How to include additional SAML attributes into JWT?

bpasynkov
Advisor
0 Kudos

Dear colleagues,

I'm currently working on a Principal Propagation scenario between BTP CF and an ABAP backend. The issue I have faced is related to the JWT, which is generated by BTP and utilized by the Cloud Connector to issue an X.509 certificate.

As of SCC version 2.13.2 it is possible to directly access user attributes injected into the JWT:

SAP Cloud Connector Principal Propagation with xs.user.attributes | SAP Community

Configure Subject Patterns for Principal Propagation | SAP Help Portal

So I configured subject patterns for principal propagation on the Cloud Connector level in the following way:

{type} is a user type attribute which is maintained in IAS (Employee, Public, etc.) and transferred via SAML from IAS to BTP during authentication:

But when BTP generates the JWT for the Cloud Connector, this attribute is not included; only the default ones are, e.g. "given_name", "family_name", "email", etc.:

and there is a log entry in ljs_trace.log of the Cloud Connector like "Condition ... does not fit to principal ...", as the {type} attribute is not included in the JWT.

I'm familiar with blogs like SAP BTP Security: How to handle Authorization and Attributes [1] with XSUAA | SAP Blogs and pages like Application Security Descriptor Configuration Syntax | SAP Help Portal, but they are mostly related to custom applications.

But how can this be managed using the standard functionality of BTP, for instance to configure Principal Propagation for Business Application Studio (BAS)?

Many thanks in advance! Regards.

Accepted Solutions (0)

Answers (2)

dyaryura
Active Participant
0 Kudos

Hi!

I think this is a common issue and I would expect a more flexible solution for this.

Boris is correct on the point that, at the moment, passing custom attributes is only possible using custom apps, as per the note below:

2727260 - SAP Cloud Connector - Principal propagation: "CN is not available in context"

"...propagating custom attributes will be possible in custom applications only since SaaS applications in general do not specify custom attributes. For more information, see Authorization Entities."
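For readers of this thread who do own a custom application, the mechanism the note refers to is the application security descriptor (xs-security.json) that the XSUAA links in the question describe. The descriptor below is an added example written for this thread, not code from the question, the answer or SAP; the xsappname, scope and role template names are assumed placeholders, and the attribute name "type" is taken from the question's subject pattern.

```json
{
  "xsappname": "pp-demo-app",
  "tenant-mode": "dedicated",
  "scopes": [
    { "name": "$XSAPPNAME.Display", "description": "Read access to the application" }
  ],
  "attributes": [
    {
      "name": "type",
      "description": "User type maintained in the IdP (Employee, Public, ...)",
      "valueType": "string"
    }
  ],
  "role-templates": [
    {
      "name": "Viewer",
      "description": "Viewer role carrying the user type attribute",
      "scope-references": [ "$XSAPPNAME.Display" ],
      "attribute-references": [ "type" ]
    }
  ]
}
```

Declaring the attribute in the descriptor is only half of the configuration: when a role is created from the "Viewer" template in the subaccount, the attribute's value source is chosen per role, either a static value or an attribute from the identity provider's SAML assertion (the assertion attribute name is entered there; I am assuming it is also called "type" in IAS). Only tokens issued for this application's XSUAA instance then carry the value under xs.user.attributes, which is the claim the Cloud Connector subject pattern reads. That is exactly why the note quoted above limits the approach to custom applications: a SaaS service such as BAS or the ABAP environment ships its own descriptor, so there is no place to declare the attribute.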

Øyvind
Newcomer
0 Kudos

Hi,

Maybe not the same issue, but we also have the need to include additional SAML attributes into the JWT. We are using BTP services, e.g. ABAP environment, which authenticate with SAML by matching email as the unique ID. But when using principal propagation through the Cloud Connector to any backend system, the company requirement is to match users against an attribute that is not email.

The unique identifier is determined by the company IdP, and we are not able to find any way for the JWT to contain anything except the predefined values. This makes it impossible to use principal propagation without having to maintain different trust configurations in BTP subaccounts, and in some cases it is impossible to solve at all, as we get into a catch-22: if we use email, principal propagation won't work, and if we use the other attribute, we are not able to log on to the BTP service (like ABAP environment).

I am very interested to know if we have missed something or if this is just something that is not possible with standard BTP services.