SAP Community - SAP BTP Security

SAP Authorization and Trust Management Service - Authorization API: Role Collections all subaccount

2024-07-29T09:27:40.260000+02:00

Good morning,

We have a requirement to list the role collections of our subaccounts and their assigned IAS groups.

I am looking into the Authorization API:

https://api.sap.com/api/AuthorizationAPI/overview

This works fine. I create an XSUAA instance in a subaccount with plan api-access and I can get the role collections without any problem. The challenge comes when we want to achieve that for several subaccounts. Does this mean that we neeed to create an XSUAA instance in each subaccount and that we would need to call N times the API, each for each subaccount? Is it possible at all to achieve that at account level preventing us to create as many XSUAA instances as subaccounts?

Many thanks!

Use ServiceBinding data for APIRule jwt accessStrategies configuration

2024-07-29T22:21:35.006000+02:00

Hello Kyma Experts,

when using the helm charts generated by CAP there is a ServiceBinding to XSUAA which is used via a

volume mount of the service binding secretName. I would like to use this secrets also in the APIRule for a jwt accessStrategies configuration. In https://github.com/gregorwolf/cap-azure-ad-b2c/blob/main/kyma/deployment.yaml#L49 I did this manually with a static configuration of the trusted_issuers and jwks_urls. But I want to get the configuration be flexible so I do not need to adjust it between dev / qa and production.

Best Regards
Gregor

Connect 2 SAP BTP accounts

2024-08-01T12:41:02.127000+02:00

Hi experts,

I would like to check if it is possible to connect 2 SAP BTP account to transfer information from one to another one (using the SAP BTP APIs enabled for that, for sharing information about the security settings or the subaccounts). If it is possible, how should I perform this connection?

Thank you!

Regards.

ROLES, OBJETOS DE AUTORIZACIONES,PERFILES SAP BASIS

2024-08-10T09:03:46.214000+02:00

How can I see the objects authorization of a transaction and, how can I configure the authorizations o permissions.

Thank you

Como puedo ver los objetos de autorización de una transacción y como puedo configurarla para dar los accesos o permisos necesarios.

Gracias

CAP Node Js Authorization: Unable to retrieve User logged scopes

2024-08-20T16:22:12.582000+02:00

He expert,

My Project setup as TypeScript

with packge:

"@sap/cds": "^8.1.1",

"@sap/cds-compiler": "^5.1.0",

"@sap/cds-dk": "^8.1.1",

"@sap/xsenv": "^5.2.0",

"@sap/xssec": "^4.2.1",

CDS Auth

"cds": {

"requires": {

"auth": {

"kind": "xsuaa"

"db": {

"kind": "hana",

"model": "srv",

"pool": {

"pingCheck": false,

"acquireTimeoutMillis": 5000,

"min": 100,

"max": 1000,

"fifo": true

}

-----------------------------

I'm trying to get scopes assigned to the user via jwt token

For role collections, it working well i can retrieved all role collections assigned to user via

xs.rolecollections

But for the scopes, it's not return scopes of apps just only open id and apps namelike that:

["openid","myapp!t203402"] as far as i know it should

["openid","myapp!t203402.CreateScope","myapp!t203402.DeleteScope"] right?

See JWT decoded

I've tried with req['authInfo'], req['user'].scope but no luck

Can anyone tell me how can i get scopes of logged user?

Business role provisioning from Microsoft Entra

2024-09-06T14:22:30.439000+02:00

Dear Gurus.

We are going to use Microsoft Entra as Corporate Identity Provider for access to BTP Subaccount and application. There are 2 points that need clarification.

1) How exactly we can create a role provisioning from Microsoft Entra to specific BTP subaccount?

2) When one user has different roles in different subaccounts. How the provision will distinguish between them?

I mean the same use Subaccount admin in the development subaccount and viewer only on production one?

Thank you.

Regards

Vladimir

Configuring or Disabling Authentication in SAP Build Apps Deployed on SAP BTP

2024-09-09T14:48:22.959000+02:00

Hello SAP Community,

I am currently working with SAP Build Apps, which I have deployed on SAP BTP (Business Technology Platform). Whenever I access the application in SAP C4C, a login window pops up requesting a username and password.

