
Cloud Application Integration Scenario

Use

This section provides an overview of the supported authentication methods for a scenario where the consumer accesses a private or public Cloud application, for example, SAP StreamWork.

The Cloud application sends OData requests to SAP Gateway. For this scenario, SAP Gateway supports multiple authentication options, including the following:

  • Unsolicited SAML 2.0 bearer assertion

    Requires an additional system (an IdP or STS) to generate the assertion, which is sent directly to SAP Gateway in a POST request (IdP-initiated SSO with POST binding).

  • Short-lived X.509 client certificate

    The certificate is generated on the fly without PKI infrastructure.

    If the HTTPS request is terminated by a reverse proxy, for example, SAP Web Dispatcher, the proxy and SAP Gateway should implement forwarding of the client certificate in the HTTP header.

    Applicable in highly trusted environments.
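The header-forwarding requirement above only holds up if the header cannot be supplied by anyone other than the proxy. The following sketch is an added example, not SAP code or configuration: the header name `x-client-cert`, the proxy address range, and both function names are assumptions made for illustration, and peer-address trust stands in for whatever proxy authentication the landscape actually uses.

```python
import ipaddress

# Assumptions for this sketch (not SAP parameter or header names):
CERT_HEADER = "x-client-cert"                            # placeholder header name
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.1.0/28")]  # constructed DMZ proxy range


def proxy_forward(inbound_headers, tls_client_cert_pem):
    """Reverse-proxy side: drop any caller-supplied copy of the header,
    then set it only from the certificate verified in the TLS handshake."""
    out = {k: v for k, v in inbound_headers.items() if k.lower() != CERT_HEADER}
    if tls_client_cert_pem is not None:
        out[CERT_HEADER] = tls_client_cert_pem
    return out


def backend_client_cert(peer_ip, headers):
    """Backend side: honour the header only when the connection comes from
    a trusted proxy. Returns the forwarded certificate, or None if the
    header must be ignored."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return None  # direct connection that bypassed the proxy
    values = [v for k, v in headers.items() if k.lower() == CERT_HEADER]
    if len(values) != 1:
        return None  # header absent, or ambiguous duplicates
    return values[0]


if __name__ == "__main__":
    real = "-----BEGIN CERTIFICATE-----constructed-real-----END CERTIFICATE-----"
    fake = "-----BEGIN CERTIFICATE-----constructed-fake-----END CERTIFICATE-----"
    # A client presents a real certificate in TLS but also injects a fake header.
    forwarded = proxy_forward({"Host": "gw.example", "X-Client-Cert": fake}, real)
    print(backend_client_cert("10.0.1.5", forwarded) == real)                # True
    # The same fake header sent straight to the backend is ignored.
    print(backend_client_cert("203.0.113.9", {"X-Client-Cert": fake}))       # None
```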

In this scenario, the consumer accesses a private or public Cloud application to create an entry in SAP ERP through SAP Gateway.

Figure: Cloud integration scenario

The figure above is an overview of the data flow for the request in a scenario using the SAML authentication method:

  • Consumer:

    The Cloud application accesses SAP Gateway on behalf of the consumer. The Cloud application acquires a SAML assertion from the local STS.

  • Connectivity Layer (DMZ):

    The reverse proxy acts as a connectivity solution for external consumers.

  • SAP Gateway:

    SAP Gateway trusts the STS in two authentication scenarios:

    • Issuing a SAML 2.0 assertion for an unsolicited request.

    • Issuing a SAML 2.0 bearer assertion proving the user’s identity for the OAuth 2.0 flow.

  • Business Layer:

    SAP Gateway uses a Trusted RFC Connection to access backend services with a named user.