{ "info": { "_postman_id": "fb75fcaa-613c-4f99-a34a-2f6311fba782", "name": "AAD APIM SAP Principal Propagation", "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json" }, "item": [ { "name": "Web App Login to obtain Access Token from AAD", "event": [ { "listen": "test", "script": { "exec": [ "" ], "type": "text/javascript" } } ], "request": { "method": "GET", "header": [], "url": { "raw": "https://login.microsoftonline.com/{{AAD tenant ID}}/oauth2/v2.0/authorize?client_id={{Frontend App Client Id}}&response_type=token&redirect_uri=https://localhost:44326/signin-oidc&scope=openid profile api://{{APIM middle tier client ID}}/user_impersonation&response_mode=fragment", "protocol": "https", "host": [ "login", "microsoftonline", "com" ], "path": [ "{{AAD tenant ID}}", "oauth2", "v2.0", "authorize" ], "query": [ { "key": "client_id", "value": "{{Frontend App Client Id}}" }, { "key": "response_type", "value": "token" }, { "key": "redirect_uri", "value": "https://localhost:44326/signin-oidc" }, { "key": "scope", "value": "openid profile api://{{APIM middle tier client ID}}/user_impersonation", "description": "Scope for API Management app for requesting FrontEnd app (shared component)" }, { "key": "response_mode", "value": "fragment" } ] } }, "response": [] }, { "name": "Obtain Access Token from AAD for service principal", "event": [ { "listen": "test", "script": { "exec": [ "try {\r", " var json = JSON.parse(responseBody);\r", " pm.collectionVariables.set(\"AADBearerToken\", json.access_token);\r", "}\r", "catch (e) {\r", " console.log(e);\r", "}" ], "type": "text/javascript" } } ], "request": { "auth": { "type": "basic", "basic": [ { "key": "password", "value": "{{Frontend App Client Secret}}", "type": "string" }, { "key": "username", "value": "{{Frontend App Client Id}}", "type": "string" } ] }, "method": "POST", "header": [], "body": { "mode": "urlencoded", "urlencoded": [ { "key": "grant_type", "value": "client_credentials", "type": "text" }, { "key": "scope", "value": "openid profile api://{{APIM middle tier client ID}}/.default", "type": "text" } ] }, "url": { "raw": "https://login.microsoftonline.com/{{AAD tenant ID}}/oauth2/v2.0/token", "protocol": "https", "host": [ "login", "microsoftonline", "com" ], "path": [ "{{AAD tenant ID}}", "oauth2", "v2.0", "token" ], "query": [ { "key": "response_type", "value": "token", "disabled": true }, { "key": "redirect_uri", "value": "https://localhost:44326/signin-oidc", "disabled": true }, { "key": "scope", "value": "openid profile api://{{APIM middle tier client ID}}/user_impersonation", "description": "Scope for API Management app for requesting FrontEnd app (shared component)", "disabled": true }, { "key": "response_mode", "value": "fragment", "disabled": true } ] } }, "response": [] }, { "name": "DEPRECATED Request SAML assertion from AAD with ObO flow", "event": [ { "listen": "test", "script": { "exec": [ "try {\r", " if (pm.environment.get(\"Web App Client ID\") === \"\")\r", " {\r", " console.log(\"You need to enter *Web App Client ID* environment variable first.\");\r", " }\r", " if (pm.environment.get(\"Web App Client Secret\") === \"\")\r", " {\r", " console.log(\"You need to enter *Web App Client Secret* environment variable first.\");\r", " }\r", " if (pm.environment.get(\"AAD tenant ID\") === \"\")\r", " {\r", " console.log(\"You need to enter *AAD tenant ID* environment variable first.\");\r", " }\r", " else\r", " {\r", " var json = JSON.parse(responseBody);\r", " pm.collectionVariables.set(\"bearerToken\", json.access_token);\r", " }\r", "}\r", "catch (e) {\r", " console.log(e);\r", "}" ], "type": "text/javascript" } } ], "request": { "method": "POST", "header": [], "body": { "mode": "urlencoded", "urlencoded": [ { "key": "grant_type", "value": "urn:ietf:params:oauth:grant-type:jwt-bearer", "type": "text" }, { "key": "assertion", "value": "{{AADBearerToken}}", "description": "replace with assertion if user based flow is used instead of app registration (service principal use case)", "type": "text" }, { "key": "client_id", "value": "{{APIM