Is it possible to completely disable authentication for my SAP Build Apps application deployed on SAP BTP?
I would prefer to have unrestricted access to the app without the need for user credentials, if that's feasible.

If complete disabling is not possible, can authentication be managed through Mashup parameters or some configuration settings?
Ideally, I would like to preset the username and possibly bypass the login screen through backend configurations or scripts.

Are there any recommended practices for managing authentication in SAP Build Apps within the SAP BTP environment?
If disabling authentication isn't an option, I am open to other suggestions that can simplify the login process for end-users.

Any guidance, examples, or documentation references would be greatly appreciated. I am relatively new to working with SAP Build Apps, so detailed steps or explanations would be very helpful!

Customer/Vendor Integration Conversion Process Authorizations Ownership

2024-09-11T10:35:14.158000+02:00

Team,
Please let me know which SAP Functional Team [ SAP HCM etc...] or SAP Technical Team should be ROLE OWNER [ Role assignment approver or Role Content Approver] for Customer/Vendor Integration Conversion Process Authorizations. Also, please share location of relevant documentation - if available.

Thanks

Raj

NoClassDefFoundError: Could not initialize class com.sap.cloud.security.token.Token

2024-09-11T15:10:45.210000+02:00

We have developed a Java-servlet based extension application for SAP SuccessFactors. Our deployment package includes both the Java application and the Approuter application, which customers deploy through the SAP BTP Cloud Foundry environment. We use Approuter for authentication, and once a request is successfully authenticated, it is forwarded to our Java application.

Although the application generally operates smoothly, one of our customers occasionally experiences the issue described below (which may occur once a month or even more frequently). This problem is resolved when the application is manually restarted.

Could you please assist us in identifying the root cause of this issue?

When an application URL (via approuter) is accessed, the application logs the following error in BTP:

java.lang.NoClassDefFoundError: Could not initialize class com.sap.cloud.security.token.Token

