Show TOC

Cloud Application Integration ScenarioLocate this document in the navigation structure


This section provides an overview of the supported authentication methods for a scenario where the consumer accesses a private or public Cloud application, for example, SAP StreamWork.

The Cloud application communicates OData request to SAP Gateway. For this scenario, SAP Gateway supports multiple authentication options, including the following:

  • Unsolicited SAML 2.0 bearer assertion

    Requires an additional system IdP or STS for generating the assertion, which is sent to SAP Gateway directly in a POST request (IdP-initiated SSO POST Binding).

  • Short-lived X.509 client certificate

    The certificate is generated on the fly without PKI infrastructure.

    If HTTPS request is terminated by a reverse proxy, for example, SAP Web Dispatcher, the proxy and SAP Gateway should implement forwarding of the client certificate in the HTTP header.

    Applicable in highly trusted environment.

In this scenario, the consumer accesses a private or public Cloud application to create an entry in SAP ERP through SAP Gateway.

Figure 1: Cloud integration scenario

The figure above is an overview of the data flow for the request in a scenario using SAML authentication method:

  • Consumer

    Cloud application accesses SAP Gateway on behalf of consumer.

    Cloud application acquires a SAML assertion from local STS.

  • Connectivity Layer

    Reverse proxy acts as a connectivity solution for external consumers.

  • SAP Gateway

    SAP Gateway trusts STS in two authentication scenarios:

    • Issuing SAML 2.0 assertion for an unsolicited request.

    • Issuing SAML 2.0 bearer assertion proving user’s identity for OAuth 2.0 flow.

  • Business Layer

    SAP Gateway uses Trusted RFC Connection to access BE services with named user