middle tier client ID}}", "type": "text" }, { "key": "client_secret", "value": "{{APIM middle tier client secret}}", "type": "text" }, { "key": "resource", "value": "{{AAD App registration resource}}", "type": "text" }, { "key": "requested_token_use", "value": "on_behalf_of", "type": "text" }, { "key": "requested_token_type", "value": "urn:ietf:params:oauth:token-type:saml2", "type": "text" } ] }, "url": { "raw": "https://login.microsoftonline.com/{{AAD tenant ID}}/oauth2/token", "protocol": "https", "host": [ "login", "microsoftonline", "com" ], "path": [ "{{AAD tenant ID}}", "oauth2", "token" ] } }, "response": [] }, { "name": "Request SAML assertion from AAD with ObO flow v2", "event": [ { "listen": "test", "script": { "exec": [ "try {\r", " if (pm.environment.get(\"Web App Client ID\") === \"\")\r", " {\r", " console.log(\"You need to enter *Web App Client ID* environment variable first.\");\r", " }\r", " if (pm.environment.get(\"Web App Client Secret\") === \"\")\r", " {\r", " console.log(\"You need to enter *Web App Client Secret* environment variable first.\");\r", " }\r", " if (pm.environment.get(\"AAD tenant ID\") === \"\")\r", " {\r", " console.log(\"You need to enter *AAD tenant ID* environment variable first.\");\r", " }\r", " else\r", " {\r", " var json = JSON.parse(responseBody);\r", " pm.collectionVariables.set(\"bearerToken\", json.access_token);\r", " }\r", "}\r", "catch (e) {\r", " console.log(e);\r", "}" ], "type": "text/javascript" } } ], "request": { "method": "POST", "header": [], "body": { "mode": "urlencoded", "urlencoded": [ { "key": "grant_type", "value": "urn:ietf:params:oauth:grant-type:jwt-bearer", "type": "text" }, { "key": "assertion", "value": "", "type": "text" }, { "key": "client_id", "value": "{{APIM middle tier client ID}}", "type": "text" }, { "key": "client_secret", "value": "{{APIM middle tier client secret}}", "type": "text" }, { "key": "scope", "value": "spn:{{AAD App registration resource}}/.default", "type": "text" }, { "key": "requested_token_use", "value": "on_behalf_of", "type": "text" }, { "key": "requested_token_type", "value": "urn:ietf:params:oauth:token-type:saml2", "type": "text" } ] }, "url": { "raw": "https://login.microsoftonline.com/{{AAD tenant ID}}/oauth2/v2.0/token", "protocol": "https", "host": [ "login", "microsoftonline", "com" ], "path": [ "{{AAD tenant ID}}", "oauth2", "v2.0", "token" ] } }, "response": [] }, { "name": "Request access token from SAP backend with SAML Bearer Grant Type (RFC 7522)", "event": [ { "listen": "test", "script": { "exec": [ "try {\r", " if (pm.environment.get(\"SAP OAuth Client ID\") === \"\")\r", " {\r", " console.log(\"You need to enter *SAP OAuth Client ID* environment variable first.\");\r", " }\r", " if (pm.environment.get(\"SAP OAuth Scope\") === \"\")\r", " {\r", " console.log(\"You need to enter *SAP OAuth Scope* environment variable first.\");\r", " }\r", " else\r", " {\r", " var json = JSON.parse(responseBody);\r", " pm.collectionVariables.set(\"SAPBearerToken\", json.access_token);\r", " pm.collectionVariables.set(\"refreshToken\", json.refresh_token);\r", " }\r", "}\r", "catch (e) {\r", " console.log(e);\r", "}" ], "type": "text/javascript" } } ], "request": { "auth": { "type": "basic", "basic": [ { "key": "password", "value": "{{SAP OAuth Client Pwd}}", "type": "string" }, { "key": "username", "value": "{{SAP OAuth Client ID}}", "type": "string" } ] }, "method": "POST", "header": [ { "key": "Ocp-Apim-Subscription-Key", "value": "{{Ocp-Apim-Subscription-Key}}", "type": "text" }, { "key": "Ocp-Apim-Trace", "value": "true", "type": "default", "disabled": true } ], "body": { "mode": "urlencoded", "urlencoded": [ { "key": "grant_type", "value": "urn:ietf:params:oauth:grant-type:saml2-bearer", "type": "text" }, { "key": "assertion", "value": "{{bearerToken}}", "type": "text" }, { "key": "client_id", "value": "{{SAP OAuth Client ID}}", "type": "text" }, { "key": "scope", "value": "{{SAP OAuth Scope}}", "type": "text" } ] }, "url": { "raw": "https://{{Azure APIM Domain}}.azure-api.net/oauth2/token", "protocol": "https", "host": [ "{{Azure APIM Domain}}", "azure-api", "net" ], "path": [ "oauth2", "token" ] } }, "response": [] }, { "name": "Refresh token from SAP backend with Bearer token", "event": [ { "listen": "test", "script": { "exec": [ "try {\r", " if (pm.environment.get(\"SAP OAuth Client ID\") === \"\")\r", " {\r", " console.log(\"You need to enter *SAP OAuth Client ID* environment variable first.