2024-09-06T05:01:16.834+0000 [APP/PROC/WEB/0] STDOUT {"msg":"Error processing request","level":"ERROR","written_ts":"1725598876833000000","logger":"org.apache.coyote.http11.Http11Processor","exception_type":"java.lang.NoClassDefFoundError","written_at":"2024-09-06T05:01:16.833Z","thread":"http-nio-0.0.0.0-8080-exec-5","type":"log","exception_message":"Could not initialize class com.sap.cloud.security.token.Token","stacktrace":["java.lang.NoClassDefFoundError: Could not initialize class com.sap.cloud.security.token.Token","\tat com.sap.xs.security.UserInfoFactory.createXsuaaToken(UserInfoFactory.java:105)","\tat com.sap.xs.security.UserInfoFactory.checkAndSetXsuaaToken(UserInfoFactory.java:46)","\tat com.sap.xs.security.UserInfoValve.invoke(UserInfoValve.java:17)","\tat com.sap.xs.statistics.tomcat.valve.RequestTracingValve.invoke(RequestTracingValve.java:43)","\tat com.sap.xs.logging.catalina.RuntimeInfoValve.invoke(RuntimeInfoValve.java:42)","\tat org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:765)","\tat org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)","\tat org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:390)","\tat org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)","\tat org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:926)","\tat org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1790)","\tat org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)","\tat org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)","\tat org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)","\tat org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)","\tat java.lang.Thread.run(Thread.java:838)","Caused by: java.lang.ExceptionInInitializerError: Exception java.util.ServiceConfigurationError: com.sap.cloud.security.token.TokenFactory: Provider com.sap.cloud.security.servlet.HybridTokenFactory not a subtype [in thread \"http-nio-0.0.0.0-8080-exec-1\"]","\tat java.util.ServiceLoader.fail(ServiceLoader.java:239)","\tat java.util.ServiceLoader.access$300(ServiceLoader.java:185)","\tat java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:376)","\tat java.util.ServiceLoader$LazyIterator.next(ServiceLoader.java:404)","\tat java.util.ServiceLoader$1.next(ServiceLoader.java:480)","\tat java.lang.Iterable.forEach(Iterable.java:74)","\tat com.sap.cloud.security.token.Token$1.<init>(Token.java:31)","\tat com.sap.cloud.security.token.Token.<clinit>(Token.java:29)","\tat com.sap.cloud.connectivity.apiext.cloud.destinationservice.DestinationServiceClient.getDestinationServiceAccessToken(DestinationServiceClient.java:77)","\tat com.sap.cloud.connectivity.apiext.cloud.destinationservice.DestinationServiceClient.getAuthorizationToken(DestinationServiceClient.java:121)","\tat com.sap.cloud.connectivity.apiext.cloud.destinationservice.DestinationServiceClient.findDestination(DestinationServiceClient.java:114)","\tat com.sap.cloud.connectivity.apiext.cloud.configuration.datasource.CloudDataSourceImpl.getDestinationConfiguration(CloudDataSourceImpl.java:41)","\tat com.sap.core.connectivity.apiext.impl.cache.AbstractDataSourceCache$1.compute(AbstractDataSourceCache.java:88)","\tat com.sap.core.connectivity.apiext.impl.cache.AbstractDataSourceCache$1.compute(AbstractDataSourceCache.java:72)","\tat com.sap.core.connectivity.apiext.impl.cache.util.Memoizer$1.call(Memoizer.java:109)","\tat com.sap.core.connectivity.apiext.impl.cache.util.Memoizer$1.call(Memoizer.java:105)","\tat com.sap.core.connectivity.apiext.impl.cache.CircuitBreakerFutureExecutor.execute(CircuitBreakerFutureExecutor.java:44)","\tat com.sap.core.connectivity.apiext.impl.cache.AbstractDataSourceCache$DatasourceMemoizer$2.call(AbstractDataSourceCache.java:297)","\tat com.sap.core.connectivity.apiext.impl.cache.AbstractDataSourceCache$DatasourceMemoizer$2.call(AbstractDataSourceCache.java:294)","\tat java.util.concurrent.FutureTask.run(FutureTask.java:266)","\tat com.sap.core.connectivity.apiext.impl.cache.util.PeriodicFutureExecutor.runTask(PeriodicFutureExecutor.java:60)","\tat com.sap.core.connectivity.apiext.impl.cache.util.PeriodicFutureExecutor.execute(PeriodicFutureExecutor.java:49)","\tat com.sap.core.connectivity.apiext.impl.cache.util.Memoizer.compute(Memoizer.java:79)","\tat com.sap.core.connectivity.apiext.impl.cache.AbstractDataSourceCache.computeFromMemoizer(AbstractDataSourceCache.java:160)","\tat com.sap.core.connectivity.apiext.impl.cache.AbstractDataSourceCache.getDestinationConfiguration(AbstractDataSourceCache.java:230)","\tat com.sap.core.connectivity.apiext.impl.cache.AbstractDataSourceCache.getDestinationConfiguration(AbstractDataSourceCache.java:220)","\tat com.sap.core.connectivity.apiext.impl.configuration.reader.DataSourceConfigurationReader.readDestinationConfiguration(DataSourceConfigurationReader.java:22)","\tat com.sap.core.connectivity.apiext.impl.configuration.provider.AbstractConfigurationProvider$1.load(AbstractConfigurationProvider.java:58)","\tat com.sap.core.connectivity.apiext.impl.configuration.provider.AbstractConfigurationProvider$1.load(AbstractConfigurationProvider.java:54)","\tat com.sap.core.connectivity.apiext.impl.configuration.provider.AbstractConfigurationProvider.provide(AbstractConfigurationProvider.java:179)","\tat com.sap.core.connectivity.apiext.impl.configuration.provider.AbstractConfigurationProvider.provideDestinationConfiguration(AbstractConfigurationProvider.java:67)","\tat com.sap.core.connectivity.apiext.impl.configuration.provider.AbstractConfigurationProvider.getDestinationConfiguration(AbstractConfigurationProvider.java:54)","\tat com.sap.core.connectivity.apiext.impl.configuration.AbstractConnectivityConfiguration.getConfiguration(AbstractConnectivityConfiguration.java:60)","\tat com.sap.core.connectivity.apiext.impl.configuration.AbstractConnectivityConfiguration.getConfiguration(AbstractConnectivityConfiguration.java:46)"

When the business users try to access the application URL(via approuter), they receive the following error, even though both the main application and approuter are in running state in SAP BTP.

