Configuration of OAuth Settings

You can make the OAuth settings either directly here in PCo or in the Machine Model in the SAP Digital Manufacturing Cloud. The data is then transferred automatically from the cloud to the PCo Management Console and displayed here.

  1. Check the settings that have been transferred from the SAP Digital Manufacturing Cloud or enter them here:

    OAuth Settings (each field is followed by its description)

    Client ID

    The client ID is a public identifier for the Web application (for example, a Web service) that is provided by the SAP Digital Manufacturing Cloud and called by PCo. This ID must be unique among all clients that are managed by an authorization server.

    Client Secret

    The client secret is only known to the Web application and the authorization server.

    URI

    The endpoint of the user authentication and authorization service that is hosted by the authorization server (in the cloud). The service is responsible for checking the client ID presented by PCo, the client secret, the scope, and the SAML metadata sent by PCo.

    If the check is successful, the authorization server issues an access token. This access token (a JSON Web Token, JWT) is added to the Authorization header of each request that is sent to the Web application or a cloud service.

    Issuer

    Specifies the SAML issuer that issues the SAML assertions with which you can log on to a system that trusts the issuer.

    Enter, for example, PCoIDP here.

    The value entered in this field identifies the identity provider. An identity provider is a trusted system that authenticates the user to Web applications (cloud) or digital resources; PCo takes this role.

    Certificate

    You select a certificate here that contains a private key. The certificate can also be self-signed. The self-signed certificate needs to be stored in the certificate store of the computer on which PCo is installed. Because PCo signs its SAML assertions with the private key, the cloud can use the public key of this certificate to reliably verify that a request originates from PCo.

    PCo uses this certificate in its role as identity provider.

    A SAML metadata descriptor can be generated based on the issuer and this certificate. You can generate the SAML metadata later by choosing the pushbutton Generate SAML Metadata.

    Identification Type

    You use the identification type to determine how the certificate is to be identified at runtime.

    If you select Identification By Thumbprint, the configured certificate is identified using the unique thumbprint. This is the default setting.

    If you select Identification By Subject, the subject of the certificate is used at runtime to select, from the certificates in the selected storage location, the matching certificate with the longest remaining validity. This enables certificate rotation: a renewed certificate with the same subject is picked up automatically without changing the configuration.

    Name ID

    Enter the user name or the e-mail address of the user on whose behalf the SAML assertions are to be issued.

    Scope

    Contains the delimited list of scopes requested for the token. Scopes are a way to limit the access rights that are granted with an access token. You can implement your APIs so that each scope, or each combination of scopes, is enforced.

    This entry is optional.

    Audience

    Identifies the recipient of the SAML assertion. This might be a Web application or a cloud service for which the SAML assertion token is intended.

  2. Choose Generate SAML Metadata.

The generated SAML metadata must then be made known to the authorization server in the cloud so that a trust relationship with the identity provider (PCo) can be established. You achieve this by uploading the XML file containing the SAML metadata to the authorization server. The metadata contains only the public certificate; the private key stays in the certificate store on the PCo computer.
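The following is an added example, not SAP PCo's own code, showing how the fields above fit together. It assumes that the settings map onto the SAML 2.0 bearer assertion grant (RFC 7522): PCo, as identity provider, issues a SAML assertion for Name ID addressed to Audience, exchanges it at the URI together with client ID, client secret and scope for a JWT, and publishes a metadata descriptor built from Issuer and Certificate. The certificate store, its DER bytes and the URLs are constructed placeholders, and the XML signature step is left out because it needs an XML-DSig library.

```python
# Added example (not SAP PCo code): the OAuth/SAML settings as a working flow.
# Assumes the RFC 7522 SAML bearer grant; certificates are constructed records.
import base64
import hashlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAML_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"
TS = "%Y-%m-%dT%H:%M:%SZ"


@dataclass
class Certificate:
    """Constructed stand-in for an entry in the machine certificate store."""
    subject: str
    not_before: datetime
    not_after: datetime
    der: bytes  # placeholder bytes, not a real DER-encoded certificate

    @property
    def thumbprint(self) -> str:
        # The store's thumbprint is the SHA-1 hash of the DER encoding.
        return hashlib.sha1(self.der).hexdigest().upper()


NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)  # constructed reference time
STORE = [  # constructed store: an old and a renewed PCoIDP certificate
    Certificate("CN=PCoIDP", NOW - timedelta(days=300), NOW + timedelta(days=65), b"cert-2023"),
    Certificate("CN=PCoIDP", NOW - timedelta(days=10), NOW + timedelta(days=355), b"cert-2024"),
    Certificate("CN=Other", NOW - timedelta(days=10), NOW + timedelta(days=355), b"cert-other"),
]


def select_certificate(store, identification_type, value, now):
    """Resolve the certificate at runtime as the Identification Type field
    describes: exact thumbprint match, or by subject taking the currently
    valid certificate with the longest remaining validity (rotation)."""
    if identification_type == "thumbprint":
        matches = [c for c in store if c.thumbprint == value.upper()]
    elif identification_type == "subject":
        matches = [c for c in store
                   if c.subject == value and c.not_before <= now < c.not_after]
    else:
        raise ValueError(f"unknown identification type {identification_type!r}")
    if not matches:
        raise LookupError("no matching certificate in store")
    return max(matches, key=lambda c: c.not_after)


def build_assertion(issuer, name_id, audience, now, lifetime_s=300):
    """Unsigned SAML 2.0 assertion carrying Issuer, Name ID and Audience.
    PCo signs this element with the selected certificate's private key."""
    ET.register_namespace("saml", SAML2)
    a = ET.Element(f"{{{SAML2}}}Assertion", Version="2.0", IssueInstant=now.strftime(TS))
    ET.SubElement(a, f"{{{SAML2}}}Issuer").text = issuer
    subject = ET.SubElement(a, f"{{{SAML2}}}Subject")
    ET.SubElement(subject, f"{{{SAML2}}}NameID").text = name_id
    cond = ET.SubElement(a, f"{{{SAML2}}}Conditions", NotBefore=now.strftime(TS),
                         NotOnOrAfter=(now + timedelta(seconds=lifetime_s)).strftime(TS))
    ar = ET.SubElement(cond, f"{{{SAML2}}}AudienceRestriction")
    ET.SubElement(ar, f"{{{SAML2}}}Audience").text = audience
    return ET.tostring(a, encoding="unicode")


def check_assertion(assertion_xml, expected_issuer, expected_audience, now):
    """The issuer, audience and validity checks the authorization server runs on
    a received assertion (signature verification is out of scope here)."""
    root = ET.fromstring(assertion_xml)
    cond = root.find(f"{{{SAML2}}}Conditions")
    audience = cond.findtext(f"{{{SAML2}}}AudienceRestriction/{{{SAML2}}}Audience")
    nb = datetime.strptime(cond.get("NotBefore"), TS).replace(tzinfo=timezone.utc)
    na = datetime.strptime(cond.get("NotOnOrAfter"), TS).replace(tzinfo=timezone.utc)
    return (root.findtext(f"{{{SAML2}}}Issuer") == expected_issuer
            and audience == expected_audience and nb <= now < na)


def build_token_request(uri, client_id, client_secret, assertion_xml, scope=None):
    """Request PCo sends to the URI field: client credentials in the Basic
    header, the assertion as the bearer grant, optional scope."""
    body = {"grant_type": SAML_BEARER,
            "assertion": base64.urlsafe_b64encode(assertion_xml.encode()).decode().rstrip("=")}
    if scope:
        body["scope"] = scope
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return {"url": uri, "headers": headers, "body": body}


def bearer_header(access_token):
    """Header added to every subsequent request once the JWT is issued."""
    return {"Authorization": f"Bearer {access_token}"}


def build_metadata(issuer, cert):
    """SAML metadata descriptor (step 2): entityID is the Issuer and the
    KeyDescriptor carries only the public certificate, never the private key."""
    ET.register_namespace("md", MD)
    ET.register_namespace("ds", DS)
    ed = ET.Element(f"{{{MD}}}EntityDescriptor", entityID=issuer)
    idp = ET.SubElement(ed, f"{{{MD}}}IDPSSODescriptor",
                        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol")
    kd = ET.SubElement(idp, f"{{{MD}}}KeyDescriptor", use="signing")
    x509 = ET.SubElement(ET.SubElement(kd, f"{{{DS}}}KeyInfo"), f"{{{DS}}}X509Data")
    ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = base64.b64encode(cert.der).decode()
    return ET.tostring(ed, encoding="unicode")


if __name__ == "__main__":
    cert = select_certificate(STORE, "subject", "CN=PCoIDP", NOW)
    assertion = build_assertion("PCoIDP", "operator@example.com", "https://dmc.example/api", NOW)
    print(build_token_request("https://auth.example/oauth/token", "pco-client", "secret", assertion, "read")["body"]["grant_type"])
    print(build_metadata("PCoIDP", cert))
```

Running the module prints the grant type of the token request and the metadata descriptor; selecting by subject returns the 2024 certificate even though the 2023 one is still valid, which is the rotation behaviour the Identification Type field describes.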