Click on the Save and Deploy button to save the API Proxy.
Apply User Propagation via SAML policy template
* Click on the Edit button and then from the … button select the option Policies to open the Policy Designer
* Click on the Policy template and then click on the Apply button
* From the Apply Template dialog, select copied policy template Principal_Propagation_via_SAML then click Apply button
* From the scripts section, select the js file and then replace the value (PROVIDE_YOUR_SAML_ROOT_CERTIFICATE_DETAILS) of samlRootCert with the value of the SAML root certificate which was download from SAP Cloud Platform Account in section Certificate download from SAP Cloud Platform account
Copy only the base64 encoded certificate content minus the header —–BEGIN CERTIFICATE—– and —–END CERTIFICATE—–
* Click on Update to save the Policy changes
* Click on the Save to persist the API Proxy changes.
With this we have completed steps to validate SAML assertion passed from the Fiori applications. In the Part 2 of the blog, we will cover the steps to generate a short lived SAML assertion for user’s identity and pass it to SAP Gateway.
http://bit.ly/2Bpql4R #SAP #SAPCloud #AI