manifest.yml :

---
# Extension application
- name: sf-extension 
  memory: 900M
  timeout: 300
  routes:
    - route: sfextension.cfapps.us10-001.hana.ondemand.com
  path: SfExtension.war
  buildpacks:
    - sap_java_buildpack
  env:
    TARGET_RUNTIME: tomcat
    USE_CONNECTIVITY_APIEXT: true
    APP_ROUTER_URL: https://websfextension.cfapps.us10-001.hana.ondemand.com
    SET_LOGGING_LEVEL: "{ROOT: DEBUG}"
  services:
   - xsuaa
   - destination
   - sap_hcmcloud_core_odata
   - connectivity
# Application Router 
- name: approuter-sf-extension
  path: approuter
  buildpacks: 
    - nodejs_buildpack
  memory: 124M
  routes:
    - route: websfextension.cfapps.us10-001.hana.ondemand.com
  services:
    - xsuaa
  env:
    destinations: >
      [
        {"name":"sap_hcmcloud_core_odata",
         "url":"https://sfextension.cfapps.us10-001.hana.ondemand.com",
         "forwardAuthToken": true}
      ]

 mvn dependency:tree
 
[INFO] +- commons-validator:commons-validator:jar:1.7:compile
[INFO] |  +- commons-beanutils:commons-beanutils:jar:1.9.4:compile
[INFO] |  +- commons-logging:commons-logging:jar:1.2:compile
[INFO] |  \- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] +- com.google.code.gson:gson:jar:2.9.0:compile
[INFO] +- javax.ws.rs:javax.ws.rs-api:jar:2.1:compile
[INFO] +- javax.ws.rs:jsr311-api:jar:1.1.1:compile
[INFO] +- com.sun.jersey:jersey-client:jar:1.19.4:compile
[INFO] +- com.sun.jersey:jersey-core:jar:1.19.4:compile
[INFO] +- com.sun.jersey.contribs:jersey-multipart:jar:1.19.4:compile
[INFO] |  \- org.jvnet.mimepull:mimepull:jar:1.9.3:compile
[INFO] +- commons-codec:commons-codec:jar:1.13:compile
[INFO] +- commons-io:commons-io:jar:2.11.0:compile
[INFO] +- com.fasterxml.jackson.core:jackson-core:jar:2.14.1:compile
[INFO] +- com.fasterxml.jackson.core:jackson-annotations:jar:2.14.1:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.14.1:compile
[INFO] +- com.fasterxml.jackson.datatype:jackson-datatype-joda:jar:2.14.1:compile
[INFO] +- joda-time:joda-time:jar:2.10.3:compile
[INFO] |  \- javax.annotation:javax.annotation-api:jar:1.3.2:compile
[INFO] +- com.github.librepdf:openpdf:jar:1.3.28:compile
[INFO] +- com.sap.cloud.db.jdbc:ngdbc:jar:2.13.9:compile
[INFO] +- com.sap.cloud.security:java-security:jar:2.13.4:compile
[INFO] |  +- com.sap.cloud.security:java-api:jar:2.13.4:compile
[INFO] |  +- com.sap.cloud.security:env:jar:2.13.4:compile
[INFO] |  |  +- com.sap.cloud.environment.servicebinding:java-sap-vcap-services:jar:0.10.1:compile
[INFO] |  |  |  \- com.sap.cloud.environment.servicebinding.api:java-core-api:jar:0.10.1:compile
[INFO] |  |  +- com.sap.cloud.environment.servicebinding:java-sap-service-operator:jar:0.10.1:compile
[INFO] |  |  +- com.sap.cloud.environment.servicebinding.api:java-consumption-api:jar:0.10.1:compile
[INFO] |  |  \- com.sap.cloud.environment.servicebinding.api:java-access-api:jar:0.10.1:compile
[INFO] |  \- com.sap.cloud.security.xsuaa:token-client:jar:2.13.4:compile
[INFO] |     +- com.sap.cloud.security.xsuaa:api:jar:2.13.4:compile
[INFO] |     \- com.github.ben-manes.caffeine:caffeine:jar:2.9.3:compile
[INFO] |        +- org.checkerframework:checker-qual:jar:3.19.0:compile
[INFO] |        \- com.google.errorprone:error_prone_annotations:jar:2.10.0:compile
[INFO] +- javax.xml.bind:jaxb-api:jar:2.3.1:compile
[INFO] |  \- javax.activation:javax.activation-api:jar:1.2.0:compile
[INFO] +- com.sun.xml.bind:jaxb-core:jar:2.3.0:compile
[INFO] +- com.sun.xml.bind:jaxb-impl:jar:2.3.2:compile
[INFO] +- org.junit.jupiter:junit-jupiter-engine:jar:5.8.2:test
[INFO] |  +- org.junit.platform:junit-platform-engine:jar:1.8.2:test
[INFO] |  |  +- org.opentest4j:opentest4j:jar:1.2.0:test
[INFO] |  |  \- org.junit.platform:junit-platform-commons:jar:1.8.2:test
[INFO] |  +- org.junit.jupiter:junit-jupiter-api:jar:5.8.2:test
[INFO] |  \- org.apiguardian:apiguardian-api:jar:1.1.2:test
[INFO] +- org.mockito:mockito-core:jar:4.6.1:test
[INFO] |  +- net.bytebuddy:byte-buddy:jar:1.12.10:test
[INFO] |  +- net.bytebuddy:byte-buddy-agent:jar:1.12.10:test
[INFO] |  \- org.objenesis:objenesis:jar:3.2:test
[INFO] +- org.mockito:mockito-inline:jar:4.6.1:test
[INFO] +- org.mockito:mockito-junit-jupiter:jar:4.6.1:test
[INFO] +- com.h2database:h2:jar:2.1.214:test
[INFO] +- javax.websocket:javax.websocket-api:jar:1.1:provided
[INFO] +- javax.servlet.jsp:javax.servlet.jsp-api:jar:2.3.1:provided
[INFO] +- javax.servlet:javax.servlet-api:jar:3.1.0:provided
[INFO] +- org.slf4j:slf4j-api:jar:1.7.28:provided
[INFO] +- com.sap.xs:java-js-client:jar:1.7.2:provided
[INFO] |  +- org.slf4j:slf4j-simple:jar:1.7.36:provided
[INFO] |  \- org.apache.commons:commons-lang3:jar:3.12.0:provided
[INFO] \- com.sap.cloud:neo-java-web-api:jar:3.154.5:provided
[INFO]    +- org.apache.chemistry.opencmis:chemistry-opencmis-commons-api:jar:1.0.0:provided
[INFO]    +- javax.el:javax.el-api:jar:3.0.0:provided
[INFO]    +- org.apache.chemistry.opencmis:chemistry-opencmis-client-api:jar:1.0.0:provided
[INFO]    +- javax.mail:javax.mail-api:jar:1.5.5:provided
[INFO]    \- org.glassfish:javax.annotation:jar:3.1-b41:provided
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS

