
HCPMS and HCP Database backend

mingkho
Advisor
0 Kudos

Dear HCPMS/SMP dev and experts,

I'd like to pick your brain on a persistent problem I am facing.

Background to the problem:

I have a productive HANA instance on HANA Cloud Platform. I have created a database for it and exposed it as an xsodata service, i.e. https://abcdefg.hana.ondemand.com/myxsapp/MyODataService.xsodata/

The service can be accessed using the user's SAP ID (p-xxxxxx/s-xxxxxx) via SAP's Identity Provider.

It is important that the user logs in with an SAP ID because I have Database Views which are using SESSION_USER to identify which records to retrieve.

Now I have also created a hybrid mobile app with Kapsel Logon.

I have also set up an application on HCPMS, whose backend is "https://abcdefg.hana.ondemand.com/myxsapp/MyODataService.xsodata/"

What I want to achieve:

It's actually quite simple: I want the user to log on via Kapsel Logon (can be Basic auth or Form auth) using SAP IDP. Then I would like that logged-in user to be propagated to the backend, which is using the same SAP IDP too.

What problem I am having:

I can't seem to get the user propagation to work. Please do note that I am no security expert, so I am currently still trying to understand many of the concepts.

Currently there are a few choices of Authentication Type for the backend configuration in HCPMS:

- Basic Authentication: This seems to require me to log on as a specific user by providing username and password.

- Principal Propagation: This is only for on-premise systems that use HANA Cloud Connector? My HANA instance is on HANA Cloud Platform.

- SAPAssertionSSO: This sounds like the way to go, but I have absolutely no idea where to find the Issuer SID, Issuer Client, Recipient SID, Recipient Client, Signing Key, Signing Certificate.

  Can I use an existing certificate that my HANA instance already has, if it has one? If yes, where do I find that information and what sort of configuration do I need on my HANA instance to allow this type of authentication?

  If not, how do I generate this information (I assume I need to generate a certificate?) and how do I upload this cert to HANA?

- Client Certification: I assume this is a no-go as it will always log in as a specified user instead of the real user's username.

Regards

Ming

WRoeckelein
Active Participant
0 Kudos

Hi Ming,

IMHO you need to change your HANA XSODATA service so that it accepts Basic Authentication. Then use NoAuthentication for BackendConnection. When you send Basic Authentication from Kapsel with AuthProxy or other means, this should pass through the Connection and arrive at the xsodata service, which should then accept the Basic Authentication.

Regards,

Wolfgang