SAP BTP CF to CF app: Propagate User Attributes via OAuth SAML Bearer Assertion

Rwitte
Participant

Dear experts,
we are currently struggling with the setup of the connection of two CF apps in different subaccounts of the same region. We have a UI5 app residing in one subaccount and a CAP app in the other subaccount. We configured the user propagation successfully like described here: https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/user-propagation-between-cloud-foundr...

In general this works like a charm and we can authenticate successfully. However, the user attributes we defined in our SAML assertion issued by the IdP, which are available in the UI5 app, are lost in the transfer and do not reach our CAP app.
In the first SAML assertion and in the JWT token for the UI5 app they are present; however, when testing the OAuth2SAMLBearerAssertion destination they are not available anymore.
According to the documentation here: https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/oauth-saml-bearer-assertion-authentic... this should happen automatically. However, I find it quite strange that the attribute "user_attributes" is mentioned there, as opposed to "xs.user.attributes", which the XSUAA generates into our JWT token. Could this be the issue? And if yes, how to resolve it? Or any other suggestions on how to resolve this issue?

Pavansj
Explorer
0 Kudos

Hello Raphael,

Thanks for posting the question and the answer to it as well. However, the answer you provided is still not getting us the attribute we are looking for. Could you kindly validate my attached files and tell me if I am doing anything wrong? We have exactly the same setup as you. The provider app is a CAP app deployed in Subaccount A, and the UI is deployed in Subaccount B. We were successful in granting the Auth (thanks to Carlos once again). However, we now need the attributes. Thanks in advance.
XS Security of the CAP app (Provider)

{
  "xsappname": "dev-planproject-authentication",
  "tenant-mode": "dedicated",
  "description": "Security profile of called application",
  "scopes": [
    {
      "name": "$XSAPPNAME.external-user",
      "description": "external-user",
      "granted-apps": [
        "$XSAPPNAME(application, <SubbaccountID of UI app>, plansui_auth)"
      ]
    }
  ],
  "attributes": [
    {
      "name": "EmployeeNumber",
      "description": "EmployeeNum",
      "valueType": "int"
    }
  ],
  "role-templates": [
    {
      "name": "external-user",
      "description": "generated",
      "scope-references": [
        "$XSAPPNAME.external-user"
      ],
      "attribute-references": [
        "EmployeeNumber"
      ]
    }
  ]
}

XS security of the UI app.

{
  "xsappname": "plansui_auth",
  "tenant-mode": "dedicated",
  "authorities": [
    "$ACCEPT_GRANTED_AUTHORITIES"
  ],
  "foreign-scope-references": [
    "$XSAPPNAME(application, <Sub account ID where the Provider app is deployed>, dev-planproject-authentication).external-user",
    "user_attributes"
  ],
  "description": "Security profile of called application",
  "scopes": [],
  "role-templates": []
}

Accepted Solutions (1)

Rwitte
Participant
0 Kudos

Hi Carlos,

your blog series is amazing and helped me to really dig into the details and understand everything that is going on. Great job!
However, what I was missing was just the "foreign-scope-references": ["user_attributes"] in the xs-security.json of my app router. For some reason this did not kick in immediately, but only on the next day after submitting my question here.

Best regards,
Raphael
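To make the accepted fix checkable, here is an added Node.js example (not code from this thread, and not SAP's own tooling) that cross-checks the provider and consumer xs-security.json descriptors shown earlier in the thread, and decodes a JWT payload to report whether the "xs.user.attributes" claim actually reached the called app. The descriptors are modelled on the ones in the post; the subaccount IDs are placeholders, and the sample tokens are constructed and unsigned, used only to feed the decoder.

```javascript
// Added example: config cross-check and token inspection for the CF-to-CF
// attribute propagation scenario. Not from the thread and not SAP code.
// Subaccount IDs are placeholders; sample tokens are CONSTRUCTED and unsigned.

// Provider (CAP app) descriptor, modelled on the post.
const providerXsSecurity = {
  xsappname: 'dev-planproject-authentication',
  'tenant-mode': 'dedicated',
  scopes: [{
    name: '$XSAPPNAME.external-user',
    'granted-apps': ['$XSAPPNAME(application, <ui-subaccount-id>, plansui_auth)'],
  }],
  attributes: [{ name: 'EmployeeNumber', valueType: 'int' }],
  'role-templates': [{
    name: 'external-user',
    'scope-references': ['$XSAPPNAME.external-user'],
    'attribute-references': ['EmployeeNumber'],
  }],
};

// Consumer (UI app router) descriptor, modelled on the post, including the
// "user_attributes" entry that the accepted answer says was missing.
const consumerXsSecurity = {
  xsappname: 'plansui_auth',
  'tenant-mode': 'dedicated',
  authorities: ['$ACCEPT_GRANTED_AUTHORITIES'],
  'foreign-scope-references': [
    '$XSAPPNAME(application, <provider-subaccount-id>, dev-planproject-authentication).external-user',
    'user_attributes',
  ],
  scopes: [],
  'role-templates': [],
};

// "$XSAPPNAME(application, <subaccount>, appname)" -> "appname"
function parseGrantedApp(entry) {
  const m = /^\$XSAPPNAME\(application,\s*[^,]+,\s*([^)]+)\)$/.exec(entry.trim());
  return m ? m[1].trim() : null;
}

// "$XSAPPNAME(application, <subaccount>, appname).scope" -> { app, scope }
function parseForeignScope(entry) {
  const m = /^\$XSAPPNAME\(application,\s*[^,]+,\s*([^)]+)\)\.(.+)$/.exec(entry.trim());
  return m ? { app: m[1].trim(), scope: m[2].trim() } : null;
}

// Returns a list of findings; an empty list means the descriptors fit together.
function checkAttributePropagation(provider, consumer) {
  const findings = [];
  const declared = new Set((provider.attributes || []).map((a) => a.name));
  if (declared.size === 0) findings.push('provider declares no attributes');
  for (const tpl of provider['role-templates'] || []) {
    for (const ref of tpl['attribute-references'] || []) {
      if (!declared.has(ref)) findings.push(`role template ${tpl.name} references undeclared attribute ${ref}`);
    }
  }
  const grantedTo = new Set();
  for (const scope of provider.scopes || []) {
    for (const g of scope['granted-apps'] || []) {
      const app = parseGrantedApp(g);
      if (app) grantedTo.add(app);
    }
  }
  if (!grantedTo.has(consumer.xsappname)) findings.push(`no provider scope is granted to ${consumer.xsappname}`);
  const foreign = consumer['foreign-scope-references'] || [];
  if (!foreign.includes('user_attributes')) findings.push('consumer foreign-scope-references lacks "user_attributes"');
  const refs = foreign.map(parseForeignScope).filter(Boolean);
  if (!refs.some((r) => r.app === provider.xsappname)) findings.push(`consumer references no scope of ${provider.xsappname}`);
  return findings;
}

// Decodes the payload of a compact JWT (no signature check: inspection only)
// and returns its "xs.user.attributes" claim, or null when the claim is absent.
function tokenAttributes(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  return payload['xs.user.attributes'] ?? null;
}

// CONSTRUCTED sample tokens with a dummy signature segment, only for tokenAttributes().
function constructedJwt(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.CONSTRUCTED-SIGNATURE`;
}
const sampleJwtWithAttributes = constructedJwt({
  user_name: 'jane.doe', // CONSTRUCTED
  'xs.user.attributes': { EmployeeNumber: ['4711'] }, // CONSTRUCTED value
});
const sampleJwtWithoutAttributes = constructedJwt({ user_name: 'jane.doe' });

console.log('config findings:', checkAttributePropagation(providerXsSecurity, consumerXsSecurity));
console.log('attributes in token:', tokenAttributes(sampleJwtWithAttributes));
console.log('attributes in token without claim:', tokenAttributes(sampleJwtWithoutAttributes));
```

Run it with plain `node`; replace the embedded descriptors with the real files and paste the token the CAP app receives (for example from the Authorization header logged on the provider side) into tokenAttributes() to see whether the claim survived the exchange. Removing "user_attributes" from the consumer descriptor is reported as a finding, which matches the fix in the accepted answer.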

CarlosRoggan
Product and Topic Expert

Hello Raphael,

here's one more link for you; you can check whether it helps to clarify the "foreign-scope-reference":

https://blogs.sap.com/2020/06/02/how-to-call-protected-app-from-external-app-as-external-user-with-s...

I'm very happy to hear that those blogs have helped you - so writing them was not in vain 😉

thanks and good luck!

Carlos

Answers (1)

CarlosRoggan
Product and Topic Expert

Hello Raphael,

have you seen this blog post?

https://blogs.sap.com/2022/06/10/sap-btp-how-to-call-protected-app-across-regions-with-saml-and-oaut...

Scroll down to the links section to see the list of 4 posts about a scenario that looks similar to yours.

I hope you can surf around the 3 posts, scroll around there and find a snippet that helps you solve your issue.

Kind Regards,
Carlos