SAP malware scanning service in CAP

2024-09-14T06:21:19.024000+02:00

Hi experts,

We've a requirement where we need to integrate SAP Malware Scanning service with our CAP/UI5 application. If you have any insights or suggestions, we would greatly appreciate your assistance.

Thank you for your attention to this issue. We look forward to your guidance.

Best regards,

Adarsh

How to use XSUAA in FastAPI Python app

2024-09-16T07:21:48.484000+02:00

Hi there,

I have a fastapi app with 2 routes, one for rendering an html page and one for serving a request. I am using Jinja2 for templating.

Example of one of the route:

@router.get("/", response_class=HTMLResponse)
async def read_root(request: Request):
    return templates.TemplateResponse("index.html", {"request": request})

My manifest.yaml for deploying it to cloud foundry:

---
applications:
- name: fastapi-app
  disk_quota: 2048M
  memory: 256M
  path: ./
  routes:
    -   route: fastapi-app.cfapps.eu10.hana.ondemand.com
  buildpacks:
  - python_buildpack
  command: uvicorn com.crack.snap.make.app:app --host 0.0.0.0 --port $PORT
  services:
    - app-xsuaa
    - app-logging-service
  logging:
    level: error
  env:
    PYTHONUNBUFFERED: true
    xsuaa_connectivity_instance_name: "app-xsuaa"
    xsuaa_destination_instance_name: "app-xsuaa"

How do I protect these fastapi routes directly using XSUAA, without having to create one more webapp then use app-router and then forwarding the request to fastapi app?

