I have a UI5 Application hosted on SAP NEO which retrieves Data via an ABAP OData Service.
Users are maintained in SAP Cloud Identity and mapped to their backend users, and the login is set up via Principal Propagation. This is all set up and works.
I got requested to change the Application to enable External Sales Representatives without SAP Backend Users to use the application.
The idea is to use one "technical user" with Basic Authentication instead of Principal Propagation.
My question is what would be the way to identify the original Cloud Username in ABAP (since there sy-uname would be a technical user).
Debugging in ABAP didn't reveal the original information and I am afraid the original User is not even passed to the Gateway.
The SAP Cloud User API (https://help.sap.com/viewer/65de2977205c403bbc107264b8eccf4b/Cloud/en-US/1de599bf722446849d2b2e10132df42a.html) is not an option because the request could be manipulated in the browser.
I heard of another option using a Java Servlet. But I am afraid that means we have to set up the whole OData Service there again, and with every change in the Gateway we have to adjust the Java Servlet as well. Or is there maybe a proxy?
If you are using Mobile Services of SAP Cloud Platform, you can activate a header with the username to be transferred to your ABAP system. It's called X-SMP-ENDUSERNAME.
Ref the documentation at https://help.sap.com/viewer/38dbd9fbb49240f3b4d954e92335e670/Cloud/en-US/defdadb71ee2476691d987689e3703a2.html
I assume you can get the cloud user ID within your UI5 application, and in case you access the backend via an OData model you can use the ODataModel.setHeaders function to provide your custom request headers, which will be attached to every request sent to the backend. I would try to send the cloud user ID in some custom header value.
And on ABAP side you can use DP facade interface in service implementation to read custom headers:
DATA: lo_facade         TYPE REF TO /iwbep/if_mgw_dp_int_facade,
      lt_client_headers TYPE tihttpnvp.
lo_facade ?= /iwbep/if_mgw_conv_srv_runtime~get_dp_facade( ).
lt_client_headers = lo_facade->get_request_header( ).
We are trying to access BI Publisher reports that are created in our OBIEE (Oracle Business Intelligence Enterprise Edition) via SOAP or REST APIs.
When we try to access a report directly via browser UI (https://xx.xx.xx.xxx:443/xmlpserver) we are able to view (or attain) the results.
However, we were not able to achieve it via either of the APIs (SOAP or REST).
We suspect some configuration (or settings) is needed on the OBIEE end, but we are unable to figure out the root cause that is blocking the API calls (which frequently return random errors).
Please advise on the settings needed.
Can the namespace preferences and program preferences be set via REST API calls? If yes, what is the syntax for it?
Generally in Cloud Data Fusion, when we intend to perform the action on GCP side, like create/delete/restart etc. instance, it's feasible to use domestic Google Cloud API, giving the opportunity to interact with a service endpoint via JSON/HTTP calls interface as described in Google Cloud API design document.
Dedicated to Data Fusion you can follow the Cloud Data Fusion REST API reference document, nicely explaining the methods for composing REST API HTTP calls to manage Data Fusion instances, moreover every method description from the documentation contains Google API Explorer sub-panel, to get handy experience building JSON request on a live data.
Said above, I assume your initial question is related more to CDAP REST API, as it includes the methods for pure CDAP instance metadata/namespaces/application configuration.
From the user perspective your workflow might be the following:
Identify the CDAP API endpoint as explained in this guideline;
Compose an HTTP PUT/GET request relevant to the Data Fusion Namespace/Metadata/Preferences/Configuration object via the CDAP RESTful API.
Yes of course! You have two methods.
The first method is creating it from the platform. Follow the steps below:
Open your data fusion instance
Go to System Admin => Configuration => Make HTTP calls
To create a namespace, submit an HTTP PUT request:
PUT /v3/namespaces/<namespace-id>
Link of CDAP: CDAP
The second method is using terraform.
I have seen the tutorial for starting the cloud functions and creating a guestbook on IBM Cloud, but when trying to connect an App ID it actually requires an application and not a Cloud Functions API.
So how can I connect them? Is there some tutorial somewhere? What needs to be considered?
Depending on what you want to do, take a look at https://console.bluemix.net/docs/services/appid/relatedlinks.html#secure.
Specifically one of
Securing your Cloud Functions API
Securing your serverless Cloud Functions mobile backend with App ID
Tutorial: GitHub traffic analytics with Cloud Functions and Cloud Foundry
Cloud Functions supports OAuth 2.0 user authorization out of the box and you can bind your App ID instance directly to it.
Here's a fairly recent tutorial showing the steps:
https://www.ibm.com/cloud/blog/authenticating-users-with-cloud-functions-api-gateway-and-app-id
If you're looking to automatically initiate a new authentication flow, as in redirect to an identity provider where your user will sign in, you'll have to either add logic to your application using an OIDC SDK (for instance App ID's: https://github.com/ibm-cloud-security/appid-serversdk-nodejs/) or manually handle the flow from a set of actions.
If you go the action approach, you'll have to keep in mind that they are ephemeral and can't keep session state, so you'll have to keep secure cookies in the user's browser.
My goal is to create a REST API Integration from Salesforce to SAP application.
SUCCESS Through Chrome APP
1. All I need to do is retrieve values from sap application through the REST API. When I tried to use the Chrome APP 'Advanced Rest Client' and have passed the appropriate URL and Content with POST method I was able to retrieve the values from local server database.
For example: if I pass request 92126 then I was able to get response 'SAN DIEGO', which is correct.
Here is the link (https://chrome.google.com/webstore/detail/advanced-rest-client/hgmloofddffdnphfgcellkdfbfbjeloo?hl=en-US) for Advanced REST Client.
PROBLEM from Salesforce:
I had created a remote site setting.
When I created this REST class in Salesforce and tried invoking the endpoint, it threw this error:
System.HttpResponse[Status=Service Unavailable, StatusCode=503]
The web API URL which is provided to us is on a local SQL server, i.e. hosted privately, and as we know, in Salesforce the URLs for making callouts must be public. But the URL is private only for security reasons, not hosted publicly. We should achieve it; is there any way to achieve it? What change should be done in Salesforce or on the server so they can communicate with each other and allow the callout?
It is most likely that your endpoint does not allow access from outside some IP range, which you indicated by saying it's not public. Salesforce is a SaaS application hosted outside the domain that your service is on. In order for Salesforce to access that endpoint resource you need to whitelist Salesforce IP ranges, which can be found here.
Whitelisting allows Salesforce to access the resource. The only caveat is that because Salesforce is multi-tenant, any instance of Salesforce on the range that you whitelist would have access to your endpoint. If this is not OK, you might want to add some sort of header to the call, or sign the request, so that it identifies your Salesforce instance uniquely from any other instance and lets you validate that the call originated from your Salesforce org.
(I am linking to the article instead of pasting the IP ranges here because these may change in the future).
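The request signing suggested in the answer above, sketched from the receiving server's side as an added example that is not part of the original answer. The header names, the `/lookup` path, the shared secret and the five-minute window are assumptions; the Salesforce org would compute the same HMAC over the same fields before making the callout.

```python
import hashlib
import hmac

MAX_SKEW_SECONDS = 300  # assumption: tolerated clock skew between org and server
SECRET = b"constructed-demo-secret"  # constructed; provision a random per-org key


def sign_request(secret, method, path, timestamp, body):
    """HMAC-SHA256 over method, path, timestamp and a hash of the body."""
    body_hash = hashlib.sha256(body).hexdigest()
    message = "\n".join([method.upper(), path, str(timestamp), body_hash])
    return hmac.new(secret, message.encode(), hashlib.sha256).hexdigest()


def verify_request(secret, method, path, headers, body, now, seen):
    """Return a reason string; only "ok" means the caller holds the org's key."""
    ts_raw = headers.get("X-Org-Timestamp")  # hypothetical header names
    sig = headers.get("X-Org-Signature")
    if ts_raw is None or sig is None:
        return "missing signature headers"
    try:
        ts = int(ts_raw)
    except ValueError:
        return "bad timestamp"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return "stale timestamp"
    expected = sign_request(secret, method, path, ts, body)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return "signature mismatch"
    if sig in seen:  # same signed request presented twice inside the window
        return "replayed request"
    seen.add(sig)  # entries only need to be kept for MAX_SKEW_SECONDS
    return "ok"


def demo():
    seen = set()
    body = b'{"zip": "92126"}'  # constructed request body
    ts = 1700000000
    headers = {"X-Org-Timestamp": str(ts),
               "X-Org-Signature": sign_request(SECRET, "POST", "/lookup", ts, body)}
    check = lambda h, b, now: verify_request(SECRET, "POST", "/lookup", h, b, now, seen)
    return [check(headers, body, ts + 10),                 # genuine call
            check(headers, body, ts + 20),                 # replay
            check(headers, b'{"zip": "10001"}', ts + 10),  # altered body
            check({}, body, ts + 10),                      # unsigned call from another tenant
            check(headers, body, ts + 1000)]               # captured and sent late


if __name__ == "__main__":
    print(demo())
```

An IP allowlist alone admits every tenant in the listed ranges; with this check only a caller holding the org's key passes, and a captured request cannot be reused or altered.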
I am currently evaluating Keycloak as a central Identity Manager for a backend with multiple REST services (Resteasy/Wildfly).
After a lot of trial and error and reading the documentation, I have succeeded in making an OpenID Connect login into my custom Keycloak realm (analogous to this post http://blog.keycloak.org/2015/10/getting-started-with-keycloak-securing.html).
I can see the access token + id_token coming in the response and am able to make requests to the REST services by passing these tokens.
However, I can only authenticate using the credentials of the users defined in Keycloak itself. In our real-life case, the users reside in SAP and are unknown to Keycloak.
We do, however, have a Java library for authenticating these users over the SAPJCO connector.
Can anyone please tell me how to configure keycloak to use a "custom authentication" module for the actual authentication?
Is implementing a custom authenticator SPI (https://keycloak.gitbooks.io/server-developer-guide/content/v/2.1/topics/auth-spi.html) the way to go? If not, what would be a possible solution?
Hope you guys can help!
Regards,
Kim Zeevaarders
The Netherlands
If you can access the SAP users' details via the SAPJCO connector then you could write a custom Federation Provider. The provided example is rudimentary but it gives the basic idea and Maven dependencies.
In a nutshell you will need to extend org.keycloak.models.UserFederationProvider and provide methods for obtaining user details, validation of credentials and searching by attributes. In your case you would use your SAPJCO connector to fulfil each of these functions against your existing user base.
Update 30 May 2018
The User Federation SPI was replaced with a new User Storage SPI in release 2.5. Migration Notes are available here