
I want to consume a CF service in my Neo SCP, using a destination with OAuthSAMLBearerAssertion.

But every time I check for the service in WebIDE, I get error 500.

Here is my destination:

#clientKey= Client-ID of your OAuth client
--> you will get the clientid from environment variables in CF: 
--> xsuaa --> credentials --> clientid
#tokenServicePassword=  Client secret of your OAuth client
--> you will get the clientsecret from environment variables in CF: 
--> xsuaa --> credentials --> clientsecret
#Tue May 21 07:02:37 UTC 2019
Description=CF HANA OData Service
Type=HTTP
TrustAll=true
audience=xyz.aws-live-eu10 (=EntityID out of the SAML metadata)
Authentication=OAuth2SAMLBearerAssertion
WebIDEUsage=odata_gen
Name=cf_xyz_odata_auth
WebIDEEnabled=true
tokenServiceURL=https\://xyz.authentication.eu10.hana.ondemand.com/oauth/token/alias/xyz.aws-live-eu10 (= Token URL out of the SAML metadata)
URL=https\://backend.cfapps.eu10.hana.ondemand.com
ProxyType=Internet
tokenServiceURLType=Dedicated
tokenServiceUser= same as client key
WebIDESystem=CF

Any ideas?

RNLS0176
  • I'm not sure whether I really understand what you're trying to achieve. From my understanding, you have an application on SCP **Neo** and you're now trying to consume a **Cloud Foundry** service from your **Neo** app. Did I get this right? Assuming I did, I have to say this does not sound like a scenario that is intended to work. Could you please give some background knowledge on your use case and which service you're trying to consume? – Dennis H May 21 '19 at 14:56
  • @DennisH I have an OData service running on Cloud Foundry. I have a UI5 application running on Neo SCP. I want to consume the OData service via destination from the Neo environment. – RNLS0176 May 21 '19 at 16:11
  • Okay, so when you say "OData service" I assume it's an app that you've written and run on CF yourself. In that case the next question is: how have you protected that app? Have you written some form of authentication mechanism yourself? Or are you using an approuter in front of the app? – Dennis H May 22 '19 at 06:55
  • The service is protected the following way via CAP: service CustomerService @(requires: 'authenticated-user') ... To access the service on CF I have the approuter, which is working, but as I understood from other colleagues I should NOT use the approuter URL in my destination but the service URL itself. – RNLS0176 May 22 '19 at 07:32
  • Given that this is not a question related to the SAP Cloud SDK, I unfortunately cannot give an answer to that (because I frankly have no idea). I will try to find someone who can answer that. – Dennis H May 22 '19 at 12:39
  • @DennisH found no one? Topic is quite urgent for our project... – RNLS0176 May 24 '19 at 09:21
  • I forwarded it, but I will follow up on it. Cannot make any promises, though, sorry... – Dennis H May 24 '19 at 14:25

1 Answer

Fixed it:

The problem was that I had to add the Neo account as "allowed provider" in the oauth2-configuration in the xs-security.json and delete/restart the xsuaa service instance.

    "oauth2-configuration": {
        "token-validity": 900,
        "refresh-token-validity": 1800,
        "autoapprove": "true",
        "allowedproviders": ["..."],
        "grant-types": ["refresh_token", "urn:ietf:params:oauth:grant-type:saml2-bearer", "password", "authorization_code"]
    }
RNLS0176
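As an added example, not part of the original question or answer: a small Python checker that reads a Neo destination (Java .properties format) and an xs-security.json and verifies the preconditions this thread turned on before the SAML bearer flow can work: the saml2-bearer grant type must be enabled, allowedproviders must not be empty or a placeholder, tokenServiceUser must equal clientKey, and the /alias/ segment of tokenServiceURL is expected to match audience (this last equality is my assumption based on the values in the question, not a documented rule). It also flags TrustAll=true, which disables TLS certificate validation on the destination. The client ID sb-myapp!t1234 and the allowedproviders value neo-subaccount-idp are made-up placeholders; the sample destination is constructed from the question's values.

```python
import json

SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"

# Constructed sample input: the destination from the question, with a made-up
# client ID (sb-myapp!t1234) filled in for clientKey and tokenServiceUser.
DESTINATION_PROPERTIES = """\
Description=CF HANA OData Service
Type=HTTP
TrustAll=true
audience=xyz.aws-live-eu10
Authentication=OAuth2SAMLBearerAssertion
Name=cf_xyz_odata_auth
tokenServiceURL=https\\://xyz.authentication.eu10.hana.ondemand.com/oauth/token/alias/xyz.aws-live-eu10
URL=https\\://backend.cfapps.eu10.hana.ondemand.com
ProxyType=Internet
tokenServiceURLType=Dedicated
clientKey=sb-myapp!t1234
tokenServiceUser=sb-myapp!t1234
"""

# Constructed xs-security.json fragments: the state before the fix (no Neo
# account listed as allowed provider) and after it (assumed origin key
# "neo-subaccount-idp" for the Neo trust configuration).
XS_SECURITY_BEFORE = json.loads("""
{"oauth2-configuration": {
    "token-validity": 900,
    "refresh-token-validity": 1800,
    "autoapprove": "true",
    "grant-types": ["refresh_token", "%s", "password", "authorization_code"]
}}""" % SAML2_BEARER)

XS_SECURITY_AFTER = json.loads("""
{"oauth2-configuration": {
    "token-validity": 900,
    "refresh-token-validity": 1800,
    "autoapprove": "true",
    "allowedproviders": ["neo-subaccount-idp"],
    "grant-types": ["refresh_token", "%s", "password", "authorization_code"]
}}""" % SAML2_BEARER)


def parse_properties(text):
    """Minimal Java .properties parser: skips comments, unescapes the '\\:' that
    the destination export uses inside URLs."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip().replace("\\:", ":")
    return props


def check_saml_bearer_setup(dest, xs_security):
    """Return a list of findings; an empty list means the pairing looks consistent."""
    findings = []
    if dest.get("Authentication") != "OAuth2SAMLBearerAssertion":
        return findings  # other auth types are out of scope here

    oauth = xs_security.get("oauth2-configuration", {})
    if SAML2_BEARER not in oauth.get("grant-types", []):
        findings.append("grant-types lacks " + SAML2_BEARER)

    providers = oauth.get("allowedproviders") or []
    if not providers or any(p.strip(". ") == "" for p in providers):
        findings.append("allowedproviders is empty or still a placeholder")

    if dest.get("tokenServiceUser") != dest.get("clientKey"):
        findings.append("tokenServiceUser must equal clientKey")

    # Assumption: the alias in the token URL is the same value as 'audience'.
    alias = dest.get("tokenServiceURL", "").rsplit("/alias/", 1)[-1]
    if alias != dest.get("audience"):
        findings.append("tokenServiceURL alias does not match audience")

    if dest.get("TrustAll", "false").lower() == "true":
        findings.append("TrustAll=true disables TLS certificate validation")
    return findings


if __name__ == "__main__":
    dest = parse_properties(DESTINATION_PROPERTIES)
    for label, cfg in (("before", XS_SECURITY_BEFORE), ("after", XS_SECURITY_AFTER)):
        print(label, check_saml_bearer_setup(dest, cfg) or ["ok"])
```

Run against the "before" fragment the checker reports the missing allowed provider (the root cause in the answer) plus the TrustAll warning; against the "after" fragment only the TrustAll warning remains, which is the one thing in the question's destination that should still be changed before production use.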