Also I want the fastapi to use the sub-account's default authentication which we do by using redirect-url of xs-security.json

{
	"xsappname": "fastapi-app",
	"tenant-mode": "dedicated",
	"scopes": [{
		"name": "$XSAPPNAME.fastapi_scope"
	}],
	"role-templates": [{
		"name": "FastAPIRoleTemplate",
		"default-role-name": "FastAPIRole",
		"description": "Role template for app users",
		"scope-references": ["$XSAPPNAME.fastapi_scope"]
	}
	],
	"oauth2-configuration": {
		"redirect-uris": [
			"https://*.cfapps.eu10.hana.ondemand.com/**"
		]
	}
}

Any help on achieving this will be really appreciated, we can also have a blog post on the same topic

SAP BTP, Cloud Foundry runtime and environment Python SAP BTP Security

Troubleshooting 431 Status Code When Creating a SAMLAssertion Destination in SAP BTP

2024-09-16T15:23:25.616000+02:00

Issue Overview:

I’m facing an issue while setting up a SAMLAssertion destination in SAP BTP. I’m encountering a 431 status code when checking the connection for the destination. The 431 status code stands for "Request Header Fields Too Large". This error indicates that the request headers being sent to the server are exceeding its size limits. In my case, this is happening while using SAMLAssertion as the authentication method for an SAP destination.

From what I understand, SAML tokens can sometimes become quite large, and this can cause issues when they are passed in the request headers. However, I’m not sure how to proceed in resolving the issue.

Details of the Issue:

Setup: SAMLAssertion-based authentication for an SAP destination.
Error: When I attempt to check the connection, I receive a 431 status code.
Potential Cause: The error might be related to the size of the SAML token or other header fields being sent as part of the request. However, I haven’t been able to identify the exact cause or find a solution.

Seeking Suggestions:

I’ve done some research, but I haven’t come across a definitive solution yet. I’m reaching out to the community to see if anyone has encountered a similar problem and managed to resolve it.

Has anyone faced this issue with SAMLAssertion destinations?
What are some potential ways to reduce the header size in such cases?
Could the issue be related to proxy or gateway limits? If so, what adjustments helped?

Any advice or suggestions would be greatly appreciated!

Destination

Fiori Genrator

Conclusion:

Dealing with a 431 status code while using SAMLAssertion in SAP is proving to be quite a challenge. I’d love to hear from anyone who has tackled this issue or has insights into potential solutions.

Import into node dev_node failed. - Error during client creation: Not Found

2024-09-19T03:58:16.842000+02:00

Dear All,

I have a problem importing a file into Dev transport node in SAP BTP .

Getting the following error Import into node dev_node failed. - Error during client creation: Not Found.

Thanks,

Ravi

HOW to securing odata services or api in sap btp CAPM in node js

2024-09-19T07:04:52.268000+02:00

Hello SAP Community,

I’m currently working on a client project with my team using the SAP BTP Cloud Application Programming Model (CAP) in Node.js, with CDS for our backend services. We have successfully created OData services and APIs, but we’re facing challenges in securing them effectively.

In other technology stacks like .NET and MERN, the standard approach we follow for securing APIs typically involves:

Verifying the user based on their login credentials against the data stored in the database.
Generating a token upon successful validation.
Using authentication middleware to secure the APIs.

However, we are unsure how to apply this approach in the context of SAP BTP CAP. The usual methods of user authentication, token generation, and middleware usage seem different or not directly applicable.

Could you please guide us on the best practices for securing OData services or APIs in CAP? Any recommendations, frameworks, or configurations specific to SAP BTP CAP would be greatly appreciated.

SAP BTP Identity Services logon against SAP ECC or S4 backend?

2024-09-25T22:59:27.964000+02:00

Howdy!

So I have a requirement to setup an external facing WorkZone (Cloud Fiori Launchpad) which houses a few Fiori apps that connect to our SAP ECC EHP8 system (soon to be S4). My requirement is that when a user access our WorkZone the logon page should authenticate against our SAP ECC system instead of the default BTP Open ID provider.

