Background and Context
Exposing APIs securely to an ecosystem of internal and external developers, vendors, suppliers and other third parties is a critical use case, and one where the API Management capabilities of SAP Cloud Platform Integration Suite are widely adopted.
Giving customers and end users an omni-channel experience in which they do not have to log in multiple times, or re-authenticate on every hop across the network, is a big part of IT simplification initiatives. It is also a challenge, given the heterogeneous landscapes enterprises deal with. For example, your frontend enterprise applications may authenticate against an Identity Provider that federates with Azure Active Directory, or connect to Okta for flows that need access to external systems. At the same time you may want to fetch Sales Order data from an ECC system sitting in a different part of the corporate network, or call a microservice deployed in Cloud Foundry that reads from a HANA Cloud instance serving as a data grid.
You get the picture: there can be many other complexities in your setup when it comes to establishing a secure login that spans all of these disparate systems.
Launching the API Management mini-Security series
After speaking with many customers it became clear that there is no 'one-size-fits-all' approach we could recommend, which made it hard to produce enablement guides and evangelize the know-how. That motivated us to create an end-to-end security series in which the topic is treated in detail and the various security and single sign-on flows are explained. So here is the API Management mini-Security series: 11 videos, about 150 minutes of learning content, that explain the principal propagation / SSO flows applicable to the Neo and Cloud Foundry environments, together with code projects, configurations and API Proxy bundles to follow along.
Who should follow the security series?
The security series targets solution architects and developers who have set up API Management tenants in their organization and are looking for best practices and guidelines for propagating the principal from clients, through the API Management components and SAP Cloud Connector, into their backends.
It also has specific coverage for customers who are already proficient with the subject and want to adapt their Neo-based security / SSO patterns to Cloud Foundry accounts, taking into account the nuances of the Cloud Foundry security topology.
Prerequisites to follow along
If you are new to API Management, it may make sense to first familiarize yourself with the other learning resources we have published. A few that I can recommend:
Below is a brief description of the content presented in each video, links to the videos themselves, and additional resources to follow along.
Note that all the source code, configurations and proxy bundles used in the examples are available in a GitHub project that we've put here.
Part 1 – Introduction to Security flows and Principal propagation
An introduction to the principal propagation / SSO flows that are relevant from an API Management point of view; it sets the context for how the remaining parts of this video series are laid out.
Existing API Management SSO Blogs:
- Part 1: Single sign-on from Fiori Application to SAP Gateway via SAP Cloud Platform API Management
- Part 2: Single sign-on from Fiori Application to SAP Gateway via SAP Cloud Platform API Management
Cloud Connector setup guides:
Part 2 – CF setting up OnPremise connectivity plan
This video takes you through enabling API Management in the SAP Cloud Foundry environment and then enabling on-premise connectivity via the on-premise connectivity service broker plan.
Product documentation resources to enable the on-premise-connectivity Plan:
- Initial setup to get API Management activated in SAP Cloud Foundry accounts.
- Activating the on-Premise Connectivity plan.
- Creating an API Provider.
- Enable SAP Cloud Platform API Management in Cloud Foundry Environment
Part 3a – CF Simple Passthrough with OnPremise connectivity plan
This video part discusses solution blueprints for the various ways to achieve SSO between a microservice running in a SAP Cloud Foundry instance (a simple Java microservice secured via AppRouter, as an example) and the API Management instance running in the same Cloud Foundry account via the OnPremise connectivity plan.
Resources to build and deploy microservices in Cloud Foundry:
- Building a Java microservice with SAP Cloud SDK to connect to an OData source.
- Securing a Java microservice with authentication and authorization.
Part 3b – CF Authenticated Passthrough with OnPremise connectivity plan
Continuing the context set in Part 3a, this part focuses on another way (Basic Authentication) to set up a Destination that a Java microservice can use to connect to the API Management instance running in the same Cloud Foundry account via the OnPremise connectivity plan.
Part 3c – CF OAuthUserTokenExchange with OnPremise connectivity plan
Continuing the context set in Parts 3a and 3b, this part focuses on the OAuth User Token Exchange mechanism for setting up a Destination that a Java microservice can use to connect to the API Management instance running in the same Cloud Foundry account via the OnPremise connectivity plan. Unlike Basic Authentication, the user's own JWT is exchanged for a token the destination can forward, so the end user's identity is preserved on the call.
Resources to set up User Token exchange mechanism in SAP Cloud Foundry:
- Exchanging User JWTs via OAuth2UserTokenExchange Destinations.
- APIs to interact with Destination Services in SAP Cloud Foundry from the API Business Hub.
Part 3d – CF OAuth2SAMLBearer with OnPremise connectivity plan
Continuing the context set in Parts 3a, 3b and 3c, this part focuses on the OAuth2SAMLBearer mechanism for setting up a Destination that a Java microservice can use to connect to an API Management instance running in a different Cloud Foundry account via the OnPremise connectivity plan.
Resources to set up OAuth2SAMLBearerAssertion mechanism in SAP Cloud Foundry:
- Setting up Trust between Accounts and Destination settings for OAuth2SAMLBearer Assertion mechanism.
- Destination attributes needed for OAuth2SAMLBearerAssertion.
Part 4 – Neo OAuthToSAMLBearer flow OnPremise connectivity
This video part describes the use of the OAuth2SAMLBearerAssertion Destination type in Neo to connect to API Management instances from applications deployed within the SAP Cloud Platform environment, e.g. Fiori apps, Java services, etc.
Resources to set up OAuth2SAMLBearerAssertion mechanism in Neo environments:
- Understanding OAuth SAML Bearer assertion flows in Neo.
Deploying a Fiori App in Neo to demonstrate SSO flows:
- Using WebIDE to build a simple Fiori App in Neo.
Part 5 – Neo SAML Assertion flow with OnPremise connectivity
This video part describes the procedure for attaching SAML Assertions, generated at the API Management layer in the Neo environment, to calls into a backend via API Management's OnPremise connectivity component.
Resources to set up a SAML based flow to establish Single Sign-On:
- Policy Template in API Business Hub for SAML Verification and Generation flows.
Part 6 – CF SAML Assertion Flow with OnPremise connectivity plan
This video part explains how to authenticate to SAP's OnPremise connectivity component via the SAML 2.0 bearer assertion grant: a SAML assertion about the end user is presented to XSUAA and exchanged for a JWT, which is then used to authenticate to the Cloud Foundry component and so establishes Single Sign-On for that user.
Resources to set up a SAML flow from API Management tenant running in CF by directly authenticating to XSUAA:
- Blog series to learn more about conducting a JWT based verification scheme in API Management.
- Policy template from API Business Hub to orchestrate the SAML2Grant exchange for OAuth token
Part 7 – CF Client Credentials flow for principal propagation
This video part explains how to authenticate to SAP's OnPremise connectivity component via the Client Credentials grant type. Note that this grant authenticates the calling component (the API proxy) with its own client id and secret, so the token carries no end-user identity; the backend sees the technical user, not the person who made the original request.
Resources to set up a Client Credentials flow from API Management tenant running in CF by directly authenticating to XSUAA:
- Policy template from API Business Hub to orchestrate the Client credentials flow for OAuth token
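To make the difference between the Part 6 and Part 7 exchanges concrete, here is an added Python example (not code from the video series or its GitHub project) that builds the two token requests a client sends to the XSUAA `/oauth/token` endpoint and then applies the claim checks a proxy should run on the returned JWT before forwarding it. The token endpoint URL, client id and secret, SAML assertion and the JWTs are all constructed placeholders; real XSUAA tokens are signed and must additionally be verified against XSUAA's JWKS, which this example does not do.

```python
"""Token requests for the SAML 2.0 bearer grant (Part 6) and the client
credentials grant (Part 7) against XSUAA, plus the claim checks that tell the
resulting tokens apart. Added example with constructed data."""
import base64
import json
import time
from urllib.parse import urlencode

# Hypothetical XSUAA token endpoint; the real one is per subaccount and region.
TOKEN_URL = "https://acme.authentication.eu10.hana.ondemand.com/oauth/token"

SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"
CLIENT_CREDENTIALS = "client_credentials"


def _basic_auth(client_id, client_secret):
    """HTTP Basic client authentication as accepted by the XSUAA token endpoint."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def client_credentials_request(client_id, client_secret, token_url=TOKEN_URL):
    """Part 7: the caller authenticates as itself; no end user is involved."""
    return {
        "url": token_url,
        "headers": {
            "Authorization": _basic_auth(client_id, client_secret),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode({"grant_type": CLIENT_CREDENTIALS}),
    }


def saml2_bearer_request(client_id, client_secret, saml_assertion_xml,
                         token_url=TOKEN_URL):
    """Part 6: a SAML 2.0 assertion about the end user is exchanged for a JWT.
    The assertion travels base64-encoded in the 'assertion' form field."""
    assertion = base64.b64encode(saml_assertion_xml.encode()).decode()
    return {
        "url": token_url,
        "headers": {
            "Authorization": _basic_auth(client_id, client_secret),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode({"grant_type": SAML2_BEARER, "assertion": assertion}),
    }


def _b64url_decode(part):
    part += "=" * (-len(part) % 4)
    return base64.urlsafe_b64decode(part)


def jwt_payload(token):
    """Decode the payload only. This does NOT verify the signature; the API
    proxy must still verify the JWT against XSUAA's JWKS before trusting it."""
    _header, payload_b64, _signature = token.split(".")
    return json.loads(_b64url_decode(payload_b64))


def check_token(payload, expected_grant, now=None):
    """Return (ok, reason). A token without a user identity is fine for
    client_credentials but is a failure when user propagation was expected."""
    now = time.time() if now is None else now
    if payload.get("exp", 0) <= now:
        return False, "expired"
    if payload.get("grant_type") != expected_grant:
        return False, f"unexpected grant_type {payload.get('grant_type')!r}"
    if expected_grant == SAML2_BEARER and not payload.get("user_name"):
        return False, "saml2-bearer token carries no user_name"
    if expected_grant == CLIENT_CREDENTIALS and payload.get("user_name"):
        return False, "client_credentials token should not name a user"
    return True, "ok"


def make_token(payload):
    """Build an UNSIGNED demo token (constructed test data, not an XSUAA token)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}.sig"


if __name__ == "__main__":
    req = saml2_bearer_request("sb-demo!t1", "secret", "<saml2:Assertion/>")
    print(req["body"])
    tok = make_token({"exp": 2_000_000_000, "grant_type": SAML2_BEARER,
                      "user_name": "alice"})
    print(check_token(jwt_payload(tok), SAML2_BEARER))
```

The point of `check_token` is the last two branches: when a proxy expects propagation of the end user (Part 6) it must reject a token that names no user, and a token obtained with client credentials (Part 7) should never be mistaken for one, since the backend would otherwise attribute the call to a technical user.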
Part 8 – NEO to CF OAuth2SAMLBearer principal propagation
The final video part of this series explains how an application deployed in the Neo environment can connect to an API Management instance running in a SAP Cloud Foundry tenant using the OAuth2SAMLBearerAssertion flow.
The key takeaway from the series should be an understanding of the various options that exist for establishing single sign-on; depending on what your scenario looks like, some of the described approaches can serve as a starting point for your own solution blueprints.
Should you have any feedback, please come back to us with suggestions and improvements so that we can help you run better.