\");\r", " }\r", " if (pm.environment.get(\"SAP OAuth Scope\") === \"\")\r", " {\r", " console.log(\"You need to enter *SAP OAuth Scope* environment variable first.\");\r", " }\r", " else\r", " {\r", " var json = JSON.parse(responseBody);\r", " pm.collectionVariables.set(\"SAPBearerToken\", json.access_token);\r", " }\r", "}\r", "catch (e) {\r", " console.log(e);\r", "}" ], "type": "text/javascript" } } ], "request": { "auth": { "type": "basic", "basic": [ { "key": "password", "value": "{{SAP OAuth Client Pwd}}#", "type": "string" }, { "key": "username", "value": "{{SAP OAuth Client ID}}", "type": "string" } ] }, "method": "POST", "header": [ { "key": "Ocp-Apim-Subscription-Key", "value": "{{Ocp-Apim-Subscription-Key}}", "type": "text" } ], "body": { "mode": "urlencoded", "urlencoded": [ { "key": "grant_type", "value": "refresh_token", "type": "text" }, { "key": "refresh_token", "value": "{{refreshToken}}", "type": "text" }, { "key": "client_id", "value": "{{SAP OAuth Client ID}}", "type": "text" }, { "key": "scope", "value": "{{SAP OAuth Scope}}", "type": "text" } ] }, "url": { "raw": "https://{{Azure APIM Domain}}.azure-api.net/oauth2/token", "protocol": "https", "host": [ "{{Azure APIM Domain}}", "azure-api", "net" ], "path": [ "oauth2", "token" ] } }, "response": [] }, { "name": "Call OData backend service on SAP via APIM", "request": { "auth": { "type": "bearer", "bearer": [ { "key": "token", "value": "{{SAPBearerToken}}", "type": "string" } ] }, "method": "GET", "header": [ { "key": "Ocp-Apim-Subscription-Key", "value": "{{Ocp-Apim-Subscription-Key}}", "type": "text" }, { "key": "Ocp-Apim-Trace", "value": "true", "type": "default", "disabled": true } ], "url": { "raw": "https://{{Azure APIM Domain}}.azure-api.net/api/Products?$top=10", "protocol": "https", "host": [ "{{Azure APIM Domain}}", "azure-api", "net" ], "path": [ "api", "Products" ], "query": [ { "key": "$top", "value": "10" } ] } }, "response": [] }, { "name": "Call OData backend service via VPN", "request": { "auth": { "type": "bearer", "bearer": [ { "key": "token", "value": "{{SAPBearerToken}}", "type": "string" } ] }, "method": "GET", "header": [ { "key": "Ocp-Apim-Subscription-Key", "value": "{{Ocp-Apim-Subscription-Key}}", "type": "text" }, { "key": "Ocp-Apim-Trace", "value": "true", "type": "default", "disabled": true } ], "url": { "raw": "https://<>:<>/sap/opu/odata/sap/epm_ref_apps_prod_man_srv/Products?$top=10&$format=json", "protocol": "https", "host": [ "10", "250", "60", "7" ], "port": "44321", "path": [ "sap", "opu", "odata", "sap", "epm_ref_apps_prod_man_srv", "Products" ], "query": [ { "key": "$top", "value": "10" }, { "key": "$format", "value": "json" } ] } }, "response": [] } ], "event": [ { "listen": "prerequest", "script": { "type": "text/javascript", "exec": [ "" ] } }, { "listen": "test", "script": { "type": "text/javascript", "exec": [ "" ] } } ], "variable": [ { "key": "APIM middle tier client ID", "value": "<>" }, { "key": "APIM middle tier client secret", "value": "<>" }, { "key": "AAD tenant ID", "value": "<>" }, { "key": "AAD App registration resource", "value": "<>" }, { "key": "SAP OAuth Client ID", "value": "<>" }, { "key": "SAP OAuth Client Pwd", "value": "<>" }, { "key": "SAP OAuth Scope", "value": "ZEPM_REF_APPS_PROD_MAN_SRV_0001" }, { "key": "Azure APIM Domain", "value": "<>" }, { "key": "bearerToken", "value": "" }, { "key": "SAPBearerToken", "value": "" }, { "key": "Ocp-Apim-Subscription-Key", "value": "<>" }, { "key": "Frontend App Client Id", "value": "<>" }, { "key": "Frontend App Client Secret", "value": "<>" }, { "key": "refreshToken", "value": "" }, { "key": "AADBearerToken", "value": "<>" } ] }