I've scoured the web and believe to have come across a few posts that seem to alude to a solution but even then I'm not sure. For example, I've read some blogs/documents about activating the SAML 2.0 service on SAP and hooking that up to BTP identity services. I've walked through these steps but it won't work; even then, it just doesn't feel like the right approach. I've considered user propagation as a potential solution but haven't tried to implement it as I'm not even sure I'm headed in the right direction.

If anyone has any experience here I'd greatly appreciate some validation or success stories. Much appreciated!

SAP Build App -BTP Connection to "XXX" established. Response returned: "401: Unauthorized"

2024-09-27T14:32:56.085000+02:00

I did this very nice video " Access Demo SAP APIs for SAP Build" (https://www.youtube.com/watch?v=11TUQgQi-9k) to create an app using a Business Partner sandbox API and worked fine. I could see the data when lauching the web app. Really nice indeed!

But one day after I could no longer see the data when oppening web preview.

In the Build App, in the data section, I can see my integration (BTP destination), install it, enable entities and when executing "browse real data" it works perfectly.

But when I make a binding with a data variable, and launch the web app, the data no longer appears.

One point is that, within the BTP, when I try to test the destination (check connection), the system returns a message of : Connection to "demoApp_BP" established. Response returned: "401: Unauthorized"

I have already cleared the browser cache, reinstalled the Build App, deleted and created a new subaccount in the BTP, but none of this worked.

OBS: I put all the role colections on my btp user ( Custom IAS tenant and Default identity provider users) and i m loggin in SAP Business Accelerator Hub

Could someone please help me?

I really can't see what is different from a day ago when the data was returned ok.

Thanks.

Here some of the app

when oppening web preview = no data

Application Router Not Redirecting Correctly to XSUAA Authentication Service in CAP Project

2024-09-30T10:06:31.446000+02:00

Hello community,

i have followed Add User Authentication to Your Application (SAP HANA Cloud) | SAP Tutorials this tutorial to add user authentication in my application but facing error.

i have created a entity Playing_11 then used

@requires: 'Admin'

entity Playing_11 as projection on dipnesh.Playing_11; in my service after that i have followed "cds compile srv/ --to xsuaa > xs-security.json" command from tutorial and it has updated my xs-thsecurity.json file .

{

"xsappname": "fullstackdeployment",

"tenant-mode": "dedicated",

"scopes": [

{

"name": "$XSAPPNAME.Admin",

"description": "Admin"

}

"attributes": [],

"role-templates": [

{

"name": "Admin",

"description": "generated",

"scope-references": [

"$XSAPPNAME.Admin"

"attribute-references": []

}

"oauth2-configuration": {

"credential-types": [

"binding-secret",

"x509"

"redirect-uris": [

"https://api.cf.us10-001.hana.ondemand.com"

]

}

and create the XSUAA services and its key instance with the xs-security.json

then binded it with my application . after that created and granted roles . finally by using command "cds watch --profile hybrid " i got this error

{
  "error": {
    "stack": "Error\n    at reject (/home/user/projects/fullstackdeployment/node_modules/@sap/cds/libx/_runtime/common/generic/auth/utils.js:17:16)\n    at ApplicationService.handler (/home/user/projects/fullstackdeployment/node_modules/@sap/cds/libx/_runtime/common/generic/auth/requires.js:37:3)\n    at ApplicationService.handle (/home/user/projects/fullstackdeployment/node_modules/@sap/cds/lib/srv/srv-dispatch.js:52:53)\n    at ApplicationService.handle (/home/user/projects/fullstackdeployment/node_modules/@sap/cds/libx/_runtime/common/Service.js:84:28)\n    at cds.ApplicationService.handle (/home/user/projects/fullstackdeployment/node_modules/@sap/cds/libx/_runtime/fiori/lean-draft.js:396:14)\n    at ApplicationService.dispatch (/home/user/projects/fullstackdeployment/node_modules/@sap/cds/lib/srv/srv-dispatch.js:35:15)\n    at /home/user/projects/fullstackdeployment/node_modules/@sap/cds/lib/srv/srv-dispatch.js:15:48\n    at ApplicationService.run (/home/user/projects/fullstackdeployment/node_modules/@sap/cds/lib/srv/srv-api.js:72:46)\n    at ApplicationService.dispatch (/home/user/projects/fullstackdeployment/node_modules/@sap/cds/lib/srv/srv-dispatch.js:15:34)\n    at /home/user/projects/fullstackdeployment/node_modules/@sap/cds/libx/odata/middleware/read.js:227:24",
    "code": 401,
    "numericSeverity": 4
  }
}

and after using command "cds bind --exec -- npm start --prefix app/router" i got this error in console in browser.

GET https://2f540306trial.authentication.us10.hana.ondemand.com/oauth/authorize?response_type=code&client_id=sb-fullstackdeployment!t326190&redirect_uri=https%3A%2F%2Fport5000-workspaces-ws-gjm7l.us10.trial.applicationstudio.cloud.sap%2Flogin%2Fcallback 500 (Internal Server Error)Understand this error
favicon.ico:1
GET https://2f540306trial.authentication.us10.hana.ondemand.com/favicon.ico 404 (Not Found)

#xsuaa

Can you connect eclipse oxygen to sap btp server currently ?

2024-09-30T19:54:45.914000+02:00

is this a supported option currently for custom adapter development on sap BTP.

XSUAA Configuration

2024-10-01T07:39:17.847000+02:00

Hello community.

i have followed this tutorial to add authentication in my cap project using xsuaa.

Add User Authentication to Your Application (SAP HANA Cloud) | SAP Tutorials.

in step 5 of this tutorial i got this particular type of error after using command "cds watch --profile hybrid".

{
  "error": {
    "stack": "Error\n    at reject (/home/user/projects/MyHANAApp5/node_modules/@sap/cds/libx/_runtime/common/generic/auth/utils.js:17:16)\n    at ApplicationService.handler (/home/user/projects/MyHANAApp5/node_modules/@sap/cds/libx/_runtime/common/generic/auth/requires.js:37:3)\n    at ApplicationService.handle (/home/user/projects/MyHANAApp5/node_modules/@sap/cds/lib/srv/srv-dispatch.js:52:53)\n    at ApplicationService.handle (/home/user/projects/MyHANAApp5/node_modules/@sap/cds/libx/_runtime/common/Service.js:84:28)\n    at run (/home/user/projects/MyHANAApp5/node_modules/@sap/cds/libx/_runtime/fiori/lean-draft.js:382:12)\n    at onlyActives (/home/user/projects/MyHANAApp5/node_modules/@sap/cds/libx/_runtime/fiori/lean-draft.js:800:27)\n    at cds.ApplicationService.handle (/home/user/projects/MyHANAApp5/node_modules/@sap/cds/libx/_runtime/fiori/lean-draft.js:423:26)\n    at ApplicationService.dispatch (/home/user/projects/MyHANAApp5/node_modules/@sap/cds/lib/srv/srv-dispatch.js:35:15)\n    at /home/user/projects/MyHANAApp5/node_modules/@sap/cds/lib/srv/srv-dispatch.js:15:48\n    at ApplicationService.run (/home/user/projects/MyHANAApp5/node_modules/@sap/cds/lib/srv/srv-api.js:72:46)",
    "code": 401,
    "numericSeverity": 4
  }
}

while in this tutorial error is different

If you open the CAP service test page (cds watch --profile hybrid if you need to restart it) and try to access one of the service endpoints or metadata, you should receive an Unauthorized error.

This means your security setup is working. Accessing the CAP service directly will always produce an error now as there is no authentication token present. We need to run via the Application Router to generate and forward the authentication token.

please help and guide me in understanding the difference between the two errors for same problem .

Set Up Trust Between SAP Cloud Identity Services and SAP BTP, Cloud Foundry environment

2024-10-03T07:18:47.524000+02:00

Hello community ,

i have followed this tutorial to set up trust between sap cloud identity services and sap btp .cloud foundry environment in my trial account.

Set Up Trust Between SAP Cloud Identity Services and SAP BTP, Cloud Foundry environment | SAP Tutorials

in step 5 of this tutorial ,under " Primary Attribute use Identity Directory as Source, choose Login Name as Value and save your changes".

only "User id " option was available inside Value option .

while in tutorial there are multiple options inside Value option .

please help me in understanding this and why only single option is present in my case